7 Replies Latest reply on Mar 1, 2018 7:58 AM by Grégoire Michel

    Behavioral Tracking  with GDPR

    Sule Arifagaoglu



      Let's say, I have consent (double opt-in) from a person who lives in Europe or who has an EU citizenship.


      Can I track their behavior such as opened an email or clicked an email since s/he gave me a consent?


      Does anyone know?

        • Re: Behavioral Tracking  with GDPR
          Dan Stevens.

          Hi Sule - first, remove the "who has an EU citizenship" piece.  GDPR doesn't look at citizenship or residency.  It applies to anyone that's IN THE EU.  An American, a Canadian, an Australian, an Italian... everyone.


          When you gain consent on your forms, you should also include a link to your privacy policy that explains - in simple terms - how their data will be used.  Including how you track their behaviors.  This last piece is part of cookie consent.  Any time a first time visitor visits your site (including Marketo landing pages), you will need to surface a banner of some sort that explains how you use cookies "to optimize their experience while visiting your site".  This banner must also include the ability for the user to opt-out of this - either from ALL cookies or by accessing a cookies preference center where they can select specific cookies to disable (some cookies can't be disabled - those are considered "functional" cookies.  Marketo is not a functional cookie).


          Have a look at these two great posts that include additional detail to what you're asking:


          GDPR: A Game Changer for Marketing Operations

          Marketing Strategies to Thrive in a GDPR World

          1 of 1 people found this helpful
            • Re: Behavioral Tracking  with GDPR
              Sule Arifagaoglu

              Thanks Dan for your prompt response. 


              My understanding was that it applies to anyone that's in the EU and  it includes also "who has an EU citizenship" -it doesn't matter they live in Europe or not - that's why me any my organization will apply GDPR standards to not only Europe but globally.


              Please see below;

              "The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site. "


              "Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process 'in context of an establishment'. This topic has arisen in a number of high profile court cases. GPDR makes its applicability very clear - it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU. "


              These statements have been taken from www.eugdpr.org


              Please correct me if my understanding is wrong.

                • Re: Behavioral Tracking  with GDPR
                  Dan Stevens.

                  Yes, if the EU citizens are also in the EU, then GDPR applies to them.  And realistically, this is the primary audience.  But there are circumstances where GDPR does not apply - take this example:


                  A German citizen lives in NY and works for JP Morgan/Chase.  This person also exists in our marketing database.  Since he/she is not in the EU, GDPR does not apply to them and we must only consider the US CAN-SPAM laws when marketing to this person.

              • Re: Behavioral Tracking  with GDPR
                Mihaela Bisnel

                Hi Sule,

                There are website compliance software solutions that can present the website visitor with the choice to allow or block cookies by type. For example, they scan your website on a regular basis and present the visitor with an update list of cookies. They inform the visitor what the cookie does and allows them to both give and withdraw consent. As long as they give consent to your Marketo tracking cookie - you can use that.

                If this sounds like it may be of interest message me for more details mb@ittrust.eu.

                Best of luck!

                Mihaela B