Overview: GDPR compliance
Marketing teams use BlueConic to manage customer data privacy and consent compliance worldwide. BlueConic supports multiple legislation zones, including the GDPR in Europe. For general information on managing privacy with BlueConic see the Privacy section of our Knowledge Base.
This FAQ covers questions specific to GDPR compliance.
Where can I learn more about the EU General Data Protection Regulation (GDPR)?
For all questions about the regulation, you can visit the official EU GDPR portal to learn more, including an FAQ about the regulation itself: EU GDPR site.
When did GDPR go into effect?
May 25, 2018
Is BlueConic considered a data processor or a data controller in relation to the profile data stored in the platform on behalf of its customers?
BlueConic is considered to be a data processor in this context.
When were BlueConic Consent and Privacy Management capabilities released?
April 2018
Will BlueConic Consent & Privacy Management capabilities make my organization compliant?
Not necessarily. You should consult your internal legal/privacy experts to determine which of your marketing objectives require implicit or explicit consent, as well as where and when you need to ask for consent. Once you have this determined, you can use BlueConic Dialogues to ask for consent and capture individual rights requests.
Does BlueConic provide consulting to its customers about how to be GDPR compliant?
No. BlueConic is not a consulting or law firm. We recommend you consult your organization’s legal and/or privacy experts to determine what is required for your specific organization.
Is BlueConic GDPR-compliant in relation to the profile data stored in the platform on behalf of its customers?
Yes, all our internal processes are compliant, as well as third parties, like Amazon Web Services.
Managing privacy and consent with Objectives in BlueConic
What is an Objectives object in BlueConic? How do Objectives relate to consent management for GDPR?
BlueConic Objectives let you define purposes for personal data collection that require explicit or implicit consent. You can easily add Dialogues, Connections, Listeners and other BlueConic objects to Objectives to enable consent management for those objects.
Is it possible to only ask for consent against one overall Objective and remain compliant with GDPR?
This is a question for your internal legal and privacy experts. It depends on what types of data you collect, as well as how many different marketing purposes for which you use it.
Consent management for GDPR
How can BlueConic help me manage consent for personal data collection?
You can use BlueConic Dialogues to request consent from individual customers for the specific purposes associated with your defined Objectives in the platform. Once consent is given or denied at the individual level, that data is stored in the corresponding profile that is persistently stored in BlueConic. As a marketer, BlueConic Dialogues provide you with complete control and flexibility over how and where you ask for consent, so you can make changes as needed without the help of IT or developers. You can view what percentage of your customers has provided consent for each of your objectives at any time. The article Privacy Management in BlueConic helps you get started.
Can I limit the exposure of consent-related Dialogues to only be shown to customers in the EU?
Yes. Based on the IP address of your website visitors, BlueConic can determine the legislation of a user, and only display consent Dialogues to visits with an IP address located in the EU.
What if a customer denies or revokes consent for website tracking behavior? How would BlueConic automatically manage that?
Assuming that ‘website tracking behavior’ is defined as a BlueConic Objective, when a customer denies or revokes consent for that Objective, BlueConic will not execute Dialogues, Listeners, Connections, and other related objects for that particular customer’s BlueConic profile.
Can I synchronize customer-level consent data to my external marketing platforms, such as ESP, CRM, retargeting?
Yes. You can use BlueConic partner Connections to sync with your external platforms. When exporting profiles, you can select to transfer only the profiles for customers that have given consent.
What if we are capturing consent in other platforms? Can we integrate consent data captured outside of BlueConic into BlueConic profiles?
Yes. As long as the consent is captured at the individual level and can be mapped to a BlueConic profile identifier, you can use BlueConic connections to synchronize this data. When importing profiles, you can select to only transfer profiles that have given consent.
By using the BlueConic APIs you can maintain the same objectives as that you have ‘purposes’ in the leading system. Using the JavaScript API, the legislation and consented/refused objectives can also be managed for each visitor individually.
By linking the objectives with (global)listeners, connections, trackers, and dialogues BlueConic will only execute / show the items for which the visitor has given consent to.
Can I also use the consent management capabilities in BlueConic to manage cookie consent?
Cookies are seen within the GDPR as only one way to create an online identifier. With the GDPR, the focus is on getting consent for a specific purpose, of which cookies are only a part. BlueConic will only set an identifier in a cookie when the visitor has given consent to at minimum one consent, before that no identifiers are stored in cookies.
When does a visitor get a profile?
A visitor only gets a profile:
- IF the visitor has legislation “NONE” or:
- IF the visitor has legislation “GDPR” and one or more (global) listeners, connections or trackers are executed for that visitor. These are only executed:
- IF they don’t require consent, or
- IF they do require consent and visitor consented to one or more related objectives
What happens with the consent when two profiles merge?
When two profiles merge the privacy settings for the two profiles are automatically merged.
Consented objectives – The consented objectives from both profiles are added up and placed into the merged profile.
Refused objectives – The refused objectives from both profiles are added up and placed into the merged profile. Refused objectives that also appear in the merged consented objectives list are removed from the refused objectives list.
Privacy legislation – The privacy legislation is set to the value of the first rule that matches:
- If at least one of the profiles has the value “GDPR”, then use “GDPR” as legislation.
- If at least one of the profiles has the value “NONE”, then use “NONE” as legislation.
- Otherwise the value for legislation will be left empty (null).
What happens with profile data when a visitor withdraws consent?
By default, nothing changes to the profile data when a visitor withdraws consent for one or more objectives. You can change this behavior through a setting on the Privacy page (BlueConic settings > Privacy):
By checking the option "After visitor withdraws consent for an objective, clear the related profile properties," the visitor’s profile will be updated after a visitor withdraws consent. Profile properties that are related to the withdrawn objectives will be cleared, except for profile properties that are related to other objectives that the visitor still consents to.
Profile properties are related to objectives by items (such as listeners and import connections) that are contained by the objective and write data into profile properties.
How can I implement multilingual websites?
See our General privacy FAQ for instructions.
On the Privacy page, what's the difference between the Europe (GDPR) and United Kingdom (UK GDPR) legislation zones?
The Europe (GDPR) legislation zone governs consent for visitors from the European Union as per the General Data Protection Regulation (GDPR). Since the United Kingdom adopted its own version of data protection regulations, the United Kingdom (UK GDPR) legislation zone was added to the platform to govern consent for visitors specifically from the UK.
As of the June 2022 release, new UK visitors will be assigned to the UK legislation zone, while existing UK profiles will still be part of the Europe (GDPR) zone.
Note: If United Kingdom (UK GDPR) is NOT enabled on the Privacy page, then any new UK visitor will continue to be assigned to the Europe (GDPR) zone until the UK zone is enabled.