The General Data Protection Regulation (GDPR)

April 26, 2018
Disclaimer: This is not intended to be legal advice, but is provided for your general information. To understand the full impact of the GDPR, please consult with a legal professional.

In 2016, the European Union passed a set of rules called The General Data Protection Regulation (GDPR).

GDPR will take effect on May 25, 2018.

These regulations will impact ViralSweep customers and entrants to their campaigns. We have provided an overview of how we are working to become fully compliant before the May 25, 2018, deadline and how your company can work towards becoming compliant as well.

What is GDPR?

GDPR is a new law going into effect on May 25, 2018 in the European Union to protect all EU citizens from privacy and data breaches.

Do I need to worry about GDPR?

If you have customers, clients, or subscribers in the EU, regardless of whether your company resides in the EU, then you will be affected. If your company has no EU customers or does not collect any data from anyone in the EU, then you will not be affected by GDPR.

Is ViralSweep a member of Privacy Shield?

Privacy Shield is an agreement between the EU, Swiss, and US governments to allow companies in the United States to comply with EU and Swiss data regulations.

ViralSweep is part of the Privacy Shield program and has obtained the Privacy Shield Certification. You can view our certification here: ViralSweep Privacy Shield Certification

By complying with the Privacy Shield Principles, ViralSweep can lawfully collect, receive, and process personal data from the EU and Switzerland in the US and beyond.

Am I a data controller or data processor?

Under GDPR, there are data controllers and data processors. The data controller is the entity that controls the purposes and means of the processing of personal data.

The data processor is the entity that processes personal data on behalf of the controller.

Customers who use the ViralSweep service are considered data controllers.

ViralSweep is considered both a data controller as well as a data processor.

As a data controller, ViralSweep is responsible for protecting our own customers’ data as they use the ViralSweep platform.

As a data processor, ViralSweep is responsible for protecting our customers’ user data as it is stored in our system.

What is my role in GDPR compliance?

As a ViralSweep customer that is in the EU or collects data from users in the EU, you are considered a data controller and ViralSweep acts on your behalf as a data processor. Leading up to the May 25, 2018 deadline, you will want to:

  • Update your Terms of Service and your Privacy Policy.
  • Audit your systems as well as the vendors you use for GDPR compliance.
  • Ensure you have the proper methods in place to respond to data access requests.
  • Ensure you have the proper methods in place to respond to right to be forgotten requests.
  • Ensure that you are obtaining explicit consent when collecting users’ data.
  • This GDPR Checklist is a great resource to start with.

What are the main GDPR requirements for my promotions?

We’ve prepared an overview below on how our platform is working to become GDPR compliant before the deadline and how you can ensure that your campaigns are also compliant.

1. Requiring explicit consent.

GDPR requires that users provide explicit consent before being able to submit their personal information to you. The request for consent must be clear, easy to understand, and free from legalese.

In addition, explicit consent must be presented as a standalone item; it cannot be looped in with other items like agreeing to rules, age compliance, or terms of service.

Consent must also be as easy to withdraw as it is for users to give.

How ViralSweep can help…

ViralSweep provides the ability to add custom checkboxes to your campaigns as well as additional information to each checkbox to explain what data you are collecting, why you are collecting it, and how it will be used.

2. Right to access.

GDPR requires that you provide a way for users to request access to the data you have collected from them.

This means you should provide them with an easy way to contact you to submit a request for access to this data, and you should respond in a timely manner to these requests.

How ViralSweep can help…

ViralSweep makes it easy for you to search for users on a per campaign basis as well as on an overall basis. You can search by email address and we will return the results just for the users who match that query and all the campaigns their data was stored in. You can then export the data and provide it to the user in order to comply with their request.

3. Right to be forgotten.

GDPR requires that you provide a way for users to withdraw consent and delete all personal data collected from them.

How ViralSweep can help…

ViralSweep makes it easy for you to search for users on a per campaign basis as well as on an overall basis. You can search by email address and we will return the results just for the users who match that query and all the campaigns their data was stored in. You can then select the user and delete their information, which will immediately delete it from our servers.

What has ViralSweep done to become compliant?

ViralSweep has always maintained strict data privacy standards, and in addition, we have audited and updated all of our data processes to ensure compliance with GDPR regulations.

We are putting forth helpful information for all customers to ensure that their promotions are GDPR-compliant.

However, we absolutely recommend you familiarize yourself with the laws and regulations of GDPR to make sure your company is taking all the necessary steps to comply.

