Introduction to GDPR
Please Note: Nothing contained herein is intended to be or constitutes legal advice. Please consult your legal team for any legal advice.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a European Union regulation that governs how companies must handle data about contacts who reside in the EU or were located in the EU. GDPR went into effect on May 25, 2018, replacing the existing data protection framework under the EU Data Protection Directive.
What does GDPR protect?
GDPR allows for your contacts in the EU to withdraw their consent for you to store their personal data.
Examples of personal data that may be stored about contacts include:
Names
ID numbers
Locations
Online identifiers, like Internet Protocol (IP) numbers and addresses
Cultural and economic classifications
Data Protection Principles
There are six key principles about data protection.
Lawfulness, Fairness, and Transparency: Information about how data is being used must be legal, fair, and clear.
Purposeful Limitation: When collecting data, the purpose of collecting this data must be stated clearly. Once the data is collected it can only be used in the ways that were specified during collection.
Data Minimization: Those in your organization who have access to data should only view data that is relevant to their current task.
Accuracy: Data collected should be accurate and kept up to date. If data is no longer up to date it should be removed.
Storage Limitation: Data that is no longer needed should be removed. Developing a data retention process can help ensure you are removing data that is no longer needed or relevant.
Integrity and Confidentiality: Data should be kept and maintained securely. This includes employing techniques such as encryption as well as making sure that it is only accessible to those who would need it to do their jobs.
Data Breaches
If you discover that the personal data of your contacts in the EU has been breached, you are required to report it to regulators within 72 hours of discovering the breach. When reporting the breach to regulators, include what data was breached, how many contacts may be affected, possible consequences of the data breach, what actions you have taken, and contact information for the Data Protection Officer in your organization.
Contacts' Privacy Rights
Contacts in the EU have the following rights:
Right to be informed
Right of access
Right of rectification
Right to erasure or deletion, or Right to be forgotten
Right to restrict processing
Right to data portability
Right to object
Data Protection Officers
A Data Protection Officer is a specially appointed employee within a company who is responsible for maintaining processes and resources related to GDPR. Data Protection Officers are in charge of the regulations as well as contacting regulators in the event of a breach.
What is Listrak's Role Under GDPR?
Listrak is a Processor, which is an entity that processes personal information (PI) on behalf of a business, or Controller, and to which the business discloses a consumer’s PI for a business purpose pursuant to a written contract. The Processor shall not retain, use or disclose the PI for any purpose other than for the specific purpose of performing services specified in the contract.
As a Processor, Listrak collects and processes PI pursuant to the contract(s) between us and our clients. Accordingly, Listrak has no direct relationship with any consumers whose PI may be processed through our Services. Listrak is only able to process data as directed by the Controller, therefore Listrak must deny any requests received from consumers while acting as a Processor. The consumer will be directed to submit the request directly to the Listrak client. Listrak will also notify the applicable Listrak client about such requests and denials.
Privacy Rights
Right to Know
The right to know involves contacts' right to know what data a company collects.
The right to know includes:
The right to know who will contact them
The right to know if data is being shared
What types of data are being processed
This information should easily be accessible in your company's Privacy Policy. Consult your legal team if you have questions about your company's Privacy Policy compliance with GDPR.
Right to Access
The Right to Access includes:
Acknowledgement of whether data is being collected or not
A copy of the data collected
If you receive a request from a contact for access to his/her data, you can email [email protected] to request the data regarding such contact within Listrak's application.
Right to Rectification
The right to rectification provides contacts with the opportunity to correct data if they believe it is incorrect.
Right to Erasure, or the Right to be Forgotten
The Right to Erasure, or the Right to be Forgotten, allows contacts to request a company remove their data from its database.
If you receive a request from a contact to remove his/her data, you can email [email protected] to request removal of the data within Listrak's application. Listrak will anonymize data that is used in reporting, such as conversions, and Listrak will delete the personal data from the Listrak application.
Right to Restrict Processing
The right to restrict processing allows contacts to request that a company not do something specific with their data.
Right to Data Portability
The right to data portability gives contacts the right to obtain the data that your company holds and provide that data to another company. If you receive a request from a contact for access to his/her data, you can email [email protected] to request the data regarding such contact within Listrak's application and Listrak will provide the data in an appropriate format.
Right to Object
The right to object allows contacts to object to using their data for direct marketing. If a contact objects to receiving direct marketing you must ensure he/she no longer receives marketing content, but you are not required to remove his/her personal data.
Acquiring Consent
Elements of Consent
There are five (5) qualifications that must be met if you collect contacts' data:
Freely given: You cannot pressure contacts into providing consent to collect their data
Specific: If data is processed using multiple methods, you must inform contacts of the methods being used
Informed: You must provide contacts with information about what they are consenting to, such as receiving marketing messages
Unambiguous: The language used to collect consent must be clear and simple to understand
Clear affirmative action: Contacts must do or say something in order to give consent, such as checking a box on a web form
Examples of collecting consent include: a banner informing contacts that your site uses cookies and provides an opportunity to block cookies, or the ability to check a box on a web form confirming a contact wishes to sign up for marketing messages.
Turning Off Data Processing for Opted-Out Contacts
Disabling Collection of Information
If a contact declines to have his/her data collected and used in this way, Listrak allows you to turn off data processing. Disabling data processing may change how some Listrak solutions function.
The data processing code consists of two different lines of code that can be added to your Listrak integration.
_ltk.Session.setPersonalizedStatus(true)
_ltk.Session.setPersonalizedStatus(false)
The data processing call is set to true (ability to process data) by default, but if a contact opts out of data processing, send the updated data processing call with the false value (stop data processing) to Listrak. A false value is stored in a cookie for the contact and will stop data processing for any additional page visits.
💡 If a contact clears his/her cookies, visits your website from another device, or uses an incognito mode, the cookie will not be present, and he/she would need to re-opt out of data processing.
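One way to wire a consent choice to the data processing call, as an added example that is not Listrak's code. It assumes your site keeps its own consent record (the `dataProcessing` field and both function names are hypothetical) and that the integration object may load after your consent code runs. It re-sends a recorded opt-out on every page load and never sends a default true that could overwrite a stored false value.

```javascript
// Added example, not Listrak code. Only _ltk.Session.setPersonalizedStatus()
// comes from the page; every other name below is hypothetical.

// Map the site's own consent record to the value to send:
//   'opted_out' -> false, 'opted_in' -> true (explicit reversal),
//   anything else -> null (send nothing, so a false value already stored in
//   the contact's cookie is never overwritten by a default true).
function decideStatus(consent) {
  const choice = consent ? consent.dataProcessing : undefined;
  if (choice === 'opted_out') return false;
  if (choice === 'opted_in') return true;
  return null;
}

// Send the recorded choice once the integration object exists.
// getLtk returns the _ltk object, or undefined while it has not loaded.
function applyProcessingConsent(getLtk, consent, opts = {}) {
  const { attempts = 20, delayMs = 250, schedule = setTimeout,
          onResult = () => {} } = opts;
  const status = decideStatus(consent);
  if (status === null) {
    onResult({ sent: false, reason: 'no-recorded-choice' });
    return;
  }
  let left = attempts;
  const tryOnce = () => {
    const ltk = getLtk();
    if (ltk && ltk.Session &&
        typeof ltk.Session.setPersonalizedStatus === 'function') {
      ltk.Session.setPersonalizedStatus(status);
      onResult({ sent: true, status });
      return;
    }
    left -= 1;
    if (left <= 0) {
      // Surface the failure so an opt-out is not silently dropped.
      onResult({ sent: false, status, reason: 'integration-not-loaded' });
      return;
    }
    schedule(tryOnce, delayMs);
  };
  tryOnce();
}

// Browser usage, run on every page load with the stored consent record:
// applyProcessingConsent(() => window._ltk, { dataProcessing: 'opted_out' },
//   { onResult: (r) => { if (!r.sent) console.warn('opt-out not applied', r); } });
```

If the consent record is tied to a logged-in account, this also covers the new-device case described above, because the opt-out is re-sent before any cookie exists on that device.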
How Disabling Collection Impacts Listrak Solutions
Disabling Listrak Data Collection may impact solutions that collect data from customers and contacts to provide personalized and relevant content. Learn more about how Listrak solutions can be impacted when data collection is turned off.
Orders and Conversions
Orders and conversions are collected on the Listrak website when customers place an order. When data collection is turned off conversions will not be sent to Listrak.
💡 If you send conversions to Listrak via your ecommerce platform or Orders flat files these orders will still be reflected in Listrak.
Pop Ups
The Listrak Pop Up collects a contact's email address, and can collect additional data, when a contact comes to the website. Visitors to the website will still be able to subscribe via the Pop Up if data processing is turned off.
To prevent EU contacts from receiving the Pop Up:
Add additional data collection to a Pop Up to identify EU contacts
Give contacts the opportunity to opt out of data processing by delaying the Pop Up and then only display it to contacts who have not opted out
Preference Center
The Preference Center allows a contact to provide additional information, such as interests, to personalize emails. Preference Centers are not impacted when a contact turns off data processing.
Abandonment Solutions: Page Browse, Product Browse, and Cart Abandonment
Listrak's Abandonment solutions use information from the Listrak Integration as well as cookies to collect information about what site visitors are browsing, abandoning, and purchasing.
When data processing is turned off:
Cart, browse, and purchase information is not collected about a contact. These contacts will not be entered into any abandonment automated campaigns.
If a contact disables their data processing mid-session, no new data will be collected. Data that was collected previously can still be used to trigger automated campaigns and personalize content.
If a contact was entered into an abandonment campaign prior to disabling their data collection they will continue to receive messages from these campaigns.
Predictive Content
Listrak's Predictive Content solution uses information from the Listrak Integration as well as cookies to collect information about what site visitors are browsing, abandoning, and purchasing. This data can then be used to provide relevant content from your website in an email.
When data processing is turned off:
Cart, browse, and purchase information is not collected about a contact.
If a contact disables their data processing mid-session, no new data will be collected. Data that was collected previously can still be used to personalize content.
Product Recommendations
Product Recommendations in both email and on-site use information about what a contact is browsing, abandoning, or purchasing. Data can be used to display relevant products on your website or in emails.
When data processing is turned off:
Cart, browse, and purchase information is not collected about a contact.
If a contact disables their data processing mid-session, no new data will be collected.
Data that was collected previously can still be used to personalize content.
Some on-site product recommendations can use the information about a contact's location on the site (e.g., the SKU of the product) to still personalize information.
Contacts will still receive product recommendations in email and on-site, but these will not be based on personalized activity.
Listrak Exchange
Listrak Exchange allows you to target your subscribed contacts on social sites, such as Facebook and Google, or target contacts who look similar to your subscribed contacts. These look-a-like audiences can be targeted via lead ads, which prompt look-a-like contacts to subscribe to your marketing programs.
When data processing is turned off:
Listrak Exchange is not impacted by data processing.
Some audiences targeted by Listrak Exchange, such as contacts who abandoned a cart, may be impacted if data is not collected.
Lead Ads are only available to target US contacts.
SMS
Listrak's SMS program allows contacts to opt into marketing SMS programs, transactional messages, or other provisioned campaigns. SMS campaigns are only available to US or Canadian subscribers. Disabling data processing will not impact SMS campaigns.
Implicit Product Alerts
Implicit Product Alerts, such as Back-In-Stock, automatically sign users up for these campaigns if they are identifiable on your website via email address, based on the products visitors have browsed.
When data processing is turned off:
Product Browse information is not collected about a contact. These contacts will not be entered into any product alert automated campaigns.
If a contact disables their data processing mid-session, no new data will be collected. Data that was collected previously can still be used to trigger automated campaigns.
If a contact was entered into a product alert campaign prior to disabling their data collection they will continue to receive messages from these campaigns.
Explicit Product Browse Alerts
Explicit product browse alerts collect information about the products that a contact has browsed. Contacts must specifically sign up for notifications, such as when a product is back in stock, in order to receive emails.
If data processing is disabled contacts can still receive these campaigns because they are explicitly opting in to these messages.
Replenishment
The Replenishment solution uses order history data to calculate the average time between reordering products. Customers will receive emails as they approach that average time between reorders.
When data processing is turned off:
A customer's order data is not processed and not factored into the average reorder time.
A customer will not be eligible to receive Replenishment messages.
If you are sending orders via your ecommerce platform or Order flat files order data will be used to calculate average reorder time.
If you are sending order information with a customer's email address, they can still be entered into the Replenishment campaign.
Advanced Retail Segmentation
Advanced Retail Segmentation uses order data to build a profile for a customer, such as average reorder cadence.
When data processing is turned off:
A customer's order data is not processed and not used to build a profile of a contact.
If you are sending orders via your ecommerce platform or Order flat files, order data will be used to calculate average reorder time.
Advanced Browse Segmentation
Advanced Browse Segmentation collects information about the products contacts are browsing, such as SKU or product category, to build a profile of a contact.
When data processing is turned off:
A customer's browsed data is not processed and not used to build the contact's profile.
Unsubscribing Contacts
Using Listrak's Unsubscribe tool in the List Import Wizard will unsubscribe a contact from the list you are currently viewing. Unsubscribing a contact can remove their profile data by using the Unsubscribe and Delete Personal Data option. Other data collected about a customer, such as order information, will not be removed using the Unsubscribe option of the List Import Wizard. You can learn more about the ways to subscribe or unsubscribe contacts in the Import List Wizard.
To remove all data associated with a contact, email [email protected]. Data about a customer's order will be anonymized in reporting and when calculating data for averages and trends.