#Ensure GDPR compliance

All CampaignPRO-managed Mautic instances collect and process personally identifiable information (PII) from your visitors and customers, both on the instance's own site and on any website where you embed your Mautic tracking code.

Such collection is subject to various privacy laws depending on where your visitors are located, such as:

Most of these laws share common requirements, and GDPR is among the strictest, so in most cases making your business GDPR-compliant is a sound baseline for the others as well.

#Requirements

In order to ensure compliance with GDPR and similar laws you should consider the following requirements:

  1. Every person has to give consent to the collection of personal data;
  2. Every person has the right to know what data about them is stored;
  3. Every person has the right to download the data stored about them;
  4. Every person has the right to be forgotten;

All your visitors must agree to have their personal identifiable information tracked BEFORE you start collecting it.

This also includes working with cookies for any marketing purposes other than the absolute minimum required for the technical operation of your website.

Embedding the Mautic tracking code on a webpage is in itself collection of PII from visitors: as soon as mtc.js runs, it sets the tracking cookies listed below and records a page hit. Therefore you should implement a mechanism that embeds or loads the code only AFTER the visitor has given permission, rather than loading it unconditionally and asking afterwards.

For the moment Mautic does not provide such functionality out-of-the-box, so you should rely on a third-party application for this. We suggest searching the web for a Consent Management Platform (CMP) such as Usercentrics.

By default, Mautic sets the following cookies on every site where you embed your tracking code:

  • mtc_id expires after 1 year
    A targeting cookie holding the visitor's contact ID, used to tie page hits, forms and other activity to one contact.

  • mtc_sid expires at the end of the session
    A targeting / functional cookie used when you have forms or focus items on the page.

  • mautic_session_id expires at the end of the session
    A targeting / functional cookie used when you have forms or focus items on the page.

  • mautic_referer_id expires after 1 year
    A targeting cookie.

  • mautic_focus_<id> (one cookie per focus item) expires depending on your focus item configuration
    A functional cookie that records that the focus item has been shown to the visitor.

Because all of these are set by mtc.js, withholding the script until consent is granted is sufficient to prevent them from being written.

#Every person has the right to know what data about them is stored

#Create a privacy policy

Every reputable website processing user information should have a privacy policy page listing (among other things) what kind of information is being collected or tracked and for what purposes.

You should also let your visitors know about the tools and technologies you are using for collection and any third-party services or tools also involved in the process.

Lastly you must inform your visitors about the security measures you've implemented in order to protect the information they share with you.

The best way to create such a page is to have a lawyer draft it, but for most intents and purposes you can also start from one of the freely available privacy policy generators on the web and adjust it to the tools you actually use.

#Ask users to agree to your privacy policy

Once you have a proper privacy policy page you should consider asking your visitors to read and agree to it. Ideally this should happen via the Consent Management Platform when you're asking your visitors to allow you to track their personal information for marketing purposes.

A good practice is to allow fine-grained control: let visitors accept the privacy policy without being forced to also accept collection for marketing purposes, and keep the two choices separate rather than bundling them behind a single "accept" button.

If a visitor opts out of marketing collection but then decides to subscribe to a newsletter, for example, entering their e-mail address is still collection of PII, and therefore you must ask them to agree to your privacy policy at that point.

Traditionally this is done by adding a required checkbox field to your Mautic form stating that the visitor has read and agrees with the policy, with a link to the policy next to it. Mautic stores the form submission together with its date, which gives you a record of when and to what the person consented.

#Every person has the right to download the data stored about them

Any person engaging with your Mautic instance may request to download all of their stored personal information from you.

For this purpose you need a named point of contact who handles such requests, and your privacy policy should say how to reach them. Note that GDPR only requires a formal Data Protection Officer in specific cases, for example when your core activities involve regular and systematic monitoring of individuals on a large scale, which marketing tracking can amount to; separately, a business with no establishment in the EU that targets EU residents must designate a representative located in the EU.

To export all available information about a person, open Mautic's Contacts page, find the contact in question and click on it.

Next click the dropdown icon in the top right corner of the page and click Export to download the contact's information in a CSV format.

Finally click the Export button in the History tab at the bottom of the page to download all of the contact's activity in CSV format.

Keep in mind that these exports cover only what is stored in Mautic. If you have pushed contact data to other systems (a CRM integration, an e-mail delivery provider, a spreadsheet exported earlier), the request covers that data too and you must collect it from there as well.

#Every person has the right to be forgotten

If any of your customers / visitors requests to be forgotten you can simply delete the corresponding contact by opening Mautic's Contacts page, finding the contact in question and clicking on it.

Now click the dropdown icon in the top right corner of the page and click Delete. This irreversibly deletes the contact along with all related information, including history.

Two caveats apply. First, deletion in Mautic does not reach copies of the data elsewhere: database backups, earlier CSV exports and any system you have synchronised the contact to must be handled separately. Second, the tracking cookies remain in the visitor's browser; if the same person returns, Mautic will not recognise the old ID and will simply create a new anonymous contact, so this is not a loophole, but you should not expect the deleted ID to reappear either.
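For instances that receive these requests regularly, the two procedures above (export of the contact and its history, and deletion) can be driven through Mautic's REST API instead of the UI. The following is an added example, not CampaignPRO's or Mautic's own code. It assumes the instance is at `https://mautic.example.com`, that the API is enabled with HTTP basic authentication, that the credentials shown are placeholders, and that Node 18 or later is used (global `fetch`). The contact is located with the same `email:` filter the contacts search box uses, and the script refuses to export or delete unless exactly one contact matches the e-mail address exactly, because fulfilling a request against the wrong person is itself a data breach. Deletion is a dry run unless explicitly told otherwise.

```javascript
// Added example (not CampaignPRO's or Mautic's own code): serve an access or
// erasure request over Mautic's REST API instead of clicking through the UI.
// Assumptions (hypothetical): instance at https://mautic.example.com, API
// enabled with HTTP basic auth, placeholder credentials, Node 18+ (fetch).

const MAUTIC_BASE = 'https://mautic.example.com';
const API_AUTH = 'Basic ' + Buffer.from('api-user:api-password').toString('base64');

async function api(method, path) {
  const res = await fetch(MAUTIC_BASE + path, {
    method,
    headers: { Authorization: API_AUTH, Accept: 'application/json' },
  });
  if (!res.ok) throw new Error(`${method} ${path} failed: HTTP ${res.status}`);
  return res.json();
}

// RFC 4180-style quoting so a field containing a comma, quote or newline
// cannot break the exported file when it is opened elsewhere.
function csvEscape(value) {
  const s = value === null || value === undefined ? '' : String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Pick exactly one contact from a GET /api/contacts?search=... response.
// The search filter matches loosely, so require an exact (case-insensitive)
// e-mail match and refuse to act on zero or several hits.
function pickSingleMatch(listResponse, email) {
  const wanted = email.trim().toLowerCase();
  const hits = Object.values(listResponse.contacts || {}).filter((c) => {
    const addr = c.fields && c.fields.all ? c.fields.all.email : undefined;
    return String(addr || '').toLowerCase() === wanted;
  });
  if (hits.length !== 1) {
    throw new Error(`expected exactly one contact for ${email}, found ${hits.length}`);
  }
  return hits[0];
}

// Flatten a contact object (the "contact" value of GET /api/contacts/{id})
// into a header row and a data row using its flat fields.all map.
function contactToCsv(contact) {
  const fields = contact.fields.all;
  const names = Object.keys(fields).sort();
  return [
    names.map(csvEscape).join(','),
    names.map((n) => csvEscape(fields[n])).join(','),
  ].join('\n');
}

// Flatten the "events" array of GET /api/contacts/{id}/activity into CSV.
function activityToCsv(events) {
  const rows = events.map((e) => [e.timestamp, e.event, e.eventLabel].map(csvEscape).join(','));
  return ['timestamp,event,label', ...rows].join('\n');
}

async function findContact(email) {
  const q = encodeURIComponent('email:' + email);
  return pickSingleMatch(await api('GET', `/api/contacts?search=${q}`), email);
}

// Right of access: both CSV documents for the contact owning `email`.
async function exportContact(email) {
  const summary = await findContact(email);
  const { contact } = await api('GET', `/api/contacts/${summary.id}`);
  const activity = await api('GET', `/api/contacts/${summary.id}/activity`);
  return { contact: contactToCsv(contact), activity: activityToCsv(activity.events || []) };
}

// Right to be forgotten: delete the contact; Mautic removes its history too.
// dryRun defaults to true so the script cannot erase anything by accident.
async function forgetContact(email, dryRun = true) {
  const summary = await findContact(email);
  if (dryRun) return { id: summary.id, deleted: false };
  await api('DELETE', `/api/contacts/${summary.id}`);
  return { id: summary.id, deleted: true };
}
```

Run the API user with the minimum permissions (read contacts for exports; delete contacts only for the erasure role) and log each request you serve, since you may have to demonstrate later that it was handled within the statutory deadline.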