Any list data relating to an individual in the European Union (EU) is covered by the GDPR (the regulation applies to data subjects located in the EU, not only to EU citizens), as are (in general) any activities that take place on your website from within the EU, even if your business, site and other services are not based in the EU at all.
In general terms, under the GDPR FeedBlitz is a processor; you, our clients (list and feed owners), are the controllers directing FeedBlitz in your legitimate business interest of email marketing.
FeedBlitz Helps You Comply with the GDPR
Important Basic Information
- FeedBlitz is a US-based company.
- Our application and database servers (and therefore all controller and subscriber data) are entirely based in the US.
- We have no data storage or cloud computing resources in any other location.
- Some of our static assets (e.g. image and CSS files) may be available via our CDN's edge servers (Amazon CloudFront) based in the EU.
- Your use of FeedBlitz is governed by our terms of service and privacy policies. We welcome feedback on these documents as GDPR and similar regulations roll out and enforcement actions (and subsequent case law) become clearer.
- We have provided an exhaustive list of cookies we use for you to include in your own GDPR resources or reference in your own privacy statement.
- You can update your personal cookie consent settings at any time.
- We will update applicable data retention policies to fully comply with the right to be forgotten.
- In general, the tools we currently provide (such as subscriber management and export capabilities), enable you to support the rights of access, portability and deletion.
Proof of Consent - Email Subscriptions
A key requirement is that controllers be able to prove consent has been given (and where appropriate, changed).
It's important to note, therefore, that you are responsible for what goes into a subscription form and what language and controls you use to assure that consent is clearly given.
FeedBlitz has always required dual opt-in for subscriber-initiated subscription requests and will continue to do so. We log subscriber IP, timestamps and referring pages for subscriptions. Moreover, as part of our GDPR compliance efforts, we have recently implemented more comprehensive logging of subscription changes, so that (for example) subscription form payloads can be recovered if necessary to prove consent.
However, this is not FeedBlitz capturing how a form appears; we cannot do that. We can only capture the data a form sends us. For third party forms and plugins, FeedBlitz is even further removed. We will log the data they send along with the API key used. You should work with those providers to ensure that adequate data is sent to FeedBlitz when they use our API. Third party developers should use the X-Forwarded-For header to communicate the end user's IP address to enable accurate audit logs and default preference selection.
Helping YOUR GDPR Compliance - Subscription Forms
When you use FeedBlitz forms, you can optionally set up additional fields in the list (for classic forms) or on the form itself (for FeedBlitz SmartForms) so that a visitor must check the checkbox or radio button to expressly give consent prior to the dual opt-in process starting.
- For classic forms, set up a compliance / consent question via the list's settings, then regenerate the classic form. If the form is not regenerated but the list has a compliance question configured, FeedBlitz will present an interstitial page in order to collect consent.
- For SmartForms, set up a required checkbox (unchecked) field, save the form, and update your website with the new form code.
We also believe that you do NOT need to provide an extra confirmation checkbox when a form is unambiguously for the purposes of creating an email subscription (although you might want to add text that says something like "By clicking the subscribe button you agree to receiving email updates from us").
You DO need to provide a consent control when the subscription is not obvious, or part of another offer. Any such controls cannot default to "checked" as this violates the GDPR's explicit consent rules. Instead, we recommend providing a "radio" control, with two options, saying in essence: Yes, I consent, and No, I decline. Make the control required, make the value clear, and do not select either yes or no as a default option. Studies have shown that the opt in rate for forms with consent choices built like this is very close to preselected checkboxes.
The GDPR also makes it very clear that you may not use consent for activity X as an excuse to contact the subscriber about something unrelated to X. This captures, and formalizes, what is email marketing best practice anyway: Only email people what they expect to be emailed. But it requires a little extra thought in terms of, for example, emailing offers to your blog subscription list.
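When you run your own form and submit subscriptions through the API, FeedBlitz only sees the data your server sends, so the proof of consent the text describes has to be produced on your side. The following is an added example, not FeedBlitz code, of a server-side check that the consent control was submitted with an explicit "yes" (neither absent, which would suggest no control was shown, nor "no"), followed by construction of a tamper-evident log record carrying the timestamp, client IP, referring page and the full form payload. The field name `email_consent`, the `form_version` field, the HMAC key and the sample submissions are assumptions for illustration. The HMAC lets you detect later edits to a stored record; keep the key somewhere the log writers cannot reach, and archive each version of the form markup under the `form_version` value so the stored payload can be tied to what the visitor actually saw.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

CONSENT_FIELD = "email_consent"  # hypothetical name of the required yes/no radio control
AFFIRMATIVE = {"yes"}            # the only value that counts as consent


def consent_given(payload: dict) -> bool:
    """True only if the consent control is present and carries an explicit affirmative.

    A missing field is treated the same as a refusal: either the form did not
    show the control, or the submission was forged without it.
    """
    value = payload.get(CONSENT_FIELD)
    if not isinstance(value, str):
        return False
    return value.strip().lower() in AFFIRMATIVE


def _canonical(fields: dict) -> bytes:
    """Deterministic JSON encoding so the MAC does not depend on dict order."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def consent_record(payload: dict, remote_ip: str, referrer: str,
                   key: bytes, now: Optional[datetime] = None) -> dict:
    """Build a proof-of-consent entry, or raise if consent was not explicitly given."""
    if not consent_given(payload):
        raise ValueError("explicit consent not present in submission")
    now = now or datetime.now(timezone.utc)
    fields = {
        "ts": now.isoformat(),
        "ip": remote_ip,
        "referrer": referrer,
        "form_version": payload.get("form_version"),  # ties payload to archived markup
        "payload": payload,
    }
    mac = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def verify_record(record: dict, key: bytes) -> bool:
    """Recompute the MAC over everything except the MAC itself."""
    fields = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("mac", ""))


if __name__ == "__main__":
    key = b"example-key-kept-out-of-the-log-store"  # assumption: real key from a secret store
    # Constructed submission from a form with a yes/no radio and no default.
    submission = {"email": "reader@example.com", "email_consent": "yes", "form_version": "v3"}
    rec = consent_record(submission, "198.51.100.7", "https://example.com/blog", key)
    print(json.dumps(rec, indent=2))
    print(verify_record(rec, key))  # True
    rec["ip"] = "203.0.113.9"       # any later edit breaks the MAC
    print(verify_record(rec, key))  # False
```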
Cookies and Tracking Pixels
FeedBlitz currently sets first party (to us, third party to you) cookies to enable SmartForms and other functionality; we have modified cookie behaviors and related consent management.
- You (and any site visitor) may modify FeedBlitz cookie preferences at any time at https://app.feedblitz.com/f/?privacy (no login required).
In particular, absent any other preferences, FeedBlitz will not enable third party (to us) tracking for visitors and subscribers from EU member states where GDPR applies.
Subscriber Consent Management
We at FeedBlitz believe that it's important for subscribers to control their own privacy and consent. Enabling this online has the following benefits:
- Immediate satisfaction of the subscriber's needs.
- Reduced compliance workload for both you, our clients, and FeedBlitz technical staff.
That, however, isn't enough. We have also updated our standard email footer that enables:
- Subscribers to change any subscription setting for any list for that controller without logging in.
- Subscribers to contact the list controller via a form.
- Subscribers to modify data they provided (non-hidden fields) and export them.
It's important to note that all your public lists will be visible on the subscription settings page described in the first item above. You should check to ensure that any lists that you do not want, in general, to appear on that page are marked as hidden in the list's settings. Hidden lists are still visible to a subscriber if that subscriber is (or has been) on that list. You can mark a list as closed in its settings to prevent a subscriber from adding themselves back to it.
As our own GDPR compliance work completes, we may add further capabilities to the profile and preferences link, enabling rights of access, portability, deletion and more to be handled by the recipient directly, without manual interactions with us as your processor, or you as the controller.
Sensitive Data and Minors
FeedBlitz encrypts all custom field data. However, FeedBlitz is not a platform to store sensitive data (e.g. social security numbers, healthcare records, subscriber financial data, data relating to minors, etc.).
Do NOT use FeedBlitz to store sensitive, personal data, or data for minors in your jurisdiction.
Web Site Analytics
We use Google Analytics (GA) for visitors using FeedBlitz.com sites. We do not send PII or query string payloads to GA. You may opt out of FeedBlitz's analytics tracking on our site by visiting the cookie consent page.
Informing you of GDPR-related Subscriber Changes
In cases where a subscriber opts out or takes other GDPR-related action, such as exercising the right to be forgotten, FeedBlitz will send an email to the email address associated with the account (as well as the secondary notification address, if provided in the account profile). Our intent is that you then take appropriate actions in your systems, where necessary, to process that change. If you do not process that change, you risk being out of compliance.
In general, if you use third-party solutions and link FeedBlitz data to them, we recommend enabling at least a daily update of subscriber changes (a list option), and / or using a tool like Zapier to propagate individual data changes across all your systems.
Data Processing Agreements (DPA)
FeedBlitz is working with our legal counsel to incorporate a DPA into our terms of service.
FeedBlitz's application to the EU-US Privacy Shield program - see https://www.privacyshield.gov - is in process.
As part of GDPR we, as a processor, are required to maintain contact information about you, the controller. This information may be shared, per the GDPR, with a subscriber who requests it.
- If you have not completed a profile, FeedBlitz will start requiring that you complete one.
- You should ensure that you are comfortable with that information being made public, and take steps (e.g. using a P.O. Box) to protect your own personal privacy if necessary.