In this article we summarize how and where GDPR affects users of the Emarsys Marketing Platform and its constituent products.
Emarsys is not a law firm specializing in data security legislation, and we do not offer legal advice. We want to help you to understand how this legislation can affect you as an Emarsys customer, and this article assumes that you are using the Emarsys Marketing Platform properly, according to our documentation.
You should always refer to a qualified legal source when it comes to checking whether or not you are compliant in any given situation.
Please do take the time to read through and fully understand our Privacy Policy. This policy is valid not only for you, but also for your customers while you are using the services of Emarsys to engage with them. Make sure the relevant parts of your privacy policy are in sync with ours.
GDPR and the Emarsys Platform
The most important points of GDPR that affect you as an Emarsys user are described here:
To summarize, it is up to you to ensure that:
- You have robust and compliant methods for collecting and storing permission to send marketing content and to track and collect response and behavior data.
- Your Privacy Policy is up to date, covering all your methods for collecting and using data and for delivering messages, and is easily accessible and visible at the point of registration for new contacts.
- Your opt-out methods are as simple as your opt-in methods.
- You can collect and process requests to retrieve or delete customer data.
If you are using Web Extend to track visitors on your website, you should also:
- Explain in your Privacy Policy that you use both personal data and web behavior history to provide personalized content for your customers.
- Describe how a customer can opt out of their data being used in this way.
It is important to note that not much has really changed with GDPR in this regard. It is only that the regulations are more clearly expressed, enforcement is expected to be more strict, and the potential fines are considerably larger.
If you were fully compliant with our best practices for opt-in before, we expect that you were already compliant with most of GDPR before it came into force.
Since we cannot provide advice (or even guidelines) to cover all business cases, we recommend that you seek independent legal advice if you are concerned about how GDPR might otherwise impact your business, for example with regard to opt-in for contacts under the age of 16.
GDPR and Predict
Predict bases all of its functionality on the data provided to it by the Web Extend data collection scripts, which are fully explained in the article:
All methods of delivering personalized recommendations are covered by the general guidelines for GDPR and the Emarsys Platform described above.
GDPR and Smart Insight
Smart Insight bases its functionality on the sales data that you upload to Emarsys. You should make it clear in your Privacy Policy that you share this data securely with a third-party service provider in order to be able to offer a better service to your customers through personalized content.
All other aspects of data management by Smart Insight, including creating segments that can be used to personalize content on Emarsys messaging channels, are covered by the general guidelines for GDPR and the Emarsys Platform described above.
Where Smart Insight uses data provided by the Web Extend data collection scripts, this is fully explained in the article:
GDPR and Web Channel
Web Channel bases all of its functionality on the data provided to it by the Web Extend data collection scripts, which are fully explained in the article:
GDPR and Digital Ads
The only time that Digital Ads passes data from Emarsys to a third party is when we send a list of hashed contact identifiers (currently email addresses or mobile phone numbers) to the networks so that they can search for matches among their own user profiles.
These identifiers are sent as cryptographic hashes rather than in plaintext. The network cannot read an email address or phone number out of a hash; it can only hash the identifiers it already holds for its own user profiles and check which of them produce the same value. A hash for which the network holds no matching profile (i.e. the email address or mobile phone number was never given for any profile) stays an opaque string to it.
The recognized user profiles are then collected into a custom audience by the network.
In other words, no plaintext personal data is passed to a third party. Note that the hashes are still pseudonymous identifiers rather than anonymous data: hashing is deterministic, so a party that can guess a candidate address can check it against the list, and a party already holding the plaintext can resolve a match.
Because of this, there is no legal requirement to obtain explicit opt-in from a contact to use their data in this way. However, you should clearly state in your Privacy Policy that you send hashed identifiers (email addresses and mobile phone numbers) to networks so that they can build custom audiences of your contacts, and that you will target these audiences with adverts. Other than these hashes, no personal data is transmitted. Users of the network can manage their own privacy settings in the network.
See also: Digital Ads FAQ.
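As an added example, not Emarsys code and not any network's published specification, the hashed-matching exchange described above with both sides shown, carried one step further to show why the uploaded hashes count as pseudonymous rather than anonymous data. The normalisation rules and the use of unsalted SHA-256 are assumptions made here (a real network publishes its own rules and both sides must follow them); the contacts and network profiles are constructed sample data.

```python
import hashlib
import re

# --- Normalisation -----------------------------------------------------------
# A hash match only works if both parties hash byte-identical input, so each
# identifier is canonicalised first. The rules below (trim + lowercase for
# email, digits only for phone) are assumptions for this example.

def normalize_email(address: str) -> str:
    return address.strip().lower()

def normalize_phone(number: str) -> str:
    # Digits only: "+1 (415) 555-0123" -> "14155550123"
    return re.sub(r"\D", "", number)

# --- Hashing -----------------------------------------------------------------
def hash_identifier(identifier: str) -> str:
    # Unkeyed, unsalted SHA-256 (an assumption here). It has to be unkeyed:
    # the network can only reproduce the same digest from its own plaintext
    # if no advertiser-side secret takes part in the computation.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

# --- Advertiser side ---------------------------------------------------------
def advertiser_build_upload(contacts):
    """Return the set of hashes that leaves the advertiser; no plaintext does."""
    upload = set()
    for contact in contacts:
        if contact.get("email"):
            upload.add(hash_identifier(normalize_email(contact["email"])))
        if contact.get("phone"):
            upload.add(hash_identifier(normalize_phone(contact["phone"])))
    return upload

# --- Network side ------------------------------------------------------------
def network_match(uploaded_hashes, profiles):
    """Hash the network's own plaintext identifiers and intersect.

    Returns (matched_profile_ids, unmatched_hashes). A hash with no
    corresponding profile stays an opaque string to the network.
    """
    index = {}
    for profile_id, identifier in profiles:
        index.setdefault(hash_identifier(identifier), set()).add(profile_id)
    matched, unmatched = set(), set()
    for digest in uploaded_hashes:
        if digest in index:
            matched |= index[digest]
        else:
            unmatched.add(digest)
    return matched, unmatched

# --- The caveat --------------------------------------------------------------
def dictionary_recover(hashes, candidates):
    """Show why these hashes are pseudonymous, not anonymous.

    The hash is deterministic and unkeyed, so anyone holding a list of
    candidate identifiers (a breach dump, a staff directory) can hash each
    candidate and test membership. Returns {hash: recovered_plaintext}.
    """
    recovered = {}
    for candidate in candidates:
        digest = hash_identifier(candidate)
        if digest in hashes:
            recovered[digest] = candidate
    return recovered

# --- Constructed sample data (not real contacts or profiles) ----------------
CONTACTS = [
    {"email": "Alice@Example.com"},
    {"email": "bob@example.org", "phone": "+1 (415) 555-0123"},
    {"email": "carol@example.net"},
]
NETWORK_PROFILES = [
    ("net:1001", "alice@example.com"),  # matches Alice by email
    ("net:1002", "14155550123"),        # matches Bob by phone
    ("net:1003", "dave@example.com"),   # not in the upload
]

def demo():
    upload = advertiser_build_upload(CONTACTS)
    audience, opaque = network_match(upload, NETWORK_PROFILES)
    return upload, audience, opaque

if __name__ == "__main__":
    upload, audience, opaque = demo()
    print("hashes uploaded:", len(upload))
    print("custom audience:", sorted(audience))
    print("unmatched hashes:", len(opaque))
    print("recovered by guessing:", dictionary_recover(opaque, ["carol@example.net"]))
```

Running `demo()` uploads four hashes, the network resolves two of them into its custom audience, and the remaining two stay opaque to it; `dictionary_recover` then shows that anyone who can guess `carol@example.net` can confirm her presence in the list, which is why the upload should be handled as pseudonymous personal data in your own records even though no plaintext leaves your side.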
Network terms and conditions
By agreeing to the network's terms and conditions, you as an advertiser have guaranteed that you obtained the contact identifiers behind the hashed data lawfully. In turn, the network guarantees that it treats this data in accordance with the law.
For example, Facebook states:
- "You represent and warrant, without limiting anything in these Terms, that you have all necessary rights and permissions and a lawful basis to disclose and use the Hashed Data in compliance with all applicable laws, regulations and industry guidelines."
and
- "You instruct Facebook to use the Hashed Data for the matching process. Facebook will not share the Hashed Data with third parties or other advertisers and will delete the Hashed Data promptly after the match process is complete."
References:
- https://www.facebook.com/legal/terms/customaudience
- https://support.google.com/adwordspolicy/answer/6299717?hl=en
As a user of the network, your contacts have also agreed to terms and conditions which cover the use of display ads. It is up to the network to inform the user how they can change their privacy settings.
Beyond this, we currently (June, 2018) have no reason to believe that the use of Emarsys Digital Ads is prohibited by GDPR.
GDPR and SMS
The major difference with SMS as a channel is that we use a network of global carriers to send the text messages. To that end, we send them the mobile phone numbers of contacts along with the message.
Since these mobile phone numbers are essential to the delivery of the message, and you should have obtained explicit consent for all contacts to receive text messages, SMS is covered by the general guidelines for GDPR and the Emarsys Platform described above.
GDPR and Mobile Engage
It is up to you to ensure that the registration process for downloading and installing your app covers the opt-in to receive messages and links to your Privacy Policy.
You should also use pseudonymized data to identify contacts, as described in:
Since Mobile Engage only transmits content from Emarsys to your app, it is otherwise covered by the general guidelines for GDPR and the Emarsys Platform described above.
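As an added example, not Emarsys or Mobile Engage code, one way to derive a pseudonymous contact identifier that can travel with the app, push tokens and analytics without carrying the email address it stands for: a keyed hash (HMAC-SHA256) whose key stays on your backend. This contrasts with the unkeyed hash an ad network needs for matching, which anyone can recompute. The key, the directory class and the sample addresses are illustrative assumptions; the fixed example key exists only to make the output reproducible.

```python
import hmac
import hashlib
import secrets

def new_key() -> bytes:
    # 256-bit random key. In production it lives in a secrets manager and
    # never leaves your backend; rotating it unlinks every issued pseudonym.
    return secrets.token_bytes(32)

def derive_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier.

    The output is stable for one contact, so the app and your downstream
    systems can refer to the same person consistently, but without `key`
    nobody can recompute it from a guessed email address or reverse it.
    """
    msg = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ContactDirectory:
    """Server-side mapping pseudonym -> contact: the only place plaintext lives."""

    def __init__(self, key: bytes):
        self._key = key
        self._contacts = {}

    def register(self, email: str) -> str:
        pseudonym = derive_pseudonym(email, self._key)
        self._contacts[pseudonym] = email.strip().lower()
        return pseudonym  # this value, not the email, is what the app carries

    def resolve(self, pseudonym: str):
        # Only the key holder can produce valid pseudonyms, so a plain lookup
        # suffices; an attacker cannot forge inputs to probe this table.
        return self._contacts.get(pseudonym)

    def erase(self, email: str) -> bool:
        """Handle a deletion request.

        Once the mapping is gone, copies of the pseudonym still sitting in
        app logs or analytics no longer point to anyone you can name, and
        without the key they cannot be re-linked by guessing addresses.
        """
        pseudonym = derive_pseudonym(email, self._key)
        return self._contacts.pop(pseudonym, None) is not None

# Constructed fixed key so the example is reproducible; use new_key() for real.
EXAMPLE_KEY = b"constructed-example-key-not-for-production-use"

if __name__ == "__main__":
    directory = ContactDirectory(EXAMPLE_KEY)
    token = directory.register("Alice@Example.com")
    print("pseudonym carried by the app:", token)
    print("resolves to:", directory.resolve(token))
    print("erased:", directory.erase("alice@example.com"))
    print("resolves after erasure:", directory.resolve(token))
```

The design point is where the secret sits: a pseudonym that anyone can recompute from a guessed address (an unkeyed hash) is only pseudonymous against parties who lack a candidate list, whereas the HMAC output is unlinkable to everyone who does not hold the key, and the key never needs to be on the device.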
GDPR and Reply Mails
When a contact replies to one of your email campaigns using the reply mail address, their reply also contains personal data and therefore is covered by GDPR.
Data retrieval
If you want to find a reply mail from a specific contact you can manually search through your reply mail inbox or filter it by date. Once you find an email you can open it and copy the contents.
However, the only way that you can export all reply mails from a single contact, or check how many there are (e.g. if your inbox is simply too large to search through) is via a support request to Emarsys.
Data deletion
Emarsys reply mails are automatically deleted after 30 days, which falls within the one-month period GDPR allows for responding to a deletion request. Therefore you do not need to take any action for requests like this other than confirming that the deletion will take place.
GDPR and Emails
When a contact opens an email with images enabled, one of the images downloaded is a tracking pixel, which is used to collect data about the contact. The user-specific information recorded is the following:
- IP address
- User agent information (Browser, Mobile, etc.)
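An added example, not Emarsys code, of what a tracking-pixel endpoint actually receives for the two items listed above, together with the check a practitioner should add before trusting the recorded IP address: an X-Forwarded-For header is only meaningful when the direct peer is a proxy you operate, otherwise it is attacker-controlled. The URL scheme `/o/<token>.gif`, the event record and the sample requests are assumptions constructed for the example; the GIF bytes are the standard 1x1 transparent image.

```python
import base64
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Standard 1x1 transparent GIF (42 bytes): this is the whole "image".
PIXEL_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
)

@dataclass
class OpenEvent:
    message_token: str   # opaque per-recipient token embedded in the pixel URL
    client_ip: str
    user_agent: str
    observed_at: str

def client_ip(remote_addr, headers, trusted_proxies):
    """Decide which IP address to record.

    X-Forwarded-For is whatever the client sent unless a proxy you control
    rewrote it, so it is honoured only when the direct peer is one of your
    own proxies. Otherwise the TCP peer address is used.
    """
    forwarded = headers.get("x-forwarded-for")
    if forwarded and remote_addr in trusted_proxies:
        first_hop = forwarded.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first_hop))
        except ValueError:
            pass  # garbage in the header: fall back to the peer address
    return remote_addr

def handle_pixel_request(path, remote_addr, headers, trusted_proxies=frozenset()):
    """Serve GET /o/<token>.gif and return (OpenEvent or None, status, body).

    The token ties the request to one recipient; the request itself supplies
    the two items the page lists, the IP address and the User-Agent string.
    """
    if not (path.startswith("/o/") and path.endswith(".gif")):
        return None, 404, b""
    token = path[len("/o/"):-len(".gif")]
    if not token:
        return None, 404, b""
    headers = {k.lower(): v for k, v in headers.items()}
    event = OpenEvent(
        message_token=token,
        client_ip=client_ip(remote_addr, headers, trusted_proxies),
        user_agent=headers.get("user-agent", ""),
        observed_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )
    return event, 200, PIXEL_GIF

if __name__ == "__main__":
    # Constructed request: the peer is not a trusted proxy, so the spoofed
    # X-Forwarded-For value is ignored and the peer address is recorded.
    event, status, body = handle_pixel_request(
        "/o/tok123.gif", "203.0.113.9",
        {"User-Agent": "Mozilla/5.0 (iPhone)", "X-Forwarded-For": "198.51.100.7"},
    )
    print(status, len(body), "bytes;", event)
```

Everything in the event comes from the client or its proxy chain; the token is the only field you control. The trusted-proxy check keeps the recorded IP honest, and the retention of these events is what the privacy policy wording below has to cover.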
As your customers become data subjects through signing up for your newsletter, please make sure that they understand your privacy policy. We, as Emarsys, have this wording contained in our Privacy Policy:
"We analyze your user behavior in connection with the newsletter. For this analysis the emails sent contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. For analysis purposes we link your personal data and the web beacons to your email address and an individual ID. Links received in the newsletter also include this ID. We use these data to create a user profile in order to tailor the newsletter to your personal interests. We track when you read our newsletters and which links you click in them, and we infer your personal interests from this information. We link this information to actions you take on our website. This processing is based on our legitimate interests (Art. 6 (1) lit. f GDPR) in order to provide you with a better usage experience."