In this article we summarize how and where GDPR affects users of the Emarsys Marketing Platform and its constituent products.
Emarsys is not a law firm specializing in data security legislation, and we do not offer legal advice. We want to help you to understand how this legislation can affect you as an Emarsys customer, and this article assumes that you are using the Emarsys Marketing Platform properly, according to our documentation.
You should always refer to a qualified legal source when it comes to checking whether or not you are compliant in any given situation.
GDPR and the Emarsys Platform
The most important points of GDPR that affect you as an Emarsys user are described here:
To summarize, it is up to you to ensure that:
- You have robust and compliant methods for collecting and storing permission to send marketing content and to track and collect response and behavior data.
- Your opt-out methods are as simple as your opt-in methods.
- You can collect and process requests to retrieve or delete customer data.
If you are using Web Extend to track visitors on your website, you should also:
- Describe how a customer can opt out of their data being used in this way.
It is important to note that not much has really changed with GDPR in this regard. It is only that the regulations are more clearly expressed, enforcement is expected to be more strict, and the potential fines are considerably larger.
If you were fully compliant with our best practices for opt-in before, we expect that you were already compliant with most of GDPR before it came into force.
Since we cannot provide advice (or even guidelines) to cover all business cases, we recommend that you seek independent legal advice if you are concerned about how GDPR might otherwise impact your business, for example with regard to opt-in for contacts under the age of 16.
GDPR and Predict
Predict bases all of its functionality on the data provided to it by the Web Extend data collection scripts, which are fully explained in the article:
All methods of delivering personalized recommendations are covered by the general guidelines for GDPR and the Emarsys Platform described above.
GDPR and Smart Insight
All other aspects of data management by Smart Insight, including creating segments that can be used to personalize content on Emarsys messaging channels, are covered by the general guidelines for GDPR and the Emarsys Platform described above.
In the case of data provided to it by the Web Extend data collection scripts, this is fully explained in the article:
GDPR and Web Channel
Web Channel bases all of its functionality on the data provided to it by the Web Extend data collection scripts, which are fully explained in the article:
GDPR and CRM Ads
The only time that CRM Ads passes data from Emarsys to a third party is when we send a list of hashed contact identifiers (currently email addresses or mobile phone numbers) to the networks so that they can search for matches among their own user profiles.
These email addresses are sent as cryptographic hashes. Not only are they secure while in transit, but the network receiving them can only use them to identify user profiles for which this data already exists. If this data does not exist (i.e. the email address or mobile phone number have not been given for a profile ), it cannot be uncovered.
The recognized user profiles are then collected into a custom audience by the network.
In other words, no personal data (PII) is passed to a third party.
See also: CRM Ads - FAQ.
Network terms and conditions
As an advertiser, you have guaranteed to the network that you obtained the contact identifiers used in the hashed data lawfully when you agreed to their terms and conditions. At the same time, the network guarantees that they treat this data in accordance with the law.
For example, Facebook states:
- "You represent and warrant, without limiting anything in these Terms, that you have all necessary rights and permissions and a lawful basis to disclose and use the Hashed Data in compliance with all applicable laws, regulations and industry guidelines. "
- "You instruct Facebook to use the Hashed Data for the matching process. Facebook will not share the Hashed Data with third parties or other advertisers and will delete the Hashed Data promptly after the match process is complete. "
As a user of the network, your contacts have also agreed to terms and conditions which cover the use of display ads. It is up to the network to inform the user how they can change their privacy settings.
Beyond this, we currently (June, 2018) have no reason to believe that the use of Emarsys CRM Ads is prohibited by GDPR.
GDPR and SMS
The major difference with SMS as a channel is that we use a network of global carriers to send the text messages. To that end, we send them the mobile phone numbers of contacts along with the message.
Since these mobile phone numbers are essential to the delivery of the message, and you should have obtained explicit consent for all contacts to receive text messages, SMS is covered by the general guidelines for GDPR and the Emarsys Platform described above.
GDPR and Mobile Engage
You should also use pseudonymized data to identify contacts, as described in:
Since Mobile Engage only transmits content from Emarsys to your app, it is otherwise covered by the general guidelines for GDPR and the Emarsys Platform described above.
GDPR and Reply Mails
When a contact replies to one of your email campaigns using the reply mail address, their reply also contains personal data and therefore is covered by GDPR.
If you want to find a reply mail from a specific contact you can manually search through your reply mail inbox or filter it by date. Once you find an email you can open it and copy the contents.
However, the only way that you can export all reply mails from a single contact, or check how many there are (e.g. if your inbox is simply too large to search through) is via a support request to Emarsys.
Emarsys reply mails are automatically deleted after 30 days, which is the window permitted by GDPR to delete personal data. Therefore you do not need to take any action for requests like this other than confirm that is will take place.