GDPR Update December 2017

Update: New GDPR Information

To be in line with GDPR requirements, we’ve made several updates to ActiveCampaign since December 2017. You can view these updates, and all future updates and resources, on our GDPR updates page.

You’ve probably heard about the new requirements that GDPR places on websites. We wanted to share some additional details on how ActiveCampaign will be meeting these requirements, what they mean for our users and their customers, and a few suggestions on how you can prepare.
GDPR is a European Union privacy regulation that goes into effect on May 25, 2018. It is a broad regulation that applies to all organizations offering goods and services in Europe, whether or not the organization is located in Europe. In practice, therefore, it applies to essentially every organization with a website that interacts with European residents.
ActiveCampaign will comply with the regulation by the May 25, 2018 deadline. As an ActiveCampaign customer, it’s important that you understand how GDPR affects you and your use of ActiveCampaign’s products and services.

Please note, ActiveCampaign is providing this information for informational purposes only and should not be relied upon as legal advice. We encourage you to consult legal and other professional counsel to fully understand how GDPR applies to your organization and business activities.

In this blog post, you’ll find:

  • General information to help you understand the impact of GDPR, as well as how it may impact your email marketing, marketing automation, and sales automation activities. 
  • Insight into how ActiveCampaign is preparing to comply with GDPR and updates concerning compliance.
  • Guidance on steps you can take to prepare for GDPR as far as your email marketing, marketing automation, and sales automation processes are concerned.

What is GDPR?

The General Data Protection Regulation (“GDPR”) is an EU privacy regulation that is intended to strengthen and harmonize EU data protection laws and enhance individuals’ rights to their personal data. GDPR expands the scope of what is considered personal data and imposes additional obligations on data controllers and processors intended to strengthen protections for personal data of EU residents and help them control and manage what happens to this data. 

Who does GDPR apply to?

If you have a website that collects or processes personal data of EU residents, then the GDPR will apply to you and your processing of this personal data. It does not matter what industry you work in, whether you’re a B2B or B2C business, whether you’re for-profit or non-profit, whether you’re based in the EU or not, or whether you’re specifically targeting EU customers or not. If it’s possible for your organization to collect personal data from an EU resident, even unintentionally, you’ll need to comply, and it’s important that you familiarize yourself with the various obligations of the GDPR.

By what date do I need to comply with GDPR?

May 25, 2018. Although that date may seem distant, we recommend understanding and familiarizing yourself with the GDPR now so that you’re aware of the changes you’ll need to make and can plan accordingly.

What are some of the changes GDPR brings?

GDPR brings expansive protections for the personal data of EU residents. There are new privacy rights, stricter consent requirements, and more transparency regarding how data is used and processed after it’s collected.

Data subject rights

GDPR creates some new privacy protections for individuals:

Right to rectification – Individuals can ask that their information be updated or corrected.
Right to be forgotten – Individuals can ask that their information be permanently deleted.
Right of portability – Individuals can ask to have their information transferred to another organization.
Right to object – Individuals may seek to prohibit certain uses of their personal data.
Right of access – Individuals have the right to know what personal data has been collected about them and how it’s being used.

More stringent consent requirements

GDPR requires that an individual give informed, affirmative consent for each way their personal data will be collected, used, and processed. This means you’ll need to place additional opt-in statements on your forms and websites, and you won’t be able to collect, use, or process personal data until the individual has given that type of consent. You will not be able to rely on pre-ticked boxes, silence, or inactivity as a basis for consent. Also, you’ll be unable to use data in any way other than what you obtained consent for. If you’d like to use the information in a new way, you’ll need to go back to the customer and get their consent.
In addition, these consent requirements will apply to all personal data of EU residents that you currently hold. If you already obtained consent from individuals as required by the GDPR, don’t worry, you don’t need new consents. If, however, the consents don’t meet the new GDPR standards, you will need to obtain new, adequate consents.

More data processing transparency

GDPR requires that individuals are given transparent information about how their personal data is going to be processed, including the specific purpose for collecting the data, how long the data will be retained, and other details.
Note that this is not a comprehensive summary of all the changes GDPR brings. For more information on the key changes coming with GDPR, you can read the full text of the regulation here.

What happens if I don’t comply?

Failure to comply could result in hefty fines. You will definitely want to be sure you’re in compliance ahead of the May 25, 2018 deadline. This is not something you can ignore and you wouldn’t want to put off preparing until the last minute.

What is ActiveCampaign Doing?

ActiveCampaign will comply with GDPR by the May 25, 2018 deadline.
As a customer of ActiveCampaign, GDPR grants you expanded privacy protections and rights. We will be prepared to comply with these regulations and handle requests from you so that you are also in compliance. 

Right to rectification – You’re able to edit account information at any time through your ActiveCampaign account settings. You can also reach out to us directly to edit or update your information. See our Privacy Policy for more information on what data we collect and how that data is being used.
Right to be forgotten – You may cancel and terminate your ActiveCampaign account at any time. After receiving a request to be forgotten, we will permanently delete your account and all data associated with it within 30 days of receiving the request. 
Right of portability – If requested, we will export your data so it can be transferred to a third party. You’re able to do this now.
Right to object – At any time, you may object (via opt out) to your personal data being used for specific purposes such as direct marketing, research, etc.
Right of access – We’re transparent about the data we have and how we use it. Refer to our Privacy Policy for information on what data we collect and how that data is used. You can contact us at any time if you’d like to access or edit your data or if you have any questions about your data and how we’re using it. When we make changes to our Terms of Service, we’ll send you an update to review and sign.

How ActiveCampaign will help you comply with GDPR requests from your Customers

GDPR grants expanded privacy protections and rights to your customers. ActiveCampaign’s GDPR compliance program will help you comply with requests you receive from your customers.

Right to rectification – You can update your contact’s information at any time. Your contacts can reach out to ActiveCampaign directly and we’ll correct or delete that information for them. 
Right to be forgotten – If you receive a request to be forgotten, you’re able to delete a contact, which permanently removes his or her information from your account. If your contact reaches out to us directly with a valid request, we’ll notify you about the request and delete the contact’s data from your account, or across all ActiveCampaign accounts, if requested, in order to comply with GDPR. 
Right of portability – If your contact requests their personal data, you can export their data as a .csv file, which we will make available to you via a secure connection.
Right of access – Make sure that your existing Privacy Policy addresses how you’ll use and manage data. If your contact requests their personal data, you can export their data as a .csv file. 

How You Can Prepare

Require Opt-In confirmation

Using double opt-in with clear verbiage ensures you’re complying with the informed, affirmative consent requirement to use your contacts’ email addresses and other contact information to send them messages in the future. The GDPR requires that you make it as easy to opt out as it is to opt in. The existing unsubscribe links in every email campaign help meet this requirement.

Familiarize yourself with how to edit and delete contacts

Part of GDPR is the right to rectification, which basically means that a contact can request to have their information updated and corrected. We make it easy for you to find a specific contact and update their information on the contact record. Here’s a help doc for contact management, as well as contact deletion.

Learn how to export individual contacts

Right to portability and right of access requests both require you to be able to export individual contacts. This help document will help familiarize you with this process. 

Add an affirmative consent and usage statements to your opt-in forms

One of the changes GDPR brings is that you have to tell individuals specifically how their information will be used and get their consent. You’ll want to make it clear on your opt-in consent forms how you’ll be using the personal data that you collect. You can add whatever verbiage you want to an ActiveCampaign form using an HTML block. We’re unable to supply the verbiage you should include because it’s highly dependent on how you’re using the data. We recommend seeking the counsel of a qualified legal professional.

Delete contacts and lists you no longer need

GDPR’s intent is to protect the privacy of EU residents. Part of protecting that data means minimizing the risk that it could be abused or accessed without authorization. In the spirit of this regulation, it makes sense to delete personal data that is no longer necessary. You may choose to delete inactive or unsubscribed contacts rather than keeping them in your account. If you aren’t using the data, it’s safer to just get rid of it. 
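As an added example, and not ActiveCampaign code or a description of its API, the Python sketch below shows how a sender-side system can record the consent that the three preparation steps above call for: an affirmative, per-purpose opt-in that rejects a pre-ticked default, a double opt-in confirmation token whose click timestamp becomes the evidence of consent, a one-step unsubscribe, export and erasure for access, portability and forgotten requests, and pruning of contacts who never confirmed. The names (ConsentLedger, FrozenClock, PURPOSES), the 48-hour token validity and the sample e-mail addresses are this example’s own assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Optional

# Assumed set of purposes; each must be named explicitly on the opt-in form.
PURPOSES = {"newsletter", "product_updates", "research"}
TOKEN_TTL = timedelta(hours=48)  # assumed validity of an unconfirmed double opt-in link


class FrozenClock:
    """Deterministic clock so the example behaves the same on every run."""

    def __init__(self, start):
        self.current = start

    @classmethod
    def at(cls, year, month, day):
        return cls(datetime(year, month, day, tzinfo=timezone.utc))

    def __call__(self):
        return self.current

    def advance(self, days=0, hours=0):
        self.current += timedelta(days=days, hours=hours)


@dataclass
class Contact:
    email: str
    confirmed: dict = field(default_factory=dict)  # purpose -> datetime the link was clicked
    pending: dict = field(default_factory=dict)    # purpose -> (sha256 of token, issued_at)
    last_seen: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self.now = now
        self.contacts = {}

    def request_consent(self, email, purposes, ticked_by_user):
        """Step 1 of double opt-in: the form is submitted. Returns the single-use
        token to embed in the confirmation e-mail; only its hash is stored."""
        if not ticked_by_user:
            # A pre-ticked box, silence or inactivity is not consent.
            raise ValueError("consent must be an affirmative act by the individual")
        unknown = set(purposes) - PURPOSES
        if unknown:
            raise ValueError("unknown purposes: %s" % sorted(unknown))
        contact = self.contacts.setdefault(email, Contact(email))
        token = secrets.token_urlsafe(32)
        digest = sha256(token.encode()).hexdigest()
        for purpose in purposes:
            contact.pending[purpose] = (digest, self.now())
        contact.last_seen = self.now()
        return token

    def confirm(self, email, token):
        """Step 2: the confirmation link is clicked. The timestamp recorded here is
        the evidence of consent. Wrong or expired tokens grant nothing."""
        contact = self.contacts.get(email)
        if contact is None:
            return []
        digest = sha256(token.encode()).hexdigest()
        granted = []
        for purpose, (expected, issued_at) in list(contact.pending.items()):
            if hmac.compare_digest(digest, expected) and self.now() - issued_at <= TOKEN_TTL:
                contact.confirmed[purpose] = self.now()
                del contact.pending[purpose]
                granted.append(purpose)
        if granted:
            contact.last_seen = self.now()
        return sorted(granted)

    def may_send(self, email, purpose):
        """Sending is allowed only for a purpose with a confirmed consent on record."""
        contact = self.contacts.get(email)
        return contact is not None and purpose in contact.confirmed

    def unsubscribe(self, email, purpose=None):
        """Opting out is a single step with no token: one purpose, or all of them."""
        contact = self.contacts.get(email)
        if contact is None:
            return
        if purpose is None:
            contact.confirmed.clear()
        else:
            contact.confirmed.pop(purpose, None)
        contact.last_seen = self.now()

    def export_contact(self, email):
        """Access / portability: a plain record including when each consent was given."""
        contact = self.contacts.get(email)
        if contact is None:
            return None
        return {"email": contact.email,
                "consents": {p: t.isoformat() for p, t in sorted(contact.confirmed.items())}}

    def erase(self, email):
        """Right to be forgotten: remove the record entirely."""
        return self.contacts.pop(email, None) is not None

    def prune(self, max_idle_days):
        """Data minimisation: drop contacts with no live consent who have been idle too long."""
        cutoff = self.now() - timedelta(days=max_idle_days)
        stale = sorted(e for e, c in self.contacts.items()
                       if not c.confirmed and (c.last_seen is None or c.last_seen < cutoff))
        for email in stale:
            del self.contacts[email]
        return stale
```

Two design points matter for audits: only the hash of the confirmation token is stored, so a leaked database cannot be used to forge confirmations, and the consent record carries the click timestamp per purpose rather than a single boolean, which is what a rectification or access request has to be answered from.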

Consult with a qualified legal professional 

We’re providing this information to help you prepare as an ActiveCampaign customer, but the GDPR guidelines are expansive and probably impact other aspects of your business. We recommend that you seek legal counsel from a qualified professional to understand the total impact of GDPR on your business. 