FAQ: Consent & Privacy Management for GDPR

Overview

Where can I learn more about the EU General Data Protection Regulation (GDPR)?

For all questions about the regulation, you can visit the official EU GDPR portal to learn more, including an FAQ about the regulation itself: https://www.eugdpr.org/

 

When does GDPR go into effect?

May 25, 2018

 

Is BlueConic considered a data processor or a data controller in relation to the profile data stored in the platform on behalf of its customers?

BlueConic is considered to be a data processor in this context.

 

When were BlueConic’s Consent & Privacy Management capabilities released?

April 2018

 

Will BlueConic’s Consent & Privacy Management capabilities make my organization compliant?

Not necessarily. You should consult your internal legal/privacy experts to determine which of your marketing objectives require implicit or explicit consent, as well as where and when you need to ask for consent. Once you have this determined, you can use BlueConic’s Dialogues to ask for consent and capture individual rights requests.

 

Does BlueConic provide consulting to its customers about how to be GDPR compliant? 

No. BlueConic is not a consulting or law firm. We recommend you consult your organization’s legal and/or privacy experts to determine what is required for your specific organization.

 

Is BlueConic GDPR compliant in relation to the profile data stored in the platform on behalf of its customers?

Yes, all our internal processes are compliant, as well as 3rd parties, like Amazon Web Services.

 

Objectives

What is the Objectives object in BlueConic, and how does it relate to consent management for GDPR?

The BlueConic Objectives object lets you define purposes for personal data collection that require explicit or implicit consent. You can easily add Dialogues, Connections, Listeners and other BlueConic objects to Objectives to enable consent management for those objects.

 

Is it possible to only ask for consent against one overall Objective and remain compliant with GDPR?

This is a question for your internal legal & privacy experts. It depends on what types of data you collect, as well as how many different marketing purposes you use it for.

 

Consent Management

How can BlueConic help me manage consent for personal data collection?

You can use BlueConic Dialogues to request consent from individual customers for the specific purposes associated with your defined Objectives in the platform. Once consent is given or denied at the individual level, that data is stored in the corresponding profile, which is persisted in BlueConic. BlueConic Dialogues give you, as a marketer, complete control and flexibility over how and where you ask for consent, so you can make changes as needed without the help of IT or developers. You can view what percentage of your customers has provided consent for each of your objectives at any time. The article Privacy Management in BlueConic helps you get started.

 

Can I see a demo of how to set up Objectives in BlueConic, as well as Dialogues for requesting consent?

Watch our tutorial video to see how to do this in under 5 minutes.

 

Can I limit the exposure of consent-related Dialogues to only be shown to customers in the EU?

Yes. Based on the IP address of your website visitors, BlueConic can determine which legislation applies to a visitor, and only display consent Dialogues to visitors with an IP address located in the EU.

 

What if a customer denies or revokes consent for website tracking behavior? How would BlueConic automatically manage that?

Assuming that ‘website tracking behavior’ is defined as a BlueConic Objective, when a customer denies or revokes consent for that Objective, BlueConic will not execute Dialogues, Listeners, Connections and other related objects for that particular customer’s BlueConic profile.

 

Can I synchronize customer-level consent data to my external marketing platforms, such as ESP, CRM, retargeting?

Yes. You can use BlueConic partner Connections to sync with your external platforms. When exporting profiles, you can select to only transfer profiles for customers that have given consent.

 

What if we are capturing consent in other platforms? Can we integrate consent data captured outside of BlueConic into BlueConic profiles?

Yes. As long as the consent is captured at the individual level and can be mapped to a BlueConic profile identifier, you can use BlueConic connections to synchronize this data. When importing profiles, you can select to only transfer profiles that have given consent. 

Using the BlueConic APIs, you can maintain objectives that mirror the ‘purposes’ defined in the leading system. Using the JavaScript API, the legislation and consented/refused objectives can also be managed for each visitor individually.

When objectives are linked to (global) listeners, connections, trackers and dialogues, BlueConic only executes or shows the items for which the visitor has given consent.

 

Can I also use BlueConic’s consent management capabilities to manage cookie consent?

Cookies are seen within the GDPR as only one way to create an online identifier. With the GDPR, the focus is on getting consent for a specific purpose, of which cookies are only a part. BlueConic will only set an identifier in a cookie when the visitor has given at least one consent; before that, no identifiers are stored in cookies.

 

When does a visitor get a profile?

A visitor only gets a profile:

  • IF the visitor has legislation “NONE” and the default permission level is 1 or 2, or:
  • IF the visitor has legislation “GDPR” and one or more (global) listeners, connections or trackers are executed for that visitor. These are only executed:
    • IF they don’t require consent, or
    • IF they do require consent and visitor consented to one or more related objectives

 A profile is also created if the visitor explicitly selects permission level 1 or 2 (this is used for the (deprecated) cookie consent).

 The rules above can be translated to the following table:

Permission level   Legislation   Items open*   Consent given   Gets profile
0                  NONE          n/a           n/a             No
1 or 2             NONE          n/a           n/a             Yes
0                  GDPR          n/a           No              No
0                  GDPR          n/a           Yes             Yes***
1 or 2             GDPR          No            No              No
1 or 2             GDPR          No            Yes             Yes**
1 or 2             GDPR          Yes           No              Yes**
1 or 2             GDPR          Yes           Yes             Yes**

*    An item ((global) listener, connection or tracker) is called “open” if it is not part of an objective that has consent management switched on.
**   The “GDPR-profile” gets the default permission level.
***  The “GDPR-profile” gets permission level 2.

 

What happens with the consent when two profiles merge?

When two profiles merge, the privacy settings for the two profiles are automatically merged.

Consented objectives – The consented objectives from both profiles are added up and placed into the merged profile.

Refused objectives – The refused objectives from both profiles are added up and placed into the merged profile. Refused objectives that also appear in the merged consented objectives list are removed from the refused objectives list.

Privacy legislation – The privacy legislation is set to the value of the first rule that matches:

  1. If at least one of the profiles has the value “GDPR”, then use “GDPR” as legislation.
  2. If at least one of the profiles has the value “NONE”, then use “NONE” as legislation.
  3. Otherwise the value for legislation will be left empty (null).
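
The merge rules above, modelled as an added JavaScript example (not BlueConic code; the profile shape, field names and objective IDs are assumptions made for illustration). It also lists the refusals that the merge drops because the other profile consented to the same objective:

```javascript
// Illustrative model of the merge rules described above. This is not
// BlueConic code; the profile shape and field names are assumptions.

// Legislation precedence: first matching rule wins (GDPR, then NONE, else null).
function mergeLegislation(a, b) {
  if (a === "GDPR" || b === "GDPR") return "GDPR";
  if (a === "NONE" || b === "NONE") return "NONE";
  return null;
}

function mergePrivacy(p1, p2) {
  // Consented objectives: union of both profiles.
  const consented = new Set([...p1.consented, ...p2.consented]);
  // Refused objectives: union, minus anything in the merged consented set.
  const refused = new Set(
    [...p1.refused, ...p2.refused].filter((id) => !consented.has(id))
  );
  return {
    legislation: mergeLegislation(p1.legislation, p2.legislation),
    consented: [...consented].sort(),
    refused: [...refused].sort(),
  };
}

// Objectives refused in one profile but consented in the other. After the
// merge they appear only as consented, so they are worth recording first.
function overriddenRefusals(p1, p2) {
  const consented = new Set([...p1.consented, ...p2.consented]);
  return [...new Set([...p1.refused, ...p2.refused])]
    .filter((id) => consented.has(id))
    .sort();
}

// Constructed sample profiles (objective IDs are made up).
const deviceA = { legislation: "GDPR", consented: ["analytics"], refused: ["retargeting", "email"] };
const deviceB = { legislation: "NONE", consented: ["retargeting"], refused: ["analytics", "push"] };

console.log(mergePrivacy(deviceA, deviceB));
console.log(overriddenRefusals(deviceA, deviceB));
```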

 

Can I disable consent management for one plugin?

Yes, by adding the following line to the plugin.xml you disable consent management for one plugin: 

<profileindependent>true</profileindependent>

 It’s advised to only add this for plugins that don’t require access to the profile. Items based on a plugin for which the consent management has been disabled can still be placed into all objectives. In this situation BlueConic will not limit the execution of the item based on the objectives with consent management switched on.

 

Can I pass on consent when using an External Tracker?

Yes, for each objective that must be added to the consented objectives for the visitor that follows the tracker, you can add the ID of the objective to the querystring of the tracker. An example where consent is added for objectives with the ID ‘x’ and ‘y’: 

            https://aaa.blueconic.com/s/4?consented_objective=x&consented_objective=y

 

How does BlueConic keep track of consent without a profile?

If BlueConic is set up in a way that the visitor does not get a profile when landing on a website, then a profile is only created after the visitor gave consent for at least one objective. If the visitor only refuses objectives, no profile is created and the information about the refused objectives is stored in the ‘local storage’ of the browser.

You don’t have to do anything special to target visitors without a profile who refused one or more objectives.

 

 

What happens with profile data when a visitor withdraws consent?

By default nothing changes in the profile data when a visitor withdraws consent for one or more objectives. You can change this behavior through a setting on the BlueConic settings > Privacy tab.

By checking the option “After visitor withdraws consent for an objective, clear the related profile properties”, the visitor’s profile will be updated after a visitor withdraws consent. Profile properties that are related to the withdrawn objectives will be cleared, except for profile properties that are related to other objectives that the visitor still consents to.

Profile properties are related to objectives by items (such as listeners and import connections) that are contained by the objective and write data into profile properties.

 

Privacy Management

Can BlueConic help me manage individual rights requests, such as requests to access data, rectify data, and delete data?

Yes. You can use BlueConic’s new privacy management capabilities to create a customer-facing privacy center using BlueConic Dialogues. Customers can make these requests in the privacy center, so you can respond in a timely manner. The article Privacy Management in BlueConic will help you get started.

 

How do I implement multilingual websites?

If you want to set up the privacy management for multiple languages, then you can use the option to enter custom text for each objective and profile property. This way you can enter language-specific names and descriptions for all your objectives and profile properties (as used in the profile overview table).

To enter language-specific texts for objectives, click the icon to the right of each chosen objective.

To enter language-specific texts for profile properties, click the icon to the right of each chosen profile property.

 
