GDPR FAQ

A resource for GDPR questions.

This FAQ is a resource about what we have put into place, for our customers, in the context of the EU’s General Data Protection Regulation (GDPR) including features we’re building, product changes, and legal documentation.

This FAQ does not constitute legal advice, and we cannot answer questions about how the GDPR applies to customers. Customers should seek independent counsel to answer any legal questions about how to comply with the GDPR. The full text of the GDPR is here. For more information about the UK GDPR and other international and U.S. state privacy laws, please see our Privacy Policy.

How does ConvertKit lawfully transfer personal data from the EU to the United States?

ConvertKit may use the following to transfer personal data to the United States and elsewhere:

  • The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK extension to the EU-U.S DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF); or

  • The Standard Contractual Clauses (SCCs) approved by the European Commission or the International Data Transfer Agreement (IDTA) approved by the UK Government.

Both the SCCs and IDTA are included in ConvertKit's Data Processing Agreement (DPA). For customers processing personal data on behalf of EU/EEA, UK, Swiss, and other individuals, you can access and sign our DPA here. ConvertKit's certification to the EU-U.S. DPF can be viewed here.

We will keep you updated on all related legal developments.

The biggest change about GDPR is that you may need consent to email your Subscribers. Many people ask if requiring double opt-in is enough to prove consent to join the list.

The answer is it depends on the purpose of your Form. If the primary purpose of your Form is to join a newsletter, and the language on the Form focuses on that specifically, then you do not need an additional consent checkbox.

This example from the ICO clearly shows an email opt-in without consent checkboxes:

The example above mentions implied rather than explicit consent. The GDPR says consent can be given through “another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.”

Because this Form field is unambiguous as to what consent is being given for (emails about products and special offers), the email field is optional, and it is focused on a single thing (making it granular), this example from the ICO is acceptable consent even though it lacks a checkbox.

When is a checkbox needed?

On the other hand, some opt-in Forms are focused on multiple things. For example, a Form that gives out an opt-in incentive may be focused on both giving away a free PDF and joining your newsletter. In that case, you need to provide a way for Subscribers based in the EU to download the PDF without joining your newsletter.

Think of it like when you are purchasing a product, and there is a checkbox to also receive marketing emails. You ought to be able to buy the product without receiving further promotions. In our example below, the free PDF is the product and the free articles are additional emails subscribers can choose to receive or not.

Here is an example of a Form with this process implemented:

Does GDPR require double opt-in?

The GDPR does not require double opt-in. However, in addition to consent, the GDPR requires proof of consent, and double opt-in confirmations are one way to prove consent.

We currently offer customers the ability to enable double opt-in and believe double opt-in is a best practice to maintain cleaner lists and limit potential spam complaints.

If you use double opt-in functionality, you can prove consent through double opt-in confirmations.

Proof of consent is another attribute to store about a Subscriber. We like to use Tags inside ConvertKit to keep track of these attributes. You can have as many Tags as you want, and Tags are already built into all the segmenting, filtering, and sending capabilities of ConvertKit.

When you enable our built-in GDPR consent features, it will automatically add two consent Tags to your account:

  • GDPR: Email consent

  • GDPR: Advertising consent

You can use these to keep track of Subscribers and Segment the Subscribers you still need to get consent from.

You can also save screenshots of your Forms in Dropbox, or a similar program, each time you make a major change so there is a record of what Subscribers signed up for.

NOTE: a previous version of this article had the Tag "GDPR: Newsletter Consent" instead of "Email Consent." The correct Tag is "Email Consent."

That’s a question for you and your legal team. Some helpful things to ask yourself:

  • Did you previously have a lawful basis for processing personal data?

  • If that lawful basis was consent, did you obtain consent through notice, an affirmative opt-in, and for all of the ways you process Subscribers’ personal data?

  • Do you have a record of the affirmative opt-in?

If you don’t have clear answers to these questions we recommend talking to your attorney to get their opinion.

Yes, you may create a Segment and send this to all of your Subscribers, or only to those Subscribers in the EU/EEA and/or Switzerland (based on IP address) that haven’t provided consent.

Here is an example of how to create that Segment:

Next Steps

From here, you’ll just need to send out an email with a link to our new GDPR-consent page. Here is a sample message you can use as a starting point for your own email:

Hey there,

You may have heard about the new data protection law in the European Union called the GDPR which regulates how personal data is processed. Under GDPR, I need to make sure I have your explicit consent to send you my newsletter and marketing emails.

If you’ve been enjoying my content, just click this link and check the two boxes on the next page:

{{ gdpr_consent_url }}

If this is not for you, just click Unsubscribe below, and I won’t email you again.

Thank you so much for reading and have a great day!

-Customer


You can use the Liquid shortcode {{ gdpr_consent_url }} to point to the URL. You can use an HTML block to write the link manually, like this: <a href="{{ gdpr_consent_url }}">Your GDPR text here</a>, or you can add it in the link editor.

That link will take them to a consent page that looks like this:

From here, they can opt-in to give explicit consent to receive either your promotional content, add personalization, or both.

To find the Subscriber consent options, click on your Account (in the upper left of the blue nav bar) > Settings > Email > scroll to the bottom of the page.

No. GDPR requires affirmative opt-in, so pre-checked boxes or any other method of default consent is not sufficient for consent. A Subscriber must take that specific action to provide consent in all cases, whether that is clicking a double opt-in link or checking a box.

This feature was built directly into our New Form Builder.

We are also building a feature that allows you to obtain consent after Subscribers subscribe, as mentioned above. That way you don’t need to change anything directly with the Form’s look on your site.

Do I need to add a checkbox to my Forms for every Tag in my account?

Generally no. You should consider adding a checkbox for every distinct way you use a Subscriber's data. Most likely, the Subscriber won’t see a difference in most of the segmenting, and would just be confused by excessive checkboxes.

One example where multiple checkboxes are useful is to separate the consent for marketing/promotional emails from using email addresses to personalize advertising on third-party platforms. In that case, we think it makes sense to offer granular consent.

Since every business is unique in how it might use a Subscriber's data, we like to ask two questions:

  • How do we make the subscription process clear and easy for the Subscriber?

  • Would the Subscriber be surprised to find their data was being used in this way?

By asking practical questions like that you can find an implementation that respects the privacy of your Subscribers while not overcomplicating your opt-in process.

What happens if I get audited?

The biggest concern from the GDPR is that if you get audited you won’t have proof that Subscribers gave consent for your emails. In the event that you do get audited, we have our Audit Concierge team ready to help.

Use this form to get in touch with our Audit Concierge Team. From there, a member of our team will reach out to you to get you the proof of consent that you need in order to show the auditor you complied with best practices.

What type of data can I not store in ConvertKit?

ConvertKit processes “personal data” under the GDPR, including identification and contact data, financial information, and IT information such as an IP address.

ConvertKit does not process “sensitive personal data” under the GDPR, including data revealing:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data

  • Biometric data

  • Data concerning health or a natural person’s sex life and/or sexual orientation

Most bloggers and content creators don’t have any reason to store this information, so this rule shouldn’t affect you. Just know that you are not allowed to store any of this type of information in ConvertKit.

A Subscriber asked me to delete their data. How do I do that?

As part of GDPR, Subscribers have a right to be forgotten. That means, as a business owner, you need to be able to delete their data. While you are going through the process of deleting their data you will need to contact us to request we do the same on your behalf. To do that fill out this right to be forgotten form.

If one of your Subscribers asks us to delete their data, we will refer them back to you, as all of these requests need to be handled by customers, not ConvertKit (since we are just a data processor). This ensures that you are responsible for removing all of the Subscriber's data from everywhere you may store it, in addition to ConvertKit.

If you have a privacy policy, or another document, that you want to link to in your Forms, you can do that by adding it to the main content area, highlighting the text, and clicking the link icon in the toolbar.

If your Form doesn’t have that text area, you can add it above or below the Form on your website, just like you would any other link.

Do I need to have my own Privacy Policy?

A Privacy Policy is a legal document describing how you collect, use, and disclose user data in compliance with the law. You should contact independent legal counsel for legal advice regarding your Privacy Policy.

Should I delete Subscribers or unsubscribe them?

An upset Subscriber may want to be completely deleted from your database, rather than just unsubscribe (they have the option to unsubscribe in the footer of every email). This is becoming more common through the right to be forgotten in GDPR. You should respect the wishes of the Subscriber, but ultimately it is better for the Subscriber to unsubscribe themselves, rather than for you to delete them.

This is because, if you delete them, there is no longer a record of them existing, and it may be easier to accidentally re-add them from another source (importing a CSV of customers, connecting a new integration, etc.).

Instead, if you unsubscribe them, that status will be retained and the import or Subscriber being pushed in from a new integration will not create a new subscription.

If they insist on being deleted, do that, but know that you will need to be careful not to add them back into your list by accident.
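The two behaviours described above, building the "EU/EEA/Swiss Subscribers who still need consent" Segment from the consent Tags, and why an unsubscribed record survives a later CSV import while a deleted one comes back, can be seen in a small model. The following is an added example, not ConvertKit's code: it stores a subscriber's country as a field (standing in for ConvertKit's IP-based location), uses a constructed EU/EEA/Switzerland country list, and the subscriber rows are constructed sample data.

```python
"""Added example (not ConvertKit's code): a minimal subscriber store that
shows (1) the "needs consent" Segment built from consent Tags and
(2) why unsubscribing beats deleting when a CSV import or integration
later pushes the same address back in.
"""
from dataclasses import dataclass, field

# Tag names as the FAQ gives them.
EMAIL_CONSENT = "GDPR: Email consent"
ADVERTISING_CONSENT = "GDPR: Advertising consent"

# Constructed: EU-27 plus EEA (IS, LI, NO) plus Switzerland, ISO 3166-1 alpha-2.
# ConvertKit infers location from IP; here it is an explicit field (assumption).
EU_EEA_CH = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
    "IS", "LI", "NO",
    "CH",
}


@dataclass
class Subscriber:
    email: str
    country: str
    tags: set = field(default_factory=set)
    unsubscribed: bool = False


class SubscriberStore:
    def __init__(self):
        self._by_email = {}

    def add(self, sub):
        self._by_email[sub.email.lower()] = sub

    def get(self, email):
        return self._by_email.get(email.lower())

    def unsubscribe(self, email):
        # Status is retained: the record stays, flagged as unsubscribed.
        self.get(email).unsubscribed = True

    def delete(self, email):
        # Right-to-be-forgotten style hard delete: no record remains.
        del self._by_email[email.lower()]

    def needs_consent_segment(self):
        """Active Subscribers located in EU/EEA/CH without the email consent Tag."""
        return sorted(
            s.email for s in self._by_email.values()
            if not s.unsubscribed
            and s.country in EU_EEA_CH
            and EMAIL_CONSENT not in s.tags
        )

    def import_rows(self, rows):
        """Apply (email, country) rows as a CSV import or integration would.
        Returns the emails that became active subscriptions."""
        activated = []
        for email, country in rows:
            existing = self.get(email)
            if existing is None:
                self.add(Subscriber(email, country))   # unknown: created
                activated.append(email)
            # Known and unsubscribed: status retained, not re-activated.
            # Known and active: nothing changes.
        return activated


def build_sample_store():
    """Constructed sample list: one EU subscriber already consented, two not."""
    store = SubscriberStore()
    store.add(Subscriber("alice@example.com", "DE", {EMAIL_CONSENT}))
    store.add(Subscriber("bob@example.com", "FR"))
    store.add(Subscriber("carol@example.com", "US"))
    store.add(Subscriber("dave@example.com", "CH"))
    return store


def reimport_after_removal(store):
    """Unsubscribe bob, delete dave, then re-import both plus a new address."""
    store.unsubscribe("bob@example.com")
    store.delete("dave@example.com")
    rows = [("bob@example.com", "FR"), ("dave@example.com", "CH"),
            ("erin@example.com", "IE")]
    return store.import_rows(rows)


if __name__ == "__main__":
    s = build_sample_store()
    print("needs consent:", s.needs_consent_segment())
    print("re-activated by import:", reimport_after_removal(s))
    print("needs consent now:", s.needs_consent_segment())
```

Running it shows bob (unsubscribed) staying out of the list after the import while dave (deleted) silently returns as a fresh, unconsented subscription, which is the accident the FAQ warns about.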
