Is your Pardot/Salesforce setup GDPR/CCPA compliant?

Data Privacy laws such as GDPR and CCPA have a direct impact on your Pardot and Salesforce solution, especially on consent and communication preference management.

How can you ensure that your company is compliant with these laws and safeguard it against data privacy risks, fines, and embarrassment, yet offer a great experience and build customer trust?

Disclaimer: this post discusses activities that may be useful for complying with Data Privacy laws such as GDPR and CCPA. It is based on my own interpretation and experience, is meant for informational use only, and is NOT legal advice.

Introduction – The rise of Data Privacy

Do you know that 48% of online users in the US stated that they felt they had no control over who could access their online searches? Ref here

As our personal data is scraped, collected, sold, shared, and then profiled, processed with AI, etc., and weaponized to target us, the need to have stronger data privacy laws has become a rallying cry.

To regulate this unabated technology assault on our personal information, data privacy laws have been enacted around the world.

This includes the GDPR in the EU, CCPA in California, LGPD in Brazil and others on the horizon all over the world.

The fundamental idea of most of these laws is simple – Our personal data needs to be treated transparently, lawfully, and with fairness.

Why does it matter?

Pardot and Salesforce marketers and technologists are profoundly impacted by these laws, and how you and your company treat personal data can have material implications for your business.

Notably, both GDPR and CCPA are cross-border laws, which means that even if your company is not located in the EU or California, it can still be fined for non-compliance. 

Non-compliance with GDPR and CCPA carries hefty monetary penalties, can cause irreparable damage to customer trust and brand value, and is a source of public embarrassment.

Why do I need to worry about Consent and Communication Preferences?

Data privacy penalties for Consent and Communication Preferences should not be taken lightly. Companies big and small have paid the price for disregarding these laws.

Therefore, managing Consent and Communication preferences as an integral part of your outreach is a good practice to comply with various Data Privacy laws.

Simply put, your subscribers must be amenable to why you are reaching out to them and to the channel you are reaching them on. If not, they should have an easy way to let your company know, and your company should honor their request.

Consent – An overview

Per GDPR Article 4(11), Consent is defined as “...any freely given, specific, informed and unambiguous indication of the data subject’s wishes...”

Data Subjects (AKA Pardot subscribers and/or Salesforce Contacts, Leads, Users, etc.) must understand what they are consenting to and must do so freely. 

You must give people a genuine choice and control over how you use their data. If they have no real choice, then consent is not considered to be freely given and it will be invalid.

What are my obligations for Consent?

There are specific considerations to ensure that consent is obtained, managed, and applied correctly – across systems, data, processes, websites, emails, people, and everything else that interacts with or accesses this data.

UK’s Information Commissioner’s Office summarizes it succinctly here

Is Consent different from Communication Preferences?

Valid consent is required as soon as a Prospect, Lead, or Contact is created in Salesforce, Pardot, or any other system, i.e., as soon as you start processing personal data.

Communication Preferences come into play when you are sending someone an email or reaching out with other forms of Communication.

Communication preferences are a good way to offer your subscribers a choice to adjust what purposes they want to be communicated about and by what channels.

If implemented correctly, they offer a good middle ground between ‘subscribe’ and ‘unsubscribe’ to both your company and your subscribers.

Thus it is crucial to think about this holistically and balance both Consent and Communication preferences requirements, to maintain customer trust and compliance.

This article uses the terms ‘Communication Preferences’ and ‘Consent’ interchangeably.

Consent and Communication Preference lifecycle

To comply with Data Privacy regulations, a comprehensive lifecycle will address the following:

  1. Begin with prospect creation
  2. Offer an integrated self-service consent management
  3. Automate removal of prospects from subscription memberships
  4. Request consent renewal before they expire
  5. Manage consents across both Salesforce and Pardot

Should you manage Consent in both Pardot and Salesforce?

To be compliant, your company needs to respect the prospect’s preferences and consent across the enterprise.

This means consent must be managed in both Salesforce and Pardot and utilized to determine if your company can reach out via a particular communication channel and purpose.

The limitation of Pardot’s “Confirmed Opt-in Process” and “Email Preference Pages” is their stand-alone nature. If preferences are only stored in Pardot, your Salesforce users will not be aware and can unknowingly violate them.

For example, your Salesforce users may be sending emails from Salesforce and calling a data subject who has explicitly asked not to be contacted.

Why does a ‘Pardot only’ stand-alone approach not work?

Read more here

How can you manage Consent in Pardot and Salesforce?

Managing consents across both systems requires building a solution on top of some hooks that are provided by Pardot and Salesforce.

Here is a high-level process flow that shows these various steps:

  • Consent is initially recorded via Pardot form (or Salesforce’s Web-to-lead/Email-to-lead)
  • Propagated to Salesforce (for Pardot forms only)
  • Connected with Salesforce’s Data privacy objects (Individual, Consent, etc.)
  • Made accessible in both Pardot and Salesforce
  • Exposed via self-service

Common Pardot-Salesforce Consent Management requirements

An important aspect is to weave consent management across the entire subscriber experience – From creation to self-service for updates, and to transparency around how it is used.

Building a Pardot/Salesforce Consent Management Solution

You can address these requirements with a comprehensive solution such as an AppExchange native app like Cloud Compliance – GDPR/CCPA Management Suite, or build it in-house. You will need to consider the following technical capabilities:

  • Pardot Automation and Form customization
  • Salesforce Apex code to automate Salesforce Individual and Consent creation
  • Sync mechanism to keep Pardot and Salesforce consents updated
  • Communities for self-service
  • Privacy policies either via Communities or via a CMS system
  • Lightning components

Here is an example of Pardot automation that populates Consent and Marketing preference values, which are synced to Salesforce.

The following image shows a custom Lightning component created by Cloud Compliance to display and manage Consents within Salesforce.

These consents are synchronized with Pardot to ensure that both systems and their users are respectful of the end customer’s preferences at all times.

Here is a rundown of the various tasks that will need to be done if you are building this in-house.
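As an added illustration of the “Apex code to automate Salesforce Individual and Consent creation” capability listed above (and of the “propagated to Salesforce” step in the process flow), here is an example trigger and handler. This is example code written for this article, not the article’s own code nor code from Cloud Compliance. It assumes a hypothetical custom checkbox field `Lead.Email_Consent__c` that the Pardot connector populates from a form field (true = opted in), and that Consent Management is enabled in the org so that the standard `Individual` and `ContactPointTypeConsent` objects and the `Lead.IndividualId` lookup are available. The trigger and the class are two separate metadata files in a real deployment.

```apex
// Example only (not the article's or Cloud Compliance's code).
// Assumptions: Lead.Email_Consent__c is a hypothetical Pardot-synced checkbox;
// Individual, ContactPointTypeConsent and Lead.IndividualId are the standard
// Salesforce Consent Management objects/fields (available once enabled).

trigger LeadConsentSync on Lead (after insert, after update) {
    LeadConsentHandler.syncEmailConsent(Trigger.new, Trigger.oldMap);
}

public with sharing class LeadConsentHandler {
    private static final String CAPTURE_SOURCE = 'Pardot form (synced)';

    public static void syncEmailConsent(List<Lead> leads, Map<Id, Lead> oldMap) {
        // 1. Act only on leads whose consent value is new or has changed. This also
        //    stops the recursion caused by the Lead update in step 2.
        List<Lead> changed = new List<Lead>();
        for (Lead l : leads) {
            Lead prior = (oldMap == null) ? null : oldMap.get(l.Id);
            if (prior == null || prior.Email_Consent__c != l.Email_Consent__c) {
                changed.add(l);
            }
        }
        if (changed.isEmpty()) return;

        // 2. Make sure every changed lead is linked to an Individual (the "party"
        //    that consent records hang off), creating one where it is missing.
        Map<Id, Individual> newIndividuals = new Map<Id, Individual>();
        for (Lead l : changed) {
            if (l.IndividualId == null) {
                newIndividuals.put(l.Id, new Individual(
                    FirstName = l.FirstName, LastName = l.LastName));
            }
        }
        insert newIndividuals.values();

        List<Lead> leadLinks = new List<Lead>();
        Map<Id, Id> leadToParty = new Map<Id, Id>();
        for (Lead l : changed) {
            Id partyId = l.IndividualId;
            if (partyId == null) {
                partyId = newIndividuals.get(l.Id).Id;
                // Trigger.new is read-only in after triggers, so update a fresh copy.
                leadLinks.add(new Lead(Id = l.Id, IndividualId = partyId));
            }
            leadToParty.put(l.Id, partyId);
        }
        update leadLinks;

        // 3. Close the currently effective Email consent records rather than editing
        //    them in place, so the consent history stays auditable (who opted in or
        //    out, when, and from which source).
        Datetime stamp = System.now();
        List<ContactPointTypeConsent> toClose = [
            SELECT Id FROM ContactPointTypeConsent
            WHERE PartyId IN :leadToParty.values()
              AND ContactPointType = 'Email'
              AND EffectiveTo = null
        ];
        for (ContactPointTypeConsent c : toClose) {
            c.EffectiveTo = stamp;
        }
        update toClose;

        // 4. Record the new state as a fresh, dated consent record that Salesforce
        //    users (and the Pardot sync) can read before contacting the person.
        List<ContactPointTypeConsent> fresh = new List<ContactPointTypeConsent>();
        for (Lead l : changed) {
            fresh.add(new ContactPointTypeConsent(
                Name = 'Email consent - ' + l.LastName,
                PartyId = leadToParty.get(l.Id),
                ContactPointType = 'Email',
                PrivacyConsentStatus = (l.Email_Consent__c == true) ? 'OptIn' : 'OptOut',
                EffectiveFrom = stamp,
                CaptureDate = stamp,
                CaptureSource = CAPTURE_SOURCE
            ));
        }
        insert fresh;
    }
}
```

Two design points matter for compliance rather than just for function: consent is appended as dated records (old ones are closed with `EffectiveTo`, never overwritten), which gives you the evidence trail regulators and data subjects can ask for; and the linkage to `Individual` is what lets Salesforce users, not only Pardot, see the preference before they email or call. The same handler pattern applies to other channels by parameterising `ContactPointType` (for example `Phone`), and the reverse direction (Salesforce changes flowing back to Pardot) still needs the sync mechanism the article lists separately.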

What can you do next? / Conclusion

A combination of Pardot and Salesforce is an important marketing capability that builds and nurtures customer trust. It also helps your company stay compliant and prevent fines and reputation loss.

The approach discussed in this article addresses common data privacy requirements that we hear from our customers.

Our focus here is to utilize the best capabilities of Pardot with Salesforce’s Data Privacy and Communication Preference to offer a holistic enterprise-grade offering.

If you decide not to build these yourself, you can consider AppExchange apps like Cloud Compliance – GDPR/CCPA Management Suite, which is built on this very design.

Contact us to learn more here

This article was originally published on LinkedIn
