GDPR Compliance: Consent Management implications

Dan_Stevens_
Level 10 - Champion Alumni

Anyone who is doing business globally surely has GDPR on their mind.  We had a steering committee call this morning and one of the topics that came up was around "consent management".  Specifically the following:

  • As part of this complex topic is one that states that a user will have the right to have their data removed (e.g., from Marketo) and we will need to keep a record of this.  Does Marketo plan on creating some sort of audit trail of this activity?  Today, if you delete a person, the only item that remains is their "unsubscribe" status as part of the durable unsubscribe.
  • Another surprise to us was the fact that GDPR is enforceable based on CITIZENSHIP, not country of residence.  As a result, our company will be enforcing GDPR compliance across all marketing activities globally (not just those that target countries in Europe) - to me, this also means that every company needs to be concerned with GDPR (even if their only market is the US?) - essentially, making it global law.  So if a German citizen is living in the US, GDPR applies to them.  Therefore, we can't rely on the country value in the user's record.  Is this a surprise to others?

I'd be very interested in any items on Marketo's roadmap that make it easier for its customers to comply with GDPR.

Anonymous
Not applicable

Now I might be wrong - let's open with that statement - because, let's face it, some of us are reading something new on GDPR every day...

BUT...

I'm pretty sure I saw something which stated that an opt-in can't be bartered for - i.e. it's still unfair according to GDPR to get explicit consent in exchange for a whitepaper etc...so if I'm reading that right, you can't include your Opt-in button on your web form if it's in exchange for something. So we will end up with the scenario where someone has asked us to do something - i.e. a Request a Demo form, where we will need to get in touch with them, but don't have explicit consent...

fun times indeed...

Erica_Dipyatic
Level 4

Agree on the opt-in stance and not being bundled with other actions.  In previous readings regarding anti-spam policies, particularly in Germany, this has been in place. Opting in to marketing/email communications has to be individually identified and explicit - what is the user signing up for. The bundling, probably gets skirted around, but I think it's going to be more focused on and yes - gated content and opting-in will definitely need to be more clear and separate in the days ahead.

Dan_Stevens_
Level 10 - Champion Alumni

I just created this poll:

(I thought I'd promote it here since polls don't show up by default in the "Marketing Discussions" feed).

Trish_Keenan1
Level 2

I just voted also - thanks, Dan.

I learned this week that one of our attorneys is already on the case and has gotten approval to have a contractor specialized in compliance come in and audit current practices and provide recommendations as to what needs to be done to be ready. I'll share more information as it's available.

Gerard_Donnell4
Level 10

Cheers,

Just voted.

Gerard_Donnell4
Level 10
huge economic impacts across the world (fines of $20,000,000 or 4% of global revenues - whichever is larger

I heard last week from a source in a leading Silicon Valley tech company that they and others are planning on mailing their entire database to update their preferences and risk the fines now as they are so low compared to after GDPR comes into law. Loads of companies will have to wipe the majority of their databases if they can't prove if they have opted in or not. Fun times ahead!

http://www.cbronline.com/news/enterprise-it/software/honda-flybe-fined-80000-sending-millions-spam-e...

Dan_Stevens_
Level 10 - Champion Alumni

Someone just shared this article with me - wow, is this an eye-opener!

GDPR: The Battle for Consumer Data

Dan_Stevens_
Level 10 - Champion Alumni

I'm trying to get some more clarification on my first bullet in my original post (around country CITIZENSHIP vs. RESIDENCY).  Actually our GDPR program manager is asking where they interpreted this, given the main document/FAQ includes the following:

pastedImage_0.png

More to come as I hear back from our team.  All I can think is that our legal team - where we're bound by our parent company's (Accenture) mandate - is taking a risk-averse approach here so that there's no chance of us violating any of the regulations.  For example, having an email accidentally be sent to someone who has indicated in their lead record that they're not from an EU country, when in fact they are.  In this case, I wonder if we would be protected based on the information contained in the record (depending if the data was submitted by the recipient; or collected through some third-party source (e.g., entered into CRM by a sales executive)).

Dan_Stevens_
Level 10 - Champion Alumni

Here is an additional response from our legal counsel:

pastedImage_0.png

I'm very surprised by the scenario highlighted in yellow.  I wouldn't think that would apply since the person is not a citizen, nor a resident of the UK.

Dan_Stevens_
Level 10 - Champion Alumni

I replied back with the following (highlighted in yellow) and got another somewhat confusing response:

pastedImage_0.png

Dan_Stevens_
Level 10 - Champion Alumni

I was having a conversation with our NA Marketing leader this morning - since GDPR is going to impact them now (primarily in the US, as CAN-SPAM will be replaced with GDPR).  She just finished up an Ethics call and noted - while we were discussing how this could have huge economic impacts across the world (fines of $20,000,000 or 4% of global revenues - whichever is larger - for each offense) - there will be dedicated people/prosecutors in place to actively find/determine who is in violation.  These folks will be compensated on a commission type plan and therefore will be motivated to find offenders.  It's going to be like a witch hunt!

Trish_Keenan1
Level 2

Hi Dan,

Once the Canadian CASL law was becoming imminent, we implemented a whitelisting and double opt-in campaign for Canadian customers and prospects that we are now rolling out across the EU. We added the second opt-in field and a datestamp to the database to record it.

I didn't know the piece about country of citizenship. That's an important consideration that I'll share back with my team. I look forward to Marketo's response here. Thanks!

Dan_Stevens_
Level 10 - Champion Alumni

Hi Trish - we use a similar approach for our opt-in process (you can see our detailed approach in this thread: Re: Express Opt-In Checkbox on Forms - CASL Compliance).  But that does us no good if we are forced to delete the lead record (where all of this data exists).  I suspect we'll just need to create a formal process to capture these sorts of requests outside of Marketo.

Anonymous
Not applicable

It's a fun requirement, isn't it?  The "right to be forgotten" has an implicit requirement that we remember you - just everything about you.  I'm looking at a combination of CRM + external data store to keep this information, but I'm surprised there's been nothing from Marketo on this, or a more formal opt-in/out structure in general.

Dan_Stevens_
Level 10 - Champion Alumni

I, too, am surprised at the lack of info from Marketo.  During our steering committee call, we were asked to get Marketo's PoV and a roadmap of enhancements/changes to help their customers comply with GDPR come next May.  Unfortunately, I was able to provide nothing.  I'd have to think a good percentage of their customers will be impacted by this - even those that don't physically reside in Europe.  Just look at the number of views this thread has received.

Trish_Keenan1
Level 2

True! I don't want another manual/outside of Marketo process. I hope this, too, can live on as the unsubscribes do.

Darrell_Alfons2
Level 10 - Champion Alumni

Good question, I'm glad you are bringing it up.

I'm curious too, as we are marketing pretty heavily in the EU.

Dan Stevens or anyone else, are you starting to make any changes on your EU lead gen forms? Disclaimers, opt in buttons or anything?

Casey_Grimes
Level 10

I'm still going through some legal reading to figure out a full path forward, but thus far the only thing that seems significantly different that I haven't seen mentioned thus far is explicitly capturing the consent language presented to the person at the time they opt-in.

There's some more specific bits around DPO delegation, notifying about third parties who send communication on your behalf, rewording of legal consent language, but those aren't nearly as universal and only selectively apply to companies.

I am particularly interested in the fact that third parties can revoke consent on behalf of others, which may lead to opt-out registers--and managing all of that is going to be very interesting to say the least.
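To make the record-keeping discussed above concrete (Trish's opt-in field plus datestamp, Casey's point about storing the exact consent language shown, and the question of evidencing a deletion once the lead record is gone), here is an added example of a minimal consent ledger. It is illustration only, not Marketo's or Avanade's code; the pseudonym key, addresses and consent wording are constructed values.

```python
# Added example (not Marketo's code): proof of opt-in kept with the record, and
# after erasure only a keyed hash of the address plus the erasure time remains.
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

PSEUDONYM_KEY = b"constructed-example-key"  # assumption: per-tenant secret held outside the ledger

def pseudonym(email: str) -> str:
    # keyed hash of the normalised address: an erased person can be matched again
    # without the ledger holding the address itself
    return hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

@dataclass
class ConsentRecord:
    email: str
    consent_text: str   # exact wording shown at the moment of opt-in
    source: str         # e.g. the form URL, or "sales-entered" for CRM-sourced data
    opted_in_at: str    # ISO 8601 UTC timestamp

@dataclass
class ConsentLedger:
    active: dict = field(default_factory=dict)    # pseudonym -> ConsentRecord (holds PII)
    erasures: dict = field(default_factory=dict)  # pseudonym -> erasure timestamp (no PII)

    def record_opt_in(self, email, consent_text, source, when=None):
        key = pseudonym(email)
        when = when or datetime.now(timezone.utc).isoformat()
        self.active[key] = ConsentRecord(email, consent_text, source, when)
        return key  # an earlier erasure stays in the log; this is a fresh consent event

    def erase(self, email, when=None):
        # right to be forgotten: drop every stored field, keep only proof that we did
        key = pseudonym(email)
        self.active.pop(key, None)
        self.erasures[key] = when or datetime.now(timezone.utc).isoformat()
        return key

    def may_contact(self, email):
        key = pseudonym(email)
        rec = self.active.get(key)
        if rec is None:
            return False
        erased = self.erasures.get(key)
        return erased is None or rec.opted_in_at > erased  # consent must post-date erasure

    def proof_of_consent(self, email):
        rec = self.active.get(pseudonym(email))
        return None if rec is None else (rec.consent_text, rec.source, rec.opted_in_at)
```

The erasure log can live outside the marketing platform, so the evidence of a deletion request survives even when the lead record itself does not.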

Dan_Stevens_
Level 10 - Champion Alumni

managing all of that is going to be very interesting to say the least

you mean a NIGHTMARE! 😉

Dan_Stevens_
Level 10 - Champion Alumni

Hi Darrell - we're about to deploy opt-in functionality on all of our forms (not just those where strict anti-spam legislation exists).  Similar to the opt-in checkbox/language that you see here on our Canada contact-us form: Contact Us | Avanade Canada

There has also been some discussion around a subscription center as well as a way for users to opt-in/out of the ability to be tracked on our websites.  Today, we bring up a banner at the bottom of the page for first time (non-cookied) visitors that says "By using this site, you agree that we can place cookies on your device. See our Cookie Policy for details."  This sort of implied consent is not compliant with GDPR.