Convert is committed to assisting its customers in their journey to compliance with the GDPR (General Data Protection Regulation), enforced from late May 2018, and the upcoming ePrivacy Regulation. At Convert, we’re not only dedicated to adhering fully to the GDPR before its enforcement date (as you can read here https://www.convert.com/gdpr/) but also to adjusting the analytics application of Convert Experiences so that it assists our customers in complying with the GDPR and the upcoming ePrivacy Regulation (current draft).
The General Data Protection Regulation (GDPR) was passed by the EU Parliament in April 2016. Replacing the Data Protection Directive from the 1990s, it is the biggest overarching legislative change in data privacy regulation in the last 20 years.
In short, the GDPR was created to standardize data privacy laws throughout Europe and to put greater protection on the data privacy of EU citizens. The big changes are:
A full list of the key GDPR changes can be found on the EU GDPR website here.
The Privacy and Electronic Communications Directive 2002/58/EC, otherwise known as the ePrivacy Directive, was passed as complementary law by the EU Parliament in 2002 and amended by Directive 2009/136 in 2009. This law, complementary to the GDPR, is currently being updated; although not yet in effect, the latest drafts date from October 26, 2017 and were authored by Member of the European Parliament Marju Lauristin. The current proposal is in draft under item 15333/17 and involves important changes to the way cookies and traffic data should be treated.
In short, the ePrivacy Regulation was created to standardize data privacy and communication laws throughout Europe, for example by removing the cookie walls that people in Europe are familiar with and replacing them with clear guidelines that can be adopted into national EU laws. It introduces several changes, especially concerning cookies, which become subject to prior consent, but it also covers call centers and other forms of communication.
While the GDPR is a law (and enforceable national versions might differ slightly from the main guidelines), the ePrivacy Regulation is not yet a law, just a proposal in the late stages of approval. It most likely will not become law until summer 2019, so on May 25, 2018 there will be two laws in place: the new GDPR and the old ePrivacy Directive 2009/136. Once the ePrivacy Regulation is adopted (expected summer 2019), the GDPR and the ePrivacy Regulation will stand as complementary laws.
Just about anyone dealing with data. If your business is based in the EU, or you ever process the data of EU citizens, you’ll want to make sure you’re doing everything you can to comply with the GDPR. In addition, it’s wise to start preparing for the ePrivacy Regulation based on the draft law (approved by the European Parliament on October 26, 2017). Convert is preparing its business, and also its customers’ applications, in line with both the GDPR and the ePrivacy Regulation draft of Member of the European Parliament Marju Lauristin.
We’re glad you’ve asked! The chart below breaks down the new GDPR privacy standards as well as the ePrivacy Regulations, and how we’re working to respond to them. We’ll update this article frequently, so you can keep an eye on how far along we are in the process.
Art. in GDPR | Summary | Actions to be taken - Progress
---|---|---
Article 5 | 6 new Data Protection Principles have been introduced: | Convert Experiences will change features and settings, the most common being:
Article 6 | Lawfulness of processing: conditions that must be satisfied for the processing of personal data to be lawful. | We will increase trust from website visitors. The cross-domain cookie reconnect will be turned off by default for all projects in Convert Experiences; activating it will trigger a warning that consent from the individual visitor will most likely be needed. COMPLETED. We will support customers in transparency: when adding multiple domains to a project, Convert Experiences will warn that the individual’s consent does not automatically travel between properties, unless the properties are subdomains related to the main domain. COMPLETED. Our historical segmentation option is turned off by default; when a customer turns it on for an audience, we will remind them that, in our opinion, consent from the individual is needed. When additional logging is needed to find problems in the installation or website, the customer, as well as the website visitor within the European Union, will be required to give consent before the debugging tools are loaded (unless the ePrivacy Regulation brings additional clarity on this possible exception). COMPLETED. Universal User IDs used by customers will trigger a warning that a contract with the individual (for example, a paid customer relationship) and the individual’s consent are required, because of possible cross-device and cross-browser tracking. COMPLETED
Article 7 | New legislation around the consent of the individual for the organisation to hold his/her personal data. Several aspects need to be addressed: | No personal data will be stored in Convert Experiences. The GDPR’s definition of personal data is broader than under the Data Protection Directive. Article 4 of the GDPR states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”, and adds that an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. COMPLETED. Convert Experiences will show warnings on all custom tags (fields) available in the application regarding the storage of personal data, which is forbidden by the Terms of Use https://www.convert.com/terms-of-use/ of Convert Experiences. COMPLETED. The opt-out feature https://www.convert.com/opt-out/ will be placed on the app settings page. It will get an input field for the link to the opt-out page on the domain matching the project, with verification and email reminders. COMPLETED
