Is your Pardot/Salesforce setup GDPR-CCPA compliant?

Introduction - The rise of Data Privacy

Do you know that 48% of online users in the US stated that they felt they had no control over who could access their online searches?


As our personal data is scraped, collected, sold, shared, profiled, processed with AI, and weaponized to target us, the need for stronger data privacy laws has become a rallying cry.


To regulate this unabated technology assault on our personal information, data privacy laws have been enacted around the world.


This includes the GDPR in the EU, CCPA/CPRA in California, LGPD in Brazil, and others on the horizon all over the world. The fundamental idea of most of these laws is simple – our personal data needs to be treated transparently, lawfully, and with fairness.


Why does it matter?


Pardot and Salesforce marketers and technologists are profoundly impacted by these laws, and how you and your company treat personal data can have material implications for your business.


Notably, both GDPR and CCPA are cross-border laws, which means that even if your company is not located in the EU or California, it can still be fined for non-compliance.


GDPR and CCPA carry hefty monetary penalties for non-compliance, and a violation also causes irreparable damage to customer trust and brand value, as well as embarrassment.


Why do I need to worry about Consent and Communication Preferences?

Data privacy penalties for Consent and Communication Preferences should not be taken lightly. Companies big and small have paid the price for disregarding these laws.

Therefore, managing Consent and Communication preferences as an integral part of your outreach is a good practice to comply with various Data Privacy laws.

Simply put, your subscribers must agree with why you are reaching out to them and with the channel you are using to reach them. If not, they should have an easy way to let your company know, and your company should honor their request.


Consent – An overview

Per GDPR Article 4(11), consent is defined as “..any freely given, specific, informed and unambiguous indication of the data subject’s wishes..”

Data Subjects (AKA Pardot subscribers and/or Salesforce Contacts, Leads, Users, etc.) must understand what they are consenting to and must do so freely.


You must give people a genuine choice and control over how you use their data. If they have no real choice, then consent is not considered to be freely given and it will be invalid.


What are my obligations for Consent?

There are specific considerations to ensure that consent is obtained, managed, and applied correctly – across systems, data, processes, websites, emails, people, and everything else that interacts or accesses this data.

UK’s Information Commissioner’s Office summarizes it succinctly here

Caveat: Consent is one of the six lawful bases for data processing specified by GDPR. You may have another lawful basis and may not need consent. Please get professional legal advice to determine this.


Is Consent different from Communication Preferences?


Valid consent is required as soon as a Prospect, Lead, or Contact is created in Salesforce, Pardot, or any other system, i.e., as soon as you start processing personal data.


Communication Preferences come into play when you are sending someone an Email or reaching out with other forms of Communication.


Communication preferences are a good way to offer your subscribers a choice to adjust what purposes they want to be communicated about and by what channels.


If implemented correctly, they offer both your company and your subscribers a good middle ground between ‘subscribe’ and ‘unsubscribe’.


Thus it is crucial to think about this holistically and balance both Consent and Communication Preference requirements, in order to maintain customer trust and comply.


This article uses the terms ‘Communication Preferences’ and ‘Consent’ interchangeably.

Consent and Communication Preference lifecycle

To comply with Data Privacy regulations, a comprehensive lifecycle will address the following:


  • Begin with prospect creation
  • Offer integrated self-service consent management
  • Automate removal of prospects from subscription memberships
  • Request consent renewal before consents expire
  • Manage consents across both Salesforce and Pardot

Should you manage Consent in both Pardot and Salesforce?


To be compliant, your company needs to respect the prospect’s preferences and consent across the enterprise.


This means consent must be managed in both Salesforce and Pardot and utilized to determine if your company can reach out via a particular communication channel and purpose.


The limitation of Pardot’s “Confirmed Opt-in Process” and “Email Preference Pages” is that they are stand-alone. If preferences are only stored in Pardot, your Salesforce users will not be aware of them and can unknowingly violate them.


For example, your Salesforce users may be sending emails from Salesforce to, and calling, a data subject who has explicitly asked not to be contacted.


Why does a ‘Pardot only’ stand-alone approach not work?

Read more here on Managing Consent


How can you manage Consent in Pardot and Salesforce?

Managing consents across both systems requires building a solution on top of some hooks that are provided by Pardot and Salesforce.

Here is a high-level process flow that shows these various steps:

  • Consent is initially recorded via Pardot form (or Salesforce’s Web-to-lead/Email-to-lead)
  • Propagated to Salesforce (for Pardot forms only)
  • Connected with Salesforce’s Data privacy objects (Individual, Consent, etc.)
  • Made accessible in both Pardot and Salesforce
  • Exposed via self-service

Common Pardot-Salesforce Consent Management requirements

An important aspect is to weave consent management across the entire subscriber experience – From creation to self-service for updates, and to transparency around how it is used.

Building a Pardot/Salesforce Consent Management Solution

You can address these requirements with a comprehensive solution such as an AppExchange-native app like Cloud Compliance – GDPR/CCPA Management Suite, or build it in-house.


You will need to consider the following technical capabilities:

  • Pardot Automation and Form customization
  • Salesforce Apex code to automate Salesforce Individual and Consent creation
  • Sync mechanism to keep Pardot and Salesforce consents updated
  • Communities for self-service
  • Privacy policies either via Communities or via a CMS system
  • Lightning components


Here is an example of Pardot automation that populates Consent and Marketing Preference values, which are then synced to Salesforce.

The following image shows a custom Lightning component created by Cloud Compliance to display and manage Consents within Salesforce.

These consents are synchronized with Pardot to ensure that both systems and their users respect the end customer’s preferences at all times.

Here is a rundown of the various tasks that will need to be done if you are building this in-house.
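As an added illustration of the “Apex code to automate Salesforce Individual and Consent creation” task (example code written for this article, not Cloud Compliance’s or Salesforce’s own implementation), the handler below is assumed to be called from an `after insert` trigger on Lead, and assumes a hypothetical custom checkbox `Email_Consent__c` on Lead that Pardot automation populates from the form submission. It creates the Individual, links the Lead to it, and records the email-channel consent on a ContactPointTypeConsent record so Salesforce users see the same preference Pardot captured.

```apex
// Illustrative handler (not the product's code). Assumes Lead.Email_Consent__c is a
// custom checkbox synced from Pardot. Invoked from: trigger on Lead (after insert).
public with sharing class LeadConsentHandler {

    public static void createIndividualsAndConsent(List<Lead> newLeads) {
        // Step 1: create one Individual (the Data Subject) per Lead that has none yet.
        List<Lead> leadsNeedingIndividual = new List<Lead>();
        List<Individual> individuals = new List<Individual>();
        for (Lead l : newLeads) {
            if (l.IndividualId == null) {
                leadsNeedingIndividual.add(l);
                // Individual.LastName is required; FirstName is optional.
                individuals.add(new Individual(FirstName = l.FirstName, LastName = l.LastName));
            }
        }
        if (individuals.isEmpty()) {
            return;
        }
        insert individuals;

        // Step 2: link each Lead to its Individual. Trigger.new is read-only after insert,
        // so update fresh sObjects carrying only the Id and the lookup.
        List<Lead> leadUpdates = new List<Lead>();
        for (Integer i = 0; i < individuals.size(); i++) {
            leadUpdates.add(new Lead(Id = leadsNeedingIndividual[i].Id, IndividualId = individuals[i].Id));
        }
        update leadUpdates;

        // Step 3: record the email-channel consent captured on the Pardot form.
        // An unchecked box is stored explicitly as OptOut, so a missing record is never
        // mistaken for consent by Salesforce users or downstream automation.
        List<ContactPointTypeConsent> consents = new List<ContactPointTypeConsent>();
        Datetime now = System.now();
        for (Integer i = 0; i < individuals.size(); i++) {
            Lead l = leadsNeedingIndividual[i];
            consents.add(new ContactPointTypeConsent(
                Name = 'Email consent - ' + l.LastName,
                PartyId = individuals[i].Id,            // the Individual this consent belongs to
                ContactPointType = 'Email',             // channel the consent applies to
                PrivacyConsentStatus = l.Email_Consent__c ? 'OptIn' : 'OptOut',
                EffectiveFrom = now,
                CaptureDate = now,
                CaptureSource = 'Pardot form'           // provenance, useful for audits
            ));
        }
        insert consents;
    }
}
```

Outbound email or call logic in Salesforce can then query ContactPointTypeConsent by PartyId and ContactPointType before contacting the person, which is the cross-system check the stand-alone Pardot approach lacks.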

What can you do next? / Conclusion

A combination of Pardot and Salesforce is an important marketing capability that builds and nurtures customer trust. It also helps your company stay compliant and prevent fines and reputation loss.

The approach discussed in this article addresses common data privacy requirements that we hear from our customers.

Our focus here is to utilize the best capabilities of Pardot together with Salesforce’s Data Privacy and Communication Preference features to offer a holistic, enterprise-grade solution.

If you decide not to build this yourself, you can consider AppExchange apps like Cloud Compliance – GDPR/CCPA Management Suite, which is built on this very design.

Contact us to learn more.

This article was originally published on LinkedIn


Saurabh Gupta

Saurabh is an Enterprise Architect and seasoned entrepreneur spearheading a Salesforce security and AI startup with inventive contributions recognized by a patent.
