Site tracking and the GDPR

Disclaimer: The contents of this web page do not constitute legal advice. This page is for informational purposes only, and we strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR. 

If you’re using ActiveCampaign's site tracking feature to track visits made to your website by contacts in the EU, then you may want to change how you’ve implemented site tracking in order to help with your GDPR compliance efforts.


What is site tracking?

Our site tracking feature tracks visits made to your website and associates those page visits with contact records. It also collects the IP address of your contacts. Site tracking allows you to see which web pages a contact visits so you can create segments, send targeted campaigns, and display site messages to specific contacts. It is also used with our attribution feature. These page visits and the IP address are considered personal data under the GDPR because they allow your contacts to be individually identified.

How the GDPR impacts site tracking

Under the GDPR, you will need an appropriate lawful basis or legally approved reason before you can collect and store personal data. One such lawful basis is consent. One way you can implement this is by creating a "Tracking Consent" notice on your site that states what information is being collected and how that information will be used based on the consent you are requesting. The information in this notice must use clear and plain language, advise of the ability to withdraw consent at any time, and contain a button or checkbox that the contact must affirmatively click in order to give their consent.

Keep in mind that, in addition to creating a proper method to collect consent (if you are processing based on consent), you will also need to comply with other GDPR requirements. These include making a compliant privacy notice available to your contacts that makes your data processing practices very clear and aligns with the GDPR requirements, including the notice requirements in Articles 13 and 14.

Who does the site tracking update for the GDPR apply to?

The site tracking update for the GDPR applies to:

  • Any ActiveCampaign customer in the European Union (EU) that is processing personal data and using our site tracking feature.
  • Any ActiveCampaign customer outside of the EU that is processing personal data of EU data subjects and using our site tracking feature.

How to update site tracking for the GDPR to obtain consent

1. Replace the site tracking code on your website.

We’ve made updates to our site tracking code in order to complement your GDPR compliance needs. You will need to replace the ActiveCampaign site tracking code you’re currently using with this new one. You can get this new code by going to Settings > Tracking in your account. The updated site tracking code will be located in the “Tracking Code” box.

2. Update the "Track by Default" setting in the site tracking code.

The "Track by Default" setting on our site tracking code automatically tracks page visits. Once you replace the site tracking code on your website, you will need to update that default setting. This update is done in the site tracking code that is pasted on your site. 

You can change this:

vgo('setTrackByDefault',true);

To this:

vgo('setTrackByDefault',false);

Simply replacing the site tracking code (see step 1 above) will not change how the ActiveCampaign platform tracks data for you. Updating the "Track by Default" setting is a necessary step that may help you comply with the GDPR when you are processing data based on consent by allowing you to obtain freely given, affirmative, informed consent.

3. Create a “Tracking Consent” notice.

The purpose of this notice is to explicitly ask contacts for their permission to be tracked and notify them what, specifically, they are consenting to. This notice can be in the form of a banner or a pop up box. The notice must state what information is being collected, how it will be used, and let individuals know that they can withdraw their consent at any time. In addition, the notice must use clear and plain language and contain some method for individuals to indicate their affirmative agreement, such as a button that they must click in order to give their consent.

You are responsible for creating this notice. If you don’t know how to create this notice, you must work with someone on your team or in your organization who can, or preferably your legal counsel. Our support team will not be able to assist with creating a “Tracking Consent” notice.

4. Add a snippet of code to your “Yes/Agree” button on the “Tracking Consent” notice.

If a contact has allowed site tracking, you will need to call the JavaScript function vgo('process', 'allowTracking').

In order to allow tracking for future visits, when cookies are accepted by the contact, you might set a temporary cookie (for example, for 30 days). Then on each page load, check for the temporary cookie you have set and run vgo('process', 'allowTracking').

Example:

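// Insert tracking snippet here

// On each page load: allow tracking only if the consent cookie is set.
// Match the exact cookie name so a cookie such as "not_accept_cookies" does not count.
if (/(?:^|;\s*)accept_cookies=1(?:;|$)/.test(document.cookie)) {
    vgo('process', 'allowTracking');
}

// "Yes/Agree" button on the "Tracking Consent" notice (uses jQuery; adjust the selector to your button).
$('.btn').on('click', function() {
    // Remember the consent for 30 days.
    var expiration = new Date(new Date().getTime() + 1000 * 60 * 60 * 24 * 30);
    vgo('process', 'allowTracking');
    // The expires attribute expects an HTTP date, so use toUTCString().
    document.cookie = 'accept_cookies=1; expires=' + expiration.toUTCString() + '; path=/';
});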
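
Steps 2 to 4 as one consent gate, extended with a withdrawal path because the notice must let individuals withdraw consent at any time. This is an added example, not ActiveCampaign's code; the helper names and the element ids consent-yes and consent-withdraw are assumptions, and only the vgo call shown above is used.

```javascript
// Added example, not ActiveCampaign code. Helper names and element ids are assumptions.
const CONSENT_COOKIE = 'accept_cookies'; // cookie name from the page's example
const CONSENT_DAYS = 30;                 // lifetime suggested on the page

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Consent counts only for the exact cookie name with value "1".
function hasConsent(cookieString) {
  return parseCookies(cookieString).get(CONSENT_COOKIE) === '1';
}

// Cookie to write when the visitor clicks "Yes/Agree".
function grantCookie(now = new Date()) {
  const expires = new Date(now.getTime() + CONSENT_DAYS * 24 * 60 * 60 * 1000);
  return `${CONSENT_COOKIE}=1; expires=${expires.toUTCString()}; path=/; SameSite=Lax`;
}

// Cookie to write when the visitor withdraws consent: expire it immediately.
function withdrawCookie() {
  return `${CONSENT_COOKIE}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; SameSite=Lax`;
}

// Run on every page load, after the tracking snippet with setTrackByDefault false.
function applyConsent(cookieString, vgo) {
  if (!hasConsent(cookieString)) return false;
  vgo('process', 'allowTracking');
  return true;
}

// Browser wiring; skipped outside a page that has loaded the tracking snippet.
if (typeof document !== 'undefined' && typeof vgo === 'function') {
  applyConsent(document.cookie, vgo);
  document.getElementById('consent-yes')?.addEventListener('click', () => {
    document.cookie = grantCookie();
    vgo('process', 'allowTracking');
  });
  document.getElementById('consent-withdraw')?.addEventListener('click', () => {
    document.cookie = withdrawCookie();
  });
}
```

Withdrawing here only stops later page loads from calling allowTracking; it does not touch visits that were already recorded.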

The GDPR compliance deadline was May 25, 2018. Parties who violate the law, including collecting and processing personal data without a proper lawful basis such as consent, are subject to substantial penalties. See Article 83: General conditions for imposing administrative fines.
