The General Data Protection Regulation (GDPR) is a European Union law that went into effect in May 2018. This privacy act gives consumers more control over the personal information that businesses collect and store about them. If you are looking for Privy's Data Processing Addendum, click here.
Note: This article is provided as a resource to help you understand what Privy has done to assist its customers in their efforts to ensure GDPR compliance. This is not legal advice, and abuse or use of the Privy platform other than as described herein can still lead to non-compliance concerning GDPR. Your legal team remains the best resource for compliance advice for your specific situation as data controllers under GDPR.
Key GDPR Takeaways
When utilizing Privy under GDPR, there are a few key areas to note:
- GDPR is centered around processing, storing, using, transmitting, and deleting the personal information of EU citizens.
- If consent is the basis for processing, the regulation requires that EU citizens take affirmative action to explicitly consent to the specific use of their information.
- If a customer of yours asks, you will need to be able to share with them the personal information you have stored and be ready to delete that information in a timely manner.
How Privy addresses GDPR
Various updates were made so that Privy is able to address the takeaways identified above:
- The Privy platform allows users, even those on the free plan, to handle their customer data in a GDPR-compliant manner. For example, Privy collects the opt-in timestamp, IP address, and display of each of your contacts who register through a Privy-powered form.
- Visitors to your site who are presented with a Privy form can only submit their personal information by intentionally taking the action of typing in their information and submitting the form. Our GDPR-friendly templates include consent text next to the form submission buttons for additional transparency.
- Privy collects the opt-in timestamp, IP address, and display of each of your contacts who register through a Privy-powered form. This and any other collected analytics information are easily reviewable on the contact's profile.
If you need to respond to an individual’s deletion request, Privy makes it incredibly quick and easy for you to access that customer’s data in your Privy account, and if requested, delete it with the click of a button. If your customer would like a fully GDPR-compliant removal from Privy or has a different data subject request, please refer to this article.
In addition to GDPR-compliant feature updates, Privy's Terms and Conditions, Acceptable Use Policy, and Data Processing Addendum are available for you to review. These documents are maintained to ensure that Privy follows best practices and complies with any changes in legislation.
Additional recommended actions
To provide the most transparency to your customers, consider adding a customized disclaimer to your forms stating what will occur following the signup. For example, by registering via your form, the contact agrees and understands that you will do any of the following:
- Store their contact info in your marketing database
- Send them marketing emails
- Track interactions with your website for your marketing displays.
If you would like to take things a step further, consider including an opt-in checkbox as part of your form so that contacts can explicitly and affirmatively consent to the collection and use of their personal data as described above.