CCPA 2.0 (CPRA) and Your Salesforce Org – Part 2
A plain English guide to the latest additions in the California Privacy Rights Act (CPRA) and their implications for Salesforce orgs.
Do you know that 48% of online users in the US stated that they felt they had no control over who could access their online search?
As our personal data is scraped, collected, sold, shared, and then profiled, processed with AI, etc., and weaponized to target us, the need to have stronger data privacy laws has become a rallying cry.
To regulate this unabated technology assault on our personal information, data privacy laws have been enacted around the world.
This includes the GDPR in the EU, CCPA/CPRA in California, LGPD in Brazil, and others on the horizon all over the world. The fundamental idea of most of these laws is simple: our personal data needs to be treated transparently, lawfully, and with fairness.
Why does it matter?
Pardot and Salesforce Marketers and Technologists are profoundly impacted by these laws, and how you and your company treat personal data can have material implications on your business.
Notably, both GDPR and CCPA are cross-border laws, which means that even if your company is not located in the EU or California, it can still be fined for non-compliance.
GDPR and CCPA carry hefty monetary penalties for non-compliance, and a violation can also cause irreparable damage to customer trust and brand value, as well as embarrassment.
Why do I need to worry about Consent and Communication Preferences?
Data privacy penalties for Consent and Communication Preferences should not be taken lightly. Companies big and small have paid the price for disregarding these laws.
Therefore, managing Consent and Communication preferences as an integral part of your outreach is a good practice to comply with various Data Privacy laws.
Simply put, your subscribers must agree with why you are reaching out to them and with the channel you are reaching them on. If not, then they should have an easy way to let your company know, and your company should accede to their request.
Consent – An overview
Per GDPR Article 4(11), Consent is defined as “…any freely given, specific, informed and unambiguous indication of the data subject’s wishes…”
Data Subjects (AKA Pardot subscribers and/or Salesforce Contacts, Leads, Users, etc.) must understand what they are consenting to and must do so freely.
You must give people a genuine choice and control over how you use their data. If they have no real choice, then consent is not considered to be freely given and it will be invalid.
What are my obligations for Consent?
There are specific considerations to ensure that consent is obtained, managed, and applied correctly – across systems, data, processes, websites, emails, people, and everything else that interacts or accesses this data.
The UK’s Information Commissioner’s Office summarizes it succinctly here
Caveat: Consent is one of the 6 lawful bases for data processing specified by GDPR. You may have other lawful bases, and may not need consent. Please get professional legal advice to determine this.
Is Consent different from Communication Preferences?
Valid consent is required as soon as a Prospect, Lead, or a Contact is created in Salesforce, Pardot, or any other system i.e. as soon as you start processing personal data.
Communication Preferences come into play when you are sending someone an Email or reaching out with other forms of Communication.
Communication preferences are a good way to offer your subscribers a choice to adjust what purposes they want to be communicated about and by what channels.
If implemented correctly, they offer a good middle ground from ‘subscribe’ and ‘unsubscribe’ to both your company and to your subscribers.
Thus it is crucial to think about this holistically and balance both Consent and Communication preferences requirements, to maintain customer trust and comply.
This article uses the terms ‘Communication Preferences’ and ‘Consent’ interchangeably.
Consent and Communication Preference lifecycle
To comply with Data Privacy regulations, a comprehensive lifecycle will address the following:
Should you manage Consent in both Pardot and Salesforce?
To be compliant, your company needs to respect the prospect’s preferences and consent across the enterprise.
This means consent must be managed in both Salesforce and Pardot and utilized to determine if your company can reach out via a particular communication channel and purpose.
A limitation of Pardot’s “Confirmed Opt-in Process” and “Email Preference Pages” is their stand-alone nature. If preferences are only stored in Pardot, your Salesforce users will not be aware of them and can unknowingly violate them.
For example, your Salesforce users may be sending emails from Salesforce and calling a data subject who has explicitly asked not to be contacted.
Why does a ‘Pardot only’ stand-alone approach not work?
Read more here on Managing Consent
How can you manage Consent in Pardot and Salesforce?
Managing consents across both systems requires building a solution on top of some hooks that are provided by Pardot and Salesforce.
Here is a high-level process flow that shows these various steps:
Common Pardot-Salesforce Consent Management requirements
An important aspect is to weave consent management across the entire subscriber experience, from creation to self-service for updates, and to transparency around how it is used.
Building a Pardot/Salesforce Consent Management Solution
You can address these requirements with a comprehensive solution such as an AppExchange native app like Cloud Compliance – GDPR/CCPA Management Suite, or build it in-house.
You will need to consider the following technical capabilities:
Here is an example of Pardot automation that populates Consent and Marketing preference values, which are synced to Salesforce
The following image shows a custom Lightning component created by Cloud Compliance to display and manage Consents within Salesforce.
These consents are synchronized with Pardot to ensure that both systems and their users are respectful of the end customer’s preferences at all times.
Here is a rundown of the various tasks that will need to be done if you are building this in-house.
A combination of Pardot and Salesforce is an important marketing capability that builds and nurtures customer trust. It also helps your company stay compliant and prevent fines and reputation loss.
The approach discussed in this article addresses common data privacy requirements that we hear from our customers.
Our focus here is to utilize the best capabilities of Pardot with Salesforce’s Data Privacy and Communication Preference to offer a holistic enterprise-grade offering.
If you decide not to build these yourself, you can consider AppExchange apps like Cloud Compliance – GDPR/CCPA Management Suite which is built on this very design.
Contact us to learn more.
This article was originally published on LinkedIn
Saurabh is an Enterprise Architect and seasoned entrepreneur spearheading a Salesforce security and AI startup with inventive contributions recognized by a patent.