The most important change in data privacy regulation in 20 years
We are regularly updating this article as new updates and information become available. Check out the updates below or fast-forward straight to the article.
Last updated January 7, 2019:
- Setting Active-Consent Checkboxes as 'Required' is not GDPR-Compliant We've received guidance from our legal team that suggests you should NOT make your consent checkbox required. By default, the consent box is optional. Learn more on adding an active-consent checkbox here.
- [Drip Integration] Since May 25, active consent data is now automatically passed from Leadpages’ Drag & Drop forms to Drip. No other email service provider has made this update, so it’s another reason to jump on the Drip train.
- Consent data from forms in both the Drag & Drop and Legacy/Standard builders are collected in a downloadable.CSV file, which includes consent data if your form includes the GDPR checkbox. So, if you’ve been worrying about capturing ‘proof’ of consent, we’ve got you covered!
Update from May 24, 2018:
- Setting Active-Consent Checkboxes as 'Required' is not GDPR-Compliant We've received new guidance from our legal team that suggests you should NOT make your consent checkbox required. Therefore, you will no longer be able to set our Leadpages active-consent checkbox to required and any Leadpages and/or Leadboxes with a required consent checkbox must be updated. Here’s how to do that.
- [Drip Integration] Starting May 25, active consent data is now automatically passed from Leadpages’ Drag & Drop forms to Drip. No other email service provider has made this update, so it’s another reason to jump on the Drip train.
- Consent data from Drag & Drop forms will be collected in a downloadable .CSV file In addition, consent data will be collected retroactively for all visitors who have converted on your checkbox forms.
Last updated May 14, 2018: Leadpages has updated its Web Privacy Policy and Terms of Service to reflect GDPR compliance. Customers can access and sign their Data Protection Agreement (DPA) with Leadpages. And for a detailed understanding of our recent product features, visit the GDPR Knowledge Base Article. The active consent checkbox is also now available for our Legacy and Drag & Drop builders. (Heads up here: you'll no longer be able to set your checkbox as 'required' and here's why).Update from April 23, 2018: Leadpages now offers an active-consent checkbox.Update from April 13, 2018: There may be cases where you have to acquire/ re-acquire consent from existing contacts. Ask your lawyer for clarification on the topic of re-permissioning, specific to your business.
We will be compliant. Will you? The Leadpages team is working hard to become GDPR compliant - but your business is responsible for its own compliance. Each individual organization needs to evaluate its data practices against the new regulations and ensure compliance. We want everyone in the Leadpages family to transition into the post GDPR world as painlessly as possible. We’ll be updating this blog as new information & instructions become available.
startWhat you need to know about (the NEW) GDPR
According to a recent study, only 36% of marketers have heard about the new General Data Protection Regulations (GDPR) that will take effect on May 25, 2018. GDPR is designed to hold organizations (like Leadpages & your business) more accountable for keeping personal data secure and outlines new procedures for how you collect data, store, and use data - as well as the rights individuals have to protect, access, and modify your data on them.Whether you’ve been on the GDPR bandwagon for some time now, or the May 2018 deadline has taken you by surprise - breathe easy and read on. We’re all on this road to compliance together. This new legislation applies to all people/ organizations/ businesses involved in processing personal data (names, email addresses, tracking, etc.) about individuals within the European Economic Area (EEA) within the context of selling goods and services - regardless of where in the world your business (and data) is based. The EEA states include the EU and Norway, Iceland, and Liechtenstein as well as (for now) the UK. Practically speaking, if you’re selling to, communicating with, and collecting information from any of these geographies - you’re going to want to tune in. These new standards are laid out in a 200-page document and set a significantly higher bar for how data is collected, stored, and used. But fear not. While becoming compliant with the new standards does require effort, we’re all in this together and this article is designed to give a plain-English overview of what you need to know, how it affects your business, how you can stay on the right side of the law, and what Leadpages is doing to help.
I’m not based in the EU. Should I care about GDPR?
Very possibly. Regardless of where your business is based or where you process or store your data, GDPR applies to all people/ organizations/ businesses involved in processing data about individuals in the context of selling goods and services to citizens in the European Economic Area (EEA) (this includes EU + Norway, Iceland, and Liechtenstein and the UK) - regardless of whether the organization is based in that same geography. It also applies to all businesses established in the EEA. Data on all EAA persons is regulated, regardless of where the information is stored.Heads Up: The law applies to persons in the EEA (as opposed to citizens or residents). That means that if you’re targeting a lead generation campaign to couples on vacation in Italy you are still subject to GDPR.