Article 8 | Same as Article 7, but for children’s data consent in relation to information society services. | Inform customers of this article in the privacy policy of Convert Experiences. COMPLETED
Article 9 | Sensitive Personal Data, which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health-related information (physical or mental) and sexual orientation. | No Sensitive Personal Data is stored in Convert Experiences, but we will inform customers of this article in the privacy policy or terms of use of Convert Experiences. COMPLETED
Article 10 | Sensitive Personal Data relating to criminal convictions and offences or related security measures. | No Sensitive Personal Data is stored in Convert Experiences, but we will inform customers of this article in the privacy policy or terms of use of Convert Experiences services. COMPLETED
Article 11 | Processing which does not require identification: a controller that cannot identify the data subject is absolved from having to respond in detail to a data subject’s requests, except to tell the data subject (“if possible” to do so) that it cannot comply due to lack of identification. | Convert Experiences cannot identify data subjects based on any identifier, since none are stored. Data subjects’ rights will be limited to the deletion of cookies. COMPLETED
Articles 12-14 | Privacy Notices must be given at the time that the data is obtained from the data subject or, if the data was received from a third party, within a reasonable period after obtaining the data but at the latest within one month. | When third-party data could be used to build audiences, using either JavaScript or cookie conditions in audiences or any other location in Convert Experiences, the customer will get a warning. The warning will state that the individual’s consent is needed and the privacy policy of that tool must be presented, and that consent must be unbundled, obtained with active opt-in, granular, clearly named, easy to withdraw and documented, with no imbalance in the relationship. COMPLETED
Articles 15-23 | Expanded Individuals’ Rights: | Convert Experiences does not store any information about an individual user on the system. Upon deletion of the cookie, the individual user’s history of which buckets he or she fell into is erased; total unique visitor counts per bucket remain available in Convert Experiences but do not contain individual user information. COMPLETED. Convert Experiences does not offer direct marketing options. COMPLETED. On the summary pages of the 1:1 Personalization option we will inform our customers of the possible privacy implications: even though we don’t store individual users in our system, its buckets of users might be smaller than one hundred unique visitors, which we consider reason enough for an additional consent warning to our customers. COMPLETED. No individual user data is stored on Convert Experiences servers, so no data-portability or erasure option for website visitors is available. COMPLETED
Article 24 | Definition of a Controller | Convert acts as a controller and will comply with all corresponding regulations. COMPLETED
Article 25 | Data Protection by design and by default | Several guidelines will be applied during the software development cycle:
Article 28 | Definition of a Processor | Convert Experiences acts as a processor and will comply with all corresponding GDPR regulations. COMPLETED
Article 30 | Record keeping: all personal data processing activities shall be recorded. | Article 30 states that these requirements do not apply to organizations of under 250 employees; in addition, Convert Experiences will not manage personal data at the completion of this roadmap. COMPLETED
Articles 33-34 | Data breaches | Convert Experiences does not hold any personal information, yet will ensure that procedures are in place to detect, investigate and report application data breaches within 72 hours of becoming aware of them. COMPLETED
Articles 35-36 | Privacy Impact Assessment (PIA): if you are using "new technologies" to process personal data in a way that is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the protection of personal data. Prior Consultation: data controllers should consult the supervisory authority every time a PIA identifies an inherently high-risk processing activity. | Not strictly necessary, as the type of processing Convert Experiences does is unlikely to result in a high risk, but Convert Experiences will put a simple PIA on the application settings page anyway. COMPLETED
Articles 40-43 | Codes of Conduct and Certifications: the GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply. | Convert will find the appropriate Codes of Conduct and Certifications and comply with them. The most “popular” are:
Articles 44-50 | Cross-border data transfer: as a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an “adequate” level of data protection. A current list of “approved countries” is available here. | Convert Experiences does not perform any cross-border data transfer to or from outside the EEA in its infrastructure. COMPLETED
Articles 51-99 | Articles on Independent Supervisory Authorities through the Final Provisions | We have read these articles. COMPLETED
Art. in ePrivacy Regulations Draft 6543/2020 | Extract | Actions to be taken - Progress
---|---|---
Articles 2 and 14 | “These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc.” | On targeting of geographical locations at regional and city level, as well as targeting the time (zones) of user terminals, Convert Experiences will signal a warning that individual consent is needed. COMPLETED
