Privacy, Compliance, & GDPR

Subscription Management and GDPR issues

  • 1.  Subscription Management and GDPR issues

    Posted 02-13-2018 06:27

    Key areas where Subscription Management is currently weak include the ability to customise, and GDPR compliance.

    We have not turned on the feature because we do not believe it can deliver GDPR-compliant results. For example, individuals subscribing to receive future marketing communications should go through a double opt-in consent process, but Subscription Management cannot trigger or manage this. Nor does it record the necessary criteria required for GDPR (that is, 1. how the person opted in, 2. the text of the consent statement to which they are agreeing, 3. segment the type of content they are interested in against the topics they are interested in, ensuring they are sent only relevant communications).

    In order to create something approaching an attractive/customised preference management page, I have been designing an Act-On landing page and (very complicated!) form, where the individual has the option to set what communication type(s) they wish to receive, what content type(s), and their preferred topic(s). Submitting this form takes them through a double opt-in process, ensuring we have a record of their permission to contact them for marketing purposes. It also uses hidden fields to record against their submission how the individual opted in, and the text of the consent statement to which they agreed. This is all then recorded in a form submission list, which will serve as our 'master' consent list. So far I have something that looks like this:

    Image: Preference Management Page 

    This is still flawed, as the form is not relational – that is, a person might e.g. set the type of communications they wish to receive without setting their topics. This is something we are likely to have to live with as it's the best that can be done at the moment, and we need to get some sort of process in place (what with GDPR taking effect in a matter of weeks).

    I appreciate Act-On is not a CRM or preference management tool, and I am trying to make a square peg fit a round hole, but it would not take a great deal of development of Subscription Management to make it attractive and GDPR-compliant – something that Act-On customers currently have to look to other providers for.



    ------------------------------
    Sion Stedman
    Idox Software Ltd
    ------------------------------


  • 2.  RE: Subscription Management and GDPR issues

    Posted 02-25-2018 06:31
    Edited by Sion Stedman 04-13-2018 19:02

    Further comments:

    In my double opt-in method, one purpose of Form B is that there is a hidden field that adds 'Yes' to a column I have called 'Double_Opted_In'. Both Form A and Form B submit to the same list. So when the person completes Form A, everything is entered to the list, and when they complete the double opt-in, 'Yes' is added against the same record in the list. Part of the reason for this is that we can then check who has completed double opt-in, and if necessary, we could always re-send them a confirmation email.

    In the preference management list we capture: 1) opt-in type (e.g. 'Form Checkbox'); 2) text of consent statement; 3) which version of our Privacy Policy was current at the time of opt-in; 4) the person's country (so we will always be able to see which data protection laws apply to them); and 5) we make ticking a box that says they are aware of our Privacy Policy a required field. Act-On records by default in the list 1) which form it was the person submitted; 2) timestamps when they submitted; 3) IP address. All of the above is in addition to the actual fields where they have set their preferences; that is, which topics they want to receive marketing information about.

    For single opt-in we generally record all of the above but don't have a 'Double_Opted_In' column. Lists of contacts who have single opted-in are used only to contact them for the purpose for which they have given us their details. After a defined period of time, the lists are reviewed and any contacts whose details we have no legitimate reason to keep are deleted.

    Our preference management list keeps all of the double opted-in records in a single list. This list serves as our 'master consent list' if we ever need to show our data to a regulator. This 'master consent list' can then be segmented as needed, or have automated programs applied to it that take information from it and apply it to other lists.

    Ultimately we are responsible for the data we collect using Act-On. But Act-On nevertheless owes it to its customers to create tools that enable them to easily implement GDPR-compliant processes. In this respect, I have found Act-On to be rather USA-centric – that is, without much consideration for the challenges customers handling EU-based data are facing. The issues I have outlined above are issues Act-On should have brought forward solutions to of their own accord, not relied on customers to raise. GDPR takes effect in less than 90 days. I doubt there is time now for customers to implement anything Act-On might come up with.



    ------------------------------
    Sion Stedman
    Idox Software Ltd
    ------------------------------
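
An added example, not part of the thread and not Act-On functionality: a sketch of auditing a CSV export of the 'master consent list' described above, flagging records that lack the consent evidence listed in the second post and records still awaiting double opt-in. Only the `Double_Opted_In` column name comes from the post; every other column name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Evidence the second post says is held per record. These column names are
# assumed for this example; a real export will use its own headers.
EVIDENCE = ["Opt_In_Type", "Consent_Text", "Privacy_Policy_Version", "Country",
            "Privacy_Policy_Ack", "Form", "Submitted_At", "IP_Address"]

# Constructed sample export (not real data).
SAMPLE = """\
Email,Opt_In_Type,Consent_Text,Privacy_Policy_Version,Country,Privacy_Policy_Ack,Form,Submitted_At,IP_Address,Double_Opted_In
a@example.com,Form Checkbox,"I agree to receive marketing emails.",v3,GB,Yes,Form A,2018-02-20T10:00:00Z,192.0.2.10,Yes
b@example.com,Form Checkbox,"I agree to receive marketing emails.",v3,DE,Yes,Form A,2018-02-21T09:30:00Z,192.0.2.11,
c@example.com,Form Checkbox,,v3,FR,Yes,Form A,2018-02-22T14:05:00Z,192.0.2.12,Yes
"""


def audit(csv_text):
    """Sort each record into ok / resend_confirmation / incomplete_evidence."""
    report = {"ok": [], "resend_confirmation": [], "incomplete_evidence": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = (row.get("Email") or "").strip()
        # A blank or absent evidence field means the record cannot show how
        # and to what the person consented, whatever the opt-in flag says.
        missing = [c for c in EVIDENCE if not (row.get(c) or "").strip()]
        if missing:
            report["incomplete_evidence"][email] = missing
        elif (row.get("Double_Opted_In") or "").strip() != "Yes":
            # Form A was submitted but the Form B hidden field never wrote
            # 'Yes': a candidate for re-sending the confirmation email.
            report["resend_confirmation"].append(email)
        else:
            report["ok"].append(email)
    return report


if __name__ == "__main__":
    for bucket, members in audit(SAMPLE).items():
        print(bucket, members)
```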