You might not wake up each morning thinking about data privacy and security but, like it or not, Facebook’s recent move makes it an issue you can’t dismiss. Long before Mark Zuckerberg sat before congress in the face of the Cambridge Analytica scandal, explaining how Facebook uses personal data, the European Union started getting especially serious about data protection and privacy.
And so, on May 25 2018, the EU’s General Data Protection Regulation (GDPR) goes into effect.
In a nutshell, the GDPR legislation gives everyone in the EU greater privacy rights, and introduces new rules for marketers and software providers to follow when it comes to collecting, tracking, or handling EU-based prospects’ and customers’ personal data.
Moreover, the GDPR applies to anyone who processes or stores data of those in the EU (i.e. you don’t need to be physically located in Europe for this to apply to your business and can incur fines up to 4% of your annual global turnover or €20 million [whichever is greater] for non-compliance).
But Beyond Potential Fines, Here’s Why You Need to Care
On Tuesday April 3rd, Zuckerberg said that Facebook had no plans to extend the GDPR regulations globally to all Facebook users. But, fast-forward a few weeks later and Facebook completely changed its tune, now planning to extend Europe’s GDPR standards worldwide.
This move sets a precedent, showing all of us that no matter where we are in the world, personal data and privacy laws aren’t optional. Compliance is table stakes.
If you’re located in Europe, process lead and customer data from Europe — or just happen to believe in high standards for data privacy and security, this post will help you navigate:
- What Unbounce has done to become GDPR compliant, and
- Some of what you need to do to make sure your landing pages, sticky bars, and popups adhere to the new rules.
Note: This post isn’t the be-all-and-end-all on EU data privacy, nor is it legal advice. It’s meant to provide background information and help you better understand how you can use Unbounce in a GDPR compliant way.
Data Protection by Default for You and Your Customers
For several months now, Unbounce has been investing heavily in the necessary changes to be GDPR compliant as a conversion platform. We believe that to build trust and confidence with your customers, you need to make their privacy your priority.
As of the day of GDPR enforcement, you can be sure we’ve got your back when it comes to processing and storing your data within Unbounce, and giving you the tools you need to run compliant campaigns.
To see exactly what Unbounce has been doing, why it matters and where we’re at in development, check out our GDPR FAQ page.
But while we’re a GDPR compliant platform with privacy and security safeguards built into our business practices and throughout our platform, this is only part of the equation. There are still a few things you are responsible for to use Unbounce in a compliant way, including:
- Obtaining consent from your visitors (lawful basis of processing)
- Linking to your privacy policy (informing visitors of your data protection policies)
- Deleting personal data if requested (right to erasure)
- Encrypting lead data at transit and in rest (using SSL) and
- Signing a data processing addendum (DPA) with Unbounce
Here’s what you’re gonna want to watch for as you build landing pages, popups, and sticky bars.
Obtaining Consent From Your Visitors
Before collecting someone’s data the GDPR states you must first have a legal basis to do so. There are six lawful bases of processing under the GDPR, but if you’re a digital marketer, your use case will most likely fall into one of the following three:
- Consent (i.e. opt-in)
- Performance of a contract (eg. sending an invoice to a customer)
- “Legitimate interest” (eg. Someone is an existing customer and you want to send them information related to a product or service they already have.)
If you are using Unbounce for lead gen, then you must gather consent via opt-in to collect, use, or store someone’s data. When building your landing pages in Unbounce, you can easily add an opt-in field to your forms with the Unbounce form builder:
Keep in mind: Your visitors must actively check your opt-in box to give consent. Pre-checked checkboxes are not a valid form of consent.
Related But Different: Cookies And The ePrivacy Regulation
In many posts you’ll see Europe’s ePrivacy regulations tied in with GDPR, but they are, in fact, two separate things. While the GDPR regulates the general use and management of personal data, cookie use is core to the ePrivacy regulation (which is why you’ll sometimes see it called the “cookie law”). ePrivacy regulations are still in the works, but it’s certain they will be about visitor consent to cookies on your site.
