Has anybody figured out how to comply with the new Russian law?
Background:
The basics of this law come down to:
-No data shall be stored outside of Russia unless it was first stored in Russia
-No personal data (address details, email, phone numbers) is to be stored on servers hosted within the US, since the US has no agreement with Russia allowing this (Russia still has such an agreement with the EU, but that doesn't apply to us (anymore))
Do we have to stop using Marketo in Russia?
Here's how I (and the legal team at my company) have interpreted the law.
1. You only have to comply on forms that are targeting Russian citizens. So if someone from Russia hits our U.S. website we don't have to comply, because our forms are in English and we are targeting U.S. citizens.
2. On Russian forms you have to ask "Are you a Russian citizen?" If they answer yes, you have to ask in a very specific way if they consent to you storing their personal data on a server in Russia and a server in the U.S. or wherever you're based. Make this field required. If they don't check the box they can't submit the form.
3. If they consent you have to create a mechanism that immediately sends the data to the Russian server on form submit. I'm using a webhook.
There are companies that will sell you server space in Russia so you don't have to have your own physical server there. We are using one of these third parties.
You will have to hide the Submit button if they answer yes to the first question and no to the second. I haven't figured out how to do this part yet. I basically need a visibility rule to hide the button.
I'm just going to make the checkbox mandatory. Wouldn't that work?
Depends on the UX you want... hiding the submit button is an abrupt way to end the lead's journey, but for these leads that's not really a worry.
Thanks for the link to the code snippet.
Hi Tim,
One large Marketo customer is based in Russia and the final decision that was made between the two legal teams was that Marketo was being used for 'Marketing Purposes' and not to house personal data. Definitely a grey area but there were at least 3 other customers who targeted leads in Russia that were able to adopt the same reasoning.
Thanks Wyatt - sorry, lost track of this thread
Reviving this thread.
As of December 2019 ( https://pravo.ru/news/216269/ ), the Russian Parliament has approved updates to the Russian NR 242 Law which increase the fines for failing to meet data localization requirements (that is, storing data in Russia first) up to 18 mln RUB ($240K).
As mentioned before, this change affects those Russian & international companies which collect the personal data of Russian citizens using Marketo forms.
Facebook and Twitter have already been fined for failing to meet the requirements https://www.marketwatch.com/story/russian-court-fines-facebook-twitter-over-data-storage-2020-02-13 - as a warning shot, only 4 mln RUB each ($53K).
We at Leadonance teamed up with leading Russian lawyers with GR experience to provide some insight. Here's a solution that we can recommend, which received legal approval from our team and which was implemented by two software vendors that use Marketo in Russia:
1a) Avoid using native Marketo forms on Russian websites/subdomains/webpages completely and use custom forms instead. The forms would need to:
- write personal data to a database located on a server in Russia and only then
- send new leads to Marketo via REST API. This would require a custom-built solution and a server rented in Russia.
1b) Another solution could be to keep the native forms, but to set up a custom version of the Munchkin code on RU subdomains/website pages instead. The new version of the Munchkin would first write new leads with their personal data to a database located on a server in Russia, receive confirmation that the data has been stored successfully, and only then send the data to Marketo. Evidently this may result in a subpar user experience since the process has to go step by step (and some bells and whistles need to be added, e.g. if the Russian server is down, do NOT write to the Marketo database either but show an error instead), but that's the price to pay if you want to keep using Marketo forms in Russia and at the same time comply with the requirements of the law. We went the other route.
2) Regardless of the technical side of the implementation, you have to get consent for transborder data transfer. Roskomnadzor (the Russian federal body for media & telecommunications) didn't put it in writing, but based on the cases that have already been reviewed, it's recommended to use express consent, just like with GDPR. Bottom line: do not pre-check the checkbox with "I agree to Terms & Conditions" copy, and if you don't have one at all, you really need one. Also, the checkbox being checked should be mandatory for lead submission.
3) And of course, you need to update your terms & conditions to clearly describe where the data would be going - where Marketo servers are located.
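The two technical pieces discussed in this thread are the citizenship/consent gate from Tim's steps 2 and 3 (a Russian citizen who does not tick the transborder-transfer box must not be able to submit) and the "store in Russia first, confirm, only then send to Marketo, and fail closed if the Russian server is down" ordering from Leadonance's options 1a/1b. The block below is an added example written for this thread; it is not Marketo's, Leadonance's or any poster's code. The Russian-hosted database and the Marketo REST client are replaced by hypothetical in-memory stand-ins (with a `down` flag to simulate an outage) so it runs offline; the field names `isRussianCitizen` and `consentTransborderTransfer` are assumptions.

```javascript
// Added example (not code from the thread): fail-closed "localize in Russia first,
// then sync to Marketo" pipeline with the citizenship/consent gate in front of it.

// Checks the two questions a Russian-targeted form has to ask. A Russian citizen who
// did not tick the transborder-transfer consent box must not be able to submit at all.
function gateSubmission(fields) {
  const citizen = fields.isRussianCitizen === true;
  const consent = fields.consentTransborderTransfer === true;
  if (citizen && !consent) {
    return { ok: false, reason: 'citizen_without_transborder_consent' };
  }
  return { ok: true };
}

// Hypothetical stand-in for the database on the server rented in Russia. In production
// this is a network call whose confirmation you wait for; `down` simulates an outage.
class RussianStore {
  constructor(trace) { this.records = []; this.down = false; this.trace = trace; this.nextId = 1; }
  write(lead) {
    if (this.down) throw new Error('ru_store_unavailable');
    const record = { id: `ru-${this.nextId++}`, ...lead, storedAt: new Date().toISOString() };
    this.records.push(record);
    this.trace.push('ru:write');
    return { id: record.id }; // the confirmation the rest of the pipeline requires
  }
}

// Hypothetical stand-in for a Marketo REST client. The real one would POST the lead to
// the Marketo leads endpoint; here we only record what would have been sent.
class MarketoStub {
  constructor(trace) { this.calls = []; this.trace = trace; }
  syncLead(lead) {
    this.calls.push(lead);
    this.trace.push('marketo:sync');
    return { status: 'created' };
  }
}

// Orders the work so Marketo is never written unless the Russian copy was confirmed.
function submitLead(fields, ruStore, marketo) {
  const gate = gateSubmission(fields);
  if (!gate.ok) return { accepted: false, reason: gate.reason };

  const lead = {
    email: fields.email,
    firstName: fields.firstName,
    lastName: fields.lastName,
    phone: fields.phone,
    isRussianCitizen: fields.isRussianCitizen === true,
    consentTransborderTransfer: fields.consentTransborderTransfer === true,
  };

  // Step 1: localize. Any failure here ends the submission with an error and
  // nothing reaches Marketo (fail closed, as the post recommends).
  let confirmation;
  try {
    confirmation = ruStore.write(lead);
  } catch (err) {
    return { accepted: false, reason: `localization_failed:${err.message}` };
  }
  if (!confirmation || typeof confirmation.id !== 'string') {
    return { accepted: false, reason: 'localization_unconfirmed' };
  }

  // Step 2: only now send the lead to Marketo, carrying the Russian record id for audit.
  marketo.syncLead({ ...lead, ruRecordId: confirmation.id });
  return { accepted: true, ruRecordId: confirmation.id };
}

// Stand-alone demo on constructed input: one accepted lead, one blocked by the
// consent gate, one rejected because the Russian store is down.
function demo() {
  const trace = [];
  const ru = new RussianStore(trace);
  const mkto = new MarketoStub(trace);
  const ok = submitLead({ email: 'ivan@example.ru', firstName: 'Ivan', lastName: 'Petrov',
    isRussianCitizen: true, consentTransborderTransfer: true }, ru, mkto);
  const blocked = submitLead({ email: 'olga@example.ru', isRussianCitizen: true,
    consentTransborderTransfer: false }, ru, mkto);
  ru.down = true;
  const outage = submitLead({ email: 'anna@example.ru', isRussianCitizen: false }, ru, mkto);
  return { ok, blocked, outage, trace, marketoCalls: mkto.calls.length, ruRecords: ru.records.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

The order is the whole point: the trace for the accepted lead reads `ru:write` then `marketo:sync`, the blocked citizen never reaches either store, and the outage case returns an error with zero Marketo calls. On a page that keeps native Marketo forms, the same gate belongs in the Forms 2.0 `onValidate` handler, with `form.submittable(false)` used to stop submission instead of hiding the button by hand; the localize-then-sync step would then replace the direct form post, as option 1b describes.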