 
					
				
		
Hi All,
Under the GDPR there are 2 main points that caught my attention:
Do you think these points will affect the use of hidden fields as the user won't be aware of certain data we are collecting?
Thanks!
 
					
				
		
On a similar vein of thought - as far as I know you still can't delete fields in Marketo - now that we are aware we should "only collect the data we need" - it's actually quite important to be able to delete fields and their stored values in Marketo, due to having legacy data, as well as to prevent them from being recorded to by stopping them existing. Does anyone know if this is possible yet? Peter Bell do you know if this is planned?
Curious as to why you would want to delete a field (rather than just the data within that field)?
 
					
				
		
If we are asked to provide all the data we hold on an individual - and we have fields for "x personal data" - it increases "doubt"; it also allows for more mistakes/risk.
So risk mitigation - remove fields so that we can definitely say we only hold the data we need - "data and purpose minimization"
I suppose this makes sense - to some extent - for some fields; and if your target audience is 100% EU focused and you have no use for that field across your entire instance/database. But GDPR comes with a variety of consent and different ways to capture/use personal data. In some instances, you may only be able to capture email address - and nothing else; in other cases, you will require more detail - depending how the data will be used (legitimate interest). Can you provide an example of a field that you would want to delete?
If Marketo doesn't provide a way to physically delete a field (and just allow you to "hide" fields), you might want to think about running a batch campaign to clear all data from specific fields and ensure those fields are not contained on any forms or within the spreadsheets/templates that you might use to get data into Marketo. You could even batch populate a "N/A" or "NOT USED" value in those fields - and then block all field updates to that field.
 
					
				
		
So if you're in an instance with any age (2+ years) you're likely to have redundant fields, from integrations, old approaches, etc. This could vary wildly across different organisations. The risks are:
Keep in mind "hiding" data in Marketo is not the same thing as getting rid of it and running multiple batch campaigns to block out fields is risky (aka something can go wrong) hence the question - to increase our ability to manage our databases, will Marketo allow us to delete fields.
 
					
				
		
Also wanted to chime in here.
Clearing data from fields via batch campaigns would only provide the appearance that the field no longer holds any data. However, previous data entries could still be accessed and extracted by diving into the person's activity history or via the Marketo REST API. Based on the language of GDPR, I'm assuming that a permanent deletion of this data is required, meaning that clearing the data or blocking field updates would not drive compliance. Thoughts?
Great point, Brian.
I have had an idea in to the Marketo product team for a few years now on deleting Marketo fields. I asked when and if it could be implemented during the last Summit, and what was mentioned is that they are working on it, but do not have a timeline on when it will occur.
 
					
				
