Note: Drip currently is not GDPR compliant because our data storage resides in the US; however, we operate the rest of our platform "as if" we were following GDPR to its fullest requirements.
The General Data Protection Regulation
Drip is dedicated to maintaining ongoing compliance under the General Data Protection Regulation (GDPR).
This is a complex regulation that should be implemented if you collect and process data of individuals located in the European Union (EU). We suggest you consult with a legal professional who is knowledgeable about these regulations to see if you need to be GDPR compliant.
What is My Business’ Role Under the GDPR?
Data collection is a common practice for most businesses, especially for those that rely on online revenue streams. Under the GDPR, if you are collecting data, your business assumes the role of Controller. When you collect someone’s data, you need somewhere to store that information so you can recall it later to build effective marketing strategies. That’s where Drip fits in.
Where Does Drip Fit in With My Business and the GDPR?
Drip is a tool you use to store the data you collect to make better marketing decisions. No matter how you use Drip to store data, you should be aware of how it fits into your business under the GDPR. Drip is the service that’s used to process your data, so we take on the role of Processor.
What is Personal Data?
Personal data is any information that can be used to identify an individual person. Some of the common datasets that fall under that category include:
- Email address
- Name
- Phone number
- Billing/Shipping Address
Your business must remain GDPR compliant if you collect information from people in the EU.
Is Your Business Compliant?
Your email marketing is only a small piece of your business that must be GDPR compliant. We suggest that you consult with a legal expert who is knowledgeable in the following areas:
- The General Data Protection Regulation
- Maintaining compliance with GDPR and EU regulations
- EU privacy laws
Get Consent from People in the EU
While you should always get consent from everyone you send emails to in Drip, the way to get and record consent for people in the EU is a bit different.
Drip has built-in features to help you gain and record consent through your opt-in forms.
- Click on the Settings in the lower left-hand corner
- Click Account
- Click EU Compliance
- Toggle ON - Add Drip Form Checkbox, Record Consent on Double Opt-in Confirmation Emails, or both
- Check the box for Only show checkbox if client's browser registers to the EU if it applies
- Click the Save button
How Drip Records and Stores EU Consent
Before we get into how to display your consent statement, it's important to understand how Drip records and stores the consent status of a person. Just gaining consent from people in the EU won't be of much use unless you can recall it at a later time.
In Drip, a person can hold one of the following consent statuses: granted, denied, or unknown. Someone's consent status is not static and immediately updates based on their most recent consent action. This means that if someone who had previously granted consent fails to do so when subscribing in the future, we will update their status to denied. Customers can always grant consent again by taking appropriate action on their next subscription.
Once someone's status is set, Drip records that instance as an event. You can view this event activity on a person's Profile under All Activity.
Additionally, if you'll be creating people through the API and then subscribing them to an email series campaign, you can display your consent message in the double opt-in confirmation email of an individual email series.
If someone has granted consent, we'll record the EU Consent Granted event and set their consent status to granted.
When someone either grants or denies consent, they can hold the following EU consent statuses in Drip:
- Granted
- Denied
- Unknown
If a customer's consent status does not get recorded, we'll set their consent status to unknown. Other common ways a person's status becomes unknown are when they're created through a third-party integration or if you will not be using the features outlined in later parts of the article.
You'll notice that both events consist of the same properties:
- value holds the consent status of the person (e.g. granted, denied, or unknown)
- message contains the consent statement that was agreed to by the person
- source refers to how the subscriber was created
Segment for EU Consent Status
By collecting people’s EU consent status and then recording that status, you can use segmentation to handle people based on that data:
- Click People
- Set the filter to EU Consent is > status to filter by (granted, denied, unknown)
- Click Refresh
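The following is an added example, not Drip's own code: it models the consent rules described above (status follows the most recent consent action, no recorded action means unknown, each event carries value, message and source) and the "EU Consent is" segment filter. The class names, source labels and sample people are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Consent statuses and event names use the page's wording.
GRANTED, DENIED, UNKNOWN = "granted", "denied", "unknown"
EVENT_NAMES = {GRANTED: "EU Consent Granted", DENIED: "EU Consent Denied"}


@dataclass
class ConsentEvent:
    """One recorded consent action with the three properties the page lists."""
    name: str            # "EU Consent Granted" or "EU Consent Denied"
    value: str           # granted or denied (the status this action set)
    message: str         # the consent statement the person agreed to or declined
    source: str          # how the subscriber was created (constructed labels below)
    occurred_at: datetime


@dataclass
class Person:
    email: str
    events: List[ConsentEvent] = field(default_factory=list)

    def record_consent(self, value: str, message: str, source: str,
                       occurred_at: datetime) -> ConsentEvent:
        """Append a consent event; only granted/denied are consent actions."""
        if value not in EVENT_NAMES:
            raise ValueError(f"not a consent action: {value!r}")
        event = ConsentEvent(EVENT_NAMES[value], value, message, source, occurred_at)
        self.events.append(event)
        return event

    def consent_status(self) -> str:
        """Status follows the most recent consent action; no action means unknown."""
        if not self.events:
            return UNKNOWN
        return max(self.events, key=lambda e: e.occurred_at).value


def segment_by_consent(people: List[Person], status: str) -> List[str]:
    """Emulate the People filter 'EU Consent is <status>'."""
    return sorted(p.email for p in people if p.consent_status() == status)


def demo_segments() -> Dict[str, List[str]]:
    """Constructed sample data: three people with different consent histories."""
    def ts(day: int, hour: int) -> datetime:
        return datetime(2018, 5, day, hour, tzinfo=timezone.utc)

    stmt = "I agree to receive marketing email (constructed statement)."
    alice = Person("alice@example.com")
    alice.record_consent(GRANTED, stmt, "form", ts(25, 9))
    bob = Person("bob@example.com")
    bob.record_consent(GRANTED, stmt, "form", ts(25, 10))
    bob.record_consent(DENIED, stmt, "form", ts(26, 8))   # re-subscribed without ticking the box
    carol = Person("carol@example.com")                    # created by an integration: no action
    people = [alice, bob, carol]
    return {s: segment_by_consent(people, s) for s in (GRANTED, DENIED, UNKNOWN)}
```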
EU Compliance Consent Features
EU Compliance in Drip Forms
When this setting is enabled, your compliance statement will be displayed next to a checkbox. By checking the box, the person is granting their consent to you based on your compliance statement.
Go to Settings > Account > EU Compliance and turn the setting ON to enable it.
Once your consent statement is saved in your account, Drip automatically and immediately updates all of your form widgets (but not your existing embedded forms) to display the checkbox, including those that were already activated at the time this setting was enabled. Here's an example of the compliance checkbox and statement on a form widget.
If you're using embedded forms, we'll update the code that we generate in the •••Settings and Code section to include the HTML for the checkbox, but because Drip can't access your codebase, you'll need to update any existing embedded forms manually.
Once the checkbox setting has been enabled, all new forms you create will include the checkbox HTML for the embedded version of the form. Or, if you simply need to add the checkbox HTML to your existing form, use the template below:
<div>
  <!-- Hidden field first: an unchecked box still submits eu_consent=denied -->
  <input type="hidden" name="fields[eu_consent]" id="drip-eu-consent-denied" value="denied" />
  <!-- Leave the box unchecked by default; a pre-checked box does not record valid consent -->
  <input type="checkbox" name="fields[eu_consent]" id="drip-eu-consent" value="granted" />
  <label for="drip-eu-consent">Your EU Consent Message Goes Here!</label>
</div>
Bear in mind that the checkbox is not a required field in either form type and that the person will still be able to subscribe to your email list. If you do not wish to maintain people who have denied consent, you can take the optional steps of deleting them from your account.
Along with enabling the consent statement checkbox on your forms, you'll notice an additional feature at the bottom of the EU Compliance settings page. When enabled, this feature will only show the consent statement checkbox on your form widgets if the person's browser registers to the EU. This setting will only impact the form widget, and embedded forms will show the checkbox to all visitors regardless of their location.
This feature cannot guarantee all EU residents are caught. For example, if a person is using a browser whose timezone hasn’t been properly updated, they may not be shown the consent checkbox when they should. Please use this feature at your own risk.
You cannot use a pre-checked checkbox to record a person's consent because it does not comply with current regulations under the GDPR.
EU Compliance in Emails
Double Opt-In Confirmation Emails
When you enable compliance on your double opt-in confirmation emails, all new email series campaigns and forms will include your consent message at the top of their default double opt-in confirmation email, followed by a colon.
These emails can, of course, be edited.
For any existing double opt-in confirmation emails that need to be compliant, you'll need to add the {{ compliance_html }} Liquid shortcode. This shortcode converts to your consent message. Also, if the shortcode isn’t present in the email, Drip won’t record consent for that person, even if the double opt-in setting is enabled.
Go to Settings > Account > EU Compliance and turn the setting ON to enable it.
Form Confirmation Emails
If you've set your form's confirmation setting to After every submission or Only to new people, you'll find the confirmation email under the Submission > Edit Double Opt-in Email. In order to display your compliance statement, you'll need to add the {{ compliance_html }} Liquid shortcode to the email. You can include it anywhere in the email, but we suggest making it highly visible so that it is apparent to the reader once the email is opened.
Email Series Campaign Confirmation Emails
If you're using double opt-in confirmation emails for your email series campaigns, you'll need to take a few steps to ensure that your confirmation email displays the correct consent message. You can include the {{ compliance_html }} shortcode in the confirmation email of an individual email series under the Emails tab. Once there, you’ll need to select the Confirmation email from the drop-down.
When editing the confirmation email, you'll want to be sure to replace any default confirmation message with the {{ compliance_html }} shortcode.
If you’re subscribing people to your campaigns via our REST/JS APIs, and you'd like to use the confirmation email method to gain consent, you’ll want to make sure that you have the double-opt-in email setting turned ON within the settings of the individual email series.
If you’re using automation actions to send your email series, make sure that the Send a double opt-in confirmation email setting is turned on when you set the action up.
EU Compliance Through CSV File and API
EU consent status can be sent into your account with a CSV file, as well as through the REST and JavaScript APIs.
When importing your list via CSV file, you can use these reserved fields to record the consent of a person:
- eu_consent should hold a value of either granted, denied, or unknown
- eu_consent_message accepts a string containing your consent statement
- eu_consent_timestamp should include a timestamp in ISO-8601 format
When updating EU consent through the REST or JavaScript APIs, both the eu_consent and the eu_consent_message can be passed through to your account. It's important to note, however, that the eu_consent_timestamp is not accepted by either of the APIs.
In regards to eu_consent and eu_consent_message, both of these fields are accepted by these REST and JavaScript API methods:
- Create / Update a Subscriber
- Subscribe a person to an email series
- Start someone on a workflow
- JS Identify method
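An added example (not Drip's own tooling) that checks a consent CSV against the reserved fields described above before import, and shows which of those fields survive when the same record is sent through the REST/JS APIs, which do not accept eu_consent_timestamp. The sample rows, the consent statement and the rule that a granted or denied status must carry a message are constructed assumptions of this checker.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List, Tuple

# Reserved CSV fields named on the page, and the subset the REST/JS APIs accept.
API_ACCEPTED = ("eu_consent", "eu_consent_message")
VALID_STATUSES = {"granted", "denied", "unknown"}


def parse_iso8601(value: str) -> datetime:
    """Accept ISO-8601 with an offset or a trailing Z (Z is rewritten for older Pythons)."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def validate_row(row: Dict[str, str]) -> List[str]:
    """Return the problems in one CSV row; an empty list means the row is importable."""
    errors = []
    status = (row.get("eu_consent") or "").strip().lower()
    message = (row.get("eu_consent_message") or "").strip()
    stamp = (row.get("eu_consent_timestamp") or "").strip()
    if status not in VALID_STATUSES:
        errors.append(f"eu_consent must be granted, denied or unknown, got {status!r}")
    # Assumption of this checker: a recorded grant or denial should carry the
    # statement the person saw, so the decision can be evidenced later.
    if status in ("granted", "denied") and not message:
        errors.append("eu_consent_message is empty for a granted/denied status")
    if stamp:
        try:
            parse_iso8601(stamp)
        except ValueError:
            errors.append(f"eu_consent_timestamp is not ISO-8601: {stamp!r}")
    return errors


def validate_csv(text: str) -> Tuple[List[Dict[str, str]], Dict[int, List[str]]]:
    """Split a CSV into importable rows and {line number: errors} for the rest."""
    good, bad = [], {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        errors = validate_row(row)
        if errors:
            bad[line_no] = errors
        else:
            good.append(row)
    return good, bad


def api_consent_fields(row: Dict[str, str]) -> Dict[str, str]:
    """Keep only the consent fields the APIs accept: the timestamp is dropped."""
    return {k: row[k] for k in API_ACCEPTED if row.get(k)}


# Constructed sample import; the statement and addresses are made up.
SAMPLE_CSV = """email,eu_consent,eu_consent_message,eu_consent_timestamp
alice@example.com,granted,I agree to receive marketing email.,2018-05-25T09:00:00Z
bob@example.com,denied,I agree to receive marketing email.,2018-05-26T08:15:00+02:00
carol@example.com,unknown,,
dave@example.com,yes,I agree to receive marketing email.,2018-05-25T09:00:00Z
erin@example.com,granted,I agree to receive marketing email.,25/05/2018 09:00
"""
```

Run validate_csv(SAMPLE_CSV) to see the two rejected rows (a non-reserved status value and a non-ISO timestamp) reported by CSV line number.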
Use a Single Email Campaign to Regain the Consent of Existing People in the EU
To determine whether or not you need to ask existing people in the EU for their consent to market to them, we recommend consulting with a lawyer. In general, people who already granted consent in a GDPR-compliant way don’t need to be asked again.
If you do need to reach out to existing people in the EU on your list, however, you can create a new single email campaign email and include the {{ compliance_html }} shortcode. The EU Compliance setting for double opt-in confirmation emails must be enabled for this to work. Along with the compliance shortcode, the email must also include either the {{ confirmation_link }} shortcode or the {{ confirmation_url }} shortcode.
When a person consents, Drip will set their consent status as granted. Keep in mind that existing people will automatically have a consent status set to unknown.
When building up the recipient list for the broadcast, you can select to only send the email to people currently in the EU. Here’s how you would build that recipient list:
Time zone > is in > Europe
This consent method only needs to be taken if you haven’t already gained the consent of people in the EU in a GDPR-compliant way. We suggest consulting a lawyer if you’re unsure whether or not your previous consent methods are still in compliance with current GDPR policies.
Non-Consenting People in the EU
People will be added to your account even if they do not consent at the time of their subscription. In some cases, this may just be an error on the person's end. When that happens, you can consider sending the non-consenting person a one-off email offering them another opportunity to consent.
You can build this type of automation with a workflow.
- Go to Workflows > Workflows > + New Workflow
- Set the entry trigger Performed a custom event
- Enter “EU Consent Denied” into the event name field and click Update trigger
- Add an action step to send a person an email by clicking the + icon directly below the entry trigger
- Add an Action step
- Select Send a person an email
- Click Edit email settings and complete your email setup
When you write your email, explain that unless they grant consent, you won't be able to send them marketing content of any kind. Include a link to a form where they can update their EU Consent status.
Once the email is sent to the person, we’ll need to give them a window of opportunity to consent before removing them from your list. To do that, set a delay for the amount of time in which the subscriber should grant their consent:
- Click the + icon directly below the one-off email action
- Add a Delay step
- Set the amount of time you’d like to give the person to consent and click Update Delay. This will give the person time to grant consent from the time they reach the delay.
If the person fails to grant their consent by the time the delay runs out, the method we'll implement is to delete the person from your Drip account in order to remain GDPR compliant. Keep in mind that this is only a suggestion.
Now that the delay is set, we’ll set the action to delete the person if they don’t consent by the end of the delay.
- Click the + icon directly beneath the Delay step
- Add an Action step
- Select Delete person
The automation up to this point will delete non-consenting people after a certain period of time. If they do go ahead and complete the methods for giving consent, we’ll need a way to pull them out of the workflow so they don’t get deleted. For this, we’ll use a goal.
- Click the + icon directly below the delete action
- Add a Goal step
- Select Performed a custom event goal
- Enter “EU Consent Granted” into the event name field
- Click Update trigger
When your workflow is ready, be sure to activate it so that it will start accepting people. To do so, turn the ON/OFF toggle in the top right of the workflow editor ON.
Here's the finished Workflow:
My Business Will Not Become GDPR Compliant
For those who find the cost of compliance is higher than not doing business with EU citizens at all, please continue reading.
Before we get into the details, however, please take note that neither Drip nor any service provider can completely prevent EU citizens from subscribing. Providers like Drip use time zone and IP address data to attempt to locate people, but there are a number of reasons why this data could be either unavailable or inaccurate (e.g. the person is traveling outside the EU, using someone else’s device, etc.). So while the methods below reduce the chance of a person in the EU landing on your list, they do not remove it entirely.
Remove Existing People in the EU From Your List
If you think you might already have people from the EU on your list, you can perform an account query to find out. Keep in mind that this method will only work if you have people's time zones already stored in Olson format (also known as “tz database”) in your account.
- To query for existing people in the EU, go to People > Active
- Set your filters to Time zone > is in > Europe
- Click Refresh
Take note that the Europe filter includes all time zones in this TZ time zone table in Olson format.
Your segmented list will now only contain people that have time zones in the EU. Unless you'll be managing people from the EU in another way, we recommend removing them from your list via a Bulk Operation.
- Click Action
- Select Perform a Bulk Operation
- Select Delete a person and all of their data
- Click Next
- Click Schedule Operation to complete the operation
Block People from the EU From Your Account
If you're using Drip forms, a person's time zone is automatically determined. You can create a Rule that will automatically delete any person with a European time zone.
Before proceeding, we should note that there are a few downsides to this approach:
- People in countries outside of the EU that share a time zone with Europe (such as Egypt) may be deleted as well.
- Non-EU citizens who happen to be in Europe when they subscribe may be deleted.
- People legitimately interested in your content may be turned off when they don’t receive what they expect.
As an alternative approach to deleting people, you might send them a one-off email informing them of why you plan to delete them. If you'd like to go a bit further, you might also add a text warning on your form that you won't be accepting people from the EU in order to protect your business under GDPR restrictions.
To block EU form subscriptions:
- Go to Workflows > Rules > +New Rule
- Select Submitted a form
- Choose Any form from the drop-down
- Click Change to add filter criteria to the rule. The rule should only trigger if the person's time zone is in the EU, otherwise, it would delete every person that submitted a form.
- Use the filter to only recognize people in the EU by using these filter criteria: Time zone > is in > Europe
- Click Update Criteria
- Set the rule's action (step 2) to Delete person
- Activate the Rule
Add Text Warning to Your Forms
When designing your forms, you can add text to inform possible people from the EU that they will not be allowed to subscribe in order to protect their GDPR privacy rights.
To do that, go to the form's Design tab and add whatever text to the bottom of the description that you’d like to use.
This method can potentially deter people from the EU from subscribing to your list.
Exercising Peoples' Data Subject Rights
The GDPR grants several rights to EU residents around their data. While it is your responsibility as the controller to exercise these, you may need assistance from Drip to do so depending on the request. Please note that, as a data processor, we can only provide assistance on behalf of people on your list if the Drip account owner directly requests it via privacy@drip.com. People on your list are not allowed to reach out to Drip directly.
Right of Access and Portability (GDPR Article 15)
A person may request access to all data you have stored on them, which would include data stored in Drip.
If you receive a legitimate request for this from someone on your list (please consult with your lawyer on this - people from the EU simply curious about their data do not necessarily qualify), you may email privacy@drip.com. Exporting data to CSV is possible, but will be incomplete without a person's activity feed data, which we can provide.
Please note the following:
- For security purposes, this request must come from the Drip account owner, not any member of the account.
- The email address of the person requesting access must be provided, and that person must be present on your Drip account.
- Drip will respond to data subject rights requests within 30 days, as required by the GDPR.
Right of Rectification (GDPR Article 16)
People from the EU have the right to update the information you have stored on them. They can do this on their own via their subscription management page.
Right to Be Forgotten (GDPR Article 16)
A person may request to have all data you have stored on them erased, which would include data stored in Drip.
If you receive a legitimate request for this from someone, delete the person on the People tab of your Drip account to prevent any further data from being collected, then email privacy@drip.com to have the full deletion of their data expedited. Please note the following:
- For security purposes, this request must come from the Drip account owner, not any member of the account.
- The email address of the person requesting to be forgotten must be provided, and that person must be present on your Drip account.
- Drip will respond to data subject rights requests within 30 days, as required by the GDPR.
Right to Restrict Processing (GDPR Article 18)
A person may request that their data no longer be processed by you.
If you receive a legitimate request for this from someone on your list, you may delete the person on the People tab of your Drip account. This will prevent the customers’ data from being processed.
Right to Object to Processing (GDPR Article 21)
Not to be confused with the Right to Restrict Processing, this article relates to the legal basis on which you are collecting their data (for example, if that legal basis is something other than that person's consent).
This objection will most likely be focused on you as a controller, not Drip as a processor. As such, you will need to involve your legal counsel to determine the legitimacy of the person’s request and facilitate a resolution with them.
If the objection is focused on Drip as a processor, you may email privacy@drip.com.
- For security purposes, this email must come from the Drip account owner, not any member of the account.
- Drip will respond to data subject rights requests within 30 days, as required by the GDPR.
Current Subprocessors
Below is our most up-to-date list of all subcontractors used for Subprocessing Personal Data covered by the GDPR under the agreement.
- Amazon Web Services
- Atlassian
- Browserstack
- Calendly
- Churnzero
- Clearbit
- Dataloader.io
- Docusign
- Domo
- Drift
- Dropbox
- E Hawk
- FullStory
- G2 Crowd
- Gong i.o. Inc
- Honeybadger
- Hubspot
- Liquid Web
- Mixpanel
- Outreach
- Papertrail/Solarwinds
- Pendo
- Pusher
- Salesforce
- SendGrid
- Shopify
- Slack
- Stripe
- Trello
- VividCortex
- Wistia
- Yotpo
- Zapier
- Zendesk
- Zoom
- Zoominfo
- Marketo
Drip's Data Processing Agreement + Additional Resources
- View Drip’s Data Processing Agreement
- GDPR Website