Learn everything there is to know on how Leadpages complies with GDPR and CCPA as well as how Leadpages can help your business comply with these data protection regulations and protect your customers' data.
As a business using Leadpages, it is still your responsibility to comply with any and all regulations you are subject to based on your geographical location and customers’ geographical location.
The fine print
- The nature of these regulations is evolving and interpretation of the law is wide-ranging. Therefore, this article should not be used as legal counsel. Counsel familiar with your business would be able to give you specific best practices for compliance under data protection regulations.
- GDPR form fields from an integration (such as MailChimp) cannot be added to a Leadpages form. However, you could create custom GDPR form fields within your integration and add those to Leadpages.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is designed to hold organizations (like Leadpages and your business) more accountable for keeping personal data secure. It outlines new procedures for how you collect, store, and use data, as well as the rights individuals have to protect, access, and modify their data.
This new legislation applies to all people, organizations, and businesses involved in processing personal data (names, email addresses, tracking, etc.) about individuals within the European Economic Area (EEA) within the context of selling goods and services, regardless of where in the world your business (and data) is based. The EEA states include the EU and Norway, Iceland, and Liechtenstein as well as (for now) the UK.
Your business is responsible for its own compliance. While we'd suggest speaking to a lawyer as to what GDPR compliance means for your own business, we acknowledge legal counsel isn't always readily available to our customers. Leadpages has implemented changes to make our product compliant and has answers below to some of your GDPR questions.
First things first, make sure to read our post on all things GDPR.
How Leadpages complies with GDPR
- All user data processed by us has been secured against accidental or unlawful loss, access or disclosure.
How Leadpages helps you comply with GDPR
- We have drafted a Data Protection Agreement (DPA). Read more below ↘
- A GDPR consent checkbox has been added as an available field to add to your forms. Read more below ↘
Data Protection Agreement (DPA) for Customers
GDPR specifies that any Controller that is subject to GDPR will need to have a signed Data Processing Agreement with any third party that it shares data with where that third party is a Processor as defined under GDPR.
If you’re collecting any personal data (name, email address, etc.) from someone located in the EEA, you’re a controller. The organization/application that stores that data on your behalf (Leadpages, for example) is the processor.
Article 28 (3) of GDPR specifies that this contract should clearly define the nature, purposes, and duration of data processing, the types of personal data, any particular special categories of data and the obligations and rights of both parties.
Customers of Leadpages who are considered to be Controllers under the terms of GDPR should sign a DPA with Leadpages, effective as of the compliance deadline of May 25, 2018.
Here's how to complete this process:
- View our pre-signed DPA: When you click the link below, you'll need to enter your name and email. When you click 'Begin Signing' you'll be taken to a DocuSign version of our DPA that has been pre-signed by the authorized Leadpages Data Protection Officer.
- Add your signature: After you have reviewed the document, add your signature electronically.
- Download and Save: Download a fully signed version of the DPA for your records.
Inside the Leadpages builder, users can easily start gaining consent from leads and subscribers located in the EEA with active-consent checkboxes. The checkbox displays next to a customizable compliance statement (such as “I consent to receive information about services and special offers via email”).
If you're looking to obtain and document that active consent was given, before implementing the Leadpages active-consent checkbox, consider creating a consent checkbox as a custom field within your email service provider (ESP). This custom field would need a compliance statement like the one above and cannot be pre-selected or required.
If you have a Leadpages active-consent checkbox on a page or pop-up and are integrated with Drip, the results of that checkbox will be saved in Drip.
Learn more about how to add custom fields from your email service provider here.
Adding the active-consent checkbox to a form
- Hover over your form and click Edit Integrations.
- Switch to the tab "② FIELDS" on the left and click "Add a Field."
- Select the active-consent checkbox.
- Press Done and Update your page.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a California data privacy law that went into effect on January 1, 2020. The CCPA regulates how certain businesses may use the personal data of Californians. Under CCPA, the California consumers of your content built with Leadpages have specific rights as they pertain to their personal data.
CCPA applies to your business if it meets one of the following criteria:
- Has gross annual revenues in excess of $25 million
- Buys, receives, or sells the personal information of 50,000 or more California consumers, households, or devices
- Derives 50 percent or more of annual revenues from selling California consumers’ personal information.
If you have visitors or customers in California and your business meets one or more of the criteria above, the sections below outline a few of the ways Leadpages has prepared for CCPA and helps you comply with the law.
How Leadpages complies with CCPA
- We offer the ability to delete or opt-out of our services, including the removal of your data upon request and after verification of your identity.
- We retain documentation of all requests from our users who have requested disclosure or removal of their data.
How Leadpages helps you comply with CCPA
- The Leadpages DPA for GDPR above satisfies CCPA's requirements for the data protection of your customers, as GDPR requires even more thorough transparency in processing of your customers' data.
- Security covered in DPA: we secure any User Personal Data Processed by us against accidental or unlawful loss, access or disclosure; identify reasonably foreseeable and internal risks to security and unauthorized access to the User Personal Data Processed by us; minimize security risks, including through risk assessment and regular testing.
- Data requests covered in DPA: Where applicable, and taking into account the nature of the processing time, we will assist you in fulfillment of your obligation to respond to requests from your customers exercising their data protection rights.
Frequently asked questions
How do I access the IP addresses of subscribers?
At this time, Leadpages does not provide the IP addresses of subscribers. Please note, if you're looking to identify the geographical location of your subscribers, it's best to set up a field on your form that asks for their location, as IP addresses are not the most accurate indicator of a subscriber's residence. Furthermore, filtering by IP addresses when deciding who to send subsequent emails to could incorrectly include subscribers of a location not intended to be left out.
I can use double opt-in instead of checkboxes, right?
Not quite. Double opt-in is a function offered by most third-party email service providers (ESP) and enables marketers to send an email after a visitor has signed up, inviting the visitor to confirm his/her email address and consent to receive further email communications. Under the terms of the GDPR, double opt-in is generally not an acceptable means of obtaining active consent. Because exceptions to this rule do exist in certain cases, we recommend you first seek legal counsel to help craft the compliance statements necessary to deploy double opt-ins.
Active-consent checkboxes are the recommended alternative.
Why can't your checkbox just talk to my email service provider (ESP)?
Many of our third-party ESP integrations have not yet updated their API in order for Leadpages to pull in GDPR-specific fields to be added to Leadpages forms and in turn submitted to that ESP. But, as indicated above, you're not out of options.
How do I get cookie consent from my visitors?
Obtaining consent for tracking cookies is not a requirement of GDPR but rather of the ePrivacy Directive. Cookie consent is a current topic for the ePrivacy Regulation, likely to replace the Directive next year, requiring all browsers to regulate cookie consent rather than individual websites. However, because many of you currently use third-party tracking code and analytics, our team is exploring options to build this functionality into our product in the future.
Is Leadpages certified with the Privacy Shield?
Leadpages will not be self-certifying with US Privacy Shield, but is instead committing to the EU Standard Contractual Clauses (SCCs) in our Data Processing Agreement, which cover the EU's requirements for international data transfer. Since you're transferring data to Leadpages only for processing purposes, the contract will do.
Can I set up multiple checkboxes?
Some online marketers may be counseled by a legal team to have multiple consent checkboxes, one for each of the means of communication they'll use to contact their subscribers (e.g. email, phone, direct mail). We only have one active-consent checkbox within Leadpages; however, you may be able to set up multiple custom field checkboxes in your ESP and add those to your Leadpages form.
As always, our support team is standing by for any other questions you have!
Need more help?
You can always get in touch with our support team: just click Support in your Leadpages navigation menu, or submit a ticket.