Like most marketers, we are trying to ensure we are in compliance with GDPR. I keep reading that GDPR compliance needs to come in the form of an unchecked checkbox on forms to show 'explicit consent'. However, I have yet to see this in practice. Below is an example landing page from Salesforce. As you can see, when you select an EU country (France for example), they offer a checkbox to opt into email marketing, but the GDPR disclaimer simply states that by completing the form and submitting, you are giving consent to have your information stored:
By registering, you confirm that you agree to the storing and processing of your personal data by Salesforce as described in the Privacy Statement.
Salesforce Example: https://www.salesforce.com/form/events/webinars/form-rss/1662434?d=cta-header-7
Thanks in advance!
In the form you linked to, if you submit, you give consent for the storage of your data. You still need to check the box to give consent to receiving emails.
This is an interesting application of the 2 consents that needs to be given for the GDPR:
The second consent it pretty straightforward but the first one its difficult to comply with: if you do not consent to the storage of your data and you fill out the form, there is a contradiction since, behind the form, there is a (probably Pardot) database... Salesforce has solved this with this secondary mention, separated from the first one.
Most of the companies I see link the 2 consents to the first checkbox and have a hard time anonymizing data.
Thanks for the example though. Very interesting.
I've seen multiple versions of similar forms to what Salesforce is doing although their language is more upfront then some of the others in terms of consent to have your data stored. Most of my clients (B2B) have determined that processing this way is compliant with GDPR. Glad to see that Salesforce agrees.
After multiple discussions with our Legal team, please find below the approach that we are taking for GDPR:
2. We will have a checkbox in all our forms(both web and Marketo forms( will also have a link to privacy and cookie policies)) which will be a required field globally that will have a verbiage catering to both expressed consent and data processing needs. If they do not provide their consent they will not be able to submit any form so we will have new users who have provided consent in our db going forward.
3. Initially we thought of doing an Opt-in campaign for GDPR but our Legal team has advised us not to do so and as we are B2B and we have acquired these contacts based on their legitimate interest we can continue sending communications to these till they opt-out using our unsubscription link or preference center.
can you maybe elaborate more on the argumentation behind the link B2B-legitimate interest-no need for explicit consent?
I would be quite cautious with the use of legitimate interest. What it means is not clearly defined by the GDPR and whether it's the legitimate interest of the person/visitor or the legitimate interest of the vendor is not even explicit.
What I want to say is that only the first jurisprudence will tell us what it means.
Also, with regards to the B2B, for the moment, no detailed application notice have been issued by the compliance agencies. The only thing we know is that when the issue one, it will be agreed between the 28 countries. Meaning it's likely it will comply with the past habits of the strictest ones (Germany) rather than the coolest ones (UK, France).
Yes, this is similar to what we were advised; there is room for some types of communication with your customers, where there is contract-based relationship, however for things like profiling you need consent. Still, I am interested to hear different explanations and argumentations.
Sorry for the delayed response. What i meant by legitimate interest in our scenario is as we do B2B business, our legal team mentioned that if we have acquired them previously, we would not need them to provide their explicit consent going forward. Recent update to our efforts to be in compliance to GDPR involves us to just have updated privacy and cookie policies on our website and have GTM on our Marketo LPs and have people accept those and if they did we will consider them as opt-in and capture date and time stamp for their form submission and as per the regulators, they would be interested in the process we are following and the date and time stamp for when we acquired them in the system and nothing else.
I feel we will learn and know more as we go and am just waiting to see how it all plays out after 25th.