ViralSweep has done the following to comply with GDPR:

  • Obtained the Privacy Shield Certification, allowing us to lawfully collect, receive, and process personal data from the EU and Switzerland in the US and beyond.
  • Appointed a Data Protection Officer to satisfy Article 37.
  • Appointed a representative located in the EU to satisfy Article 27.
  • Added a GDPR-friendly content field that can be added to entry forms to explain to users that you use ViralSweep to administer your campaigns.
  • Ensured the vendors that we use to store data are also part of the Privacy Shield program and are working to become GDPR compliant.
  • Provided the ability to cancel your ViralSweep account at any time, and all information and data associated with the account will be removed within 30 days. We have a 30-day timeline in place in case you need to access your data again. At your request, we can delete it immediately.
  • Provided the ability to delete your ViralSweep promotions at any time, and all information and data associated with the promotion is removed from ViralSweep servers within 30 days.
  • Provided the ability to delete specific entrants from your campaigns at any time if you receive a “right to be forgotten” request. You can use our search feature to find your entrants and delete their data immediately, or use our segment feature to delete their data from all campaigns within your account.
  • Provided the ability to export your data at any time from ViralSweep as long as you are in compliance with our Terms of Service.
  • Provided custom checkboxes that can be added to your campaigns in order to request explicit consent from your users before they can submit their data.
  • Provided content block fields that can be added beneath checkboxes to provide additional information on what data you are collecting, why you are collecting it, and how it will be used.
  • Provided consent records that are stored with your campaign data, so you will know who provided explicit consent, and when.
  • In-app notifications regarding GDPR compliance to ensure customers are setting up GDPR compliant campaigns.
  • Customers who are collecting data from individuals located in the EU can sign a Data Processing Agreement (DPA) with ViralSweep.
  • New data retention policies added to our Privacy Policy where we will no longer store data for users indefinitely. If you cancel your account, data is subject to removal to comply with GDPR Article 5.
  • Notices of non-compliance added to our Refer Friends Via Email feature for customers collecting data from users in the EU/EEA.
  • Updates have been made to our Privacy Policy, Terms, and our Cookie Policy which will clearly state how our service handles and uses data that we collect.

Examples of compliant and non-compliant forms

It can be confusing as to whether your promotion’s entry form is GDPR compliant or not. We’ve provided examples below of different forms, along with an explanation on what is and what is not compliant.

GDPR non-compliant form example

Not compliant: This is not compliant because there is no way for a user to provide explicit consent before entering the promotion.

GDPR non-compliant form example 2

Not compliant: This is not compliant because explicit consent cannot be provided with a pre-ticked box.

GDPR non-compliant form example 3

Not compliant: This is not compliant because consent cannot be provided when a single checkbox is being used for multiple purposes.

GDPR non-compliant form example 4

Not compliant: This is not compliant because consent cannot be freely given when the checkbox to receive marketing materials is set to required (as indicated by the *).

If a user does not check the box they cannot enter the promotion, which can be interpreted as a detriment to the end user, as consent would not be “freely given”.

GDPR compliant form example

Compliant (Good): This is compliant because there is an unticked box requiring consent to receive marketing emails. The user can still enter the promotion without being forced to receive marketing emails.

GDPR compliant form example 2

Compliant (Better): This is a great example of a compliant form that provides additional information as to what each checkbox does, and how the user’s information will be used.

Which 3rd party services does ViralSweep integrate with, and are they GDPR compliant?

ViralSweep integrates with a wide variety of 3rd party services, including shopping carts, payment services, email marketing services, and marketing tools.

Below we’ve provided a list of our current integrations, links to their websites discussing GDPR, as well as what data may be passed to them.

Please note: This list is only concerning direct integrations that we currently support. We will update this list as we get more information from each service.

Last updated May 23, 2018

ActiveCampaign

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

AWeber

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

BigCommerce

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, BigCommerce may pass us Name and Email Address when creating an account for you. If you embed a campaign into your store, ViralSweep will collect information on your behalf to administer the campaign. The data we collect will depend upon what fields you add to your campaign entry form.

Bit.ly

Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, we simply overwrite our default referral links to use Bit.ly links instead. No personally identifiable information is shared with Bit.ly.

Bronto

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Campaign Monitor

GDPR Overview

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Cheetah Digital

No documentation yet.

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Constant Contact

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

ConvertKit

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Dotmailer

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Drip

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Emarsys

GDPR Overview

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Emma

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Facebook Lead Ads & Facebook Pixel

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to Facebook Lead Ads, then Facebook will pass us data such as Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday. If a customer uses our Facebook pixel integration, we will simply display the tracking pixel on the campaign, which may initiate retargeting and/or collect pageview or lead information.

