GDPR FAQ

This FAQ is a resource about what we are doing for our customers in the context of the EU’s new General Data Protection Regulation (GDPR), including features we’re building, product changes, and legal documentation.

This FAQ does not constitute legal advice, and we cannot answer questions about how the GDPR applies to customers. Customers should seek independent counsel to answer any legal questions about how to comply with the GDPR. The full text of the GDPR is available here.

Should I panic with the May 25th deadline approaching?

Whenever there is a legislation change the tendency is to mob together in online communities and spread panic. That doesn’t help you grow your business.

You should absolutely take this seriously, but do it in a logical, methodical way. Work to understand the changes you should make, but don’t panic.

Throughout this article we’ll outline the steps needed to get your email marketing compliant with GDPR. Let’s start with the question we get the most often.

Is double opt-in enough to prove consent?

The biggest change about GDPR is that you may need consent to email your subscribers. Many people ask if requiring double opt-in is enough to prove consent to join the list.

The answer is it depends on the purpose of your form. If the primary purpose of your form is to join a newsletter and the language on the form focuses on that then you do not need an additional consent checkbox.

This example from the ICO clearly shows an email opt-in without consent checkboxes:

(Source: The ICO’s consent guidance)

The example above mentions implied rather than explicit consent. The GDPR says consent can be given through “another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”

Because this form field is unambiguous about what consent is being given for (emails about products and special offers), the email field is optional, and it is focused on a single thing (making it granular), this ICO example is acceptable consent even though it lacks a checkbox.

When is a checkbox needed?

Some opt-in forms, though, are focused on multiple things. For example, a form that offers an opt-in incentive may be focused on both giving away a free PDF and joining your newsletter. In that case you need to provide a way for subscribers based in the EU to download the PDF without joining your newsletter.

Think of it like purchasing a product where there is a checkbox to also receive marketing emails. You ought to be able to buy the product without receiving further promotions. In our example above the free PDF is the product, and the newsletter is the additional email that you can choose to receive or not.

Here is an example of a form with this process implemented:

Does GDPR require double opt-in?

The GDPR does not require double opt-in. However, in addition to consent, the GDPR requires proof of consent, and double opt-in confirmations are one way to prove consent.

We currently offer customers the ability to enable double-opt-in and believe double opt-in is a best practice to maintain cleaner lists and limit potential spam complaints.

How should I store proof of consent?

If you use double opt-in functionality, you can prove consent through double opt-in confirmations.

Proof of consent is another attribute to store about a subscriber. We like to use tags inside ConvertKit to keep track of these attributes. You can have as many tags as you want, and tags are already built into all of the segmenting, filtering, and sending capabilities of ConvertKit.

When you enable our built-in GDPR consent features, two consent tags are automatically added to your account:

  • GDPR: Email consent
  • GDPR: Advertising consent

You can use these to keep track of subscribers and segment the subscribers that you still need to get consent from.

You can also save screenshots of your forms in Dropbox or a similar program each time you make a major change so there is a record of what subscribers signed up for.

(EDIT: a previous version of this article had the tag "GDPR: Newsletter Consent" instead of "Email Consent." The correct tag is "Email Consent." Sorry for the confusion!)

Do I need to get new consent from my entire list?

That’s a question for you and your legal team. Some helpful things to ask yourself:

  • Did you previously have a lawful basis for processing personal data?
  • If that lawful basis was consent, did you obtain consent through notice, an affirmative opt-in, and for all of the ways you process subscribers’ personal data?
  • Do you have a record of the affirmative opt-in?

If you don’t have clear answers to these questions we recommend talking to your attorney to get their opinion.

Does ConvertKit offer a feature that allows me to obtain consent from an existing list?

Yes. You can create a segment and send to all of your subscribers, or only to those subscribers in the EU/EEA and/or Switzerland (based on IP address) who haven't provided consent.

Here is an example of how to create that segment:
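Independently of the screenshot the article refers to, the following is an added example (written for this FAQ, not ConvertKit's own code) that models the two ideas from the sections above in plain Python: consent recorded as tags plus a small log of how each consent was obtained, and a segment of subscribers who still need the consent email. The country list, the `country` field (assumed to be already resolved from the signup IP address), and the sample subscribers are all constructed for the illustration.

```python
from datetime import datetime, timezone

# Added illustration, not ConvertKit code. Country codes are assumed to be the
# EU/EEA and Switzerland as of the article's date (2018); adjust the set to the
# jurisdictions you treat as in scope.
EU_EEA_CH = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",   # EU member states (GB was still a member in 2018)
    "IS", "LI", "NO",         # additional EEA states
    "CH",                     # Switzerland
}

# The two consent tags the article says the GDPR feature creates.
EMAIL_CONSENT = "GDPR: Email consent"
ADVERTISING_CONSENT = "GDPR: Advertising consent"


def new_subscriber(email, country, tags=()):
    """Build a subscriber record. `country` is the ISO code you resolved from
    the signup IP address (that resolution is outside this example)."""
    return {
        "email": email,
        "country": country,
        "tags": set(tags),
        "consent_log": [],   # proof-of-consent entries, see record_consent()
    }


def record_consent(sub, tag, source, when=None):
    """Apply a consent tag and keep an auditable note of how it was obtained.

    `source` is free text such as "double opt-in confirmation" or
    "gdpr consent page"; `when` defaults to now (UTC)."""
    when = when or datetime.now(timezone.utc)
    sub["tags"].add(tag)
    sub["consent_log"].append({"tag": tag, "source": source, "at": when.isoformat()})
    return sub


def needs_consent_request(subscribers, eu_only=True):
    """Return the emails that should receive the consent request: subscribers
    without the email-consent tag, restricted to EU/EEA/CH countries unless
    eu_only is False (the article's 'send to everyone' option)."""
    out = []
    for sub in subscribers:
        if EMAIL_CONSENT in sub["tags"]:
            continue
        if eu_only and sub["country"] not in EU_EEA_CH:
            continue
        out.append(sub["email"])
    return out


def proof_of_consent(sub, tag):
    """Return the log entries that prove a given consent tag, oldest first.
    A tag with no log entry is the gap an auditor would ask about."""
    return [e for e in sub["consent_log"] if e["tag"] == tag]


# Constructed sample list
SAMPLE = [
    new_subscriber("anna@example.com", "DE"),
    new_subscriber("ben@example.com", "US"),
    new_subscriber("carla@example.com", "FR"),
    new_subscriber("dan@example.com", "CH", tags=[EMAIL_CONSENT]),  # tag only, no record
]
record_consent(SAMPLE[2], EMAIL_CONSENT, "double opt-in confirmation",
               datetime(2018, 5, 20, 9, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("EU/EEA/CH subscribers still needing consent:", needs_consent_request(SAMPLE))
    print("everyone still needing consent:", needs_consent_request(SAMPLE, eu_only=False))
    print("carla's proof:", proof_of_consent(SAMPLE[2], EMAIL_CONSENT))
    print("dan's proof:", proof_of_consent(SAMPLE[3], EMAIL_CONSENT))
```

The point of keeping a log next to the tag is that a tag alone records that consent exists, while the log records when and through which mechanism it was given, which is what "proof of consent" means in practice. The sample shows both cases: carla has a tag backed by a double opt-in entry, dan has the tag but nothing behind it.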

After that, you’ll just need to send out an email with a link to our new GDPR-consent page. Here is a sample message you can use as a starting point for your own email: 

Hey there,

You may have heard about the new data protection law in the European Union called the GDPR which regulates how personal data is processed. Under GDPR, I need to make sure I have your explicit consent to send you my newsletter and marketing emails.

If you’ve been enjoying my content, just click this link and check the two boxes on the next page:

{{ gdpr_consent_url }}

If this is not for you, just click unsubscribe below, and I won’t email you again.

Thank you so much for reading and have a great day!

-Customer

You can use the Liquid shortcode {{ gdpr_consent_url }} to point to the URL. You can write the link manually like this: <a href="{{ gdpr_consent_url }}">Your GDPR text here</a>, or you can add it in the link editor.

That link will take them to a consent page that looks like this:

From here, they can opt in to give explicit consent to receive your promotional content, to ad personalization, or to both.

To find the subscriber consent options, click on your account gravatar > Account Settings > Account Info, then scroll to the bottom of the page.

Can consent checkboxes be pre-checked?

No. GDPR requires an affirmative opt-in, so pre-checked boxes or any other method of default consent are not sufficient for consent. A subscriber must take a specific action to provide consent in all cases, whether that is clicking a double opt-in link or checking a box.

How do I add consent checkboxes to my forms?

Currently, adding checkboxes to a ConvertKit form requires hiring a developer to write custom code or using one of our third-party integration providers. We are working on a rebuild of our form builder which will allow you to easily add checkboxes to any ConvertKit form.

We are also building a feature that allows you to obtain consent after subscribers subscribe as mentioned above. That way you don’t need to change anything directly with the form’s look on your site.

Do I need to add a checkbox to my forms for every tag in my account?

Generally no. You should consider adding a checkbox for every distinct way you use a subscriber's data. The subscriber most likely won't see a difference in most of the segmenting you are doing and would just be confused by excessive checkboxes.

One case where we think multiple checkboxes are appropriate is separating consent for marketing/promotional emails from consent to use email addresses to personalize advertising on third-party platforms. In that case we think it makes sense to offer granular consent.

Since every business is unique in how it might use a subscriber's data, we like to ask two questions:

  • How do we make the subscription process clear and easy for the subscriber?
  • Would the subscriber be surprised to find their data was being used in this way?

By asking practical questions like these you can find an implementation that respects the privacy of your subscribers without overcomplicating your opt-in process.

What happens if I get audited?

The biggest concern under the GDPR is that, if you are audited, you won't have proof that subscribers gave consent for your emails. In the event that you do get audited, we have our Audit Concierge team ready to help.

Use this form to get in touch with our Audit Concierge team. From there a member of our team will get in touch with you to get you the proof of consent you need in order to show the auditor that you complied with best practices.

What type of data can I not store in ConvertKit?

ConvertKit processes “personal data” under the GDPR, including identification and contact data, financial information, and IT information such as an IP address.

ConvertKit does not process “sensitive personal data” under the GDPR, including data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Data concerning health or a natural person’s sex life and/or sexual orientation

Most bloggers and content creators don’t have any reason to store this information, so this rule shouldn’t affect you. Just know that you are not allowed to store any of this type of information in ConvertKit.

A subscriber asked me to delete their data, how do I do that?

As part of GDPR subscribers have a right to be forgotten. That means as a business owner you need to be able to delete their data. While you are going through the process of deleting their data you will need to contact us to request we do the same on your behalf. To do that fill out this right to be forgotten form.

If one of your subscribers asks us to delete their data, we will refer them back to you, as all of these requests need to be handled by customers, not ConvertKit (since we are just a data processor). This ensures that you are responsible for removing all of the subscriber's data from everywhere you may store it, in addition to ConvertKit.

Do I need to link to my privacy policy on my form? How do I do that?

If you have a privacy policy or another document that you want to link to in your forms you can do that by adding it to the main content area, highlighting the text, and clicking the link icon in the toolbar.

If your form doesn’t have that text area you can add it above or below the form on your website, just like you would any other link.

Do I need to have my own Privacy Policy?

A Privacy Policy is a legal document describing how you collect, use, and disclose user data in compliance with the law. You should contact independent legal counsel for legal advice regarding your Privacy Policy.

Should I delete subscribers or unsubscribe them?

An upset subscriber may want to be completely deleted from your database rather than just unsubscribing (they have the option to unsubscribe in the footer of every email). This is becoming more common through the right to be forgotten in GDPR. You should respect the wishes of the subscriber, but ultimately it is better for the subscriber if you unsubscribe them rather than delete them.

This is because if you delete them there is no longer a record of them existing, and it becomes easier to accidentally re-add them from another source (importing a CSV of customers, connecting a new integration, etc).

If instead you unsubscribe them, that status is retained, and an import or a subscriber pushed in from a new integration will not create a new subscription.

If they insist on being deleted, do that, but know that you will need to be careful not to add them back into your list by accident.
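To make the failure mode above concrete, here is an added example (written for this FAQ, not ConvertKit's own code) of a toy subscriber store with both operations and a CSV-style import. The store, its status values, and the sample export rows are all constructed for the illustration; the import also offers a dry-run mode, an assumption of this example, so you can see which rows would become new subscribers before a real import runs.

```python
# Added illustration of the unsubscribe-vs-delete point; not ConvertKit code.
# Subscriber state lives in a small in-memory store so the example runs offline.

ACTIVE = "active"
UNSUBSCRIBED = "unsubscribed"


class SubscriberStore:
    def __init__(self):
        self._subs = {}   # normalised email -> {"status": ...}

    @staticmethod
    def _key(email):
        # Normalise so "Keep@Example.com" and "keep@example.com" are one record.
        return email.strip().lower()

    def subscribe(self, email):
        """Add a new subscriber, or leave an existing record exactly as it is."""
        key = self._key(email)
        if key not in self._subs:
            self._subs[key] = {"status": ACTIVE}
        return self._subs[key]["status"]

    def unsubscribe(self, email):
        """Keep the record but mark it unsubscribed (the article's recommendation)."""
        key = self._key(email)
        if key in self._subs:
            self._subs[key]["status"] = UNSUBSCRIBED

    def delete(self, email):
        """Erase the record entirely (a right-to-be-forgotten request)."""
        self._subs.pop(self._key(email), None)

    def status(self, email):
        sub = self._subs.get(self._key(email))
        return sub["status"] if sub else None

    def import_rows(self, rows, dry_run=False):
        """Import CSV-style rows (dicts with an 'email' key), as a customer
        export or a new integration would. Returns the emails that would
        become (dry_run=True) or did become new active subscribers. Existing
        records, including unsubscribed ones, are never touched."""
        created = []
        for row in rows:
            key = self._key(row["email"])
            if key in self._subs:
                continue          # unsubscribed status survives the import
            created.append(key)
            if not dry_run:
                self._subs[key] = {"status": ACTIVE}
        return created


def demo():
    """Walk both paths with a constructed export and return the outcome."""
    store = SubscriberStore()
    for email in ("keep@example.com", "forget@example.com"):
        store.subscribe(email)

    store.unsubscribe("keep@example.com")   # record retained, status changed
    store.delete("forget@example.com")      # record gone, nothing left to check

    # Constructed customer export that happens to contain both addresses.
    export = [{"email": "Keep@example.com"}, {"email": "forget@example.com"}]
    would_create = store.import_rows(export, dry_run=True)
    store.import_rows(export)
    return {
        "would_create": would_create,
        "keep": store.status("keep@example.com"),
        "forget": store.status("forget@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The unsubscribed address comes through the import untouched because its record still exists; the deleted address is silently recreated as an active subscriber, which is exactly the accidental re-add the section warns about. Running the import as a dry run first is the cheap check that surfaces such rows before they are created.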

Reach out to our team for additional support 

Choose between Live Chat or Email. Either way, we're here for you. 