Article 8 | "This Regulation should also apply to natural and legal persons who use electronic communications services to send or present direct marketing commercial communications or make use of processing and storage capabilities of terminal equipment or collect information related to processed by or emitted by or stored in end-users’ terminal equipment. Furthermore, this Regulation should apply regardless of whether the processing of electronic communications data or personal data of end-users who are in the Union takes place in the Union or not, or of whether the service provider or person processing such data is established or located in the Union or not." | Convert Insights Inc., a Delaware (USA) incorporated organization with its datacenter in Frankfurt, Germany, will store and process no personal data of end users. We have read this article and will respect its content. COMPLETED
Article 17b | "Processing of electronic communication metadata for scientific research or statistical purposes should be considered to be permitted processing. This type of processing should be subject to further safeguards to ensure privacy of the end-users by employing appropriate security measures such as encryption and pseudonymisation. In addition, end-users who are natural persons should be given the right to object." | Visitor IDs are automatically anonymized by grouping hundreds of website end-users into visitor groups that only count the total number of end-users present. Individual end-users are not stored in Convert Experiences. It will not be possible to reconnect group counts to individual visitors in any way, and the anonymized groups will be used for statistical purposes only, which is permitted processing. Each customer of Convert Experiences needs to have an opt-out form on the site that lets website visitors exercise their right to object to this statistical research. COMPLETED
Articles 20 and 21 | "Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user’s terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user’s terminal equipment should be allowed only with the end-user’s consent and for specific and transparent purposes.” as well as “Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is necessary and proportionate for the legitimate purpose of enabling the use of a specific service requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end user’s input when filling in online forms over several pages, authentication session cookies used to verify the identity of end-users engaged in online transactions or cookies used to remember items selected by the end-user and placed in shopping basket. Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example by helping to measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site. Information society providers that engage in configuration checking to provide the service in compliance with the end-user’s settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities. Consent should not be necessary either when the purpose of using the processing storage capabilities of terminal equipment is to fix security vulnerabilities and other bugs, provided that such updates do not in any way change the functionality of the hardware or software or the privacy settings chosen by the end-user and the end-user has the possibility to postpone or turn off the automatic installation of such updates. Software updates that do not exclusively have a security purpose, for example those intended to add new features to an application or improve its performance, should not fall under this exception." | Recital 21 of ePrivacy Regulations draft 1533 says: "Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy." With the removal of all personal data from Convert Experiences in the default settings, there is very limited to no privacy implication in using the software. We do recommend that customers ask for consent when specific settings are turned on. COMPLETED
CHAPTER II - PROTECTION OF ELECTRONIC COMMUNICATIONS OF END-USERS AND OF THE INTEGRITY OF THEIR TERMINAL EQUIPMENT, Article 8, Protection of information stored in terminal equipment of end-users and related to or processed by or emitted by such equipment. | "1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: (d) it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party on behalf of the provider of the information society service provided that conditions laid down in Article 28 of Regulation (EU) 2016/679 http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf are met." | Article 28 of Regulation (EU) 2016/679 describes the relationship with the controller, i.e. the contracts between the customers of Convert Experiences and Convert. Customers can request additional contract clauses for European customers; for this reason we have a DPA and DPIA online. COMPLETED
CHAPTER II - PROTECTION OF ELECTRONIC COMMUNICATIONS OF END-USERS AND OF THE INTEGRITY OF THEIR TERMINAL EQUIPMENT, Article 10, Information and options for privacy settings to be provided, Protection of information stored in terminal equipment of end-users and related to or processed by or emitted by such equipment. | "3. In the case of software which has already been installed on [25 May 2018], the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than [25 August 2018]." | Inform customers of Convert Experiences that they must share their privacy settings with all end-users before 25 August 2018, using features like opt-out. COMPLETED
Have questions about how Convert’s actions, and GDPR, will affect your business? Contact us at: support@convert.com