Tegrita Email Compliance Methodology – Implementing GDPR in Oracle Eloqua

Tegrita's GDPR and CASL Compliance Model

There has been a trend, as of late, concerning data privacy and data security. The general population is becoming more aware of whom they provide their data to and the possible risks associated with sharing that data. Governments are starting to enact legislation to encourage companies to be transparent about what data they have about you, how that data is used, and how it is shared (and with whom), and to ensure that your data remains your data – that you can request your data be removed from the organization that you shared it with. For example, companies like Facebook are making an effort to bring awareness to the amount of data that they have about users and how that data is being used (to the users' benefit).

In the European Union (EU), the legislation regulating data privacy is known as “General Data Protection Regulation” (GDPR). This blog post is not intended to advise you on the GDPR laws but rather, the intention is to address the impact of GDPR from a marketing operations standpoint as these laws impact your process for obtaining data, how you store it and what you can do with the data.

DISCLAIMER: The information in this blog and our Framework are provided for information purposes only. They are not and should not be taken as legal advice. You should not rely on, or take or fail to take any action, based upon this information. Your use or reliance on this Framework, the contents of this Framework or the information provided in this blog will be at your sole risk. Tegrita Corporation and its legal counsel make no representation or warranty of any kind regarding this Framework, the contents of this Framework or the information provided through this Framework. Subject to applicable law, in no event will Tegrita Corporation or its employees, consultants, members, or legal counsel be liable for damages of any kind arising out of your use of or reliance on this Framework.

DATA

In the most simplistic terms, the objective of the marketing function is to identify potential buyers and identify which are potentially interested in your product or service (essentially moving them from the beginning stages of the buyer's journey through purchase and beyond). Data allows you to do that. This includes data about the individual, the individual’s online browsing habits and interests, their company and any other data your organization collects.

Data is a key part of the foundation on which your marketing initiatives are built. That means, as marketers, you are stewards of user data, and this is why the trend in legislation designed to protect user data impacts marketers. It boils down to two things: where did you get the data (i.e., your contacts), and when did you get consent to contact your contacts for marketing purposes.

GDPR addresses “where did you get my data?” and other anti-spam legislation such as The Privacy and Electronic Communications Regulations (PECR) and The Canadian Anti-Spam Law (CASL) address “when did I give consent to having you contact me?”.

Although there is some overlap, these legislations are different, but they all impact how we, as marketers, can market to our list of contacts.

Consent

Consent – What does it mean? What are the different Types?

I’d like to address the word ‘consent’ for a moment as this is where we’ve seen confusion, disagreement and misunderstanding in the past.

Our interpretation of the Email Compliance laws indicates that there are 2 categories of consent:

  1. Data
  2. Email marketing communication

The consent category we reference in our framework relates to email marketing communication consent. For Data consent, you can collect it, but it may be redundant because if you don’t have a legal basis or explicit consent for the data, you shouldn’t have it in the first place. The legal text associated with data and consent should be part of your privacy policy and/or included wherever you capture it (e.g., your forms). Whatever you decide to do, it should be consistent and approved by your legal team.

Here are the standard email marketing consent types:

  • Explicit Consent: This is also known as “Expressed consent” and this consent is given when users take actions such as checking a box or selecting the ‘Yes’ option when asked to opt into marketing communications.
  • Implicit Consent: This is also known as “Implied consent” and applies to situations where it would be reasonable for you to assume that users want to receive marketing communications. Examples include existing customers, partners, people that stopped by your booth or attended one of your events.
  • Double Opt-in: We refer to this as “Double/Verified” and this is when users take two separate actions to confirm interest (e.g., someone who gave explicit consent is then sent an email with a link to re-confirm the consent for marketing communications).
  • Unsubscribed: This is for users who globally unsubscribe from all marketing communications.
  • Refused Consent: This is for users who explicitly say ‘No’ when you ask them for Explicit Consent.
  • No Data: This is a fictional consent status that we created to indicate that no data was collected one way or the other. This is useful for those use cases where you have a consent checkbox. Check means ‘Explicit’ consent and unchecked means ‘No Data’ since no action was taken.

In addition, if you communicate over other channels like phone, text message, or direct mail, you may want to include consent types for all channels.

The Tegrita GDPR Framework Outlined

As consultants in the marketing automation space, we see our clients work through interpreting the laws and determining how their organization wants to solve for the new email compliance laws. To help our clients, we developed a framework to help modern marketers implement a solution that aligns with data privacy regulations as well as anti-spam regulations.

It is a framework, and not a solution, because there is no one way to interpret the law. If you ask 100 lawyers, you will have 100 different opinions and interpretations – and to that end, nothing in this article should be taken as legal advice as per our disclaimer notice above.

Our framework is designed to be flexible and can be customized to align to your specific business use case, and with every implementation, we have revised, adapted and expanded the framework to support a wide range of clients across multiple industries.

The framework was developed to implement in Eloqua but is likely adaptable for other marketing automation platforms. This framework tracks the following:

  • Consent Source (most likely the same picklist as your lead source)
  • Consent Source Campaign / Detail (free text description or Campaign name/ID)
  • Consent Date
  • Consent Type

Below is a high-level diagram showing how the process works:

[Figure: Tegrita's Email Compliance Model - High Level]

Many of the steps in this diagram consist of multiple steps in the configuration. For a deeper understanding of the framework please take a moment to watch a recording that I have created specifically explaining the various parts of this diagram. It’s about 20 minutes and you can access the recording here.

Our framework consists of three Phases:

  • Phase 1: Create the custom tables, programs, emails, and other assets necessary to activate the framework. (Note: after personalizing the framework, it becomes a solution, so this will henceforth be referred to as a solution).
    • Optional: Preference Center. This is not included in the diagram, and not a requirement, but I highly recommend having a custom preference center and including consent capture for a good user experience and transparency.
  • Phase 2: Backfill your database so that everyone is flagged accordingly and you can look up where each contact came from and what consent they have provided. (If you don’t have the answer here, you should delete those records.)
  • Phase 3: Ensure all future data that’s coming in from external sources (forms, webinars, syndicated content sites, etc.,) contains the necessary data per the solution requirements.

If you’re starting to panic a little, good. None of this is easy. It’s not supposed to be, but by the end, you’re going to be in a much better place with knowing where your data comes from and that you’re able to communicate with your contacts based on clearly defined rules.

Data Rights

What about the right to be forgotten and right to data? Our framework does not include these additional features, but we have developed an Oracle Eloqua app for that called Contact Archiver. The Cloud App allows you to automate contact deletion, generation of contact and activity data in a single file, or both. The App is an Action step that can be added to any Campaign Canvas and generates an email that can be sent to the data privacy officer with the contact data after contact deletion takes place (for audit purposes). The app is currently in Controlled Availability and free to all of our clients. If you are interested, please contact us for more information.

Right-to-be-forgotten and right-to-data can be handled by a form request and automated through a Campaign Canvas (Note – for right to data, I recommend that you have someone on the marketing team receive the data output file and then send it to the requesting party). Click here to obtain a sample file output.

[Figure: Screenshot of rights form]

If you have any questions around our framework, the App, or this article in general, contact us today and we’ll help you get started on your custom compliance solution in Eloqua.

Mike Geller has been working in the marketing technology industry for more than 10 years, with the last 8 being on the agency side. He started his career with direct marketing, using CRM data as a source for segmentation and analytics. Later, his experience grew to include marketing automation and Eloqua. Mike's area of expertise is developing creative solutions to solve complex business problems - enabling marketers to imagine and execute highly personalized campaigns.