This blog post was initially published on May 23rd, 2018, when GDPR came into force. With the CCPA law coming into force on January 1st, 2020, we have updated this post and made sure it covers all privacy laws Foleon adheres to.
No matter what type of business you have or where in the world you’re located, you’ve probably heard a lot about the EU’s data privacy law, the GDPR, which came into force on May 25, 2018. The EU was the first to bring this law into practice, with more countries and states to follow in the near future, such as most recently the CCPA in California. In this blog post, we’ll touch on the basics of these privacy laws and bring you up to speed on how we ensure compliance, both for Foleon itself and for those who use our tool.
Disclaimer: We wrote this blog to provide general information; it isn’t intended to provide legal advice. To understand the full impact of privacy laws on your company, please consult an independent legal and/or privacy professional.
The General Data Protection Regulation (GDPR) is a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses but also to any business that controls or processes data of EU citizens. It came into force on the 25th of May, 2018. Foleon is fully GDPR compliant, from both a controller’s and a processor’s perspective, and it is applied globally. If you’d like to know more about the new rights and regulations, you can read the GDPR in full here: https://gdpr-info.eu/.
The California Consumer Privacy Act (CCPA) is a privacy bill that applies to companies that serve residents of the State of California. GDPR, in most aspects that are relevant for Foleon’s activities, has a broader scope than the CCPA. Any regulations that differ between the CCPA and the GDPR and may be relevant for Foleon have been reviewed, and Foleon is compliant with those regulations.
At Foleon, we’ve worked hard to ensure all of our own business practices are Privacy Law-compliant. But even more important to us is helping you, our users, understand what the Privacy Law means for your business.
GDPR terms in a practical example
There are a number of important terms related to the Privacy Law that you’ll see a lot: the controller, the processor (alternative term: service provider), the data subject, and personal data.
Let's explain these terms with a practical example:
Meet Annabel, an EU citizen. Let’s say Annabel’s data has been recorded in your CRM. In this case, Annabel is a “data subject” and your company is the “controller” of her “personal data” (any information that could be used to identify Annabel). If you acquired Annabel’s contact information via Foleon (e.g. through a form), then Foleon acts as the “processor” of Annabel’s data on behalf of your company.
With the introduction of Privacy Laws such as GDPR and CCPA, data subjects like Annabel are given an expanded set of rights, and controllers and processors are required to adhere to an expanded set of regulations.
We’ve developed a number of new features to help you comply with Privacy Law regulations. Here’s a rundown of the new features:
IP address anonymization
Under the GDPR (and sometimes under the CCPA), an IP address is considered personal data because it can be used to identify a person. If you’ve connected your publication(s) to Google Analytics, you may want to anonymize IP addresses so they will not be recorded in Analytics. This new feature allows you to do so.
To analyze the performance of our platform, we also include our own UA code in every published publication. IP addresses are anonymized by default for this property.
The Cookie Consent feature in the Drag & Drop editor allows you to obtain cookie consent from those who visit your publication. We’re leaving the cookie wall feature in the original editor as is.
Keep in mind that this new feature might evolve based on the upcoming EU ePrivacy Regulations.
Deleting form submissions
Privacy Law empowers individuals to exercise their right to be forgotten, meaning that you’ll need to delete their data without undue delay if they ask you to do so. If you collect personal data using Foleon (e.g. through a form), this new feature allows you to delete form submissions and all the included data from your account (and our servers) completely.
When this feature goes live, you’ll find it under Dashboard > Account > Form management.
Existing product features
We’d also like to touch on some existing product features that are either already compliant or where conflicts could potentially arise.
Personalization and Google Analytics
Be aware that if you’re using personalization tokens that include data like names or email addresses, and have also connected Google Analytics to your publication(s), these tokens will appear as parameters in the URL and therefore will also be recorded in Google Analytics.
Collecting this data in Google Analytics breaks Google’s Terms of Service. You can ensure personal data is not recorded in Analytics by adding appropriate variables to the ‘Exclude URL Query Parameters’ field in your Google Analytics’ view settings.
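As an added example (not Foleon's or Google's code), the following JavaScript shows a check a publisher could run on a page URL before it is reported to analytics: it strips query parameters named on an exclude list and also flags any remaining parameter whose value looks like an email address. The parameter names and URLs are constructed for illustration; use the personalization tokens your own publications actually carry.

```javascript
// Added example: parameter names and sample URL are constructed, not Foleon's.
// Hypothetical personalization token names to keep out of analytics.
const EXCLUDED_PARAMS = new Set(["firstname", "lastname", "email"]);

// Loose pattern: good enough to flag values that look like an email address.
const EMAIL_RE = /[^\s@\/?&=]+@[^\s@\/?&=]+\.[^\s@\/?&=]+/;

function scrubUrl(rawUrl, excluded = EXCLUDED_PARAMS) {
  const url = new URL(rawUrl);
  const removed = []; // parameters dropped because they are on the exclude list
  const flagged = []; // parameters dropped because the value looks like an email

  // Copy the entries first: deleting while iterating searchParams skips items.
  for (const [name, value] of [...url.searchParams.entries()]) {
    if (!url.searchParams.has(name)) continue; // already deleted (repeated name)
    if (excluded.has(name.toLowerCase())) {
      url.searchParams.delete(name);
      removed.push(name);
    } else if (EMAIL_RE.test(value)) {
      // Not on the list, but the decoded value is personal data: drop and report
      // it so the exclude list (and the Analytics view setting) can be updated.
      url.searchParams.delete(name);
      flagged.push(name);
    }
  }
  return { clean: url.toString(), removed, flagged };
}

// Constructed sample: a personalized link with two known tokens and one stray email.
const SAMPLE_URL =
  "https://example.com/publication/?firstname=Annabel&email=annabel%40example.com" +
  "&utm_source=newsletter&contact=annabel%40example.org#page-2";

console.log(scrubUrl(SAMPLE_URL));
```

Parameters that end up in `flagged` are the ones missing from the exclude list, so they are the names to add to the ‘Exclude URL Query Parameters’ field as well.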
If you use Foleon to generate leads using forms or social login, be sure to follow these best practices with regard to collecting personal data so that you adhere to the Privacy Law.
Request as little data as possible
Privacy Law states that organizations shouldn’t process or retain extraneous personal data. This means that all data collected should be intended for a specific purpose, used only for that purpose, and retained for only as long as it meets that purpose. For the purpose of lead generation, you’ll typically need names and contact information at the very least, but you must decide what other information, if any, is necessary.
Provide clear and transparent information
Always obtain consent before using the data you've collected to contact leads
Our forms allow you to add checkboxes that are unchecked by default. Use this to get explicit consent from your visitors. This applies both to forms within publications and to the access control form that allows you to gate publications for lead generation purposes.
Be aware that if you use social login to gate your publications, it’s not yet possible to ask for explicit consent from visitors to contact them in the future.
In addition to product updates, we’ve also updated and expanded our legal documentation.
Data Processing Agreement
We've created a Data Processing Agreement which defines how we process data. It covers the nature and purpose of processing, the duration for which data is kept, the types of personal data that are stored, and the obligations and rights involved, both of our customers as controllers and of Foleon as the processor.
We believe the new regulations will lead to better experiences for everybody. At its most basic level, Privacy Law requires companies to provide consumers with clear and transparent information about how their personal data will be stored and used, while also granting them quick and easy access to this data. All of this will lead to better relationships between organizations and consumers, built on a solid foundation of trust.