Overview

The first and second phases of our GDPR updates are released and include functionality and guidance for:


  • Cookie Control & Policies
  • Positive Consent For Email Marketing 
  • Re-permissioning Subscribers 
  • Form Revision Control 
  • Giving Tooltips / Reasons On Form Fields For Data Collection
  • Granting User Visibility Of Their Form Submissions
  • Adding A Message For The Right To Object To Processing
  • Additional Auditing


What's In Phase 2?

Features added on 22nd May include making Cookie Manager available to non-responsive design sites; allowing the Subscribe link to work with Mailgun integration (updated instructions given in the re-permissioning section); showing 3rd party domains correctly in the non-essential section of the cookie pop-up. 


Will I Need To Do Anything?

YES. Whilst the new features "work out of the box" for GDPR compliance, you will need to read through the notes and apply each area that is relevant to your website or email marketing. 


What If I Need Help To Do This?

We can provide implementation consultancy to help you at our normal hourly rates. We will then schedule the work on a first-come first-served basis. Contact your account manager. Note: This does not include giving legal advice or opinions on GDPR; please refer to your own legal counsel.


What Are The Next Phases?

Phase 3 introduces a new Script Finder program to help identify where scripts and iframes exist in your site as part of better security and identifying the origins of cookies, and a new "Restrict Processing" flag for users who exercise their right to object/restrict processing.

Phase 4 will extend breach detection to cover internal tasks performed by admins, which is where most breaches actually occur rather than external hacks.


Where Can I View All Your GDPR Information?

You can access our full GDPR section here


Cookie Control & Cookie/Privacy Notices

Under GDPR, individuals visiting websites have the right to control the cookies used on the site. Our revised cookie message has customisable text, allows visitors to control cookies via a Cookie Settings link, and automatically replaces your site's previous cookie message (whilst inheriting your existing cookie message colour scheme). Our new Cookie Manager program allows you to enter the cookies used on your site and links to your Terms, Privacy and Cookie policies.



Positive Consent & Re-permissioning For Email Marketing

Marketing emails should only be sent to users who have positively given consent to receive them, rather than implied consent through terms and conditions or automatically ticked boxes for newsletters, sign up forms and checkout registration. This most likely means you will need to re-permission your users to ensure you comply with GDPR.


Sign Ups For Positive Consent 

Most sites have a contact form and newsletter sign up, plus for ecommerce sites there is a newsletter sign up in the registration process. These will be GDPR compliant with this release and you do not need to do anything. However, if you have added custom forms to your site, or wish to change your ecommerce sign up process back to automatically subscribing users to your newsletter because you do not need to comply with GDPR, then you will need to follow the steps below. More information can be found in our Consent article.


What You Need To Do: Check custom signup forms / change setting to automatically subscribe buyers during the checkout process

  • In Forms & Processes, check which forms use the signup process and whether they have a positive consent tickbox or not. 
    • If the forms have a consent tickbox then you should not need to re-permission users, provided your privacy policy is also clear. See example privacy policy.
    • If the forms do not have a consent tickbox then:
      • Create new forms which have a positive consent tickbox and keep a record of this. Find out how to add a consent form in this article.
        NB The reason for having a new form is to segregate your data going forward so you know which users have signed up in a compliant way.
      • Re-permission your users
    • If GDPR does not apply to your visitors and you want buyers to be automatically subscribed to your newsletter, then go to Site Settings > General and tick the box "Tick the Newsletter Signup Checkbox by default"
    • If you use Preferential Pricing Manager refer to the section on it in this article.  
    • Configure double opt-in as explained at the bottom of this article.
  • If you use the Newsletter signup app on your site, go into Site Settings > General and tick the field "Enable Double/Confirmed Opt-In Newsletter Signup". Then go into Page Manager and add text for the right to object on the page "Email Newsletter Double Opt In", e.g. "You have the right to object to our processing of your personal data. See our privacy policy for full details." This means that anyone who signs up will then get an email asking them to confirm their opt-in, and that email will display your GDPR compliance text.


Re-permissioning All Subscribers If You Send Marketing Emails Via REC 

Use re-permissioning to collect positive consent from all your existing subscribers if you send email marketing campaigns and cannot rely on legitimate interests for your campaigns (see the later section on segmenting your user base and only sending to marketing-only users). This is a one-time process: you send an opt-in email asking subscribers to sign up again, and anyone who does not re-subscribe is set as unsubscribed.


What You Need To Do: Re-permissioning all your subscribers

  • Create and test your re-permissioning email in Email Manager. It must include a re-subscription link using the {{ subscribe_link }} tag, OR, if you use Mailgun to send emails, this code instead: {{ directory }}pages/subscribe.php?id={{ id_encoded }}

  • Ensure your privacy policy is up to GDPR standards and link to it in your email. See example privacy policy
  • Send your email to all users and then immediately unsubscribe them via Subscriber Manager > Unsubscribe all
    Tip: If you use Mailgun you can send timed emails to go at the same time as you unsubscribe.
  • Users who re-subscribe via your email subscribe link will be marked to receive newsletters on their user record. 


Example Re-permissioning Email



How Can I Re-permission Marketing-Only Subscribers?

