Compliance with GDPR
The EU recently approved the General Data Protection Regulation (GDPR), and enforcement begins on May 25, 2018. This regulation will affect ConvertKit Customers and Subscribers, so we are currently auditing all of our processes to make sure we are compliant on or before the deadline.
What is the GDPR?
From the official website:
"[The GDPR] was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy."
In short, it will streamline data privacy across the EU and put in place new privacy protections for EU citizens. We are officially a Certified Privacy Shield Member, which is an agreement that allows certified US companies to transfer data in and out of the EU/EEA and Switzerland.
What is Privacy Shield?
Privacy Shield is an agreement between the EU, Swiss, and US governments that allows US companies to comply with EU and Swiss data regulations.
Privacy Shield was created specifically for US companies, and its regulations and requirements may differ from those that apply to a company operating in the EU.
We are working toward our Privacy Shield certification, and once we have it, we will have what is considered "adequate privacy protection for the transfer of personal data outside of the EU and Switzerland".
Will I be affected?
Likely, yes. If you currently reside in the EU, or have subscribers who reside in the EU, you need to be GDPR-compliant. We are taking care of what we need to on our end, and we strongly recommend that you familiarize yourself with the regulation to make sure you are taking all necessary steps as well!
What we have done to get compliant:
We are already compliant in many areas:
- We are Privacy Shield Certified
- You may close your ConvertKit account at any time and request that we remove all of your associated information and data, and we will delete it in its entirety
- You may opt-out of our marketing emails and product updates at any time by clicking "unsubscribe" or by sending an email to firstname.lastname@example.org
- You may access and update your ConvertKit account settings at any time, or send us an email at any time requesting we update that information
- You own your list--you can export your subscribers at any time, as long as you are compliant with our terms of service
And we also have measures in place to protect your subscribers' privacy:
- You may delete subscribers at any time at their request, or we may honor their request to be removed from your list or any list if we are contacted by them directly
- You may access and update your Subscribers' data at any time
- We automatically provide an unsubscribe link at the bottom of each email sent from ConvertKit, allowing them to opt out at any time. Additionally, we'd encourage you to use custom unsubscribe links to allow Subscribers to update their preferences
New ConvertKit features to help customers comply with GDPR
Find your EU subscribers, establish explicit consent, and comply with the GDPR
- Find my EU subscribers — You can now select your subscribers by country and region!
- Data Processing Agreement — Our Data Processing Agreement (DPA) offers contractual terms that meet GDPR requirements and reflect our data privacy and security commitments to our customers. Each customer processing personal data on behalf of EU/EEA individuals can sign this contract with ConvertKit and keep it on file for their records.
- Custom form checkboxes if the visitor is within the EU — This feature can be enabled at the account level and adds an unchecked checkbox to each opt-in form (or to a page shown after the form is submitted) so that subscribers can confirm that they consent to receive marketing emails. If the box is left unchecked, the subscriber still receives the opt-in incentive (e.g. a free guide) but is not subscribed to any lists.
Our recommendations for you:
First, consult a lawyer for recommendations specific to your business. Please take the following as suggestions only; they should not be considered legal advice.
On any Forms or Landing Pages you use, whether ConvertKit Forms or another app, make your intentions specific and very clear. Will you send subscribers regular newsletters or occasional offers, or share this list with anyone else? If someone purchases your product on another platform, will they be added to ConvertKit? Your subscribers should understand how their sensitive information (email address and any other data you collect) will be handled.
It should be very easy for your subscribers to give you permission to send them email. Some suggestions: state it clearly on your form, use a double opt-in process on your Forms, and remind them where they subscribed in the footer of your emails.
Perform regular backups of your list. Keeping up-to-date records, especially proof of consent from your subscribers, can be helpful if it is ever required.