Category: Privacy & Compliance

“You guys, we can’t.  It’s like actually illegal.”

–Me, to a room full of raised eyebrows, doing my darndest to convince sales reps not to spam everyone and their mom.

Several recent blogs here at the Spot for Pardot have been posted about GDPR, CASL, and other kinds of email compliance considerations.  But what will REALLY happen if you break these laws?

I mean, I see stuff come through my inbox all the time that I KNOW I did not opt into receiving.  And no matter how many times I hit the unsubscribe link for a major hotel chain (who shall not be named), my inbox still seems flooded.

Pardot has a strict Permission-Based Marketing policy, and they take it seriously.  If you send an email with a 10%+ bounce rate, get ready for a sternly worded email.

But is the government really going to come after you if you’re a Spammy McSpamface?  What is the actual risk of this?

Love your subscribers like no one is watching

Before we visit the Land of the Worst Case Scenario, let’s level set.

Does it matter if the feds will be pounding on your door?  Even if no one ever got their hand slapped, do you REALLY want to be that guy?

Your subscribers are a precious resource.  Treat them like the magical special unicorns that they are, email them only stuff they asked for, and if they want to break up with you, don’t make it super hard or weird.

In short: be cool.

With that reminder top of mind, let’s dive into the actual question, shall we?

The worst-case scenarios for spammers

The potential fines and legal headaches – in theory – if you ignore international spam laws are significant.  Here’s the worst case for violations:

  • The United States’ CAN-SPAM: $40,000 per email
  • Canada’s CASL: $10 million CAD, plus civil and criminal charges for individuals and corporations involved
  • The EU’s GDPR: up to 4% of a company’s annual revenue
  • Australia’s Spam Act of 2003: up to $1.7M AUD
  • Italy: up to 3 years imprisonment (yes, really)

How spam laws have actually been enforced

CAN-SPAM

Individual citizens can’t initiate any kind of legal action under CAN-SPAM — only the Federal Trade Commission (FTC), state attorneys general, or in some cases, an internet service provider.

The first spammer to go down under CAN-SPAM was an 18-year-old who wrote a program to send 9 million spam DMs over MySpace. After he did this, he approached MySpace and asked for a job helping them prevent others from doing the same.  They said “boi bye,” so he threatened to tell other people how to do it.  Hence the lawsuit.

Since then, there have been dozens of cases where the FTC has issued fines and filed charges against spammers.  But almost all of them that I could find were SPAM, spam.  Like the scum of the earth: people sending unsolicited porn or illegal diet pill ads, or doing something pretty objectively scammy.  I couldn’t find a case of what I would consider a “legitimate” corporate marketing program getting in trouble for CAN-SPAM non-compliance.

CASL

The first company that the Canucks threw the book at under CASL was a firm called Compu-Finder.  Compu-Finder was promoting business training courses on topics like management, social media and professional development – so a little more “mainstream” than the guilty parties we see being punished by CAN-SPAM.

Where did Compu-Finder go wrong?  Well, for starters, they emailed tons of people that never subscribed.  And their unsubscribe link was just for fun – they didn’t actually remove people from their list who requested it.

A full 26% of consumer complaints in this industry segment were for Compu-Finder.  Whoops.

They’re paying for the error of their ways in the form of a $1.1M CAD fine.

EU Privacy Directive

The EU’s current privacy and spam regulations are incredibly complex, and are about to get another layer of complexity piled on with GDPR.

As I researched companies that have actually been prosecuted under the EU Privacy Directive though, it seems like the primary people getting picked on are the giants – Facebook, Google and the like.

There have been some online jewelry companies in Spain and a Dutch public broadcaster who have been fined, but I could find very little on the specifics.

Even for those who want to comply with the relevant EU laws on spam/cookies/privacy, it’s very difficult… borderline unattainable.  In fact, this company just gave up trying and is flagrantly inviting a lawsuit to put the rules to the test in a court room: http://nocookielaw.com/

The bottom line

You’re probably not going to be carted away in a paddywagon if you send crappy, unsolicited emails.  But you’re not doing yourself any favors, either.  Your metrics will suck, and subscribers will still hit that spam button and hurt your sender reputation.

So police yourself (and those on your team) and practice good email karma.

Oh and by the way… do not, I repeat, do not take this blog as legal advice.

If you’re worried, or holding a cease and desist letter in your very own hands, or actively considering something shady — please talk to a real lawyer and not your internet friend who’s researching this in sweatpants while catching up on Stranger Things II.

A few weeks ago, I shared a post on Pardot and GDPR compliance.  Since then, a few people have asked me how this relates to CASL and if it’s more or less stringent.

So if you’re wondering:

“Ottawa comply with CASL?”

…then pour yourself a Molson and let’s break it down, eh? 

PS fair warning, the Canadian jokes do not elevate in their level of sophistication as this goes on, so manage your expectations, please.

The Keys to the CASL

“Strict” and “onerous” are the two most common adjectives I see paired with explanations of the Canadian Anti-Spam Law (CASL). Why?  Because it’s pretty darn complicated, and creates a structure for gaining consent that applies to all “commercial electronic messages” – not just email.

CASL applies to both companies in Canada and to any companies marketing to citizens of the Great White North.  The legislation first went into effect July 1, 2014, and has had a staged rollout.

The last wave of provisions was scheduled to go into force July 1, 2017, and would have allowed lawsuits to be filed against individuals and organizations for alleged violations of CASL.  There was significant pushback from the business community, though, and this piece was pulled back at the last minute for parliamentary review (which is part of the reason why you’re still hearing about it this year).

CASL Riot

So, CASL governs commercial electronic what now?

Commercial electronic messages include anything sent to an electronic address — including emails, instant message accounts, and some social media accounts.

Phone calls aren’t relevant under CASL, so Drake and his hotline bling can carry on.  Text messages, however, ARE governed by CASL.

There is an exemption in the law for BBM (Blackberry Messenger) – go figure.  And fax numbers aren’t covered under this legislation (whew).

CASL has rules for two kinds of consent: express and implied.

First, the easy one.  Consent can be implied for:

  • Friends and family
  • Employees and contractors
  • Customers that have been active with you in the last 2 years
  • Someone who’s inquired about your company’s services in the last 6 months
  • Charitable and political fundraising efforts
  • Legal, warranty, and recall stuff
  • Transactional emails (like receipts and confirmations)
  • Recipients that conspicuously publish their contact info without saying “don’t spam me”
  • Referrals – but you have to disclose the full name of the person who referred you, and you only get to play that card once

If your contacts don’t meet one of the above criteria, you need express consent to market to them.  This consent can be given either orally (the late Mayor Rob Ford would approve), in writing, or electronically.

When requesting express consent, you have to include:

  • Who you are (name of person or organization)
  • If you’re acting on behalf of someone, who that person or organization is
  • A way for people to get in touch with you to get more information
  • The ability to opt-out of all types of communications sent by you, your organization, or third-party partners
  • An opt-in checkbox that the user actually checks — no pre-filling

What else do I need to do to skate to where the puck is going here?

In addition to getting CASL-compliant consent for the folks on your list, keep in mind that:

  • You’re required to maintain records of how you got consent.
  • Commercial electronic messages must include your name, your mailing address, phone number, email, and website URL. And if you’re reaching out on behalf of someone else, their name too.
  • All messages need to include an unsubscribe mechanism, and unsubscribes need to be processed in 10 days.
  • You can’t make people give you more than their email address to unsubscribe (so no required “why are you leaving us?” stuff)
  • You can’t make people log in somewhere or visit multiple pages to submit an opt-out request.
  • Express consent applies until someone unsubscribes. Implied consent applies until 2 years after a client/business relationship is terminated, or 6 months after a prospect inquiry.
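To see how these consent rules combine in practice, here is an added example (not code from the post or from Pardot) that decides whether a contact may receive a commercial electronic message today, using fields like the Permission Type and Date of Confirmed Opt-In the post suggests tracking; the field names, the `Contact` class and the helper functions are this example’s assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Implied-consent windows as stated in the post.
CUSTOMER_WINDOW_MONTHS = 24   # 2 years after a client/business relationship ends
INQUIRY_WINDOW_MONTHS = 6     # 6 months after a prospect inquiry


@dataclass
class Contact:
    """Consent fields an admin might track (names are this example's assumption)."""
    email: str
    permission_type: str                        # "express", "implied" or "none"
    opt_in_confirmed: Optional[date] = None     # Date of Confirmed Opt-In (express)
    unsubscribed: bool = False                  # an opt-out request was received
    is_customer: bool = False
    relationship_ended: Optional[date] = None   # None while the customer is still active
    last_inquiry: Optional[date] = None         # most recent inquiry about your services


def add_months(d: date, months: int) -> date:
    """Shift d by whole calendar months, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def implied_consent_until(c: Contact) -> Optional[date]:
    """Latest date implied consent lasts, or None if there is no basis for it."""
    candidates = []
    if c.is_customer:
        if c.relationship_ended is None:
            return date.max                      # active relationship: no expiry yet
        candidates.append(add_months(c.relationship_ended, CUSTOMER_WINDOW_MONTHS))
    if c.last_inquiry is not None:
        candidates.append(add_months(c.last_inquiry, INQUIRY_WINDOW_MONTHS))
    return max(candidates) if candidates else None


def can_send_cem(c: Contact, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason) for sending a commercial electronic message today."""
    if c.unsubscribed:
        return False, "opted out: an unsubscribe ends both express and implied consent"
    if c.permission_type == "express":
        if c.opt_in_confirmed is None:
            # CASL requires records of how consent was obtained; no date means no proof.
            return False, "express consent claimed but no record of when it was obtained"
        return True, f"express consent recorded {c.opt_in_confirmed.isoformat()}"
    if c.permission_type == "implied":
        until = implied_consent_until(c)
        if until is None:
            return False, "implied consent claimed but no qualifying relationship or inquiry"
        if today <= until:
            ends = "the relationship ends" if until == date.max else until.isoformat()
            return True, f"implied consent valid until {ends}"
        return False, f"implied consent expired {until.isoformat()}; run a permission pass"
    return False, "no consent on record"


if __name__ == "__main__":
    # Constructed sample contacts, evaluated against a fixed date.
    today = date(2017, 11, 15)
    sample = [
        Contact("a@example.ca", "express", opt_in_confirmed=date(2017, 8, 1)),
        Contact("b@example.ca", "implied", is_customer=True,
                relationship_ended=date(2015, 10, 1)),
        Contact("c@example.ca", "implied", last_inquiry=date(2017, 9, 1)),
    ]
    for contact in sample:
        print(contact.email, *can_send_cem(contact, today))
```

The automation rules the post mentions would typically recompute `implied_consent_until` on a schedule and flip contacts whose window has closed into the permission-pass segment.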

Penalties for CASL non-compliance

If you think Canadians are nice, you haven’t read up on CASL penalties.

They include criminal charges, fines up to $10M, and personal liability for company officers and directors.  Yikes.

Ignore CASL at your own risk — there’s nowhere to hide, and there’s nowhere Toronto. (Okay sorry, that one was really bad.  And sorry for interrupting to say sorry. How Canadian of me.)

The Pardot Admin’s CASL action items

As Ontario native Shania Twain would say, “from this moment on,” CASL is the law of the land – onerous or not.  To stay in compliance, consider:

  • Adding an “express consent” opt-in checkbox to all of your Pardot forms
  • Using variable tags to add the info required by CASL to your email templates. Physical address and unsubscribe link are already required by Pardot, but be sure to add in website URL and phone number.
  • Adding custom fields to track things like Permission Type (express vs. implied) and Date of Confirmed Opt-In.
  • Using automation rules in Pardot or workflow rules in Salesforce to update your custom fields so they reflect the current implied opt-in status for clients/prospects.
  • Running a permission pass for the Canadian portion of your list (companies with addresses in Canada, emails with .ca, etc.) to get the express consent you need to continue contacting them
  • Documenting your plan for all this, in case Prime Minister Trudeau comes calling

I’m sorry to any Canadians reading this who I may have offended.  At least the wah-mbulance will be covered under your amazing healthcare.

Got questions?  More Canadian puns?  Horror stories of your CASL compliance journey?

I recommend poutine it in the comments!

Compliance? *gag*

There are few things I like thinking about less than regulations impacting email marketers.  But, it’s important for our businesses to CYA and it’s good for us as consumers, and blah blah blah.

I finally got around to catching up on GDPR compliance and how this impacts all of us Pardot admins.  It’s kind of a lot.  In 10 questions, here’s the quickest and least boring way I can summarize it:

1. What does GDPR stand for?

General Data Protection Regulation.  Aka, a new law passed by the EU in May that adds some new requirements (read: hoops) for organizations that market to, track, or handle personal data of EU residents.

This applies to you if you’re doing business or marketing to people in the EU, no matter where your company is physically located.

2. What kind of data is the GDPR all hot and bothered about?

Literally everything.  

The GDPR regulates the “processing” of personal data — so collection, storage, transfer, etc. The definition of personal data is extremely broad and includes any info related to an identified individual.  The reg breaks this into 4 categories:

Personal Data

Anything relating to an identified or identifiable data subject.

(Example: my favorite color is green.)

Sensitive Personal Data

Info on race/ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, health/sex life/sexual orientation, and genetic or biometric data.

(Examples: I’m a raging liberal, I have the resting heart rate of an 83-year-old chainsmoker, and I believe Marc Benioff is a demi-god.)

Pseudonymous Data

Personal data that can’t be connected back to someone without additional information stored elsewhere.

(Example: Say I’m creeping on Jenna Molby’s blog and reading her new post on two column forms. Jenna records my IP address and links it to the pages that I’m viewing.  But it’s “pseudonymous” because without my name and deets, Jenna doesn’t know it is me.)

Anonymous data

Data that can’t ever be connected to an identified or identifiable person.

(Example: Pardot puts a suggestion box in the middle of the Forbidden Forest. Or on a site that collects no information, not even IP addresses.)

3. When’s the last possible second I can wait to think about this?

May 25, 2018 is the date these requirements go into effect.  So like 7 months-ish.  Tick tock.

4. You lied, this is pretty boring… but tell me what’s changing anyway?

The GDPR establishes certain rights for individuals:

Whenever someone is about to submit personal information (i.e. any form) they have to give affirmative consent for you to process their data.  You cannot infer consent from a form submission alone, or a pre-checked box, or showing them disclosure text.

Right to data portability

Individuals can demand a copy of the data you’ve gathered on them.

Right to be forgotten

Individuals can request you delete the info you’ve gathered on them when the data is no longer needed for its original purpose or when they no longer want you to have that info.

Compliance Requirements for Businesses Processing Data

For companies, GDPR lays out requirements for A LOT of things, including:

  • Gathering and using email addresses
  • Documenting internal processes to stay GDPR compliant
  • Conducting a Data Privacy Impact Assessment for new technologies
  • Mandating certain types of businesses hire a Data Privacy Officer
  • Creating privacy policies and compliant contract terms
  • Reporting obligations when a data breach occurs

5. What does this mean for email marketing, specifically?

Under GDPR, you can only send email to people who’ve “freely given, specific, informed and unambiguous” consent to be marketed to by you.  This has been the case for several European countries under other laws, but GDPR gets even more specific about it.

In addition, the signup process must inform subscribers about the purposes of collecting personal data.  So if someone signs up for a webinar, and you want to use that info later to send them cat videos, you need to mention that on the form before the user hits submit.

GDPR also requires that you keep a record of when and how you got consent from your subscribers.  And your process for doing so in the future.  So start stretching your documentation muscles.

6. Wait, some of this sounds problematic.

Ding, ding, ding!  

Most companies will have to make major changes to get into compliance, both in terms of the processes they follow and the technology they have in place to support those processes.

Pardot and other marketing automation platforms are not in compliance today out of the box, and in some cases, they actually make it impossible for their customers to comply.  

Take the “right to be forgotten” for example — you can’t actually “forget” or delete someone in Pardot.  That person will go to the recycle bin, but all the info you’ve collected from them sits there.

There’s still time before the May 2018 deadline, and I have faith that the Pardot product and security teams will come through with changes to support us in getting GDPR compliant.

7. What’s the worst possible thing that can happen if I ignore this and just watch Silicon Valley re-runs?

GDPR violations are enforceable with fines of up to €20 million or 4% of your company’s annual revenue (whichever is greater).  Woof.

8. Does Brexit mean I don’t have to worry about this if I just do business in the UK?

Nice try.

Yes, the UK is bidding adieu to the EU.  But that’s a long process that won’t be over by May.  So GDPR will apply in the UK, at least for a while.

9. Ugh, fine. What should I start doing to comply with GDPR?

You could stop doing business in the EU.  

If you’re not willing to do that, then there are a few things you can do to get a jump start on meeting the requirements:

a. Work on an affirmative opt-in process

Make the user check a box or complete a field to opt into communications, and add this to all of your forms.  Nebula Consulting did an awesome Topical Office Hours session on this.  

b. Start documenting your marketing and lead gen policies

Work with your legal team to create a privacy policy for your website, a cookies policy, and document your processes for obtaining affirmative consent from your list.

c. Do a compliant permission pass / opt-in campaign stat

There’s no “grandfathering” of subscriber data that you collected pre-GDPR.  So if you have an email list that hasn’t affirmatively opted in (i.e. you email every person who has ever filled out a form on your site) you’re not technically allowed to email them anymore if they’re based in the EU.  

To avoid that landmine, do a permission pass for your European prospects and customers that asks for explicit consent.  A lot of companies may jump on that bandwagon as the compliance deadline gets closer — so beat the rush and get this done ASAP.

d. Stay tuned for updates from Pardot

We will likely see more guidance coming out on this topic, from both Pardot and other thought leading entities in the space, hopefully shedding some additional light on how the regulation will be applied.  

10. Is this going to kneecap my ability to grow a subscriber list?

Not going to sugarcoat it: YEAH.  It’s very likely that by complying with GDPR, your list growth will slow down big time.  

Theoretically, since these regulations apply only in the EU, you could implement one process for your European clientele, and keep things as is for relationships in other parts of the world.  But this adds a lot of complexity and administrative overhead to the mix.

For most businesses, it probably makes the most sense to get GDPR compliant and leverage one set of opt-in and privacy practices.  GDPR is about as strict as it gets — so if you do get into compliance, you’re pretty much good to go globally.

The subscribers who you do capture in a double opt in / affirmative consent model will really want to hear from you, which will have positive ripple effects on metrics like open rate, click through rate, and more.

What other GDPR compliance questions do you have?

If you’d like to learn more about this, Salesforce has a landing page to share what they’re doing to become GDPR compliant.  There’s also a short Trailhead module that dives deeper into the history and intent of the law.

Disclaimer: I am not a lawyer, although I did watch a whole season of the Practice once when I had the flu.  Do not leverage this blog in place of actual legal counsel.  That would be crazy.

But if you’re like me, and asking questions to try to get a better handle on this thing, I’d love to know what else you’re wondering about.  Post your questions in the comments and I’ll see if I can help find some answers!

As you may have heard, Apple made a move that significantly limits the ability advertisers and companies have to place cookies on your devices.  Changes are coming down the pipeline for iPhones, iPads, and Macs.  Cue the advertiser freakout.  

Or, maybe you haven’t heard — it hasn’t gotten all that much coverage, and when I Googled “new apple cookie,” the first result was for Pillsbury Salted Caramel Apple Cookies.

So now, I’m hungry.  But setting snacks aside for a moment, let’s think through what this means for Pardot users.

Cookies are small files that are dropped on a website visitor’s computer to capture/store information about their behavior.  It’s what keeps the items in your cart when you go away for a while.  It pre-fills your data on forms.  It’s also what makes those shoes stalk you everywhere, no matter how far you run and hide.

In Pardot, cookies are what allow us to get all kinds of awesome analytics of who is engaging with what content.  A cookie is dropped as soon as a visitor engages with a Pardot asset — a tracked webpage, a custom redirect, a downloadable file, etc.  

At first, we / Pardot may or may not know who that user is, but when they fill out a Pardot form or click on a link we sent directly to their inbox, voila!  We can connect the dots and say THIS device belongs to THAT dude, and associate all of the information that Pardot’s been gathering about that visitor behind the scenes.

And old cookies are still delicious

Pardot can track cookies for a LONG. LONG. TIME.  This means if Joe Schmo visits your website (with a Pardot tracking code in place, of course) and then comes back months later and buys something, we have a rich history of data on him we can consider when analyzing what influenced his purchase.

This is really helpful for B2B companies with a long sales cycle, where buyers may pick up / put down the buying process, consider vendors seasonally, or just take their sweet time to make a purchasing decision.  

The default (and maximum) duration of Pardot tracking cookies is 3650 days — 10 years!  If Joe finally buys from us 10 years later, we can tie him back to his initial interaction with us on MySpace, Vine, or [insert other dead platform here.]  This is assuming that Joe hasn’t wiped his browser history or deleted his cookies, in which case, we lose this data.

The duration of this tracking window can be manually adjusted, but the minimum number of days Pardot allows is 180 days.

What is Apple changing about cookies?

In Safari 11, which is included as the default browser on the new macOS High Sierra, Apple is saying “we’re watching our figure, please hold the cookies.”  

They’re calling it “Intelligent Tracking Prevention,” and long story short, they’re deleting 3rd party cookies after 24 hours, and they’re deleting 1st party cookies after 30 days.

This only affects Safari users, so your cookies dropped via Explorer, Chrome, etc. are safe.  But Safari accounts for roughly 55% of US mobile browser usage and 10.5% of desktop browser usage – so no small potatoes.

Good question. I had to spend some time researching this to try to really understand it.

Cookies that a website uses to track visitors on its own site (like the ones we use from Pardot) are first-party cookies. Third-party cookies are those set by advertisers and other data aggregators to achieve cross-site tracking and ad retargeting.  

This may be a bit more nuanced, but that’s the basic distinction.  If any readers have some specialized knowledge of the intricacies of cookies and can share some inside intel, PLEASE chime in via the comments.  

Why are people hot and bothered?

Advertising platforms depend heavily on cookies to allow them to do their thing.  In an open letter, a lot of the big organizations teamed up to give Apple a piece of their mind, accusing them of “sabotaging the economic model for the Internet” with an “amorphous set of shifting rules.”  

They’re not wrong.  This impacts a lot of businesses, and unsurprisingly, stock immediately plummeted for several major ad platforms.

Another negative consequence is that this further consolidates the power of Facebook and Google. Because their ad platforms are so widely used, you’re likely going to stumble across their cookies on the majority of sites you visit — meaning their cookies won’t expire.

Comparatively small ad firms (like Criteo or AdRoll) are getting hurt the most by this.  90 cents of every dollar spent on digital ads goes to Google and Facebook, so the little guys are going to have a hard time getting the volume of traffic they need to keep their cookies fresh.  (More detailed explanation of why this is here.)

Okay, so get to the point — what do I need to do with Pardot?

Apple is going to do Apple.  Unless you have millions to invest in lobbying for a change, we have to play by their rules.

For starters, I’d recommend checking Google Analytics to see how much of your traffic comes from Safari in the first place.  This is a useful data point when deciding how much to care about this.

But most importantly, give users a reason to keep coming back to your site.  30 days is the number to beat – so what content, email offers, or other things can you share with your audience to keep them engaged?  

What’s your cadence for content?  If the answer is “monthly,” you need to step up your game or risk losing some really valuable data.

How this impacts other platforms… pure speculation

I’m interested to see how advertisers shift their strategies.  Would it be fruitful to change campaign targeting criteria to block or show different content in Safari?  Or would that just incent users to flock to Safari to get a reduced-ad experience?

You could also show dynamic content on your own website based on the browser that the visitor is using.  I’m curious to see if anyone comes up with something creative to target those visitors differently and/or entice them to switch devices.

What do you think of all this?  What questions did you have?  Did I miss anything in this breakdown that impacts how we should be thinking about this?  Please share in the comments!
