You’re a MailPoet user looking to be GDPR friendly? Follow our guide.
If you’ve had to recently agree to many new terms and conditions for your online services, there’s a good probability that it’s because of a European regulation on privacy.
If you haven’t yet heard, the European Union is introducing a set of common sense laws on May 25th called the General Data Protection Regulation (GDPR).
We certainly think these regulations are a good thing for everyone. Why? Because they give users’ control over their data while being fairly easy to understand.
You can jump straight to our guide on our support website to learn how to implement them on your website.
We asked Heather Burns, a tech policy and regulation specialist based in the U.K., how GDPR will benefit the WordPress community. Here’s what she had to say:
The biggest benefit GDPR brings to the WordPress community isn’t in the code. It’s in the processes it encourages you to go through. Getting to grips with GDPR, for many developers and users, will be the first time they’ll have sat down to really think about questions like “What data do we collect? Why do we collect it? Where do we store it? Who has access to it? How long do we keep it? Who do we share it with?
In short, the regulation gives the right to ask a website or app for their personal identifiable information. Furthermore, users can ask for their data to be anonymized (also known as “the right to be forgotten”.) Moreover, a company is obliged to inform its users in the event of a data security breach.
Everyone agrees that these new laws are simply common sense.
Have European users? GDPR applies to you, too
The regulation applies to any company which processes data of European residents.
For example, an American company will have to process a request from one of their European visitors if he/she leaves comment on a blog post with his name and email address.
For this reason, we recommend all website owners to simply abide to the regulation, regardless if you are in the European Union or not.
In time, people online beyond Europe’s borders will start to expect this “privacy by design” mentality, as Heather Burns suggests:
As your users become more conscious about their personal privacy, you need to be prepared to meet those expectations, and “promises to respect your privacy” just won’t do anymore […] and this is particularly important for people working in countries which have no comparable overarching privacy law, such as the U.S.
What are the penalties?
The penalties can be up to 4% of a company’s annual revenues.
Rest assured, most small website owners will not be hounded or regulated.
Most European countries are not ready to enforce the directive right now, and when they are, they will certainly be concerned with large companies hoarding vast amounts of data or those handling very sensitive information, such as the ones who operate in the healthcare industry.
The biggest risk to site owners outside the EU who don’t abide to the new privacy guidelines will be a loss in public trust and confidence in their services. […] Respecting your users’ privacy will become a selling point for responsible services, as important as the product itself,” says Burns.
Get ready in 15 minutes
The team behind WordPress have made it easy for website owners and plugin authors to abide to the new rules.
Starting in version 4.9.6, there are several tools to help you get GDPR-compliant.
In our GDPR guide, we’ll take website owners through these tools:
- Publish a new Privacy Notice that makes your visitors’ rights clear;
- Ask for consent to collect data in your forms;
- The tool to extract a visitor’s identifiable data;
- The tool to anonymize a visitor’s identifiable data.
We also have other, optional recommendations in our guide.
Hopefully, you’ll see the reasonableness of this new regulation. GDPR will certainly get a big boost from WordPress since it powers 30% of the internet.
More than half of the world’s population will be online this year, for the first time. It’s timely that we finally get the rights to control our own data 29 years after the WWW was created.
What about Mail Poet 2? It must be GDPR compliant too
Cheers from Germany
Hansjörg
Hansjörg, good question.
MailPoet 2 is GDPR compliant too. Read the guides above to follow the steps.
The only drawback is that MailPoet 2 doesn’t use the WordPress tools to find and anonymize subscribers data.
If you ever get a request by a subscriber for this, simply contact our support and we’ll assist you.
Hi, thanks for the article. However, I am not clear on the compliance thing. The GDPR law states that the newsletter provider needs to have a written opt in. Now, if I choose to send a confirmation email in mailpoet 2, and the user confirms, the program updates the status from unconfirmed to confirmed. However, I have NO information when the confirmation occured – something that is necessary to have, to be GDPV compliant.
Please let me know asasp, since I need to sort this out before the 25th. Thank you!
Good question Viktoria because proof of consent in the digital space isn’t always obvious. So, what qualifies as consent?
In MailPoet, these 3 methods together qualify as consent:
1. Add a text and a link to your privacy notice in your forms;
2. Enable Signup Confirmation (aka “double opt-in”);
3. MailPoet also records the source of signup (form or import, for examples) in the database to be shown on export of user data (not shown in UI);
Where can I find your own Privacy Policy? I wish to add all 3rd party Privacy Policy links to my new Privacy Policy.
Margaret, our Privacy Notice can be found here: http://www.mailpoet.com/privacy-notice/
We’ll update our footer today so it can be found easily.
But the Mailpoet Privacy Notice does only affect those who are using your Mailsending Service. If I just use your plugin, there is not Need to link to your page!?
For your own Privacy Notice page, you do not need to link to MailPoet’s own Privacy Notice page.
If you use the MailPoet Sending Service, then you can state in your Privacy Notice page that you are sending with MailPoet.
