18 Replies Latest reply on Jan 25, 2018 10:50 AM by Dan Stevens

    GDPR and Hidden Fields

    Macarena Mazzeo

      Hi All,

       

      Under the GDPR there are 2 main points that caught my attention:

      • Purpose limitation - data can only be used for the purpose specified at collection
      • Data minimisation - limit the amount of data collected to what is necessary to serve the purpose for which it's collected

       

      Do you think these points will affect the use of hidden fields as the user won't be aware of certain data we are collecting?

       

      Thanks!

        • Re: GDPR and Hidden Fields
          Erik Heldebro

          Hi Macarena,

          This is an interesting topic. If you think about it, there are more data fields aside from hidden fields on a form, such as lead score fields which are constantly updated in the background. I see it more as a data processing opt-in on a form. You will need to do a clear documentation of the data you are processing to be compliant.

           

          It would be interesting to hear what others have to say on this topic.

           

          /Erik

          1 of 1 people found this helpful
            • Re: GDPR and Hidden Fields
              Dan Stevens

              Background processing - like behavioral scoring - is also the result of being able to properly TRACK this engagement as users interact with our digital properties, campaigns and content.  Unfortunately, under GDPR, it sounds like we'll now need to block ALL cookies by default (including Munchkin) until a user has given their consent to install these cookies on their browser.  This is significant.  Think about it - would you provide your consent on every site you visit to the multitude of cookies that can be installed?  Heck no.  Serving up pop-ups like this is really going to degrade the overall customer experience (and have a significant impact on our ability to use Marketo - and other marketing automation platforms - like we do today).

               

              2 of 2 people found this helpful
                • Re: GDPR and Hidden Fields
                  Macarena Mazzeo

                  Hi Dan,

                   

                  Thank you very much for this valuable insight, I really appreciate it.

                  This is very concerning. I thought we would be able to use Munchkin as long as we put in every form a field that allows customers to opt-out. But you are saying it's the other way around, that we won't be able to use Munchkin unless they have given us their explicit consent.

                  I know Marketo provided a GDPR webinar but it was very high level, without getting into the actual details. We need a very detailed explanation of measures needed to be taken to ensure we are 100% compliant.

                   

                  Thanks,

                  1 of 1 people found this helpful
                    • Re: GDPR and Hidden Fields
                      Dan Stevens

                      I posted some questions during that webinar - and while they weren't addressed during the webinar, our CSM got some of the answers for me.  Specific to cookie consent, this is the reply we received from Marketo (it's important to note that you should also be having these conversations with your legal teams as you work toward GDPR compliance):

                       

                      The GDPR regulation only makes a single reference to cookies, however what is said is important - when cookies can identify an individual via their device, it is considered personal data and so governed by GDPR, hence the questions below. Two points:

                       

                      1. The ePrivacy Regulation governing cookies and other tracking technologies is still in draft form and should be monitored closely for further guidance.
                      2. Consent for cookies that can identify an individual will need to be gained, so that landing on a site for the first time, those cookies have to be blocked until the user takes some action that they are giving their consent.

                       

                      The exact interpretation of this needs to be made by them in conjunction with their own legal team, we cannot offer legal counsel. The mechanisms for how to manage cookie tracking for Marketo are captured in the Practical Guide.

                      6 of 6 people found this helpful
                      • Re: GDPR and Hidden Fields
                        Erik Heldebro

                        I didn't have a chance to watch the webinar although I was pleased to see this guide they posted which, although not fully encompassing all requirements, does address some examples of hands-on processes for GDPR in Marketo: The GDPR and The Marketer: A Practical Guide for the Marketo Customer

                  • Re: GDPR and Hidden Fields
                    Macarena Mazzeo

                    I found the below in a SiriusDecisions report, and thought it might be useful for everyone: https://marketplace.siriusdecisions.com/Blogs/GDPRIsComing5MarketingAutomationPitfalls

                     

                    Here are five important – but often unexpected – danger areas:

                    1. MAP “data management campaigns.” Although marketing automation has encouraged systematic data embellishment and “use your data to create new data,” companies must now ensure all such activity is declared. Data from the past will need to be audited, and marketers are responsible for future updates and the outputs of any new or existing automated procedures.
                    2. Reverse IP tracking. As marketing automation has found its pivotal and permanent place in the hearts of our businesses, reverse IP tracking has become part and parcel of everyday prospecting. Before GDPR, this was somewhat of a gray area – but now it's crystal clear. Marketers must seek consent before storing and processing an individual’s IP address.
                    3. Lead scoring. Scoring programs provide marketers with ready-made segmentation and an engine to automatically send leads to sales. In GDPR terms, this type of processing constitutes profiling, and marketers must have consent to do it. Across the aisle in sales, propensity-to-buy calculations may also be hard at work in a sales force automation system. If this is used to profile for followup then, once again, permission must be granted.
                    4. Reactivation programs. Marketers regularly seek to jump-start old databases by running reactivation programs for individuals inactive for months or even years. Unfortunately, under GDPR, individuals who have not opted in recently to communications cannot be contacted in this way.
                    5. Record disposal. Finally, something outside of all marketers' comfort zone. If you do not have consent to store and process an individual's data, you must delete what you have. This applies to records accumulated over time but lacking opt-in, as well as to individuals who withdraw consent.

                    Thanks.