Your user database might contain a mix of people with differing types of lawful basis for sending emails to them, including legitimate interests, contract and consent, which you can understand in more detail in this ICO article. Users you market to will normally fall into the "Consent" category; these are the ones you need to re-permission if you did not get demonstrable positive consent previously.


What You Need To Do: Re-permissioning a subset of your marketing subscribers

  • Work through your user base and identify the different types of users by their lawful basis. Ideally put each type into its own User Group; otherwise use User Tags to tag their lawful basis as consent and build an 'Unsubscribe' CSV list as you go along. Either way you end up with a segmented list of the users who need to re-consent. 
  • Follow the previous steps but: 
    • Only send the email to the User Group or Tag Group containing the users who need to re-consent
    • In Subscriber Manager use either Unsubscribe By Group for the consent group or Unsubscribe By List using the 'unsubscribe' list you created, instead of Unsubscribe All

How Can I Store Consent For Other Marketing Channels & Not Just Email Newsletters?

GDPR requires you to have granular consent if you market to people through multiple channels, for example email, direct mail, phone calls etc.

REC covers one aspect of marketing which is email marketing. Marketing permission for multiple channels is something that you would normally record and control via your CRM system and marketing processes. 


How Could REC Help Me To Identify Multi-Channel Marketing Permissions?

NB REC is not designed to be a multi-channel marketing permission system. However, you could set up a form for people to complete with their marketing preferences for each channel and bring this to their attention via a link on your website or in your correspondence to them. When they submit the form you would then update your CRM to store their preferences and market to them accordingly. If people then wanted to change their preferences they could re-submit the form with their revised choices. Every time the form was completed it would automatically appear in the User Area for the person when they log in, so there would be an audit trail of when permissions were altered.


If I've Imported Users From Marketing Lists, How Do I Set Their Password So They Can Log In To View Their Data?

You can use the Invite System to send them an invite. Read how to do it in this article.


Forms 

Revision Control

GDPR requires you keep a record of your page/form content so you can prove what was asked at the time consent was given.


What You Need To Do: Keep records of your forms when they change

  • If your page/form content doesn't change, then your web page could be the effective record 
  • If you change the page/form content, then set up a new page/form and add a comment to the page detailing what is different and the date it went live. This provides an audit trail. Turn off the previous page and make the new one live instead, and make sure any links or navigation to the page are updated.
  • You can consider taking screen grabs of relevant web pages if you prefer using tools like Awesome Screenshot (Chrome Plug-in) or Firefox Screenshots


Displaying Reasons For Data Collection On Form Fields

The introduction of GDPR has promoted new good practice whereby you collect only the minimum data really needed, and form fields display the reason why a particular piece of data is being collected where that data is more intrusive or over and above what might be required as a minimum.


What You Need To Do: Check and update forms with more intrusive data giving a reason why you need it / advise how long data is kept

  • In Forms & Processes, review your forms and determine whether some of the fields need to have tooltips or explainer text for why that particular piece of data is needed. These new fields show when you click on a form field name:
    • Tooltip - this text appears when you hover over a form field
    • Explainer text - this text is displayed to the side of the field
  • For each form, update the Caption field and enter how long you intend to keep data before deleting it.


User Visibility Of Their Form Submissions

GDPR promotes showing people what information is held on them by you. This update will automatically show their submitted form responses and you do not need to do anything unless there are specific forms you do not want included.


How Do Users See Their Form Responses?

Registered users log in to the site to access their User Area and click on the Your Form Response link in the Custom Links sidebar. Some users may have been imported rather than registered, or forgotten their passwords. Read how to handle granting access in this article.


The submitted form responses include all forms they completed either:

  • when they were logged in, or
  • where their email address appears in the email address field of a submitted form


Does This Include Forms Not Built In REC?

This does not include forms from 3rd party apps or forms manually added to the site. In these circumstances, you will need to find and provide that information manually if requested.


What You Need To Do: Configure forms you do not wish to be viewed by people or turn off all forms from showing

  • In Admin, go to "Customise User Area" and untick "Show Your Form Responses", so that the User Area does not show a way to view their form submissions
  • In Forms & Processes, edit the form and untick "Show In Customer Area" 


Adding The Right To Object On Forms & In Emails Sent Via Prospect Manager

Under certain circumstances, individuals have the right to object to processing on first contact with you. This will normally be via contact forms you have on the site, but you may also decide to include outbound emails from Prospect Manager if you use it.


What You Need To Do: Check contact forms and create text advising of the right to object 



Additional Auditing

The following programs will now automatically record extra information onto the audit logs, which can be accessed via the Admin Comments program:

  • User Manager > Add User & Edit User: Record changes in Group, User Level, Status and Send Emails 
  • Manage Subscribers: Record email subscribes and unsubscribes via the 'Send Emails' field
  • Registration: Record user added or changed, email subscription, status and level
  • Preferential Pricing: Adds user group to the other registration data above
  • Checkout: Record user email subscription, status and level
  • Newsletter sign up app: Record user subscription
  • Form process to add to Prospect Manager: Records whether a user was created or updated
  • Site Setup: Records which user made a change
  • Connect: Records which user made a change