When does GDPR go into effect?
GDPR becomes fully enforceable on May 25, 2018 (at which point the grace period runs out).
Why comply with GDPR?
- Protect the data security of your contacts and avoid harmful data breaches
- Protect your brand from potentially embarrassing data breaches
- Avoid (super) hefty finesGetting caught in noncompliance can result in fines up to €20 million (that’s $24.6 million USD) or 4% of Global Annual Turnover (ouch!)
What happens if I fail to comply?
Penalties for noncompliance are pretty painful and quite costly. Violators (individuals and/or organizations) could be fined up to €20 million or 4% of worldwide turnover (revenues). The severity of the fine will depend on the severity of the offence and GDPR lays out a number of tiers. For example, an organization that doesn’t have its data records fully in order could be fined two percent of annual global revenues. (Multinational organizations are treated as single entities)
How will the data police know I’ve complied?
The question of how exactly GDPR will be enforced is still mostly unknown. Though, experts anticipate that you may be called upon to prove that you have complied. To proactively prepare for that possibility, you should:
- Obtain (active) consent before collecting data on any person
- Maintain documentation of data processing activities
- Appoint a data protection officer
- Create & use data protection impact assessments
You can also check out the additional recommendations by the Information Commissioner of the United Kingdom.
What is GDPR, really?
GDPR = General Data Protection Regulation of the European Union. Essentially, it is the most important change in data privacy laws in the last 20 years and specifies how consumer data should be collected, used, and protected & also clarifies what individuals rights are concerning their own personal data. It builds on the previous EU Data Protection Directive (est. in 1995) and is designed to be relevant for the next twenty years. It was officially adopted by the European Parliament in April 2016 and initiated a 2-year grace period in which companies must become compliant. Therefore, it becomes officially enforceable on May 25, 2018. Most agree that this new legislation was long overdue as current regulations for the European Economic Area (EEA) date all the way back to 1981. In many ways, the GDPR is designed as a legislative quantum leap forward, to better align with recent advances in technology and to accommodate current business models.
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”GDPR Portal
What kind of data are we talking about?
GDPR applies to personal data. That means:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” GDPR Personal Data Definition
Will Leadpages comply with GDPR?
YES! The data protection team at Leadpages has been working for months in order to ensure full compliance. Leadpages is considered a ‘data processor’ under GDPR regulations and we fully intend to comply with our data protection obligations by the May 25, 2018 deadline. (We also fully intend to help you do the same!)
Does Leadpages compliance mean I don’t have to do anything else?
No. Unfortunately, we’re not a get out of jail free card. While we wish we could do it all for you, each individual organization regulated by GDPR needs to evaluate its data practices against the new regulations and ensure compliance.
What is Leadpages doing to comply with GDPR?
As a processor, Leadpages must comply with Article 28. Meeting these requirements will include actions such as maintaining records of data processing activity, appointing an official data protection officer, and ensuring continual compliance by regularly reviewing data protection measure.We will also continue to update this posts as new details become available. Updates:
- Leadpages has updated its Web Privacy Policy and Terms of Service to reflect GDPR compliance.
- Data Protection Agreement (DPA) for Customers GDPR specifies that any Controller that is subject to GDPR will need to have a signed Data Processing Agreement with any third party that it shares data with where that third party is a Processor as defined under GDPR.If you’re collecting any personal data (name, email address, etc.) from someone located in the EEA, you’re a controller. The organization/application that stores that data on your behalf (Leadpages, for example) is the processor.Customers of Leadpages who are considered to be Controllers under the terms of GDPR should sign a DPA with Leadpages in advance of the May 25, 2018 compliance deadline.Click Here to Get Started
- Active Consent Check-box: Inside the drag and drop builder forms, you can now add a consent check/tick box and customize the language for your opt-ins (available in both the Legacy and Drag & Drop Builder). Ideally, you'll have a field like this in your email service provider that will register this consent. But if you don't, you'll be able to demonstrate this consent with the fields added to your Leadpages.
Additional Questions? Visit the GDPR Knowledge Base Article for more in-depth descriptions and FAQs.
What does the GDPR do?
