The EU's General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and the UK General Data Protection Regulation (UK GDPR) went into effect on January 1, 2021.
These regulations impact ConvertKit's Customers and Subscribers, so we've audited all of our processes to make sure we are compliant.
What is the EU’s GDPR and the UK GDPR?
The EU’s GDPR and the UK GDPR are regulations that streamline data privacy across the EU/EEA and UK, and put in place new privacy protections for individuals in the EU/EEA and UK.
What is Privacy Shield?
The EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield were frameworks between the EU, Swiss and US governments to allow US companies to transfer personal data in and out of the EU/EEA and Switzerland.
The EU-U.S. Privacy Shield was invalidated on July 16, 2020, and the Swiss-U.S. Privacy Shield was invalidated on September 8, 2020. We maintain our certifications to both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks as Privacy Shield negotiations continue between the EU, Swiss, and US governments.
How does ConvertKit lawfully transfer personal data from the EU/EEA, UK, and Switzerland to the United States without the Privacy Shield frameworks?
We rely on Standard Contractual Clauses (SCCs) that we’ve incorporated into our Data Processing Agreement (DPA).
The European Commission adopted new EU SCCs on June 4, 2021. We will update our EU SCCs to comply with the changes starting on September 27, 2021.
The UK data protection authority (ICO) is currently consulting on UK SCCs (UK International Data Transfer Agreement or UK IDTA) and plans to adopt the UK IDTA before the end of 2021. We will incorporate the new UK IDTA in our DPA when it is adopted. Until then, the ICO has said that U.S. companies may rely on the EU SCCs pursuant to Decision 2004/915/EC and 2010/87/EU for international data transfers for Customers in the UK.
Will I be affected by the EU’s GDPR and the UK GDPR?
Likely, yes. If you currently reside in the EU/EEA or UK, or have Subscribers that reside in the EU/EEA or UK, you need to be GDPR-compliant.
We've taken care of what we need to on our end, and we would absolutely recommend you familiarize yourself with the regulations to make sure you are taking all necessary steps as well!
What we have done to get compliant:
We are fully compliant in all areas including:
We rely on SCCs to lawfully transfer personal data from the EU/EEA, UK, and Switzerland to the US
We comply with the data subject rights of individuals in the EU/EEA, UK, and Switzerland including the right to be forgotten and access requests
You may close your ConvertKit account at anytime, and request that we remove all of your information and data associated, and we will delete it in its entirety
You may opt-out of our marketing emails and product updates at any time by clicking "Unsubscribe" or by sending an email to [email protected]
You may access and update your ConvertKit account settings at any time, or send us an email at any time requesting we update that information
You own your list--you can export your subscribers at any time, as long as you are compliant with our terms of service
And we also have measures in place to protect your Subscribers' privacy:
You may delete Subscribers at any time at their request, or we may honor their request to be removed from your list or any list if they contact us directly
You may access and update your Subscribers' data at anytime
We provide an unsubscribe link automatically at the bottom of each email sent from ConvertKit, allowing them to opt out at any time. Additionally we'd encourage you to use custom unsubscribe links to allow Subscribers to update their preferences
New ConvertKit features to help customers comply with GDPR
Find your EU/EEA, UK, and Swiss Subscribers, establish explicit consent, and comply with the GDPR
Find my EU/EEA, UK, and Swiss Subscribers — You can now select your Subscribers by country, and region!
Data Processing Agreement — Our DPA offers contractual terms that meet EU’s GDPR and UK GDPR’s requirements and reflect our data privacy and security commitments to our customers. Each customer processing personal data on behalf of EU/EEA, UK, and Swiss individuals can sign this contract with ConvertKit and keep it on file for their records.
Custom form checkboxes if the visitor is within the EU/EEA, UK, and Switzerland — This feature can be enabled on the account level and adds an unchecked checkbox to each opt-in Form (or a page after the Form is submitted) for Subscribers to verify that they are consenting to receive marketing emails. If it remains unchecked, the Subscriber would receive the opt-in incentive (e.g. a free guide), but does not receive any tags in the platform indicating consent to email them.
To see what features we provide, click here.
Our recommendations for you:
First, consult with a lawyer for specific recommendations for your business. Please take the following as suggestions, and understand they should not be considered legal advice.
On any Forms or Landing Pages you use, whether our ConvertKit Forms or another app, you should make your intentions specific and very clear. Will you send them regular newsletters, occasional offers, or share this list with anyone else? If someone purchases your product on another platform, will they be added to ConvertKit? Your Subscribers should be aware of how their sensitive information (email and any other data you collect) will be handled.
It should be very easy for your Subscribers to give you permission to send them email. Some suggestions would be: state it clearly on your Form, use a double opt-in process on your Forms, or remind them where they subscribed in the footer of your emails.
Perform regular backups of your list. Keeping up to date information, especially showing proof of consent from your Subscribers can be helpful if required.