Disclaimer: The contents of this web page do not constitute legal advice. This page is for informational purposes only, and we strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.
If you’re using ActiveCampaign's site tracking feature to track visits made to your website by contacts in the EU, then you may want to make changes to consider how you’ve implemented site tracking to help with your GDPR compliance efforts.
What is site tracking?
Our site tracking feature tracks visits to your website and associates those page visits with contact records. It also collects the IP address of your contacts. Site tracking allows you to see which web pages contacts visits so you can create segments and send targeted campaigns, display site messages to specific contacts, and is used with our attribution feature.
These page visits and IP addresses are considered personal data under the GDPR because they allow your contacts to be individually identified.
How the GDPR impacts site tracking
Under GDPR, you will need an appropriate lawful basis or legally approved reason before you can collect and store personal data. Once such lawful basis is consent.
One way you can implement this is by creating a "Tracking Consent" notice on your site that states what information is being collected and how that information will be used based on the consent you request. The information in this notice must use clear and plain language, advise of the ability to withdraw consent at any time and contain a button or checkbox that the contact must affirmatively click to give their consent.
Keep in mind that, in addition to creating a proper method to collect consent (if you are processing based on consent), you will also need to comply with other GDPR requirements, including making a compliant privacy notice available to your contacts that makes very clear data processing practices and aligns with the GDPR requirements, including the notice requirements in Articles 13 and 14.
Who does the site tracking update for the GDPR apply to?
The site tracking update for the GDPR applies to:
- Any ActiveCampaign customer in the European Union (EU) processing personal data and using our site tracking feature.
- Any ActiveCampaign customer outside of the EU processing the personal data of EU data subjects and using our site tracking feature.
How to update site tracking for the GDPR to obtain consent
- Replace the site tracking code on your website.
We’ve updated our site tracking code to complement your GDPR compliance needs. You will need to replace the ActiveCampaign site tracking code you’re currently using with this new one. You can get this new code by visiting Settings > Tracking in your account. The updated site tracking code will be in the “Tracking Code” box. - Update the "Track by Default" setting in the site tracking code.
The "Track by Default" setting on our site tracking code automatically tracks page visits. Once you replace the site tracking code on your website, you must update that default setting. This update is done in the site tracking code pasted on your site.
You can change this: vgo('setTrackByDefault',true);
To this: vgo('setTrackByDefault',false);
Simply replacing the site tracking code (see step 1 above) will not change how the ActiveCampaign platform tracks data for you. Updating the "Track by Default" setting is a necessary step that may help you comply with the GDPR when processing data based on consent by allowing you to obtain freely given, affirmative, informed consent. - Create a “Tracking Consent” notice.
The purpose of this notice is to explicitly ask contacts for their permission to be tracked and notify them what they are consenting to. This notice can be in the form of a banner or a pop-up box.
The notice must state what information is being collected, and how it will be used, and let individuals know they can withdraw their consent at any time. In addition, the notice must use clear and plain language and contain some methods for individuals to indicate their affirmative agreement, such as a button that they must click to give their consent.
You are responsible for creating this notice. If you don’t know how to create this notice, you must work with someone on your team or organization who can, or preferably your legal counsel. Our Customer Experience Team cannot assist with creating a “Tracking Consent” notice. - Add a code snippet to your “Yes/Agree” button on the “Tracking Consent” notice.
If a contact has allowed site tracking, you will need to call the Javascript function, vgo('process', 'allowTracking')
To allow tracking for future visits, when the contact accepts cookies, you might set a temporary cookie (for example, for 30 days). Then on each page load, check for the temporary cookie you have set and run vgo('process', 'allowTracking')
Example:
// Insert tracking snippet here
if (document.cookie.indexOf('accept_cookies') !== -1) {
vgo('process', 'allowTracking');
}
$('.btn').on('click', function() {
var expiration = new Date(new Date().getTime() + 1000 * 60 * 60 * 24 * 30);
vgo('process', 'allowTracking');
document.cookie = 'accept_cookies=1; expires=' + expiration + '; path=/';
});
The GDPR compliance deadline was May 25, 2018. Parties who violate the law, including collecting and processing personal data without a proper lawful basis such as consent, are subject to substantial penalties. See Article 83: General conditions for imposing administrative fines.