		
I found the below in a SiriusDecisions report, and thought it might be useful for everyone: https://marketplace.siriusdecisions.com/Blogs/GDPRIsComing5MarketingAutomationPitfalls
Here are five important – but often unexpected – danger areas:
Thanks.
My understanding of the Profiling restrictions is that you need to allow the user the right to OPT-OUT (assuming the profiling is tracking based for direct marketing purposes and not making an automated decision on user from a contractual perspective).
When processing is for direct marketing purposes, including profiling, the data subject similarly has a right to object but in this case processing must cease and the controller is not authorized to continue under any circumstances.
REF: Top 10 operational impacts of the GDPR: Part 5 - Profiling
My reading of this is you need a new banner to Preference management, that will allow an initial visitor the right to opt-out of Profiling (that will deactivate the anonymous tracking on your site).
(I am not a lawyer etc..., but I will be raising this issue with a German lawyer I am working with to determine how we need to change our website processes)
- this thread is very timely - thanks.
<<<< UPDATE following discussion with lawyer >>>>
GDPR does not make the need for cookies/tracking to be opt-in. This remains opt-out via the preference centre as mentioned above.
What could POTENTIALLY make tracking opt-in is the e-privacy regulation, that is still currently in draft form, although scheduled for release the same time as GDPR it is generally considered it will not be launched at the same time as it is still under review following the public consultation period.
77% of citizens and civil society and 70% of public authorities believe that information service providers should not have the right to prevent access to their services if users refuse the storing of identifiers, such as cookies, in their terminal equipment. Three quarters of industry on the other hand disagree with this statement.
GDPR does not make the need for cookies/tracking to be opt-in. This remains opt-out via the preference centre as mentioned 
Been hearing both sides of this. But to hear this come from a German lawyer, is encouraging!
I think what people need to realize is that the way many sites today (including ours) notify visitors (in specific countries, where applicable) that "By using this site, you agree that we can place cookies on your device. See our Cookie Policy for details." - along with an "X" to close out the banner/window. And that action (closing the banner/window) is providing implied consent and that the visitor agrees to have cookies placed on their device. This approach is completely non-compliant under GDPR. Instead, you must give users the ability to opt-out and continue to navigate your website. Using tools like OneTrust - which is the cookies preference center I posted above - will allow the user to opt-out of specific cookies and give you the ability to note which cookies cannot be disabled in order for the site to function properly.
Thanks for sharing, Macarena. These points are super important and relevant for almost all of Marketo’s customers (even if businesses don’t operate in the EU). As I’ve been saying, GDPR is really going to restrict our use of Marketo (and other MAPs) as we’re used to doing today.
Given the significance of this insight you shared, it probably deserves its own post (and not as a comment within an existing thread about forms, marked as “answered”).
Hi Macarena,
This is an interesting topic, if you think about it there are more data fields aside from hidden fields on a form, such as lead score fields which are constantly updated in the background. I see it more as a data processing optin on a form. You will need to do a clear documentation of the data you are processing to be compliant.
It would be interesting to hear what others have to say on this topic.
/Erik
Background processing - like behavioral scoring - is also the result of being able to properly TRACK this engagement as users interact with our digital properties, campaigns and content. Unfortunately, under GDPR, it sounds like we'll now need to block ALL cookies by default (including Munchkin) until a user has given their consent to install these cookies on their browser. This is significant. Think about it - would you provide your consent on every site you visit to the multitude of cookies that can be installed? Heck no. Serving up pop-ups like this is really going to degrade the overall customer experience (and have a significant impact on our ability to use Marketo - and other marketing automation platforms - like we do today).
 
					
				
		
Hi Dan,
Thank you very much for this valuable insight, I really appreciate it.
This is very concerning. I thought we would be able to use Munchkin as long as we put in every form a field that allows customers to opt-out. But you are saying it's the other way around, that we won't be able to use Munchkin unless they have given us their explicit consent.
I know Marketo provided a GDPR webinar but it was very high level, without getting into the actual details. We need a very detailed explanation of measures needed to be taken to ensure we are 100% compliant.
Thanks,
I didn't have a chance to watch the webinar although I was pleased to see this guide they posted which, although not fully encompassing all requirements, does address some examples of hands-on processes for GDPR in Marketo: The GDPR and The Marketer: A Practical Guide for the Marketo Customer
I posted some questions during that webinar - and while they weren't addressed during the webinar, our CSM got some of the answers for me. Specific to cookie consent, this is the reply we received from Marketo (it's important to note that you should also be having these conversations with your legal teams as you work toward GDPR compliance):
The GDPR regulation only makes a single reference to cookies, however what is said is important - when cookies can identify an individual via their device, it is considered personal data and so governed by GDPR, hence the questions below. Two points:
- The ePrivacy Regulation governing cookies and other tracking technologies is still in draft form and should be monitored closely for further guidance.
- Consent for cookies that can identify an individual will need to be gained, so that landing on a site for the first time, those cookies have to be blocked until the user takes some action that they are giving their consent.
The exact interpretation of this needs to be made by them in conjunction with their own legal team, we cannot offer legal counsel. The mechanisms for how to manage cookie tracking for Marketo are captured in the Practical Guide.
