GDPR handling of consent to marketing

Grégoire_Miche2
Level 10

Re: GDPR handling of consent to marketing

Hi Carly,

Look at the piece of JS I provided in your other question here: Consent to marketing communications - trigger campaign

-Greg

Anonymous
Not applicable

Re: GDPR handling of consent to marketing

Thank you!

ChristinaZuniga
Level 10 - Champion Alumni

Re: GDPR handling of consent to marketing

Don't unsubscribe someone just because they don't opt in, that should only be used for an affirmative "don't talk to me anymore". Use a separate field to track what level of permission you have (mine is called "permission status"). That way you can have "affirmatively opted in", "affirmatively opted out", "nebulous gray area where they didn't say yes or no and two groups of this, one where I have the right to talk to people (ex: USA people) and one where I don't have the right to talk to people (ex: Italian people).


I can't show you my full workflow (sorry) that tells me logically how each person falls into each bucket, but here's the bottom of that decision tree and the colored boxes are my permission statuses. I made it pretty straightforward in terms of color what is good vs. what is bad , but mostly because this document is for non-Marketo people to understand what our permission means.

I'd recommend something like this so you can logically group people.

pastedImage_0.png

Anonymous
Not applicable

Re: GDPR handling of consent to marketing

Hi guys,

but surely this is GDPR non-compliance...? You say that you add a person's record to your database and if they don't opt in then you don't email them...right?

But surely the Opt-in relating to GDPR isn't about whether you can email them or not, it's about whether you have their consent to process their data - which if they don't opt in, then you don't have their consent, so you can't store/process the data - whether you send emails to it or not. So surely the people who do not opt-in - after a certain number of tries, or a certain period of time passes - must be deleted...not flagged as suspended or unsubbed...

ChristinaZuniga
Level 10 - Champion Alumni

Re: GDPR handling of consent to marketing

Michael Collins​, I have a separate way to processing data opt in so someone can be in my database in any permission level and be opted out of data processing. That's a separate issue.

As for being in the database at all, it depends on your data retention policy. My point in getting to a permission level depending on their requests and their actions actually helps me determine how long I can keep the record. If they are marketing suspended and came in via a Salesforce contact from international sales but aren't in a current opportunity, I have far less time to keep them in my database than if they fill out a form and request sales information. So I'm using my permission status to help me determine how long I'm allowed to keep those records in my database.

You need to review (or create!) a data retention policy that makes sense for your business. If your average deal takes 1 month to close, is it reasonable to keep a new prospect record for 3 days? Probably (#IAmNotALawyer). 1 year? Probably not. Depends on what your lawyers and company decide to do.

Anonymous
Not applicable

Re: GDPR handling of consent to marketing

Ok - maybe I got confused then because I thought this post was about gaining consent, so storing data and emailing it might be 2 different things. Our lawyers have been discussing this for almost a year now! - I think we will end up with a '3 strikes and you're out' policy - so we will attempt opt-in 3 times and if we don't get it then we will delete...

Grégoire_Miche2
Level 10

Re: GDPR handling of consent to marketing

Hi Michael,

  1. Opt-in to store and opt-in to send emails are indeed 2 different things, indeed, and both are required
  2. No one can fill out an online form without being stored in a database somehow, even if only for a few seconds. Therefore, in theory, it should not be possible to fill out a form without optin-in for data storage
  3. some companies (including Salesforce BTW) have resolved this in having a mention one the forms that say that, by filling out the form, people agree with the data privacy policy. Others prefer to have one opt-in field but end up with some huge complexity about removing (which kills reporting) or anonymizing (which cannot be totally done) the data

-Greg

Anonymous
Not applicable

Re: GDPR handling of consent to marketing

Great information here around the flows for consent. Is the opt-in data being stored in SF as the system of record? We are debating whether we need to create new fields in SF to store the opt-in acceptance and date. By default, if they fill out the form with the opt-in checkbox, we know they opted-in. But there is a sense this should be captured and stored in SF.  And the SF admin does not want additional fields unless really necessary. Any recommendations would be greatly appreciated.

Grégoire_Miche2
Level 10

Re: GDPR handling of consent to marketing

Hi Tammy,

Better open a new thread than reopening an old one

Marketo is better system of record than SFDC, because it does a better job in loging the source of the consent. Fills-out form activities in Marketo provide detailed data abut date time, all the values entered AND the ip address. It cannot be tempered with, meaning that it can be used as a proof of consent. In SFDC, depending on the rights, it's almost impossible to guarantee that you will not end up with someone being opt-in without a proof of their consent.

-Greg

Anonymous
Not applicable

Re: GDPR handling of consent to marketing

Thank you for your helpful response, I will open a new thread!