FAQ: GDPR and privacy with BlueConic

Overview: GDPR compliance

Marketing teams use BlueConic to manage customer data privacy and consent compliance worldwide. BlueConic supports multiple legislation zones, including the GDPR in Europe. For general information on managing privacy with BlueConic see the Privacy section of our Knowledge Base.

This FAQ covers questions specific to GDPR compliance.

Where can I learn more about the EU General Data Protection Regulation (GDPR)?

For all questions about the regulation, you can visit the official EU GDPR portal to learn more, including an FAQ about the regulation itself: https://www.eugdpr.org/

When did GDPR go into effect?

May 25, 2018

Is BlueConic considered a data processor or a data controller in relation to the profile data stored in the platform on behalf of its customers?

BlueConic is considered to be a data processor in this context.

When were BlueConic’s Consent and Privacy Management capabilities released?

April 2018

Will BlueConic’s Consent & Privacy Management capabilities make my organization compliant?

Not necessarily. You should consult your internal legal/privacy experts to determine which of your marketing objectives require implicit or explicit consent, as well as where and when you need to ask for consent. Once you have this determined, you can use BlueConic’s Dialogues to ask for consent and capture individual rights requests.

Does BlueConic provide consulting to its customers about how to be GDPR compliant?

No. BlueConic is not a consulting or law firm. We recommend you consult your organization’s legal and/or privacy experts to determine what is required for your specific organization.

Is BlueConic GDPR compliant in relation to the profile data stored in the platform on behalf of its customers?

Yes, all our internal processes are compliant, as well as 3rd parties, like Amazon Web Services.

Managing privacy and consent with Objectives in BlueConic

What is the Objectives object in BlueConic, and how does it relate to consent management for GDPR?

The BlueConic Objectives object lets you define purposes for personal data collection that require explicit or implicit consent. You can easily add Dialogues, Connections, Listeners and other BlueConic objects to Objectives to enable consent management for those objects.

Is it possible to only ask for consent against one overall Objective and remain compliant with GDPR?

This is a question for your internal legal & privacy experts. It depends on what types of data you collect, as well as how many different marketing purposes you use it for.

Consent management for GDPR

How can BlueConic help me manage consent for personal data collection?

You can use BlueConic Dialogues to request consent from individual customers for the specific purposes associated with your defined Objectives in the platform. Once consent is given or denied at the individual level, that data is stored in the corresponding profile that is persistently stored in BlueConic. As a marketer, BlueConic Dialogues provide you with complete control and flexibility over how and where you ask for consent, so you can make changes as needed without the help of IT or developers. You can view what percentage of your customers has provided consent for each of your objectives at any time. The article Privacy Management in BlueConic helps you get started.

Can I see a demo of how to set up Objectives in BlueConic, as well as Dialogues for requesting consent?

Watch our GDPR and privacy tutorial video to see how to do this in under 5 minutes.

Can I limit the exposure of consent-related Dialogues to only be shown to customers in the EU?

Yes. Based on the IP address of your website visitors, BlueConic can determine the legislation of a user, and only display consent Dialogues to visitors with an IP address located in the EU.

What if a customer denies or revokes consent for website tracking behavior? How would BlueConic automatically manage that?

Assuming that ‘website tracking behavior’ is defined as a BlueConic Objective, when a customer denies or revokes consent for that Objective, BlueConic will not execute Dialogues, Listeners, Connections and other related objects for that particular customer’s BlueConic profile.

Can I synchronize customer-level consent data to my external marketing platforms, such as ESP, CRM, retargeting?

Yes. You can use BlueConic partner Connections to sync with your external platforms. When exporting profiles, you can select to transfer only the profiles for customers that have given consent. 

What if we are capturing consent in other platforms? Can we integrate consent data captured outside of BlueConic into BlueConic profiles?

Yes. As long as the consent is captured at the individual level and can be mapped to a BlueConic profile identifier, you can use BlueConic connections to synchronize this data. When importing profiles, you can select to only transfer profiles that have given consent.

Using the BlueConic APIs, you can keep the objectives in BlueConic the same as the ‘purposes’ defined in the leading system. Using the JavaScript API, the legislation and the consented and refused objectives can also be managed for each visitor individually.

When objectives are linked to (global) listeners, connections, trackers and dialogues, BlueConic only executes or shows the items for which the visitor has given consent.

Can I also use BlueConic’s consent management capabilities to manage cookie consent?

Cookies are seen within the GDPR as only one way to create an online identifier. With the GDPR, the focus is on getting consent for a specific purpose, of which cookies are only a part. BlueConic only sets an identifier in a cookie once the visitor has given at least one consent; before that, no identifiers are stored in cookies.

When does a visitor get a profile?

A visitor only gets a profile:

  • IF the visitor has legislation “NONE” and the default permission level is 1 or 2, or:
  • IF the visitor has legislation “GDPR” and one or more (global) listeners, connections or trackers are executed for that visitor. These are only executed:
    • IF they don’t require consent, or
    • IF they do require consent and the visitor consented to one or more related objectives

A profile is also created if the visitor explicitly selects permission level 1 or 2 (this is used for the (deprecated) cookie consent).

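The rules above can be translated to the following table:

| Permission level | Legislation | Items open* | Consent given | Gets profile |
|------------------|-------------|-------------|---------------|--------------|
| 0                | NONE        | n/a         | n/a           | No           |
| 1 or 2           | NONE        | n/a         | n/a           | Yes          |
| 0                | GDPR        | n/a         | No            | No           |
| 0                | GDPR        | n/a         | Yes           | Yes***       |
| 1 or 2           | GDPR        | No          | No            | No           |
| 1 or 2           | GDPR        | No          | Yes           | Yes**        |
| 1 or 2           | GDPR        | Yes         | No            | Yes**        |
| 1 or 2           | GDPR        | Yes         | Yes           | Yes**        |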

* An item ((global) listener, connection or tracker) is called “open” if it is not part of an objective that has consent management switched on.
** The “GDPR-profile” gets the default permission level.
*** The “GDPR-profile” gets permission level 2.

What happens with the consent when two profiles merge?

When two profiles merge the privacy settings for the two profiles are automatically merged.

Consented objectives – The consented objectives from both profiles are added up and placed into the merged profile.

Refused objectives – The refused objectives from both profiles are added up and placed into the merged profile. Refused objectives that also appear in the merged consented objectives list are removed from the refused objectives list.

Privacy legislation – The privacy legislation is set to the value of the first rule that matches:

  1. If at least one of the profiles has the value “GDPR”, then use “GDPR” as legislation.
  2. If at least one of the profiles has the value “NONE”, then use “NONE” as legislation.
  3. Otherwise the value for legislation will be left empty (null). 
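
The merge rules above, modelled as an added example (this is not BlueConic code). The field names `consented`, `refused` and `legislation`, the objective names and the `overriddenRefusals` audit helper are assumptions made for this sketch. The helper lists refusals that disappear because the other profile consented, which is the outcome worth recording when two profiles merge.

```javascript
// Added illustration: a stand-alone model of the documented merge rules.
// Field names are assumptions for this sketch, not BlueConic's API or storage format.

// Privacy legislation: the first rule that matches wins (GDPR, then NONE, else null).
function mergeLegislation(a, b) {
  for (const value of ["GDPR", "NONE"]) {
    if (a === value || b === value) return value;
  }
  return null;
}

function mergePrivacy(p1, p2) {
  // Consented objectives from both profiles are added up.
  const consented = new Set([...p1.consented, ...p2.consented]);
  // Refused objectives are added up, then any that are also consented are removed.
  const refused = new Set(
    [...p1.refused, ...p2.refused].filter((o) => !consented.has(o))
  );
  return {
    consented: [...consented].sort(),
    refused: [...refused].sort(),
    legislation: mergeLegislation(p1.legislation, p2.legislation),
  };
}

// Hypothetical audit helper: refusals dropped because the other profile consented.
function overriddenRefusals(p1, p2) {
  const consented = new Set([...p1.consented, ...p2.consented]);
  const dropped = [...p1.refused, ...p2.refused].filter((o) => consented.has(o));
  return [...new Set(dropped)].sort();
}

// Constructed sample: the same person seen as two profiles before the merge.
const profileA = {
  consented: ["analytics"],
  refused: ["retargeting", "email"],
  legislation: "NONE",
};
const profileB = {
  consented: ["retargeting"],
  refused: ["analytics"],
  legislation: "GDPR",
};

const merged = mergePrivacy(profileA, profileB);
console.log(merged, overriddenRefusals(profileA, profileB));
```

In this sample only the `email` refusal survives the merge: the refusals for `analytics` and `retargeting` are each removed by the other profile's consent.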

What happens with profile data when a visitor withdraws consent?

By default, nothing changes in the profile data when a visitor withdraws consent for one or more objectives. You can change this behavior through a setting on the BlueConic settings > Privacy tab:

By checking the option “After visitor withdraws consent for an objective, clear the related profile properties”, the visitor’s profile will be updated after the visitor withdraws consent. Profile properties that are related to the withdrawn objectives will be cleared, except for profile properties that are related to other objectives that the visitor still consents to.

Profile properties are related to objectives by items (such as listeners and import connections) that are contained by the objective and write data into profile properties.
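
The clearing rule described above, as an added example (not BlueConic code) that computes which properties are removed when the option is enabled. The objective, item and property names and the shape of `config` are constructed for this sketch; it assumes each objective lists the items it contains and each item lists the profile properties it writes.

```javascript
// Added illustration: model of "clear the related profile properties" on withdrawal.
// All names below are constructed; this is not BlueConic's configuration format.
const config = {
  objectives: {
    analytics: ["behavior_listener"],
    personalization: ["interest_ranker"],
    email: ["crm_import"],
  },
  itemWrites: {
    behavior_listener: ["visit_count", "interests"],
    interest_ranker: ["interests"],
    crm_import: ["email_address"],
  },
};

// Properties written by any item contained in the given objectives.
function propertiesFor(objectiveIds, cfg) {
  const props = new Set();
  for (const id of objectiveIds) {
    for (const item of cfg.objectives[id] || []) {
      for (const prop of cfg.itemWrites[item] || []) props.add(prop);
    }
  }
  return props;
}

// Cleared: related to a withdrawn objective and to no objective still consented to.
function propertiesToClear(withdrawn, stillConsented, cfg) {
  const keep = propertiesFor(stillConsented, cfg);
  return [...propertiesFor(withdrawn, cfg)].filter((p) => !keep.has(p)).sort();
}

function applyWithdrawal(profile, withdrawn, cfg) {
  const consented = profile.consented.filter((o) => !withdrawn.includes(o));
  const properties = { ...profile.properties };
  for (const prop of propertiesToClear(withdrawn, consented, cfg)) {
    delete properties[prop];
  }
  return { ...profile, consented, properties };
}

// Constructed visitor; favorite_store is written by no objective-bound item.
const visitor = {
  consented: ["analytics", "personalization", "email"],
  properties: { visit_count: 12, interests: ["cycling"],
    email_address: "user@example.test", favorite_store: "store-17" },
};
const afterWithdrawal = applyWithdrawal(visitor, ["analytics"], config);
console.log(afterWithdrawal);
```

Withdrawing `analytics` alone clears `visit_count` but keeps `interests`, because `personalization` is still consented to and also writes that property.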

How can I implement multilingual websites?

See our General privacy FAQ for instructions.
