Re: Requests for consent must be freely given, specific, informed and unambiguous by a statement or by a clear affirmative action

Dan_Stevens_
Level 10 - Champion Alumni

I recently came across an example where I was registering to download content and the site required me to tick the opt-in checkbox - while submitting the form - in order to download the content: 16 Tips to Capture Marketing Consent for GDPR – CleverTouch.

I used their chat feature to inquire about this since much of what we've learned is that you cannot make the ticking of the opt-in checkbox required.  The response I received was as follows:

The GDPR legislation talks about a "balance" in the exchange when it comes to opting-in - we take the view that if we're giving away content for free, there is a balance that you will provide us something in return. If you don't want to provide us that then that's OK - you just won't get the content.  As another example, if this was a paid for event then we wouldn't capture opt-in as well, as that would indicate an imbalance (revenue + an opt-in for 1 event registration).

Again, just wanted to share yet another interpretation/implementation of the GDPR laws.  Thoughts?

Michelle Miles

Grégoire Michel

Michelle_Miles3
Level 9 - Champion Alumni

Dan Stevens, our counsel has said that you can't bundle or "buy" consent with content. I would not recommend an approach like the one described above.

Michelle Miles
Grégoire_Miche2
Level 10

Hi Michelle,

Yes, this was the meaning of my comment above and all the lawyers tend to agree on this one (at least we have one question on which they all agree).

-Greg

Dan_Stevens_
Level 10 - Champion Alumni

Randy Davis offers yet another perspective in this thread (halfway down, dated April 4): Marketing Strategies to Thrive in a GDPR World

Liz_Davalos
Level 3

Not to add fuel to the fire, but a person is still being tracked in Marketo even if you don't include a token on a link and therefore that would violate GDPR unless I'm misunderstanding what people are talking about here. While I personally agree that we shouldn't have to provide free content without receiving the data it does seem that GDPR requires this. I'd say they may be crossing other legal lines there though and they may have to amend that (maybe what that company is banking on). The whole way a free market functions is you get something for your work, requiring it be given away freely breaks that so I can see some lawyer finding a leg to stand on. We're about 99.9% US so for me receiving our emails and being tracked go hand in hand, I can't give one option without the other. They can choose to subscribe all they want, but if they don't also consent to tracking they won't get emails. They simply cannot be a subscriber and not be tracked. We're making that clear for EU residents...

SanfordWhiteman
Level 10 - Community Moderator

"but a person is still being tracked in Marketo even if you don't include a token on a link"

What do you mean by "tracked" here?

Clicking an untracked link sent in a Marketo email, opened in a browser that has Munchkin disabled, doesn't leave any extra tracks.

Liz_Davalos
Level 3

I mean that Marketo still tracks opens and the email still exists in Marketo so technically (although barely) they are being tracked and you are still retaining their "personal" data.

SanfordWhiteman
Level 10 - Community Moderator

Not if you turn off open tracking (which would also be turned off for anyone who is set to untracked).

From the standpoint of tracking, there's no trace of what happens after they send their email.

Liz_Davalos
Level 3

Thanks Sanford, that helps. I didn't realize that could be done. Although a template change means every email we have would need to be updated so that's unfortunate.

Dan_Stevens_
Level 10 - Champion Alumni

Is Marketo still tracking activity at an aggregate level (for use in email performance reports; and email link performance reports)?

SanfordWhiteman
Level 10 - Community Moderator

Not any opens or clicks... I mean, obviously the fact that an email was sent is stored -- but that's the same with every email server on earth!

Jason_Hamilton1
Level 8 - Champion Alumni

It sounds to me more like merging of the interpretation of Legitimate interest and consent. This damn regulation has so much gray. I do not think you can force someone to be required to check a box to get the content.

Amy_Goldfine
Level 10 - Champion Alumni

For GDPR we are doing two separate checkboxes (neither is pre-checked). One is for consent to processing, and that is required. The other is consent to direct marketing, and that is optional.

Amy Goldfine
Marketo Champion & Adobe Community Advisor
Anonymous
Not applicable

We're doing the same thing. Consent options must be separate and written in plain English. It was my understanding that consent could not be coupled. It really boils down to three things:

#1 Cookie consent

#2 Consent to marketing

#3 Consent to data processing

We're creating cookie notifiers on our site to handle #1. Consent to marketing #2 is a checkbox which is optional (yes/no) - selecting no still yields the requested content. Consent to data processing #3 (privacy policy acceptance) is a required field for submitting a form.

Grégoire_Miche2
Level 10

Hi Willow,

IMHO, the order should be

#1 Cookie consent

#2 Consent to data processing (better: consent to data storage)

#3 Consent to marketing

Marketing (sending emails) is just one type of data processing.

-Greg

Jason_Hamilton1
Level 8 - Champion Alumni

Have you considered legitimate interest as basis for processing? Is everyone grouping 'processing' as one item or are you getting more granular? And if someone says no to processing, what are you doing with them? Stopping all processing (scoring, normalization, segmenting, tracking, etc.)? Or are you deleting them?

Anonymous
Not applicable

Legitimate interest starts to get into fuzzy territory if you don't also have the consent. You'll want to gather that consent via form or emailed agreement between sales and prospect.

As far as what I'm doing -

Consent to marketing is not given on a content request form. Content is delivered based on "fills out form" triggered campaign. Mark as marketing suspended once email is delivered.

Consent to data processing is revoked (must be given when requesting content as a required field - no data stored without original consent). Turn off sync to sfdc via Marketo. Delete lead from Marketo (not CRM) - clears marketing history. Flag for anonymization in sfdc for product and sfdc admins to handle.

Grégoire_Miche2
Level 10

Hi Amy,

In all strictness, this double consent is what should be done. Most companies are merging the 2 in order to simplify the forms. Which leads to a conclusion: if the person does not consent to be kept in the database, you should delete it or anonymize her immediately. So, if you only use 1 consent box and the person does not consent, you should not only stop sending emails, but also delete the lead or anonymise it. This anonymization issue is one that is listed here: Marketo GDPR Compliance-a summary of key ideas

I am dreaming of a form with a double consent that, when someone does not consent to be stored in the database and submits the form, displays the following follow-up message:

"We are sorry, but we cannot process and send you the link to the requested content since it would require that we store your data in our database, to which you just did not consent."

-Greg

Grégoire_Miche2
Level 10

Hi Dan,

I think that the approach from Clevertouch is not GDPR compliant. Article 7.4 of the GDPR reads:

  1. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

I do not see why a consent is required for the execution of the delivery of the e-book in the Clevertouch case. This is very similar to the discussion on how to interpret the fact that you can send emails to people who are your customers. You can send them emails, but not any email.

Whether or not Clevertouch's approach is really risky ultimately depends on the country your visitors are from and in which EU countries you operate. In Germany I feel the Clevertouch approach is very risky. In France, it's not. To give readers a hint on how strict things can be, a German company was sued (on the previous regulation, not even the GDPR) and fined because the sales people were adding CTAs below their signature in their emails sent from their personal mailboxes...

-Greg

Dan_Stevens_
Level 10 - Champion Alumni

Thanks Greg. This is aligned to our guidance as well. In fact, I would argue that obtaining the data captured on the form is adequate value received - without the need to also require opt-in consent.