
GDPR — what we chose to do at Openprise

Before GDPR went into effect, Openprise took steps towards managing GDPR compliance requirements.

  1. Emailed everyone in our database about our updated Privacy Policy: We sent this one out earlier than just about everybody, and positioned it as a model for managing GDPR compliance requirements in the email offer. We didn’t particularly want people to read it so we sent it out on a Saturday. Surprisingly, that page got a remarkable number of hits, all things considered. We hope there was a lot of cutting and pasting going on.
  2. Asked people to opt in: We sent an email to the leads in our database that would be subject to GDPR. It asked people to actively opt in in order to stay in touch with us. As you might expect, we didn’t get a massive response, but we did get some. That was great. When we looked at the lead scores of all those who didn’t respond, we didn’t feel too bad. Very few were MQLs.
  3. Made our website cookie compliant: Lots and lots and lots of platforms use cookies to track people online and improve their user experience, but cookies also get a bad rap for enabling advertisers to stalk people on the internet, etc. When you go to our site, you’re asked to opt in to being cookied. If you select yes, those cookies engage to try to help provide you with more appropriate information. If you select no, obviously, you’re not tracked and your experience won’t be as much fun. Our webmaster installed a WordPress plugin from Weepie, a two-person Dutch company. Worked as advertised. Checked that box.
  4. Created a subscription center: Instead of using the flat “unsubscribe” we’ve been using, we used this as an opportunity to create a subscription center using Josh Hill’s outline on the Marketo Community. There’s no shortage of JavaScript programmers at Openprise, so we added some tweaks to make the boolean value for the unsubscribe field say “Yes” or “No” instead of “1” or “0”. Feel free to ping us for the code to do that—it was a few minutes of work from some smart product folks. To add to this, I created a couple of visible and hidden fields on our form.

a) Privacy Classification. This is a field we already had which distinguishes the GDPR, the CASL, the fine-to-use, and the non-deterministic (read: “we have no idea where they’re located”).
b) Sub-DateTime. This hidden field collects a time/date stamp for whenever the form is submitted.
c) Sub-ForgetMe. This field only appears if the lead has a Privacy Classification value of GDPR (see above).

Using Privacy Classification as the method to determine which form values are seen, if the value is anything but GDPR, the user doesn’t see the Sub-ForgetMe field. If the Privacy Classification value is GDPR, the user sees the extra field:


If they select “I want to be forgotten per GDPR,” they then get a special landing page:


Otherwise they, and any non-GDPR users, get the usual subscription confirmation page.

The Sub-ForgetMe field enables us to:

  • Mark the lead for deletion
  • Ensure that their GDPR Opt-In value is FALSE
  • Ensure that they are:
    ○ Marketing suspended
    ○ Unsubscribed
    ○ Marked NO for all the various subscription options

This way we have redundant systems (unsubscribe, marketing suspended, specific subscription fields) to ensure that between the decision to opt out and the time the record is anonymized or deleted, we do not send to that person no matter what.
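The redundancy described above, sketched as an added example (not Openprise's code and not a Marketo API). The property names, the check that re-applies the Sub-ForgetMe visibility rule when the form is processed, and the rule that GDPR leads need `gdprOptIn` to be mailed are all assumptions.

```javascript
// Added example. Property names are assumptions modelled on the fields in the post.

// Sub-ForgetMe is shown only when Privacy Classification is GDPR.
function showForgetMe(lead) {
  return lead.privacyClassification === "GDPR";
}

// Apply a subscription-center submission and return the updated lead record.
function applySubmission(lead, form, now = new Date()) {
  const updated = {
    ...lead,
    subscriptions: { ...lead.subscriptions },
    subDateTime: now.toISOString(), // hidden Sub-DateTime stamp
  };
  // Re-check the visibility rule here instead of trusting what the browser sent.
  if (showForgetMe(lead) && form.subForgetMe === true) {
    updated.markedForDeletion = true;
    updated.gdprOptIn = false;
    updated.marketingSuspended = true;
    updated.unsubscribed = true;
    for (const name of Object.keys(updated.subscriptions)) {
      updated.subscriptions[name] = false;
    }
    return updated;
  }
  for (const [name, wanted] of Object.entries(form.subscriptions || {})) {
    if (name in updated.subscriptions) updated.subscriptions[name] = wanted === true;
  }
  return updated;
}

// Send gate: each suppression flag blocks on its own, so one stale or
// mis-synced field cannot re-enable mail to a lead awaiting deletion.
function maySend(lead, list) {
  if (lead.markedForDeletion || lead.marketingSuspended || lead.unsubscribed) return false;
  if (lead.privacyClassification === "GDPR" && lead.gdprOptIn !== true) return false;
  return lead.subscriptions[list] === true;
}

// Constructed sample lead and submission.
const sampleLead = {
  privacyClassification: "GDPR", gdprOptIn: true, markedForDeletion: false,
  marketingSuspended: false, unsubscribed: false,
  subscriptions: { newsletter: true, webinars: true },
};
const forgotten = applySubmission(sampleLead, { subForgetMe: true });
console.log(maySend(sampleLead, "newsletter"), maySend(forgotten, "newsletter"));
```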

So far in testing it’s worked well. We haven’t got a large enough EU audience (yet) to have done more than test.

*We kept the sad puppy graphic from our old unsubscribe page. He still works.