Hi! Is it possible to automate the process for getting a new GDPR compliant consent from existing subscribers?
Greetings
Frank
Hey Frank, you do not need to ask for consent, unless you imported your subscribers without their consent in the first place.
We have a guide available here:
https://beta.docs.mailpoet.com/article/246-guide-to-conform-to-gdpr
Kim,
Thanks for your continued support on this thread. However, you’ve yet to answer the following questions.
How (technically) can one ask for consent again for existing “confirmed” subscribers? I have a segment of confirmed subscribers, but I cannot be 100% certain that all followed our double-consent flow.
This is becoming a blocking issue for my business, and we may need to switch services (Ex: MailChimp) as they have a solution for this problem.
Thanks,
David
Hey David, we don’t recommend to reconfirm your subscribers. Proof of consent is already available in MailPoet if:
– Signup Confirmation enabled;
– You have not imported your subscribers without their consent;
– You have an “unsubscribe” link clearly visible.
MailPoet tracks IP addresses on signup and it will start tracking this week the source of signup (e.g. forms or import) of each subscriber.
All of this information together qualifies as “proof of consent”.
Our legal advise on this matter is pretty firm. Unfortunately, MailChimp’s own recommendations have confused more than one. MailChimp also disables double opt-in by default, if that’s any indication of their contradictory advice.
If you want don’t want to follow our recommendations and wish to reconfirm everyone on our list, you can do so in these steps:
1. Create a new list in MailPoet;
2. Create a new form for this list;
3. Create a new landing page with this form;
4. Send an email to the old list with a link to this new page and ask to sign up again;
5. Stop using the old list and start using the new list.
The peril of this is that many of your subscribers might not see your email. Depending on your open rates, this means loosing up to half of your legitimate subscribers, if not more.
Alternatively, simply send a single email with your new Privacy Notice and ask users to unsubscribe if they don’t consent.
Hi, I would like to clarify your answer: in my case, I have used an opt out form so far, provided by other means. As by your serrvices, every email has a clear unsubscribe link. Do I now need to have them reconfirm “opt in” or not in order to be compliant? Thanks!
Viktoria, I’m not sure I fully understand your question. If you have specific question, we’ll be happy to answer them by email.
You can reach us here: http://www.mailpoet.com/support/sales-pre-sales-questions/
You don’t have to re-establish the consent, only if the initial application form was consistent with GDPR.
Some explanations here: “Do I need to contact my existing subscribers to re-establish consent?”
https://www.signupto.com/news/digital-marketing/gdpr-double-opt-in-and-re-consent/
or here “Send re-permission campaigns”
https://sendy.co/get-updated
Do you see a way to handle this with MailPoet?
Hello,
first of all thank you for extending the new feature of WordPress core – export personal data – with MailPoet data. Very helpful!
There is one thing that is not clear to me, namely whether you store my users’ emails on your servers.
In your policy (https://www.mailpoet.com/privacy-notice/
) you say:
“MailPoet collects data from users’ accounts for security reasons, to monitor deliverability, for internal reporting and for billing purposes, Number of emails sent, Email addresses of recipients, Country of user.”
“Email addresses of recipients” – do you refer to my newsletter subscribers here?
If so, do you sign up a Data Processor Agreement with your customers? This is what my lawer would suggests in this case.
Hey Aga, a separate agreement should not be necessary as that’s already covered in the privacy notice.
Hey Kim, thank you for your support at the comment section! A Data Processor Agreement is exactly what I’m looking for a long time too. Since MailPoet processes personal data on my behalf, such an agreement is mandatory. I do not understand why the privacy notice should be enough. Could you please inform me and send current information here, e.g. with information source. Thank you so much!
Alexandra, our Privacy Notice has the same value as an agreement because you agree with our terms by using our service.
We could sign tens of thousands of agreements with our users, but that wouldn’t make much sense.
You might wonder what data we hoard? MailPoet only logs email addresses that we send to and nothing else. This is used to ensure deliverability for users who send with us. The data we gather about your users is strictly minimal.
The guide says this about the privacy policy text:
“WordPress has created a tool for this purpose in which MailPoet provides example text for you to use.”
Is the example text available separately? I’m using MailPoet 2 and WordPress’s privacy policy tool isn’t displaying any example text specific to MailPoet.
Emily, the recommend text is indeed in MailPoet 3 only. I’ll send it to you by email.
Great article, than you very much.
Hi Kim,
I am using the MailPoet Sending Service.
What do you do with the data of my subscribers? Do I need a DPA?
Maybe it’s a similiar or even the same question like the ones of Aga and Alexandra.
Thank you!
mic
Hello,
I have the same question about which data of my subscribers do you use, how and where my subscribers datas are located ?
Thank you Kim !
Dav
Dav, we only track the emails you sent to and their response (delivered, failed, bounced, etc.) if you send with MailPoet.
You can view the services we use here:
https://www.mailpoet.com/privacy-notice/
Hope this helps!