
The General Data Protection Regulation (GDPR)


Drip is dedicated to maintaining ongoing compliance under the General Data Protection Regulation (GDPR).

This is a complex regulation that applies if you collect and process the data of individuals located in the European Union (EU). We suggest you consult a legal professional who is knowledgeable about these regulations to see whether you need to be GDPR compliant.

What is My Business’ Role Under the GDPR?

Data collection is common practice for most businesses, especially those that rely on online revenue streams. Under the GDPR, if you collect personal data and decide what it is used for, your business assumes the role of Controller. When you collect someone’s data, you need somewhere to store that information so you can recall it later to build effective marketing strategies. That’s where Drip fits in.

Where Does Drip Fit in With My Business and the GDPR?

Drip is a tool you use to store the data you collect so you can make better marketing decisions. However you use Drip to store data, you should be aware of how it fits into your business under the GDPR. Drip processes that data on your behalf and on your instructions, so it takes on the role of Processor.

What is Personal Data?

Under the GDPR, personal data is any information relating to an identified or identifiable natural person. Common examples that fall into this category include:

  • Email address

  • Name

  • Phone number

  • Billing/Shipping Address

Your business must remain GDPR compliant if you collect information from people in the EU.

Is Your Business Compliant?

Your email marketing is only a small piece of your business that must be GDPR compliant. This is why we suggest that you consult with a legal expert who is knowledgeable in the following areas:

  • The General Data Protection Regulation

  • Maintaining compliance with GDPR and EU regulations

  • EU privacy laws

Get Consent from People in the EU

While you should always get consent from everyone you send emails to in Drip, the way to get and record consent for people in the EU is a bit different.

Drip has built-in features to help you gain and record consent through your opt-in forms:


  1. Click on the settings icon in the upper right-hand corner

  2. Click Account

  3. Click EU Compliance

  4. Turn the setting on and enter your consent statement.

    You can attach a hyperlink to your Privacy Policy or Terms of Service, or format the statement with Markdown.

How Drip Records and Stores EU Consent

Before getting into how you can display your consent statement, it's important to understand how Drip records and stores the consent status of a subscriber. Just gaining consent from your EU subscribers won't be of much use unless you can recall it at a later time.

In Drip, a subscriber holds one of three EU consent statuses: granted, denied, or unknown. The status is not static: it is updated on the subscriber’s most recent consent action. A subscriber who previously granted consent but does not do so when subscribing again is moved to denied, and can move back to granted by consenting on a later subscription.

Each change of status is recorded as an event (EU Consent Granted or EU Consent Denied), which you can see on the subscriber’s activity timeline. These events are your record that consent was given, which the GDPR requires the controller to be able to demonstrate (Article 7(1)), so make sure the statement the subscriber actually saw is the one recorded with them.

If you create subscribers through the API and then subscribe them to a campaign, you can also display your consent message in the double opt-in confirmation email of an individual campaign. When the subscriber confirms, Drip records the EU Consent Granted event and sets their status to granted.

If no consent status is recorded, Drip sets it to unknown. This is also what happens when a subscriber is created through a third-party integration, or when you do not use the features described later in this article.

Both events carry the same properties:

  • value holds the consent status of the subscriber (granted, denied, or unknown)
  • message contains the consent statement the subscriber agreed to
  • source refers to how the subscriber was created

 

Segment for EU Consent Status

EU Consent status filter

By collecting people’s EU consent status and then recording that status, you can use segmentation to handle people based on that data:

  1. Click People

  2. Set the filter to EU Consent > is > status to filter by

  3. Click Refresh

EU Compliance Consent Features

EU Compliance in Drip Forms

When this setting is enabled, your compliance statement will be displayed next to a checkbox. By checking the box, the subscriber is granting their consent to you based on your compliance statement.

Go to Settings > Account > EU Compliance and turn the setting ON to enable it.

Once your consent statement is saved in your account, Drip automatically and immediately updates all of your form widgets (but not your existing embedded forms) to display the checkbox, including those that were already activated at the time this setting was enabled. Here's an example of the compliance checkbox and statement on a form widget:


If you're using embedded forms, Drip updates the code it generates in the Forms > Design section to include the HTML for the checkbox, and every new form you create will include it in the embedded version. Because Drip can't access your codebase, any embedded form that is already live on your own site has to be updated by hand. If you simply need to add the checkbox HTML to an existing form, use the template below:

<div>
  <!-- The hidden "denied" value is sent with every submission. -->
  <input type="hidden" name="fields[eu_consent]" id="drip-eu-consent-denied" value="denied" />
  <!-- The checkbox shares the field name and comes after the hidden input, so when it
       is ticked its "granted" value is the last one received and overrides "denied".
       Do not add a checked attribute: a pre-ticked box is not valid consent under the GDPR. -->
  <input type="checkbox" name="fields[eu_consent]" id="drip-eu-consent" value="granted" />
  <label for="drip-eu-consent">Your EU Consent Message Goes Here!</label>
</div>

Bear in mind that the checkbox is not a required field in either form type: a subscriber who leaves it unticked is still added to your email list, with a consent status of denied. If you do not wish to keep subscribers who have denied consent, you can take the optional steps of deleting them from your account as outlined here.
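The following is an added example, not Drip's code, showing how the hidden input and checkbox pair in the template above is interpreted after submission. A browser sends successful controls in document order and omits an unticked checkbox entirely, so the request body carries either a single "denied" or "denied" followed by "granted". The resolver assumes last-value-wins for a repeated field name, which is how Rack/Rails and PHP treat it; that Drip's form endpoint behaves the same way is an assumption, not something this page states.

```javascript
// Added example, not Drip's code. Models the form encoding produced by the
// template on this page and a last-value-wins resolver on the receiving side.
const CONSENT_FIELD = "fields[eu_consent]";
const VALID_STATUSES = new Set(["granted", "denied", "unknown"]);

// The application/x-www-form-urlencoded body the template produces.
// `ticked` models whether the visitor checked the box.
function encodeConsentBody(ticked) {
  const params = new URLSearchParams();
  params.append(CONSENT_FIELD, "denied"); // hidden input: always sent
  if (ticked) params.append(CONSENT_FIELD, "granted"); // checkbox: only when ticked
  return params.toString(); // e.g. fields%5Beu_consent%5D=denied&fields%5Beu_consent%5D=granted
}

// Receiving side (assumed last-value-wins): the last value for the field wins.
// A missing field (a form without the checkbox HTML) or a value outside the
// allowed set is treated as "unknown" rather than trusted, matching the
// default status described on this page.
function resolveConsent(body) {
  let status = "unknown";
  for (const value of new URLSearchParams(body).getAll(CONSENT_FIELD)) {
    status = VALID_STATUSES.has(value) ? value : "unknown";
  }
  return status;
}

// The failure mode if someone swaps the two inputs: the hidden "denied" is now
// last, so a ticked box is silently ignored and every subscriber is "denied".
function encodeSwappedOrderBody(ticked) {
  const params = new URLSearchParams();
  if (ticked) params.append(CONSENT_FIELD, "granted");
  params.append(CONSENT_FIELD, "denied");
  return params.toString();
}
```

Calling resolveConsent(encodeConsentBody(true)) returns "granted", resolveConsent(encodeConsentBody(false)) returns "denied", and resolveConsent(encodeSwappedOrderBody(true)) returns "denied", which is why the order of the two inputs in the template must be kept as shown.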

Along with enabling the consent statement checkbox on your forms, you'll notice an additional feature at the bottom of the EU Compliance settings page. When enabled, this feature shows the consent statement checkbox on your form widgets only if the subscriber's browser reports a time zone in the EU. This setting affects the form widget only; embedded forms show the checkbox to all visitors regardless of their location.

This feature cannot guarantee that every EU resident is caught. The decision is made in the visitor's browser from a value the visitor controls: a browser whose time zone has not been set correctly, or a person travelling outside the EU, will not be shown the consent checkbox when they should be. Please use this feature at your own risk.

You cannot use a pre-checked checkbox to record a person's consent: the GDPR requires a clear affirmative act, and pre-ticked boxes do not constitute consent (Recital 32).

EU Compliance in Emails

Double Opt-In Confirmation Emails

When you enable compliance on your double opt-in confirmation emails, all new campaigns and forms will include your consent message at the top of their default double opt-in confirmation email, followed by a colon.


These emails can, of course, be edited.

For any existing double opt-in confirmation emails that need to be compliant, you'll need to add the {{ compliance_html }} Liquid shortcode. This shortcode converts to your consent message. Also, if the shortcode isn’t present in the email, Drip won’t record consent for that subscriber, even if the double opt-in setting is enabled.

  • Go to Settings > Account > EU Compliance and turn the setting ON to enable it.

Form Confirmation Emails

If you've set your form's confirmation setting to After every submission or Only to new subscribers, you'll find the confirmation email under Design > Confirmation Settings.

In order to display your compliance statement, you'll need to add the {{ compliance_html }} Liquid shortcode to the email. You can include it anywhere in the email, but we suggest making it highly visible so that it is apparent to the reader as soon as the email is opened.

Campaign Confirmation Emails

If you're using double opt-in confirmation emails for your campaigns, you'll need to take a few steps to ensure that your confirmation email displays the correct consent message. You can include the {{ compliance_html }} shortcode in the confirmation email of an individual campaign under the Emails tab. Once there, select the Confirmation email from the drop-down.

When editing the confirmation email, be sure to replace any default confirmation message with the {{ compliance_html }} shortcode, so that the email delivered to the subscriber contains your consent statement.

If you’re subscribing people to your campaigns via our REST/JS APIs, and you'd like to use the confirmation email method to gain consent, make sure that the double opt-in email setting is turned ON within the settings of the individual campaign.

If you’re using automation actions to send your campaigns, make sure that the Send a double opt-in confirmation email setting is turned on when you set the action up.


EU Compliance Through CSV File and API

EU consent status can be sent into your account with a CSV file, as well as through the REST and JavaScript APIs.

When uploading your subscribers to your account with a CSV file, you can use these reserved fields to record the consent of a subscriber:

  • eu_consent should hold a value of either granted, denied, or unknown
  • eu_consent_message accepts a string containing your consent statement
  • eu_consent_timestamp should include a timestamp in ISO-8601 format


When updating EU consent through the REST or JavaScript APIs, both the eu_consent and the eu_consent_message can be passed through to your account. It's important to note, however, that the eu_consent_timestamp is not accepted by either of the APIs.

In regards to eu_consent and eu_consent_message, both of these fields are accepted by these REST and JavaScript API methods:

  • Create / Update a Subscriber 
  • Subscribe someone to a campaign 
  • Start someone on a workflow 
  • JS Identify method 
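The following is an added example, not Drip's code, that builds one consent record per subscriber and emits it in the two shapes this section describes: a CSV row using the reserved eu_consent, eu_consent_message and eu_consent_timestamp columns, and an attribute object for the REST/JS API methods that drops eu_consent_timestamp because neither API accepts it. The "email" column name and the request envelope that wraps the attributes are assumptions; check them against Drip's import and API documentation.

```javascript
// Added example, not Drip's code. Validates a consent record once at capture
// time, then serialises it for CSV import and for the REST/JS APIs.
const STATUSES = new Set(["granted", "denied", "unknown"]);
// "email" as the subscriber column name is an assumption.
const CSV_COLUMNS = ["email", "eu_consent", "eu_consent_message", "eu_consent_timestamp"];

function makeConsentRecord(email, status, message, when = new Date()) {
  if (!STATUSES.has(status)) throw new Error(`invalid eu_consent value: ${status}`);
  if (status === "granted" && !message) {
    throw new Error("a granted status needs the statement the subscriber agreed to");
  }
  return {
    email,
    eu_consent: status,
    eu_consent_message: message,
    eu_consent_timestamp: when.toISOString(), // ISO-8601 in UTC
  };
}

// RFC 4180 quoting. Consent statements routinely contain commas and may contain
// quotes or line breaks; without this the CSV columns shift silently.
function csvField(value) {
  const text = value == null ? "" : String(value);
  return /[",\r\n]/.test(text) ? `"${text.replace(/"/g, '""')}"` : text;
}

function toCsv(records) {
  const lines = [CSV_COLUMNS.join(",")];
  for (const record of records) {
    lines.push(CSV_COLUMNS.map((column) => csvField(record[column])).join(","));
  }
  return lines.join("\r\n") + "\r\n";
}

// Attributes for Create/Update a Subscriber, Subscribe to a campaign, Start on a
// workflow, or the JS identify call: the same record minus the timestamp, which
// the APIs reject. The surrounding request envelope is not modelled here.
function toApiAttributes(record) {
  const { eu_consent_timestamp: _dropped, ...attributes } = record;
  return attributes;
}
```

For a record made with makeConsentRecord("a@example.com", "granted", 'I agree to the "Privacy Policy", v2', new Date("2018-05-25T00:00:00Z")), toCsv returns a header row followed by a@example.com,granted,"I agree to the ""Privacy Policy"", v2",2018-05-25T00:00:00.000Z, and toApiAttributes returns the same fields without eu_consent_timestamp.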

Use a Broadcast Email to Regain the Consent of Existing People in the EU

To determine whether or not you need to ask your existing EU subscribers for their consent to market to them, we recommend consulting with a lawyer. In general, subscribers who already granted consent in a GDPR-compliant way don’t need to be asked again.

If you do need to reach out to existing EU subscribers on your list, however, you can create a new broadcast email and include the {{ compliance_html }} shortcode. The EU Compliance setting for double opt-in confirmation emails must be enabled for this to work. Along with the compliance shortcode, the email must also include either the {{ confirmation_link }} shortcode or the {{ confirmation_url }} shortcode.

When a subscriber consents, Drip will set their consent status as granted. Keep in mind that existing subscribers will automatically have a consent status set to unknown.

When building up the recipient list for the broadcast, you can select to only send the email to subscribers currently in the EU. Here’s how you would build that recipient list:

Time zone > is in > Europe


NOTE: This consent method only needs to be taken if you haven’t already gained the consent of your existing EU subscribers in a GDPR-compliant way. We suggest consulting a lawyer if you’re unsure whether or not your previous consent methods are still in compliance with current GDPR policies.

 

Non-Consenting EU People

As mentioned before, subscribers will be added to your account even if they do not consent at the time of their subscription. In some cases, this may just be an error on the subscriber’s end. When that happens, you can consider sending the non-consenting subscriber a one-off email offering them another opportunity to consent.

You can build this type of automation with a workflow.

  1. Go to Automation > Workflows > New Workflow to create a new workflow.
  2. Set the entry trigger as Performed a custom event.
  3. Input “EU Consent Denied” into the event name field and click Update trigger:

With the entry trigger set, add an action step to send a one-off email:

  1. Click the + icon directly below the trigger we set in the previous steps.

  2. Add an Action step.


  3. Select the Send a one-off email action from the second drop-down to the right and click Edit email settings to complete your email setup.

When you write your email, you’ll want to explain that unless they grant consent, you won't be able to send them marketing content of any kind. You might also include a hyperlink leading to a form where the subscriber can modify their consent status by way of the checkbox consent feature found in forms.

Once the email is sent to the subscriber, we’ll need to give them a window of opportunity to consent before removing them from your list. To do that, set a delay for the amount of time in which the subscriber should grant their consent:

  1. Click the + icon directly below the one-off email action.

  2. Add a Delay step.


  3. Set the amount of time you’d like to give the subscriber to consent and click Update Delay. The example below will give the subscriber a full day to grant consent from the time they reach the delay:


If the subscriber has not granted consent by the time the delay runs out, the workflow will delete them from your Drip account so that no further processing takes place. Keep in mind that deletion is only a suggestion; choose the handling your legal advice supports.

Now that the delay is set, we’ll set the action to delete the subscriber if they don’t consent by the end of the delay.

  1. Click the + icon directly beneath the Delay step.

  2. Add an Action step.

  3. Select the Delete subscriber action.


The automation up to this point will delete non-consenting subscribers after a certain period of time. If they do go ahead and complete the methods for giving consent, we’ll need a way to pull them out of the workflow so they don’t get deleted. For this, we’ll use a goal.

  1. Click the + icon directly below the delete action.

  2. Add a Goal step.


  3. Select the Performed a custom event goal.

  4. Enter “EU Consent Granted” into the event name field and click Update trigger.



When your workflow is ready, be sure to activate it so that it will start accepting subscribers. To do so, click Start Workflow in the top right of the workflow editor.

 

My Business Will Not Become GDPR Compliant

For those who find the cost of compliance higher than the cost of not doing business with people in the EU at all, please continue reading.

Before getting into the details, note that neither Drip nor any service provider can completely prevent people in the EU from subscribing. Providers like Drip use time zone and IP address data to attempt to locate subscribers, but this data can be unavailable or inaccurate for many reasons (the person is travelling outside the EU, using someone else’s device, using a VPN, and so on), and because it comes from the visitor's own browser and network it can also be changed deliberately. So while the methods below reduce the chance of an EU subscriber landing on your list, they do not remove it entirely.

Here are some different suggestions on how you might handle EU subscribers:

 

Remove Existing EU Subscribers From Your List

If you think you might already have EU subscribers on your list, you can run an account query to find out. Keep in mind that this method only works if your subscribers' time zones are already stored in your account in Olson format (also known as the “tz database” format, for example Europe/Berlin).

  1. To query for existing EU subscribers, go to Subscribers > List.

  2. Set your filters to return any subscriber with a time zone in Europe: 

    Time zone > is in > Europe:


  3. Click the Refresh button.

Take note that the Europe filter includes all time zones in this TZ time zone table, that is, the Europe/ region of the tz database in Olson format. That region does not line up exactly with EU membership: it contains non-EU countries (Switzerland, Norway, Russia and Turkey, for example), and some EU territory has time zones in other regions (the Canary Islands are Atlantic/Canary, Cyprus is Asia/Nicosia).

Your segmented list will now contain only subscribers whose time zones are in the Europe region. Review it for the mismatches above, and unless you'll be managing your EU subscribers in another way, we recommend removing them from your list.

  1. Click the Perform an action link to the right of your subscriber list:


  2. Select the Delete subscriber action from the drop-down and click Next:


  3. Click the Schedule Operation button to complete the operation:


Block EU Subscribers From Your Account

If you're using Drip forms, a subscriber's time zone is automatically determined. You can create a Rule that will automatically delete any subscriber with a European time zone.

Before proceeding, we should note that there are a few downsides to this approach:

  • Countries outside the EU whose time zones are in the Europe/ region of the tz database (Switzerland, Norway, Russia and Turkey, for example) will be deleted as well, while EU territories with time zones outside that region (the Canary Islands, Cyprus, the French overseas departments) will not be caught.
  • Non-EU citizens who happen to be in Europe when they subscribe may be deleted.
  • Subscribers legitimately interested in your content may be turned off when they don’t receive what they expect.
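Both the query in the previous section and the rule described here key on the Time zone > is in > Europe filter. The following is an added example, not Drip's code, that audits what such a filter selects before you use it to bulk-delete or bulk-mail. It assumes the filter matches tz database identifiers under the Europe/ prefix. The two exception sets are illustrative and incomplete; a real audit should be driven by the full tz-to-country table (zone1970.tab) and the current EU membership list, both of which change over time. The subscriber list at the end is constructed sample data.

```javascript
// Added example, not Drip's code. Compares the Europe/ prefix filter with an
// illustrative EU classification and reports what a bulk action would get wrong.

// EU territory whose tz identifier is not under Europe/ (illustrative, incomplete).
const EU_ZONES_OUTSIDE_EUROPE_PREFIX = new Set([
  "Atlantic/Canary", "Atlantic/Madeira", "Atlantic/Azores",                         // Spain, Portugal
  "Asia/Nicosia", "Asia/Famagusta",                                                 // Cyprus
  "Indian/Reunion", "America/Martinique", "America/Guadeloupe", "America/Cayenne",  // France
]);

// Non-EU countries whose tz identifier is under Europe/ (illustrative, incomplete).
const NON_EU_ZONES_UNDER_EUROPE_PREFIX = new Set([
  "Europe/London", // United Kingdom (not an EU member since 2020)
  "Europe/Zurich", "Europe/Oslo", "Europe/Moscow", "Europe/Istanbul",
  "Europe/Kiev", "Europe/Belgrade", "Europe/Minsk",
]);

// What the page's filter is assumed to do.
function matchesEuropeFilter(tz) {
  return typeof tz === "string" && tz.startsWith("Europe/");
}

// "eu", "non-eu", or "unknown" when the value is missing or not a geographic
// Olson identifier (an offset like "+02:00", an abbreviation like "CET", or Etc/*).
function classifyTimeZone(tz) {
  if (typeof tz !== "string" || tz.startsWith("Etc/")) return "unknown";
  if (EU_ZONES_OUTSIDE_EUROPE_PREFIX.has(tz)) return "eu";
  if (NON_EU_ZONES_UNDER_EUROPE_PREFIX.has(tz)) return "non-eu";
  if (matchesEuropeFilter(tz)) return "eu";
  return /^[A-Za-z_]+(\/[A-Za-z0-9_+-]+)+$/.test(tz) ? "non-eu" : "unknown";
}

// Run the filter and the classification over a subscriber list and return the
// subscribers a delete or broadcast keyed on the filter alone would mishandle.
function auditEuropeFilter(subscribers) {
  const result = { falsePositives: [], falseNegatives: [], unclassified: [] };
  for (const { email, time_zone } of subscribers) {
    const verdict = classifyTimeZone(time_zone);
    const selected = matchesEuropeFilter(time_zone);
    if (verdict === "unknown") result.unclassified.push(email);
    else if (selected && verdict === "non-eu") result.falsePositives.push(email);
    else if (!selected && verdict === "eu") result.falseNegatives.push(email);
  }
  return result;
}

// Constructed sample, not real account data.
const SAMPLE_SUBSCRIBERS = [
  { email: "a@example.com", time_zone: "Europe/Berlin" },     // EU, selected
  { email: "b@example.com", time_zone: "Atlantic/Canary" },   // EU, missed by the filter
  { email: "c@example.com", time_zone: "Europe/Zurich" },     // non-EU, wrongly selected
  { email: "d@example.com", time_zone: "America/New_York" },  // non-EU, not selected
  { email: "e@example.com", time_zone: "" },                  // no time zone stored
];
```

auditEuropeFilter(SAMPLE_SUBSCRIBERS) returns c@example.com as a false positive, b@example.com as a false negative and e@example.com as unclassified: the subscribers you would want to look at by hand before scheduling a delete operation.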

As an alternate approach to deleting subscribers, you might send them a one-off email informing them of why you plan to delete them. If you'd like to go a bit further, you might also add a text warning on your form that you won't be accepting EU subscribers in order to protect your business under GDPR restrictions.

Here's how you can block EU form subscriptions:

  1. Create a new Rule under Automation > Rules > New Basic Rule:


  2. For the rule's trigger step, select the Submitted a form trigger:



  3. Choose the Any form option from the drop-down.

  4. In the rule's trigger, click Change to add filter criteria to the rule.
    The rule should only trigger if the subscriber's time zone is in the EU, otherwise, it would delete every subscriber that submitted a form.

  5. Use the filter to only recognize subscribers in the EU by using these filter criteria:

    Time zone > is in > Europe:


  6. Click the Update Criteria button and your rule should now display this text: This trigger applies to subscribers who have a time zone in Europe.

  7. Next, set the rule's action (step 2) to Delete subscriber.

  8. Activate the rule


 

Add Text Warning to Your Forms

When designing your forms, you can add text to inform possible EU subscribers that they will not be allowed to subscribe in order to protect their GDPR privacy rights.

To do that, go to the form's Design tab and add whatever text to the bottom of the description that you’d like to use:

This method can potentially deter EU subscribers from subscribing to your list.

 

Exercising My Subscribers’ Data Subject Rights

The GDPR grants several rights to individuals in the EU over their data. It is your responsibility as the controller to fulfil these requests, but depending on the request you may need assistance from Drip. Please note that, as a data processor, we can only act on behalf of your subscribers if the Drip account owner requests it directly via privacy@drip.com; requests that your subscribers send to Drip themselves cannot be actioned.

Right of Access and Portability (GDPR Articles 15 and 20)

A subscriber may request access to all data you have stored on them, which would include data stored in Drip.

If you receive a request for this from your subscriber, verify the requester's identity before releasing anything (access requests are a common pretext for extracting someone else's data), then email privacy@drip.com. The right of access does not depend on why the subscriber asks; consult your lawyer on how to verify identity and on the scope of the response. Exporting your subscriber data to CSV is possible, but will be incomplete without the subscriber’s activity feed data, which we can provide.

Please note the following:

  • For security purposes, this request must come from the Drip account owner, not any member of the account.
  • The email address of the subscriber requesting access must be provided, and that subscriber must be present on your Drip account.
  • Drip will respond to data subject right requests within 30 days, as required by the GDPR. 

Right of Rectification (GDPR Article 16)

EU subscribers have the right to update the information you have stored on them. They can do this in Drip today on their subscription management page.

Right to Be Forgotten (GDPR Article 17)

A subscriber may request to have all data you have stored on them erased, which would include data stored in Drip.

If you receive a legitimate request for this from your subscriber, delete the subscriber on the Subscribers tab of your Drip account to prevent any further data from being collected, then email privacy@drip.com to have the full deletion of their data expedited. Please note the following:

  • For security purposes, this request must come from the Drip account owner, not any member of the account.
  • The email address of the subscriber requesting to be forgotten must be provided, and that subscriber must be present on your Drip account.
  • Drip will respond to data subject right requests within 30 days, as required by the GDPR. 

Right to Restrict Processing (GDPR Article 18)

A subscriber may request that their data no longer be processed by you.

If you receive a legitimate request for this from your subscriber, you may delete the subscriber on the Subscribers tab of your Drip account. This stops the subscriber’s data from being processed. Note that deletion goes further than restriction (under Article 18 the data stays stored but is not otherwise processed), so keep your own record of the request outside Drip if you need to show that it was honoured.

Right to Object to Processing (GDPR Article 21)

Not to be confused with the Right to Restrict Processing, this article relates to the legal basis on which you are collecting their data (for example, if that legal basis is something other than that subscriber’s consent).

This objection will most likely be focused on you as a controller, not Drip as a processor. As such, you will need to involve your legal counsel to determine the legitimacy of your subscribers’ request and facilitate a resolution with them.

If the objection is focused on Drip as a processor, you may email privacy@drip.com.

  • For security purposes, this email must come from the Drip account owner, not any member of the account.
  • Drip will respond to data subject right requests within 30 days, as required by the GDPR.

 

Drip's Data Processing Agreement + Additional Resources
