Opt-in and Confirmed Opt-in simultaneously in use after GDPR

Hello!

I have run into trouble with many things regarding confirmed opt-in vs. opt-in. It seems to be a big nut for SuiteCRM developers to get confirmed opt-in to work as it should. After switching email settings to Confirmed Opt In it only applies to new contacts added into the CRM. All old contacts still remain as opt-in in the database. This is of course as it should be, since the whole idea with confirmed opt-in is that all old contacts in the CRM have to renew their permission in order to receive emails from us.

The problem occurs because SuiteCRM does not really handle the situation well after we have both opt-in contacts and confirmed-opt-in contacts in the CRM. Why aren't all contacts with status opt-in automatically turned to not-opt-in after switching email settings to Confirmed Opt In? This is causing even more problems with third-party addons like SugarChimp, since they do not yet recognize the difference between confirmed opt-in and opt-in. Both will receive emails if I use that addon.

Has anybody manually changed status from opt-in to not-opt-in after switching over to Confirmed Opt In due to GDPR? It would be nice to know so I do not have to try and see. Or does anybody have any suggestion for how to handle this situation? I do not really understand why SuiteCRM needs to have opt-in contacts after switching to Confirmed Opt In. Of course, I cannot send out the manual Confirmed Opt In email request to contacts that have opted out.

Also regarding GDPR, a contact should be able to opt in again to a target list (Newsletter). If that contact is already marked opt-out, I do not know how this can be done via any Web Form.

One thing is switching the company policy (from “confirmed opt-in” to “opt-in” or the other way around), which is a system-wide setting; the other is to go into your individual records and change their registered value. If this was done automatically you would throw away possibly valuable information. Imagine some admin looking at the settings and saying, “let’s see what happens when I change this here”, and risking throwing away individual users’ options? What if you wanted that back someday?

So, I see the case you’re making, you are right there should be a way to do it from the UI (not just from the database), but it would need to be carefully thought-out as a separate option, I believe.

The problem is that due to GDPR you have to have confirmed opt-in active, since e.g. all new subscribers for a newsletter (target list) have to get the confirmation email where they are asked for permission (automatically sent or manually); this is not possible if you have Opted-In as the general opt-in setting. It has to be Confirmed Opt In to get this feature.

It would be enough to mark all opt-in as “not-opt-in” when you switch the general setting to Confirmed Opt In, BUT that will make it impossible to send any emails, not even the manual “Send Confirmed Opt In” email to old contacts. Those who really have opted out are separately marked in a different table as opted out. But you are right, this has to be done carefully without losing any important information.

I think this will be solved or improved quite soon when everybody slowly starts to recognize what the GDPR is about.

Oh, and about the other issue, I asked one of the developers and this is what I heard:

If somebody fills in a web form, it will create a new Target, regardless of whether they use an email previously registered in the system. But if there was already an existing target with the same email address, they will both get updated.

The opt-in status is system-wide, so if you create a new target using a web form that has the same email address as another target, the opt-in status will change to whatever you selected in the form.

You’ll have to experiment with this and see how it behaves.

GDPR doesn’t require either opt-in or double opt-in.

Art. 6.1. of GDPR says that processing is lawful if one of the following applies:
a. consent
b. there is a contract in place
c. for some legal obligations
d. vital interests
e. public interest
f. legitimate interest

With respect to 6.1.f. (as well as 6.1.a. ???), Recital 47 of the GDPR clarifies:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

The Regulation is a little more complex though. However “consent” doesn’t mean “double opt-in”. What matters is that, if a “controller” (a company in GDPR’s jargon) decides to pursue “consent”, they will have to do it in a way that will allow them to prove that they have obtained such consent.

Achieving this evidence is by no means straightforward, and there are a number of circumstances under which “data subjects” may object to having granted such consent even in the presence of an opt-in or a double opt-in.

IMHO the way in which CRM systems (including SuiteCRM) deal with the acquisition of consent and keep the data is not compliant with the above requirement. For example, any system administrator of the CRM could launch a query and change the decision of a “data subject”, since the information is not encrypted; it doesn’t carry a real proof of who actually provided the double opt-in (e.g. you don’t know who is on the other side).

Additionally, those pursuing consent have to obtain it for each of the single reasons for processing the data, while here we are just seeking a generic aggregated consent.

Having said this the feature is more than welcome!


Ok, we have different understanding of what GDPR is about.

For me it is 100% clear that no CRM system will automatically make you GDPR ready. Of course it is about

  1. What you save and
  2. For which purposes
  3. How you get consent
    Etc etc…

Regarding consent, it is also totally clear that people who have subscribed to a newsletter have to renew their consent. How this is done can be discussed. But it is enough to send out an email to the address registered and ask for confirmation. That is consent renewal in a very basic way.

We all have different needs and different expectations from the CRM. For me, and according to my and our lawyers’ understanding, the confirmed opt-in has to be there.

This is not what the GDPR says. Even if you base the processing of data on “consent”, which is not the only lawful option, if such consent has already been granted, “processors” are not required to take any further action, provided they can prove that “consent” has been granted.

In any case, since the legislator has explicitly clarified with Recital 47 that “legitimate interest” is lawful in the case of direct marketing (which includes also newsletters), I wonder why a company would pursue “consent” when it is not strictly necessary.

Furthermore writing to a list of possibly thousands (or more) contacts asking to opt-in is a near suicide!

Unless you are one of the www giants, it is very likely that less than half will read your message. Out of that half, probably only a small percentage will respond (maybe 10%). And out of the respondents probably (less than) half will give their consent.

Especially in these days, in which everybody is receiving tens if not hundreds of such messages! (I have received over 300 so far and I binned 100% of them, and I don’t think I am much different from the majority!)

For me this is a commercial suicide.

For those pursuing consent (which is among the lawful reasons to process data) it is important to understand the complexity and the risks of seeking to obtain such consent. Among many things, it has to be provided distinctly for each of the uses (this means that one single tick is not sufficient in most cases).

Probably the most compliant way to obtain proof of consent would require identification of who is providing consent and a copy of their ID. And still there will be no “proof”. Only an “indication”… It could easily have been someone else claiming to be that person!

Apart from reading the GDPR itself to understand how it works, there are a number of articles on “consent” under the GDPR.

I recommend the following two:

https://www.i-scoop.eu/gdpr/explicit-consent/

https://nation.marketo.com/thread/44150-gdpr-marketing-consent-and-legitimate-interest

@amarussi I think there has been a misunderstanding in general regarding my topic and GDPR. My starting point has been our company and the situation we were in before GDPR and where we are now. I do not know how other companies have things arranged regarding GDPR and consent. Our problem is that we do not have any old consent or first consent from subscribers. And also, please let us separate contacts in the CRM and subscribers for newsletters. You are completely right that it would be a commercial suicide to wipe all contacts from the CRM that have not renewed their consent. For newsletters and other commercial mails I see it differently. If you never collected any consent, you just forced every new contact you put into the CRM to be a subscriber. Even if you always have the opt-out link in any email sent, you still do not have the first consent. That is where I / we are currently. And that is why the double opt-in / confirmed opt-in is extremely important. It is not just a feature, it is also a good practice. And especially now when everybody is aware of the new GDPR regulations, I think it is very important that serious companies are not only informing about how they handle personal data but also renewing the consent.

This is also an interesting article by Tony Kent regarding GDPR, double opt-in and re-consent; below is an excerpt from https://www.signupto.com/news/digital-marketing/gdpr-double-opt-in-and-re-consent/

"In principle, as long as a clear, genuine and mutually beneficial relationship is in place, and that the processing is anticipated, appropriate and doesn’t otherwise infringe the rights and freedoms of the individual, then data processing can still be undertaken without consent. A quick look at my own inbox suggests that many email marketers are commonly applying this scenario, and although consent is still the preferred route, my guess is that this will not significantly change under GDPR. In fact, after much discussion and lobbying the justification of Legitimate Use has been referenced within the GDPR copy as being specifically aligned to the needs of marketers.

However, the other major change with GDPR is that whatever justification you are making for the processing data (consent or otherwise) you need to have made an assessment of the possible impact of this assumption, in advance. This is new.

Having said all that, many people are taking the opportunity to contact their database to either re-affirm consent, or in the cases where (GDPR compliant) consent is not in place, to establish this. Some are specifically referencing GDPR in this process, but others are simply taking this step as a courtesy – after all, permission is a politeness and re-engaging in this way can be used to show that data protection is an important consideration and serve to strengthen an existing relationship.

There’s the danger (in fact a high probability) that some subscribers will also take this opportunity to re-assess their situation and withdraw their consent. So if you take this step, be prepared for losses. However re-engaging in this way will have the double benefit of strengthening the bond with your loyal subscribers and cleaning out those who are unlikely to engage further in the future."

So please let us now focus on how to get good features in SuiteCRM for those who need confirmed opt-in. The “political” discussion about GDPR and double opt-in may continue, but since it obviously is already implemented in SuiteCRM (even if it is not working 100%) I think we need to focus on how to get these features better for those who need them or have decided to use them. Not on whether they are necessary or not; that train already left, I think.

@kristian.ostman

I understand your point.

The issues/functionalities of opt-in and double opt-in in SuiteCRM are in the hands of Sales Agility, so I am unable to help here since I don’t know the analysis that has been made nor to what point Sales Agility is prepared to develop this functionality.

From what I see at the moment they have introduced a new feature but, as you have pointed out, it is still to be refined and fortified with certain missing features.

However, Sales Agility are investing heavily in many directions to make SuiteCRM more stable and robust. At the moment I understand that they are working hard on the introduction of new tools to make new releases less error-prone, more robust and more thoroughly tested. In parallel they are working on solving a huge number of issues regarding emails in general and a few more fronts.

I don’t know what priority or capacity they are able to assign to GDPR, even if it is a very current topic, since they have already introduced some new functionality on this. I think that this should be answered by them, hopefully with a more detailed description of their plans (although keep in mind also that such an answer would require some extra effort, taking it away from all their open fronts!).

Maybe Pedro (@pgr) may be able to provide more information asking Sales Agility but, from what I see, he is extremely busy while carrying out his job in the Forum in such an excellent way.

Just one more useful guide:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/

This is just to let you know this thread has sparked some interesting internal debates in SalesAgility and we will be posting some additional information here in a few days. Thanks for your feedback!


I ran into a problem with your interpretation of the GDPR. There are some emails for which we don’t need double confirmed opt-in, like professional emails; we only need the double confirm for personal emails. So if the setting “Opt In Settings” = “confirmed opt-in” I can’t send campaigns to my list of professional emails, and if I change the opt-in settings to opt-in I can’t use Send Opt In Email.

Any suggestion?

Was the “additional information” posted?

Oops! No, sorry. Thanks for pointing this out to us. I will try to dig up that text from wherever it was left forgotten and I will come back here soon.

Sorry for the delay guys. The text below was the “lost” response from one of our analysts. Let me know if you have further questions! Thanks for your patience.


Thanks for some of your feedback on the consent features of SuiteCRM. We are still releasing new features that will help organisations comply with the new GDPR regulation, and we do hope to continue to make the lives of our users easier.

Just regarding your question above and consent.

In 7.10 we have changed the email consent-based permissions to an opt-in system rather than an opt-out system. There is also the additional confirmed opt-in feature for those who want to follow this practice. So essentially there are four statuses for e-marketing consent:

Not Opt-In - No consent has ever been given.
Opt-In - Person has provided consent but not confirmed consent. If you are not using Confirmed Opt-In then this is treated as full consent.
Confirmed Opt-In
Opt-Out - A person has previously provided consent and is now withdrawing that consent.

So if I understand correctly, you have legacy data where the permission is opt-in and you are now wanting to move to a confirmed opt-in system?

The CRM does have the feature to search based on Opt-In Status and then Bulk Send the Confirmed Opt-In email for processing. This would allow you to re-establish consent with your user base. So under this mechanism, it is assumed you established consent previously but did not confirm consent, and therefore the Person record has been provided with the primary opt-in (Opt-In) but not the secondary opt-in (Confirmed). Under Confirmed Opt-In settings we are stating you don’t truly have consent until the status is ‘Confirmed Opt-In’. When converting to a Confirmed Opt-In system, SuiteCRM assumes that initial consent was obtained for the legacy Person records you have in the database, as they have not been opted out. To confirm their opt-ins under the new system you would follow the process above. If you do not want to confirm consent with these and want to treat them as no consent, then you can do this using the mass update feature, selecting all records and setting Opt-In to No.

Please note the ‘Opt-In’ field and ‘Opt-Out’ field are only used to determine e-marketing under the lawful basis of ‘Consent’. As stated in the thread, there are other Lawful Bases to send e-marketing records, such as Legitimate Interest. We have introduced fields to capture other Lawful Basis, the Source of the Basis and the Review Date in 7.10.5. We will also be introducing the ability to select the Lawful Basis and justification for Campaigns in future, as well as providing enhanced consent withdrawal features. At the moment there is one field to cover multiple Lawful Basis; however, based on feedback this may be revised to separate fields. If you require this to meet your own GDPR policy in the meantime, then you could add additional fields to cater for the storage of the additional Lawful Basis for each Transaction.

Regarding third-party plugins, these will need to be revised with the vendor.
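To make the four statuses and the two migration routes described in the reply above concrete, here is a small Python model of those rules. It is an added example, not SuiteCRM code: the status and setting names mirror the post, the transition rules are taken from the thread (Opt-In counts as full consent only in opt-in mode; the confirmation email can only go to Opt-In records in confirmed mode), and the sample records are constructed.

```python
from enum import Enum

class Status(Enum):
    NOT_OPT_IN = "Not Opt-In"       # no consent ever given
    OPT_IN = "Opt-In"               # consent given, not confirmed
    CONFIRMED = "Confirmed Opt-In"  # consent confirmed by the person
    OPT_OUT = "Opt-Out"             # earlier consent withdrawn

class Setting(Enum):                # the system-wide "Opt In Settings" value
    OPT_IN = "opt-in"
    CONFIRMED = "confirmed opt-in"

def marketing_allowed(status, setting):
    # Opt-In counts as full consent only in opt-in mode; in confirmed mode
    # only Confirmed Opt-In records may receive campaign email.
    if status is Status.CONFIRMED:
        return True
    return status is Status.OPT_IN and setting is Setting.OPT_IN

def confirmation_email_allowed(status, setting):
    # The "Send Confirmed Opt In" request can only go to Opt-In records while
    # the system is in confirmed mode; Not Opt-In and Opt-Out are never mailed.
    return setting is Setting.CONFIRMED and status is Status.OPT_IN

def switch_to_confirmed(records, treat_legacy_as_no_consent=False):
    # Default: legacy Opt-In records are kept (initial consent assumed, awaiting
    # confirmation). The mass-update route sets Opt-In to No (Not Opt-In),
    # after which those records can no longer be asked to confirm.
    out = dict(records)
    if treat_legacy_as_no_consent:
        for email, status in records.items():
            if status is Status.OPT_IN:
                out[email] = Status.NOT_OPT_IN
    return out

def confirm(status):
    # The person clicked the confirmation link.
    return Status.CONFIRMED if status is Status.OPT_IN else status

def withdraw(status):
    # Unsubscribe: only previously given consent can be withdrawn.
    return Status.OPT_OUT if status in (Status.OPT_IN, Status.CONFIRMED) else status

def summarize(records, setting):
    # (records a campaign may reach, records that can still be asked to confirm)
    return (sum(marketing_allowed(s, setting) for s in records.values()),
            sum(confirmation_email_allowed(s, setting) for s in records.values()))

# Constructed sample: a legacy database built while the setting was opt-in.
LEGACY = {"a@example.com": Status.OPT_IN, "b@example.com": Status.OPT_IN,
          "c@example.com": Status.OPT_OUT, "d@example.com": Status.NOT_OPT_IN}

if __name__ == "__main__":
    for setting in Setting:
        print(setting.value, summarize(LEGACY, setting))  # (2, 0) then (0, 2)
```

Running `switch_to_confirmed(LEGACY, treat_legacy_as_no_consent=True)` and summarizing the result under the confirmed setting gives (0, 0), which is the trap described earlier in the thread: nobody can be mailed, not even the confirmation request.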

Ok, so this is all cool and dandy. What happens if neither my country nor my customer base are affected by GDPR? How do I set all my opt_out = 0 email addresses to fully opted in: yes, cool, happy, I want to receive email?

Please see the Docs for help disabling the feature:

https://docs.suitecrm.com/user/modules/confirmed-opt-in-settings/