Unless you have been living under a rock, you'll be well aware of the advent of the European Union's General Data Protection Regulation (GDPR) on 25th May 2018.
Our DPA is pre-signed and you can download this and fill it out yourself for your own record keeping. You can find out more by reading the Data processing, privacy and your data rights section of our Terms & Conditions.
Here I'd like to explain how the GDPR affects you as a customer, the relationship between you, us and your tracked users, and the changes we have made to make FunnelFlux (and its tracking) extremely compliant.
The low down on GDPR roles
There are a lot of terms thrown around in GDPR and it can be confusing to know who is doing what and who is responsible for what.
To put it very simply... there are controllers and processors. Controllers collect data and determine how they might process it, processors may process the data on behalf of a controller (and don't necessarily collect the data themselves. A data owner/subject is then the person the data comes from or is about.
FunnelFlux (the company) and You - in this relationship we are a Data Controller as we collect your personal data as part of visiting our site, using our product, and generally being our customer. At the same time, we process this data in various ways, and do so through other platforms, which would be Data Processors (or our subprocessors).
We are compelled by GDPR to protect your data, keep records of our processing, ensure data is not transferred in the future to third-parties without consent (or declaration in our T&C/DPA), and so on. The basic stuff.
In our basic relationship with you, you are a data subject/owner, so have rights to know how your data is being used, update it, ask to be deleted, etc.
FunnelFlux Software and You - lets now look at your usage of FunnelFlux. In this case, you become the Data Controller as you control the collection of data and decide how to process it. As your software provider we are a subprocessor.
FunnelFlux may be hosted on your own server, but in the case of the managed version, we are definitely a Data Processor who supplies software/systems to help you process the data.
One important note - when you provide support access for us to help you fix issues, troubleshoot etc., this could potentially constitute a data breach if you have sensitive personal data of users stored in your system, and if you have no consent/agreement with the data subjects.
Note our DPA contains some text aorund this access and that we agree to make it secure, not transfer/download data without consent, train staff, etc.
You and people you track - when it comes to tracking people there are two main issues to keep in mind, cookies and collection/storage of personally identifiable data.
Technically you need to ask for consent to use FunnelFlux cookies although if your page links depend on the system and cookies, you could argue these are mandatory. We have made updates (below) to help address this caveat of tracking systems.
On the other hand, you do need to be careful with storing personal data like email, name, etc. which you could pass to FunnelFlux in the URL of links or using the API.
This is a more serious issue than cookies and is something you should definitely be weary of when capturing user data, as it would be in beach of GDPR to store this (in the case of EU individuals) without consent.
Changes we have made to FunnelFlux
Now, the good stuff.
FunnelFlux wants to make "compliance by default" as true as possible and create a system that lets you track effectively without needing to ask for consent or cripple your analytics endeavors.
To this end we have made some changes to the way we store your data in the software, have added features to assist with compliance with subject data rights, and are working to make cookies a requirement of the past.
Here's a quick bullet point list of our compliance-related changes:
- We have added IP anonymisation so that all IP's by default have the D-class (last digits) anonymised. This is skipped for IPs we believe are from datacentres so that you can still use traffic filters fine, and you can turn off this anonymisation at the funnel level. Keep in mind that then constitutes collecting personal data with your tracking codes and may make it subject to consent.
- We have updated our reset stats feature to let you remove data for a specific Visitor ID. You can use reporting to find the Visitor ID associated with some information, then delete all related hits/visits.
- Our JS tracking no longer returns visitor IP in the response
- Our JS tracking now supports a no cookies mode where you can track completely without needing cookies but appending a
flux_session=sessionIDparam to links and URLs
More information on the JS updates will be added shortly and linked from here.
So what do these changes mean?
Basically, by using our tracking by default you will not be collecting personally identifiable information on users. IP unfortunately falls into this category hence the anonymisation (Google Analytics has had this for a long time for example).
Additionally, you can reconfigure your tracking approaches to avoid cookies entirely, something that very few trackers will be able to do, and this lets you avoid having to ask for consent to have your tracking work. Awesome!
Keep in mind that if you log personal info like name, email etc. then all of the above is a irrelevant as you would be directly collecting personal information that EU data subjects should provide explicit consent for.
Overall, we don't think you have to worry too much about GDPR compliance if all you are doing is basic advertising campaigns and tracking of visits, controlling user flow and so on.
GDPR is really about protection of private, personal data, which includes things like profiling of site visiting activities (hence the scrutiny on cookies).
With our cookie-less tracking you will be able to focus on consent requirements in other areas and let FunnelFlux track basic site visits and anonymous data without interruption.
Of course, if you collect and store personal data, be more careful and look at employing consent mechanisms.
The most likely example of this will be email opt-ins. For these, either add checkboxes to landers that ask for explicit consent when opting in, or use DOI where the confirmation email explains what you'll use their email for and what you may mail them, and be particularly careful if you mail out about other products/services or share that users email with other senders (a no-go for sure under GDPR without consent).
ActiveCampaign has a convenient guide on GDPR here.
Note that you also only have to do this for EU individuals. Technically it can be difficult to assess if someone is an EU individual, but you could always have "I am an EU resident" as an optional checkbox, and you can use FunnelFlux to discern if they are from an EU country and accordingly send to a different page, or just have JS on your page control whether or not a form includes other elements, changes the opt in process and so on.
We haven't added it yet, but our JS will soon return country and other data in the response so that you can consume and use this on your page.
That's all our advice for now, no doubt we'll see how GDPR affects the marketing, tracking and analytics industry in the months to come!