What does GDPR have to do with Geniuslink, a US based company? Well, two things:
First, we see roughly 35% of our clients, and 55% of the clicks we process, coming from Europe so it’s very important that we pay attention to GDPR and be in compliance.
Second, one of the key elements of our original thesis is that a global perspective is key to maximizing revenue so paying attention to major updates in international compliance is an important piece to that.
In the bigger picture, we are actually big fans of what GDPR is trying to do, at least the underlying theory. However, the ambiguity makes preparing for it more of a challenge than we’d like to admit. But at the end of the day, we agree that your personal information should belong to you and companies should respect that and step up when you give them consent to collect it.
We wanted to take you through how GDPR is affecting us (Geniuslink), and more importantly how it’s affecting you (our clients) and ultimately the people clicking on our links.
How This Impacts You (TL;DR)
Our goal through this whole process is to first ensure the collective “we” are in compliance for GDPR and second to make the process as easy as possible for you. However, there are a few things we are going to need your help with.
After some tweaks and upgrades on our side the only functionality that Geniuslink offers that will be affected by GDPR is around retargeting pixels. If you are a regular user of that functionality I definitely would encourage you to keep reading.
Besides that, I think we’ve got things pretty well ironed out to ensure that GDPR doesn’t impact your regular use of our service!
Now, if you are up for it, let’s really dig in!
Our “Legal” Stance for Clients
One of the core frameworks for GDPR is the requirement to have a “legal” reason to collect and process personally identifiable information. There are six different options that are laid out, however only three of them apply to your relationship with Geniuslink – Contract, Consent and Legitimate Interest. Let me break them down.
From the Consent perspective – When you sign up for Geniuslink, then opt into our terms of service, you are providing us with personal information (your name and email) and authorizing us to use it for the duration of our relationship (which, of course, you can end at any time). You want us to contact you when important things happen (for example, when your account is verified, we billed your credit card, etc.) and further, when you need support you probably prefer we greet you with your name.
From the Contract perspective – In order to uphold our obligation to you, we’ll need to use your name and credit card during our monthly billing cycles, for example.
From the Legitimate Interest perspective – We believe that the onboarding and coaching messages for new signups, the monthly alerts to you about the performance of your account, and answering your questions via our chat widgets throughout the website and dashboard easily fall under “Legitimate Interest”.
Our “Legal” Stance for Consumers
But that’s just one side of the story — What about Geniuslink storing personal information about the people that are actually clicking the links?
This was actually one of the most challenging aspects of GDPR compliance for us — how to responsibly come into compliance without putting undue burden on our clients when a core piece of the information we need to use is now considered “identifiable” information.
Previously we’d considered the IP address as “Potentially Personal Information”, a convenient title that allowed us to hold onto the IP address associated with our clicks indefinitely and still be eligible for “Safe Harbor” (the predecessor of “Privacy Shield” and certification for being good internet citizens in the eyes of the EU and Switzerland). The IP address was ultimately one of the most important pieces of information we gleaned from a click as it not only allowed us to do our geo-targeting but is also super helpful in forensic reviews of click behavior to identify new bots and bad actors, as well as working with clients to diagnose both internal and external issues.
For better or worse, an IP address, under GDPR, is now considered “identifiable” information and if we wanted to hold onto it we would first need a legal stance to do so, but also we’d need to grant a number of “Data Subject Rights” to each person that clicked a link. Through a “Legitimate Interest Test” (that includes identifying a legitimate interest, then carrying out a “Necessity Test”, as well as carrying out a “Balancing Test”) we thought we had good grounds to use “Legitimate Interest” as a legal grounds to collect the data. But that was only part of the problem, our bigger concern was around honoring the “Data Subject Rights”.
Again, we fundamentally believe that “Data Subject Rights” is a huge step in the right direction but we were having a hard time figuring out how to continue in that direction without putting significant burden on you, our clients. We love our clients and didn’t want to throw you under the proverbial “GDPR Bus” by taking the easy way out and making you solely responsible to uphold those rights. Simply put, we couldn’t think of a good way, for either you or us, on how to collect the information necessary to provide people clicking on those links the “Data Subject Rights” that they deserve.
So, we ultimately made the hard decision to stop storing the IP address of clicks, effective immediately.
This change now means that there is no personally identifiable information that Geniuslink stores for people clicking a geni.us link. That means that no decision is necessary on which legal grounds are needed, no Data Subject Rights are necessary to protect and no issues with GDPR for those clicking a link.*
To be perfectly clear, when someone clicks a link, an IP address is still transferred to us (that’s a fundamental piece of how the internet works!) and we use that IP for a very short time period in order to do our click process, geo-targeting, and filtering of junk clicks, but that IP address isn’t stored. Once that click’s been processed the IP address is forever gone!
While this will make it a bit harder for us to diagnose new bot based IPs and troubleshoot issues with clients, we think it’s the “right” thing and we’ll get through it.
Retargeting Pixels in Links
However, it appears to be a common belief that with GDPR you must get the person’s consent before setting a pixel or adding them to a retargeting pool. It seems to be pretty explicit that “Legitimate Interest” won’t fly in this situation as a legal grounds for collecting data.
This creates a bit of a challenge as the links with retargeting and pixeling functionality are often used from social media and email where getting and logging consent simply isn’t possible. But deprecating this feature from our links wasn’t an option, it’s one of the most used features by our power users!
By default, starting on May 25th, all links that include pixels will include this functionality. You can, however, override this behavior and make sure your links always fire the pixels, regardless of the location of the click by opting into this via the dashboard. Just be sure you are getting consent before someone clicks the link!
The controls to opt into having your pixels always fire are available now in the dashboard on the Tools page.
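As an added illustration (not Geniuslink's code) of the click handling described above: the IP is used in memory for geo-targeting, junk filtering and the retargeting-pixel decision for European clicks, and the record that gets stored has no IP field. The lookup tables, country set, function names and the fail-closed handling of unknown locations are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, asdict

# Constructed sample data (documentation address ranges, not real geo or threat data).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("2001:db8::/32"), "FR"),
]
JUNK_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Hypothetical consent region for the example; the page only says "Europe".
CONSENT_REGION = {"DE", "FR", "IE", "NL", "ES", "IT"}
UNKNOWN = "ZZ"


@dataclass(frozen=True)
class ClickRecord:
    """What gets persisted: derived fields only, no IP address."""
    link_id: str
    country: str
    junk: bool
    fire_pixels: bool


def lookup_country(addr):
    """Map an address to a country code using the constructed table."""
    for net, country in GEO_TABLE:
        if addr.version == net.version and addr in net:
            return country
    return UNKNOWN


def process_click(link_id, remote_ip, always_fire_pixels=False):
    """Use the IP transiently, then return a record that does not contain it."""
    addr = ipaddress.ip_address(remote_ip)  # raises ValueError on malformed input
    country = lookup_country(addr)
    junk = any(addr.version == n.version and addr in n for n in JUNK_NETWORKS)
    # Assumption: an unknown location is treated like the consent region (fail closed).
    needs_consent = country in CONSENT_REGION or country == UNKNOWN
    # The client's dashboard opt-in overrides the location check; junk clicks never fire.
    fire = not junk and (always_fire_pixels or not needs_consent)
    return ClickRecord(link_id, country, junk, fire)


def stored_row(record):
    """Row written to storage; built only from the IP-free record."""
    return asdict(record)
```

Because the storage row is built from `ClickRecord` alone, adding an IP to what is persisted would require changing the record type, which makes the retention decision visible in code review.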
Choice Pages, our mobile and conversion optimized landing pages, differ from our intelligent links in a few ways but with regards to GDPR there is one major difference – they provide us an opportunity to actually interface with the user, instead of swiftly and seamlessly directing them on to the appropriate destination.
Because of this pause in the user journey our concern about having little or no opportunity to ask for consent disappears. We now have the chance to prompt the user to provide consent with regards to allowing consumers to choose if they are okay with retargeting or pixels to fire while they decide on which retailer or destination they would prefer.
This will make Choice Pages a great option for you, our clients, when building a retargeting pool of European based consumers is important to you.
It’s important to note that we’ll not only provide the interface for consumers to make a granular decision about pixels but we’ll also be logging these to ensure we are GDPR compliant and should a consumer wish to exercise their “Data Subject Rights” we’ll have the opportunity to comply in full.
Please note that this functionality will likely not be available until June 2018. In the interim the preference made in regards to serving retargeting pixels to EU visitors, as described above, will be in effect for Choice Pages as well.
We don’t actually do any “tracking” of people. All of our “tracking” is click based, not user based. Therefore we don’t actually need, or use, cookies at all with regards to our redirecting a click on one of our links.
We do use “session cookies” when you are using our dashboard (keeps you from having to log in for every page you visit), but those are “essential” cookies (as they are “essential” for using our service) and are covered with our Consent/ Contract/ Legitimate Interest legal basis of supporting you as a client.
Controller vs. Processor
Another major framework of GDPR is assigning the role you take in dealing with personal data. This often boils down to who is the “Controller” and who is the “Processor”.
A Controller is an entity that decides the purpose and manner (or “means”) that personal data is used, or will be used; they also state how and why personal data is processed. Controllers are often a SaaS company’s client.
In contrast, a Processor is the entity that processes the data on behalf of the controller. Typically most SaaS companies are processors.
However, instead of taking the traditional role of being a Processor, we’ve elected to take the role of a “Joint Controller” for a couple reasons.
First is in regards to roles. On one hand, the decision where to place a link is yours, and the purpose of us processing that link is for you. However, we are making the decisions about which information is being collected in order to provide the service, how that information will be stored, and the length of time for which that information will be stored (click data, sans-IP is stored indefinitely, client data is stored for seven years post account closure).
Second is in regards to burden. We can reduce our risk and liability by making some minor tweaks to our service, such as providing a couple options along how long data might be stored and which reports you want, and then take the role of Processor. However, we feel that puts a significant burden on you, our client. That felt like a cop out. We work hard to make our service easy and friendly to use. Taking the role of a “Joint Controller” alongside you, our client, fit much better with our values and how we like to approach business.
Please note that in taking this role we now have an important addition to our “contract,” the Terms of Service that govern our relationship. A “Data Processing Addendum” can be found in our updated Terms of Service and defines the division of our roles as the Controller. We’ll be asking you to reconfirm this updated Terms of Service when you log into the dashboard next.
As a focused, and growing, SaaS company we rely on other best in class services to help us with various functions of the business, including our messaging, emailing and support operations, all of which also require some personal data to be functional. This makes it important that we define them as our processors. These tools include HubSpot, Intercom and Drift.
HubSpot is used to manage our monthly newsletters as well as various other educational and marketing emails about using our service or getting the most out of your links.
Intercom is used for our onboarding and support related messaging. When you are signing up and verifying your email address you are interfacing with us via Intercom. When you click on the messaging tool inside the dashboard that’s also Intercom.
Drift is the messaging tool we use on our website (www.geni.us vs. my.geni.us which is our dashboard).
Stripe is the payment processing service we use to process credit and debit cards each month.
Other Housekeeping Items
Besides the hard decisions about deprecating the IP address from our record keeping, moving to become a joint controller, determining the legal grounds for which we could store personal information, building out the ability to turn on/off retargeting pixels for clicks coming from Europe and adding consent management to our Choice Pages we’ve also had a number of internal projects that affect you, our clients, more indirectly. For those that are curious, here is a quick run down of those items.
Privacy Shield is the sequel to Safe Harbor and is a more strict framework for how personal data should be dealt with at a company. As the US doesn’t, by default, have any legislation that covers personal data privacy to the level that is required by EU, the Privacy Shield framework was put in place by the US State Department. Having “Privacy Shield” set up allows us to store personal data (from our clients based in Europe) on servers here in the US and allow our team (US based) to use that data in our work. More info about Privacy Shield can be found here.
In the initial process of getting set up for Safe Harbor, back in 2015, we documented a number of different processes related to data processing and security in general. In prep for Privacy Shield we did a thorough review to ensure everything was up to date and accurate. These internal documents outline processes for employee hiring and discipline, security and incident responses, policies and procedures as well as defining roles, systems and the life cycles for data and privacy. All very important but quite monotonous!
We also updated our Terms of Service, as we periodically do. We put together a separate blog running through the minor updates we made but the biggest piece was the inclusion of a Data Processing Addendum.
The Data Processing Addendum defines who (you or us or both of us) is responsible for things like dealing with access requests, record keeping, breach notification, audits, etc. All the fun stuff you’d expect is necessary to have a clear understanding of the relationship. The best part is that it’s only about two pages so I’d definitely encourage you to read through it.
The GDPR framework also suggests the addition of a new role to a business, especially those that have businesses where personal data is a key component. That role is a “Data Protection Officer” and they are intended to be an independent entity inside the business with the sole focus of ensuring good compliance to rules and regulations around privacy. Due to our size, business focus and location, we’ve elected not to employ a “DPO”. Rather we’ve collectively decided to make me, Jesse Lakes, the CEO and Co-Founder of Geniuslink, the point of contact for all data privacy and GDPR related issues. Further, we’ve elected our other co-founder and CTO, Jesse Pasichnyk, as our Security Officer to ensure top down “data protection by design”. We felt it was best that the two people that have the most to lose by getting this wrong were the ones who spent the time and resources to double check everything and be held accountable.
Finally, while not part of GDPR, ePrivacy, or even Privacy Shield related, but in the spirit of dotting all of our “i”s and crossing all of our “t”’s, we’ve also rolled out an Affiliate Disclaimer and a Spam Policy. I know, I know, pretty exciting stuff!
If you are still reading you’ve probably gathered that we are taking this seriously. To further back that I’m looking at some of our invoices for legal advice and they are adding up to an excess of $20,000 and we aren’t even done yet. For a bootstrapped startup, that’s a significant one time hit (but that we are happy to take on for the awesome help we got!). Further, while the engineering projects to ensure our compliance aren’t huge they are still taking all of our engineering resources and incurring us additional “costs”.
It’s been a busy few months (and likely to be at least one more crazy month before everything is wrapped up) getting our heads around what GDPR means, working out our game plan, consulting with the pros, then working through the details to ensure that you, our clients, and ourselves are in a rock solid place moving forward.
Thank you for all of your continued support over the years and for continuing down this path with us as a partner, err I mean “joint controller”.