
Is your Pardot/Salesforce setup GDPR-CCPA compliant?

Updated: Nov 10, 2020

Introduction - The rise of Data Privacy

Did you know that 48% of online users in the US said they felt they had no control over who could access their online searches? Ref here

As our personal data is scraped, collected, sold, shared, profiled, processed with AI, and then weaponized to target us, the need for stronger data privacy laws has become a rallying cry.

To regulate this unabated technology assault on our personal information, data privacy laws have been enacted around the world.

These include the GDPR in the EU, the CCPA in California and the LGPD in Brazil, with others on the horizon all over the world.

The fundamental idea behind most of these laws is simple: our personal data needs to be treated transparently, lawfully, and fairly.

Why does it matter?

Pardot and Salesforce marketers and technologists are profoundly impacted by these laws, and how you and your company treat personal data can have material implications for your business.

Notably, both GDPR and CCPA are cross-border laws, which means that even if your company is not located in the EU or California, it can still be fined for non-compliance.

Non-compliance with GDPR and CCPA carries hefty monetary penalties and can cause irreparable damage to customer trust and brand value, as well as embarrassment.

Why do I need to worry about Consent and Communication Preferences?

Data privacy penalties for Consent and Communication Preferences should not be taken lightly. Companies big and small have paid the price for disregarding these laws.

Therefore, managing Consent and Communication preferences as an integral part of your outreach is a good practice to comply with various Data Privacy laws.

Simply put, your subscribers must be agreeable to why you are reaching out to them and to the channel you are reaching them on. If they are not, they should have an easy way to let your company know, and your company should honor their request.

Consent - An overview

Per GDPR Article 4(11), Consent is defined as "..any freely given, specific, informed and unambiguous indication of the data subject’s wishes.."

Data Subjects (i.e. Pardot subscribers and/or Salesforce Contacts, Leads, Users etc.) must understand what they are consenting to, and must do so freely.

You must give people a genuine choice and control over how you use their data. If they have no real choice, then consent is not considered to be freely given and it will be invalid.

What are my obligations for Consent?

There are specific considerations to ensure that consent is obtained, managed, and applied correctly across systems, data, processes, websites, emails, people, and everything else that interacts with or accesses this data.

The UK's Information Commissioner's Office summarizes it succinctly here

Caveat: Consent is one of the six lawful bases for data processing specified by GDPR. You may have another lawful basis and may not need consent. Please get professional legal advice to determine this.

Is Consent different from Communication Preferences?

Valid consent is required as soon as a Prospect, Lead, or Contact is created in Salesforce, Pardot, or any other system, i.e. as soon as you start processing personal data.

Communication Preferences come into play when you send someone an email or reach out through other forms of communication.

Communication preferences are a good way to offer your subscribers a choice to adjust what purposes they want to be communicated about and by what channels.

If implemented correctly, they offer both your company and your subscribers a good middle ground between ‘subscribe’ and ‘unsubscribe’.

Thus it is crucial to think about this holistically and balance both Consent and Communication Preference requirements, in order to maintain customer trust and stay compliant.

This article uses the terms 'Communication Preferences' and 'Consent' interchangeably.

Consent and Communication Preference lifecycle

To comply with Data Privacy regulations, a comprehensive lifecycle will address the following:

  1. Begin with prospect creation

  2. Offer an integrated self-service consent management

  3. Automate removal of prospects from subscription memberships

  4. Request consent renewal before consents expire

  5. Manage consents across both Salesforce and Pardot

Should you manage Consent in both Pardot and Salesforce?

To be compliant, your company needs to respect the prospect’s preferences and consent across the enterprise.

This means consent must be managed in both Salesforce and Pardot and used to determine whether your company may reach out via a particular communication channel and for a particular purpose.

The limitation of Pardot's "Confirmed Opt-in Process" and "Email Preference Pages" is their stand-alone nature. If preferences are stored only in Pardot, your Salesforce users will not be aware of them and can unknowingly violate them.

For example, your Salesforce users may be sending emails from Salesforce to, or calling, a data subject who has explicitly asked not to be contacted.

Why does a ‘Pardot only’ stand-alone approach not work?

Read more here

How can you manage Consents in Pardot and Salesforce?

Managing consents across both systems requires building a solution on top of hooks that Pardot and Salesforce provide.

Here is a high-level process flow that shows these various steps:

  • Consent is initially recorded via Pardot form (or Salesforce’s Web-to-lead/Email-to-lead)

  • Propagated to Salesforce (for Pardot forms only)

  • Connected with Salesforce's Data privacy objects (Individual, Consent, etc.)

  • Made accessible in both Pardot and Salesforce

  • Exposed via self-service

Common Pardot-Salesforce Consent Management requirements

An important aspect is to weave consent management across the entire subscriber experience: from creation, to self-service for updates, to transparency around how consent is used.

Building a Pardot/Salesforce Consent Management Solution

You can address these requirements with a comprehensive solution such as an AppExchange native app like Cloud Compliance - GDPR/CCPA Management Suite, or build it in-house.

You will need to consider the following technical capabilities:

  • Pardot Automation and Form customization

  • Salesforce Apex code to automate Salesforce Individual and Consent creation

  • Sync mechanism to keep Pardot and Salesforce consents updated

  • Communities for self-service

  • Privacy policies either via Communities or via a CMS system

  • Lightning components
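The "Salesforce Apex code" and "Sync mechanism" capabilities above, and the "Propagated to Salesforce" and "Connected with Salesforce's Data privacy objects" steps of the process flow, as an added illustration that is not the page's code and not Cloud Compliance's product code. It assumes a hypothetical custom checkbox `Lead.Marketing_Consent__c` that the Pardot automation fills (via the connector) when a form records consent; the standard `Individual` object and the `IndividualId` lookups on Lead and Contact exist only once Data Protection and Privacy is enabled in Setup. The class names `ConsentSync`, `LeadConsentTrigger` and `IndividualConsentTrigger` are also assumptions.

```apex
// Added example (not the page's or Cloud Compliance's code).
// Assumption: Lead.Marketing_Consent__c (Checkbox) is a hypothetical custom field
// populated by Pardot automation and synced to the Lead by the Pardot connector.
// Standard fields used: Lead.IndividualId, Lead.HasOptedOutOfEmail,
// Contact.IndividualId, Contact.HasOptedOutOfEmail, Individual.HasOptedOutSolicit,
// Individual.HasOptedOutProfiling, Individual.HasOptedOutTracking.
public with sharing class ConsentSync {

    // Guard so that Lead -> Individual -> Lead write-backs do not loop.
    private static Boolean inProgress = false;

    // Direction 1: Lead (fed by Pardot) -> Individual.
    // Called from a "before insert, before update" trigger on Lead, so the
    // IndividualId lookup can be set without a second DML on the Lead.
    public static void leadToIndividual(List<Lead> leads) {
        if (inProgress) return;
        inProgress = true;
        try {
            List<Individual> toInsert = new List<Individual>();
            List<Lead> unlinked = new List<Lead>();
            List<Individual> toUpdate = new List<Individual>();
            for (Lead l : leads) {
                // No recorded consent, or an explicit email opt-out, means opted out.
                Boolean optedOut = l.Marketing_Consent__c != true || l.HasOptedOutOfEmail == true;
                if (l.IndividualId == null) {
                    toInsert.add(withFlags(
                        new Individual(FirstName = l.FirstName, LastName = l.LastName), optedOut));
                    unlinked.add(l);
                } else {
                    toUpdate.add(withFlags(new Individual(Id = l.IndividualId), optedOut));
                }
            }
            insert toInsert;
            // Link each new Individual back to the Lead that produced it.
            for (Integer i = 0; i < unlinked.size(); i++) {
                unlinked[i].IndividualId = toInsert[i].Id;
            }
            update toUpdate;
        } finally {
            inProgress = false;
        }
    }

    // Direction 2: Individual (changed in Salesforce, e.g. from a Lightning component
    // or a self-service community) -> Lead/Contact email opt-out, which the Pardot
    // connector then carries to Pardot so both systems respect the same choice.
    // Called from an "after update" trigger on Individual.
    public static void individualToRecords(List<Individual> inds, Map<Id, Individual> oldMap) {
        if (inProgress) return;
        Map<Id, Boolean> changed = new Map<Id, Boolean>();
        for (Individual ind : inds) {
            if (ind.HasOptedOutSolicit != oldMap.get(ind.Id).HasOptedOutSolicit) {
                changed.put(ind.Id, ind.HasOptedOutSolicit);
            }
        }
        if (changed.isEmpty()) return;
        inProgress = true;
        try {
            List<SObject> toUpdate = new List<SObject>();
            for (Lead l : [SELECT Id, IndividualId FROM Lead WHERE IndividualId IN :changed.keySet()]) {
                l.HasOptedOutOfEmail = changed.get(l.IndividualId);
                toUpdate.add(l);
            }
            for (Contact c : [SELECT Id, IndividualId FROM Contact WHERE IndividualId IN :changed.keySet()]) {
                c.HasOptedOutOfEmail = changed.get(c.IndividualId);
                toUpdate.add(c);
            }
            update toUpdate;
        } finally {
            inProgress = false;
        }
    }

    // Mirror one consent decision onto the Individual's privacy flags.
    private static Individual withFlags(Individual ind, Boolean optedOut) {
        ind.HasOptedOutSolicit   = optedOut;
        ind.HasOptedOutProfiling = optedOut;
        ind.HasOptedOutTracking  = optedOut;
        return ind;
    }
}

// Trigger bodies (each lives in its own .trigger file):
// trigger LeadConsentTrigger on Lead (before insert, before update) {
//     ConsentSync.leadToIndividual(Trigger.new);
// }
// trigger IndividualConsentTrigger on Individual (after update) {
//     ConsentSync.individualToRecords(Trigger.new, Trigger.oldMap);
// }
```

The handler is bulk-safe (one insert and one update per direction) and keeps the two sync directions from re-triggering each other with a static guard. Channel-specific consent (per email address or phone number) would be the next layer, using Salesforce's contact point consent objects on top of the Individual record; that is left out here to keep the example to what the page lists.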

Here is an example of Pardot automation that populates Consent and Marketing Preference values, which are then synced to Salesforce.

The following image shows a custom Lightning component created by Cloud Compliance to display and manage Consents within Salesforce.

These consents are synchronized with Pardot to ensure that both systems and their users respect the end customer’s preferences at all times.

Here is a rundown of the various tasks that need to be done if you are building this in-house.

What can you do next? / Conclusion

The combination of Pardot and Salesforce is an important marketing capability that builds and nurtures customer trust. It also helps your company stay compliant and avoid fines and reputation loss.

The approach discussed in this article addresses common data privacy requirements that we hear from our customers.

Our focus here is to combine the best capabilities of Pardot with Salesforce's Data Privacy and Communication Preference features to offer a holistic, enterprise-grade solution.

If you decide not to build this yourself, you can consider AppExchange apps like Cloud Compliance - GDPR/CCPA Management Suite, which is built on this very design.

Contact us to learn more here

This article was originally published on LinkedIn