We know the ePrivacy directive requires “prior informed consent” to store or access information on your visitors’ device. In other words, you must ask visitors if they consent to the use of cookies before you start to use them.
Last year Unbounce launched sticky bars (a discreet, mobile-friendly way to get more conversions), but they do double duty as a cookie bar, notifying your visitors about cookies.
You can design and publish a cookie bar using Unbounce’s built-in template, as shown below, embed the code across all of your landing pages using script manager, then promptly publish to every landing page you build in Unbounce. You can even have it appear all across your website.
Informing Visitors of Your Data Protection Policies
It’s not enough to just obtain consent, the GDPR also requires you to inform your customers and prospects what they are consenting to. This means that you need to provide easy access to your privacy and data protection policies (something Google AdWords has required for ages).
Sharing your privacy and data protection policies easily and transparently can help you earn the trust and confidence of your web visitors. Every visitor may not read through it with a fine tooth comb, but in a web littered with sketchy marketing practices, sharing your policies shows that you’re legit and that you have nothing to hide.
In the Unbounce landing page builder you can have any image, button or text link on your page open in a popup lightbox window. This means that you can link to the privacy policy already hosted on your website in a popup window on-click, and still keep visitors on your page to boost engagement and conversion rates.
This is a great example of how doing right by your customers can also help you achieve your business goals.
Here you can see a button being added to an Unbounce page linking through to a privacy policy. Something you need to do going forward to be compliant.
The Right To Be Forgotten
At any point in time a customer or lead whose data you have collected can request that you erase any of their personal data you have stored. There are several grounds under which someone can make this request and the GDPR requires that you do so without “undue delay”.
As an Unbounce customer, simply submit an email request to our support team who will ensure that all information for a specific lead or a group of leads are deleted from our database.
As part of our ongoing commitment to supporting data privacy and security, we are inspecting alternate solutions to deletion requests, but you can rest assured that even as of today, we will fulfill deletion requests within the time limit enforced by the GDPR.
Preventing Unauthorized Access to Data
Unbounce has supported SSL encryption on landing pages for years, and we’re proud that we made this a priority for our customers before Google started calling out non-https pages as not secure and giving preferential treatment to secure pages.
Presently Unbounce customers can already adhere to the GDPR requirement to process all data securely.
When you build and publish your landing pages with Unbounce, you can force your web visitors to the secure (https) version of your pages, even if they accidentally navigate to the unsecure (http) version.
In the upper right corner you can toggle to force visitors to the secure HTTPS version of your page.
This forced redirect will ensure proper encryption of your visitor lead data in transit and at rest. And as an added bonus, it’ll keep you in Google’s good books and prevent ‘not secure’ warnings in Google Chrome.
Signing a Data Protection Addendum (DPA) With Unbounce
According to the GDPR, when you collect lead information with Unbounce, you are the data controller while Unbounce serves as your data processor. To comply with GDPR regulation when using a tool like a landing page builder or conversion platform, you need a signed DPA between you (the data controller) and the service provider (your data processor).
Without getting too deep into the weeds on this one, let me just say that if you’re using Unbounce, we’ve got you covered and that you can complete a form on our GDPR overview page to get your DPA by email.
Privacy = Trust = Great Marketing
At Unbounce we view data privacy and security as two cornerstones of great marketing. At their core they are about a positive user experience and can help make the internet a better place.
The GDPR puts more control in the hands of users to determine how their information is used. No one wants their personal data falling into the wrong hands or being used in malicious or intrusive ways. Confidence and trust in your brand is at stake when it comes to privacy, so we aren’t taking any chances. Using Unbounce as your conversion platform, you can assure your customers that you take their privacy and data security seriously.
Increased regulation around data privacy may provide short term challenges for marketers as we establish new norms, but long term they can provide a more positive experience for users — something we should always strive for as marketers.