Re: GDPR - option to not capture / keep email address etc?

Thanks Michelle! So what I've done for the moment is three separate fields:

1. Consent for processing (hidden field)

2. Consent time and date token

3. Consent notes (action they took - ex downloading white paper ABC)

On the bottom of forms, I have put "*Required: Content will be emailed to you. The information you provide will be used in accordance with the terms of our privacy policy." (Privacy policy is linked.)

After they fill out the form, the consent for processing is now "Yes". Field 2 and 3 also fill in.

They will not be added to any mailing lists - hoping this is the good way to go.

Hi Jenn -

I track data consent and email consent separately using the following fields:

- Email Optin, Email DateTimestamp, Email Optin Source, Email Optin IP Address

- GDPR Processing Rights, GDPR Processing Rights DateTimestamp, GDPR Processing Rights Source, GDPR Processing Rights Notes

A couple things to call out with that - I call it data rights, not consent. Because you could have rights through consent or legitimate interest.

Also, the source could be the same as the email opt-in source. I like keeping the source separate from notes, because then I can include normalized phrases that I can filter off of in smart lists to encompass different scenarios, ie "Retain for 30 days only", or "Limited Processing Rights: No Scoring or Enrichment"

For a whitepaper example, I think you could simply have the opt in language on the form ie:

<unchecked, non-required checkbox> I would like to receive more <type of communication/information> from <company name>. I understand and agree to the privacy policy. <link privacy policy>

Then you have full optin and data consent if you have a robust privacy policy. This info can then populate all fields. If the opt in is ignored, your data rights fields only would be populated, something like this:

- GDPR Processing Rights = Yes

- GDPR Processing Rights DateTimestamp

- GDPR Processing Rights Source = Legitimate Interest from Whitepaper Form Download

- GDPR Processing Rights Notes = No processing unless consent obtained, Retain for 30 days only

Then in the email with the whitepaper you can again invite the user to subscribe by directing them to a optin/subscription page and form. If not response, delete after 30 days. In the mean time, marketing suspend, and populate a marketing suspend reason with something to the effect of 'no email consent'.

Does this help?

I will be speaking in detail on this at Summit if you're interested.

Thank you for your response Sanford Whiteman​

I am re-reading the GDPR pdf from Marketo. It is quite helpful with understanding the different ways of consent: https://www.marketo.com/ebooks/the-gdpr-and-the-marketer/

(I'm sorry to bombard you with these questions if you are unsure. But thought to continue on this thread in case someone else has the answer)

1. Page 9: a disclaimer that these fields are required and the person is acknowledging they agree to our privacy policy. Fine and dandy. Is it then ok to have this persons information and it is up to them to update their preferences on our preference center (which will be on the bottom of a confirmation email etc?)

Is it then ok to have this persons information and it is up to them to update their preferences on our preference center (which will be on the bottom of a confirmation email etc?)

Thing is, it's all still fuzzy as far as technical implementation. Even a not-lying-we-really-do-GDPR law firm won't understand checkboxes and pre-fill and so on.

Are we denying people access to change their preferences, by simply making them go to your Preference Center instead of displaying them in every single place we can? It's undeniable that we're discouraging them based on what we could technically offer them, but whether that rises to an illegal level of denying, who knows? It used to be fairly clear that a method of unsubscribing needed to be easy to find and, um, not fake. Now we worry that we aren't prominently featuring the Uninstall button, so to speak.

I think overall (like Greg says) people underestimate how severe the consequences are of the strictest interpretation of the GDPR.  If you want to stay incontrovertibly legal, unlike the supposedly "drop dead easy" suggestion above, you must not process forms at all.  Perhaps if your form posted to an anonymous web service, and data only existed in memory for as long as it took to send an email (you could only attempt to send it one time, since after that you've implicitly stored the data!) maybe that would pass muster.  Not that we can do that with Mkto, though.

I like this idea: to be compliant, simply remove all forms from your web site !

Hi Jenn

The GDPR, taken rigorously, would require that you in fact have 2 opt-in fields:

• One consent field for the daqta storage. In fact, this one could event be made mandatory (if one does not consent, they cannot submit the form since they do not authorize you to store their, not even 1 minute)
• One consent field for the various treatment you might do with the data, first of which is sending emails

The issue is that no one wants to multiply the number of consent fields, so people are merging all of them in only one fields that covers all the consents thus creating the misunderstanding and grey zone pointed out by Sanford.

Until Marketo implements these ideas, and especially this one, most Marketers and DPOs I work with will go for a smart campaign based anonymization, knowing that you can still reengineer the data for 90 days (after which the Data Value Change activities are discarded by Marketo, per their retention policy that will become applicable next august).

-Greg

Greg, by "smart campaign based anonymization," do you mean a Smart Campaign that replaces all the "personal" data with default values?

Yes, this is it.

But you need to be aware that the activity log will still enable to retro-engineer the data for 90 days.

-Greg

Not just data, but completely clearing the activity history (which includes all the data necessary to reproduce the lead) using a Flow step. Returning the person to the same place they'd be as an anonymous lead.

Thanks Grégoire Michel​!

Pardon my naiveté, but I thought making that field required was not allowed under the law? Or is that just for sending marketing emails?

Making the field opt-in field mandatory is not allowed unless the optin is required to process the associated service. In the case of the optin to store the personal data, if you no not have this opt-in, then the data cannot even enter Marketo and therefore, one should not be allowed to submit the form... But this is only possible if the data storage opt-in is separated from the other opt-ins.

-Greg