[GDPR] additional Obtain Consent for tracking permission

Alex7311

Hi there,

In the last days I have intensively engaged with the GDPR issue. GDPR is a problematic issue, because data protectionists and lawyers often have different views.

Because I think GDPR is a matter of general interest for the MW community, here are some of my important findings:

To cut a long story short - @twisted1919 has created a good and brief overview here.

If I have understood everyone correctly, then I think that an important feature is missing: besides the consent checkbox (permission to send the newsletter regularly) you need an additional consent checkbox for tracking permission.

Tracking permission means tracking individual subscribers (User Behaviour Tracking), e.g. the opens and clicks of the subscribers with the timestamps.
If MW is properly configured with a tracking domain and this feature is enabled, User Behaviour Tracking is active.
In this case you need an additional consent checkbox for tracking permission.

But things get even more complicated: if subscribers have given permission for:
case 1: consent checkbox + consent checkbox for tracking --> URL/Open Tracking permitted
case 2: only consent checkbox --> URL/Open Tracking not permitted

Thus, you have to handle both cases with MW. It is not allowed to force the subscriber into the tracking-feature. You have to offer both options, if you use user behaviour tracking. I do not know how to implement this with MW?
Here is further information on how ElasticMail implements this feature.

A simple workaround to fix this: Do not use URL/Open Tracking. So you only need one consent checkbox, but you do not get tracking statistics. (It is similar to Google Analytics with anonymizeip: here, too, no additional consent is necessary, because no direct assignment of user and user data is possible.)

An alternative: if it were possible to track the subscribers anonymously (without individual user behaviour tracking) to get only the total numbers of opens, clicks and the percentage figures, then a consent for tracking would not be necessary.

Greetings
 
tracking permission
Simply put a link to your privacy policy on the subscription form with the consent checkbox, which could go to your website, and you should be set. In the priv pol you can then explain all about any other data you gather/process/control re your customers/subscribers/etc.

Google Analytics
Another thing that has to be pointed out, if used, in the priv pol.
 
@Alex7311 - You do not have to ask for special permissions to track the opens and clicks. I advise to consult a lawyer if in doubt, but my understanding is you don't.
 
Simply put a link to your privacy policy on the subscription form with the consent checkbox, which could go to your website, and you should be set. In the priv pol you can then explain all about any other data you gather/process/control re your customers/subscribers/etc.

EU data protection (EUDataP) Article 21
1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions. [...]
2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing
4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
source: https://www.iitr.us/eudatap/21.html

--> This means that the interested subscriber must already be informed of his right to object at the time of registration. To ensure this, the checkbox above is recommended.

EU data protection (EUDataP) Article 7
4) When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
source: https://www.iitr.us/eudatap/7.html

--> This means that it is not absolutely necessary for the fulfillment of the service, in our case the sending of newsletters, to personally record mail openings and link clicks. Therefore, shipping must not be tied to the consent to tracking.
 
@Alex7311 - You do not have to ask for special permissions to track the opens and clicks. I advise to consult a lawyer if in doubt, but my understanding is you don't.

Some e-mail marketing providers have already implemented this. (e.g. ElasticMail) Others do not.

I am not a lawyer. I researched this information on German websites of lawyers and privacy advocates.
I have repeatedly found this information on several websites.
 
@Alex7311 - As I said, consult a lawyer, they know best. You can add additional consent boxes as needed for any permission you require from your customers. Just beware to not end up with an email field and 10 consent boxes asking the user even if he likes commas in their emails ;)
 
(from what I found out, as a non-lawyer)

EU data protection (EUDataP) Article 21
1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions. [...]
2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing
4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
source: https://www.iitr.us/eudatap/21.html

--> This means that the interested subscriber must already be informed of his right to object at the time of registration. To ensure this, the checkbox above is recommended.
# "right to object" = unsubscribe link + request to erase all data, and such options mentioned in the priv pol
# "first communication...right...explicitly...attention...presented clearly...separately" = consent check box

EU data protection (EUDataP) Article 7
4) When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
source: https://www.iitr.us/eudatap/7.html

--> This means that it is not absolutely necessary for the fulfillment of the service, in our case the sending of newsletters, to personally record mail openings and link clicks. Therefore, shipping must not be tied to the consent to tracking.
"assessing...consent...freely given...inter alia...performance of a contract...provision of a service...conditional on consent...not necessary for the performance of that contract" = linked offer
# wrong: 'we give free ebook for your email subscription'
# right: 'we give ebook for your email sub' (since ebook not free and email not free), same for anything else, like webinar, etc
# this is similar to misleading headlines, which are forbidden since a looong time, and that's logical, since they destroy trust
 
Last week, I participated in a 4-hour webinar by a German lawyer who is a privacy expert advising major German email marketing companies.

That was his bulletproof advice on newsletter marketing for "Consent and Approval":

1) Registration form with hint "Please read our Privacy Policy before registering!" plus a link to the Privacy Policy. Checkbox is not necessary.
2) Use double opt-in method; e-mail with confirmation link also contains above hint plus link to the privacy policy.
This email will also be sent via CC to a pop3 mailbox for archiving. This email is the approval of the subscriber's consent. All important data are included in the email (timestamp, email, link to privacy policy, ...)

The pop3 mailbox for archiving approvals is a great idea!

Unfortunately, I do not know how to implement this with MW?
I think this is not possible at the moment!
 
2) Use double opt-in method; e-mail with confirmation link also contains above hint plus link to the privacy policy.
This email will also be sent via CC to a pop3 mailbox for archiving. This email is the approval of the subscriber's consent. All important data are included in the email (timestamp, email, link to privacy policy, ...)
I do not think this is correct. The action is not made by the subscriber. Regardless of the fact you keep this record or not, you still have to ask the subscriber for consent directly, and he must answer by checking a checkbox.
Everything else is nonsense, keep this in mind, the subscriber must give you explicit consent, keyword here is explicit.
 
I do not think this is correct. The action is not made by the subscriber. Regardless of the fact you keep this record or not, you still have to ask the subscriber for consent directly, and he must answer by checking a checkbox.
Everything else is nonsense, keep this in mind, the subscriber must give you explicit consent, keyword here is explicit.
The whole 'consent thing' is for when you buy noodles and the seller wants to use your email address for her regular newsletter (not the noodle receipt by email), then the additional consent is needed (checkbox for marketing) since the noodles were the normal consent (e.g. via order/payment), and the newsletter was the previously (before GDPR) implied consent, which now needs the checkbox for explicit consent.
 