                    3 of 3 people found this helpful
                      • Re: GDPR and Hidden Fields
                        Dan Stevens

                        Thanks for sharing, Macarena. These points are super important and relevant for almost all of Marketo’s customers (even if businesses don’t operate in the EU). As I’ve been saying, GDPR is really going to restrict our use of Marketo (and other MAPs) as we’re used to doing today.

                         

                        Given the significance of this insight you shared, it probably deserves its own post (and not as a comment within an existing thread about forms, marked as “answered”).

                        • Re: GDPR and Hidden Fields
                          Mark Knight

                          My understanding of the Profiling restrictions is that you need to allow the user the right to OPT-OUT (assuming the profiling is tracking based for direct marketing purposes and not making an automated decision on user from a contractual perspective).

                           

                          When processing is for direct marketing purposes, including profiling, the data subject similarly has a right to object but in this case processing must cease and the controller is not authorized to continue under any circumstances.

                           

                          REF:  Top 10 operational impacts of the GDPR: Part 5 - Profiling

                           

                          My reading of this is you need a new banner to Preference management, that will allow an initial visitor the right to opt-out of Profiling (that will deactivate the anonymous tracking on your site)

                           

                          (I am not a lawyer etc..., but I will be raising this issue with a German lawyer I am working with to determine how we need to change our website processes)

                          - this thread is very timely - thanks.

                           

                          <<<< UPDATE following discussion with lawyer >>>>

                          GDPR does not make the need for cookies/tracking to be opt-in. This remains opt-out via the preference centre as mentioned above.

                          What could POTENTIALLY make tracking opt-in is the e-privacy regulation, that is still currently in draft form, although scheduled for release the same time as GDPR it is generally considered it will not be launched at the same time as it is still under review following the public consultation period.

                          Summary report on the public consultation on the Evaluation and Review of the ePrivacy Directive | Digital Single Market

                           

                          How to deal with cookies?

                          77% of citizens and civil society and 70% of public authorities believe that information service providers should not have the right to prevent access to their services if users refuse the storing of identifiers, such as cookies, in their terminal equipment. Three quarters of industry on the other hand disagree with this statement.

                          1 of 1 people found this helpful
                            • Re: GDPR and Hidden Fields
                              Dan Stevens
                              GDPR does not make the need for cookies/tracking to be opt-in. This remains opt-out via the preference centre as mentioned

                               

                              Been hearing both sides of this.  But to hear this come from a German lawyer, is encouraging!

                               

                              I think what people need to realize is that the way many sites today (including ours) notify visitors (in specific countries, where applicable) that "By using this site, you agree that we can place cookies on your device. See our Cookie Policy for details." - along with an "X" to close out the banner/window.  And that action (closing the banner/window) is providing implied consent and that the visitor agrees to have cookies placed on their device.  This approach is completely non-compliant under GDPR.  Instead, you must give users the ability to opt-out and continue to navigate your website.  Using tools like OneTrust - which is the cookies preference center I posted above - will allow the user to opt-out of specific cookies and give you the ability to note which cookies cannot be disabled in order for the site to function properly.

                          • Re: GDPR and Hidden Fields
                            Robert Nicholson

                            In a similar vein of thought - as far as I know you still can't delete fields in Marketo - now that we are aware we should "only collect the data we need" - it's actually quite important to be able to delete fields and their stored values in Marketo, due to having legacy data, as well as to prevent them from being recorded to by stopping them existing. Does anyone know if this is possible yet? Peter Bell do you know if this is planned?

                              • Re: GDPR and Hidden Fields
                                Dan Stevens

                                Curious as to why you would want to delete a field (rather than just the data within that field)?

                                  • Re: GDPR and Hidden Fields
                                    Robert Nicholson

                                    If we are asked to provide all the data we hold on an individual - and we have fields for "x personal data" - it increases "doubt" it also allows for more mistakes/risk.

                                    So risk mitigation - remove fields so that we can definitely say we only hold the data we need - "data and purpose minimization"

                                      • Re: GDPR and Hidden Fields
                                        Dan Stevens

                                        I suppose this makes sense - to some extent - for some fields; and if your target audience is 100% EU focused and you have no use for that field across your entire instance/database.  But GDPR comes with a variety of consent and different ways to capture/use personal data.  In some instances, you may only be able to capture email address - and nothing else; in other cases, you will require more detail - depending how the data will be used (legitimate interest).  Can you provide an example of a field that you would want to delete?

                                         

                                        If Marketo doesn't provide a way to physically delete a field (and just allow you to "hide" fields), you might want to think about running a batch campaign to clear all data from specific fields and ensure those fields are not contained on any forms or within the spreadsheets/templates that you might use to get data into Marketo.  You could even batch populate an "N/A" or "NOT USED" value in those fields - and then block all field updates to that field.

                                          • Re: GDPR and Hidden Fields
                                            Robert Nicholson

                                            So if you're in an instance with any age (2+ years) you're likely to have redundant fields, from integrations, old approaches, etc. This could vary wildly across different organisations. The risks are:

                                            • Capturing/holding data that you don't want (example - date of birth, national ID for an event etc)
                                            • Making authorities believe you intend to hold data you don't want (empty fields for national ID etc)
                                            • GDPR data requests presenting data you shouldn't have or would regret publishing (think salespersons' comments in a CRM)

                                             

                                            Keep in mind "hiding" data in Marketo is not the same thing as getting rid of it and running multiple batch campaigns to block out fields is risky (aka something can go wrong) hence the question - to increase our ability to manage our databases, will Marketo allow us to delete fields.