It gives EEA persons more rights and protections regarding their personal data.Let’s imagine Jane is an EEA person (oh I don’t know...living in the quaint city of Pamplona, Spain) who your business interacts with and collects data from. Under the GDPR, as an EEA person, Jane has:
- The right to be informed: Jane has a right to be informed of when her data is being collected and how it is being used by you, typically achieved with a privacy policy and transparent language in the fine print. (Section 2 Articles 13 & 14)
- The right of access: Jane can ask if your organization is processing her data and has a right to receive a prompt answer from you along with the requested information - at little to no cost to Jane. (Section 2 Article 15)
- The right to rectification: Jane can correct or complete her data entries, including data shared with a third party. (Section 2 Article 16)
- The right to be forgotten: Under specific circumstances, Jane can request the removal of her personal data. (Section 2 Article 17)
- The right to restrict processing: Under specific circumstances, Jane can block the processing of her data. (Section 2 Article 18)
- The right to data portability: Jane can request and reuse her personal data for her own purposes anywhere she wants by transferring it across different IT environments (Section 2 Article 20)
- The right to object: Jane can object to the use of her personal data and make a case that the business does not need the data it is processing in order to perform its business function. (Section 4 Article 21)
What does GDPR mean for your marketing:
GDPR applies to ‘data processors’ and ‘data controllers’ - first, you’ll want to figure out which one you are. (We expect most of our customers to be in the data controller category)
- Data controllers: determine the “purposes and means of the processing of personal data”
- Data processors: “process personal data on behalf of the controller”
If you’re collecting any personal data (name, email address, etc.) from someone located in the EEA, you’re a controller. The organization/application that stores that data on your behalf (Leadpages, for example) is the processor.
I’m a ‘data controller.’ What do I need to know about GDPR?
As a data collector (controller), you’ll need to take certain precautions to ensure that the personal data you collect is well protected. That means you’ll want to ensure you have active consent from all EEA persons in your database, you may also need to designate someone to be in charge of data protection (employee or third-party), put together a risk mitigation plan, etc. Article 24 deals with the particulars.
- For Existing DataThere may be cases where you have to acquire/ re-acquire consent from existing contacts. This is known as repermissioning – and it’s best to consult your lawyer to know if you need to repermission your customers for consent to continue using their data.
- For New (Incoming) DataEnsuring that you acquire new subscribers and leads in a GDPR-compliant way Ensure consent is always active and always obtained (this affects both online acquisition and in-person events). Keep an audit trail of where that consent came from, what messaging they were responding to when they opted in, and what the time & date of that opt-in was.
I’m a processor. Now what?
If you’re a Leadpages customer, you’re likely a controller. However, there’s always a unicorn or two in the bunch - so for you processors, you’ll want to read Article 28.
How can Leadpages help me comply with GDPR?
Leadpages is a web application that collects subscribers and leads and funnels that information to your marketing tech stack through a series of integrations. You can use it to effectively manage your web form UX, data capture, customer-facing messaging, and marketing opt-ins. We’re able to help you:
- Capture (active) opt-ins everywhere and anywhere throughout your web presence
- Standardize your opt-in messaging
- Date/ time stamp on the opt-in data
- Easily see which pages and Leadboxes have been deployed and are currently in use
- Quickly determine which pages are delivering optimal conversion
To comply with new GDPR guidelines, Leadpages customers must:
- Request the explicit (active) consent of every visitor before any data collection takes place. This could take the form of a click to consent box or double opt-in flow. Your requests must be in straightforward, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.
- Have a clear and accessible privacy policy that informs visitors how collected data will be stored and used.
- Have a means for leads to request access and view the data that you have collected on them. (You can process these requests manually)
- Provide leads with a way to withdraw consent and purge personal data collected on them; i.e. the “Right to Be Forgotten”. (You can process these requests manually)
To achieve all 4 of these requirements, Leadpages is developing new policies and product features and we will update this article with additional details when those features become available.
GDPR is making my head spin. Where can I get help?
Here are some recommended resources that can help you see the light in all this data security lingo:
- [Web] EU General Data Protection Website
- [Web] Guide to the General Data Protection Regulation (GDPR) [United Kingdom Information Commissioner’s Office]
- [Web] Getting ready for the GDPR resources [United Kingdom Information Commissioner’s Office]
- Rules for the protection of personal data inside and outside the EU [European Commission]
If you’re still stuck, you might consider hiring a data protection expert that will support your organization is staying GDPR compliant. Disclaimer:We're not legal counsel here and can't guarantee that if you follow these steps, you'll be compliant. You’ll need a lawyer to determine that.The Official Leadpages GDPR Statement:GDPR stands for the General Data Protection Regulation of the European Union, and its goal is to protect the data privacy and security of most EU persons by setting a new data protection standard for businesses and governments. It will be enforced beginning May 25, 2018. Leadpages is fiercely dedicated to serving our users and to protecting their data and the data of their customers. The Leadpages team is working to ensure full compliance by the GDPR deadline.