Fomo

No documentation yet.

If a ViralSweep customer connects a campaign to Fomo, then we may pass through the following fields: Name, campaign name or title.

GetResponse

GDPR Overview

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

HubSpot

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

iContact

GDPR Overview

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Infusionsoft

GDPR Overview

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Klaviyo

GDPR Overview
Privacy Shield Certification Pending

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Listrak

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Madmimi

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

MailChimp

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Maropost

Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Omnisend

GDPR Overview

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Ontraport

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Sailthru

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Salesforce

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

SendGrid

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer uses our email notifications or referral features, then we may pass through the following fields: Name, Email Address, Referral URL.

Sendlane

GDPR Overview

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Sendy

GDPR Overview

Sendy is a self-hosted solution. If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Shopify

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, Shopify may pass us Name and Email Address when creating an account for you. If you embed a campaign into your store, ViralSweep will collect information on your behalf to administer the campaign. The data we collect will depend upon what fields you add to your campaign entry form.

Stripe

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email, Payment information.

Please note, all payment information is handled through Stripe, and ViralSweep does not handle or process any payment information.

Vero

GDPR Overview

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

VerticalResponse

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, Referral URL.

Please note, we will only pass through data for fields that are on the campaign entry form.

Zapier

GDPR Overview
Privacy Shield Certification

If a ViralSweep customer connects a campaign to this service, then we may pass through the following fields: Name, Email Address, Address, City, State, Zip, Country, Phone, Birthday, IP address, campaign ID, entry time, Referral URL.

Please note, we will only pass through data for fields that are selected during the Zapier setup process.

FAQ

1) What emails will ViralSweep send to my users?

ViralSweep will never contact your users unless you have configured our email notifications feature, or you have enabled automated emails to be sent to alert users to prizes they have won via our Instant Win and Referral apps.

These emails are never sent from ViralSweep, but rather, a 3rd party transactional email service called SendGrid. We have confirmed SendGrid is working to be GDPR compliant and is a member of Privacy Shield.

In addition, these emails are sent on your behalf, and use your company name and email address that you provide to us. In order for us to dispatch the email to the user on your behalf, the user would have had to enter your promotion, so we are not storing any data for this user other than what they provided when they entered the promotion. The only information that is passed to SendGrid is the user email address and name, which is used only to dispatch the email.

2) Is “double opt-in” mandatory under the GDPR? What is and is not allowed with checkboxes?

No, “double opt-in” is not required for consent under GDPR; however, some countries like Germany do require it. In a “double opt-in” process, the user provides opt-in consent and is then sent an email to confirm their consent before any marketing can be sent to them.

With GDPR, it simply states:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.

Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Consent should cover all processing activities carried out for the same purpose or purposes.

When the processing has multiple purposes, consent should be given for all of them.

So in short, you must have a checkbox that…

  • Cannot be pre-ticked
  • Cannot contain consent for multiple activities (each activity the user consents to must have a separate checkbox)
  • Must be clear and concise on what the user is providing consent for, and what you are going to use their data for.

3) Are referral features still allowed under GDPR?

Yes and no.

Our Refer Friends feature is acceptable under GDPR, because users are manually sharing a referral link with their friends. We never collect the information of a friend the campaign is shared with unless that friend enters the campaign.

Our Refer Friends via Email feature is not acceptable under GDPR, because users are providing us with their friends’ information to send an email on their behalf in order to invite that friend to the campaign.

Even though ViralSweep does not collect or store this information (it is solely used to dispatch an email inviting the friend to the campaign) it is not compliant because the friend did not provide consent to receive that email from us.

This feature will contain a notice of non-compliance for customers that add this to their campaigns if they are collecting data from users in the EU.

GDPR is a good thing.

In the end, we see GDPR as a good thing for the world.

While it puts more restrictions on the usage of personal data and how it can be collected, it is a great foundation for companies to start building stronger relationships with their customers.

At ViralSweep, we encourage our customers to build a high quality, engaged email list. The new GDPR rules systematically align with our interests in helping brands grow an honest business with technology that helps them accomplish this.

Giancarlo is the co-founder of ViralSweep, the viral marketing platform for businesses. Connect with him on Twitter.
2 Comments
  1. […] takes data privacy seriously. We are GDPR compliant, adhering to the strictest data protection rules in the world. Our clients can be assured that […]

  2. […] which may have participants from Europe requires you to post a privacy policy. Refer to our GDPR overview for more […]
