For companies with exclusively EU customers, a GDPR-compliant Opt-in and Opt-out process is a necessity. This article by Customer.io explains perfectly how to set up a Double Opt-in campaign. But in order to...
- make sure users can resubscribe on your website
- be strictly compliant
- be able to gather all necessary information in case of a data access request by a user (Art. 15 GDPR)
you should additionally make sure to…
Let’s get into it:
Remove resubscribers from the Opt-out list
This is actually not related to GDPR or to Double Opt-in, but it is a “must have”. Make sure that the attribute unsubscribed is removed or set to “false” once a user (re)subscribes. Customer.io does not do this automatically!
Send second Double Opt-in email for resubscribers
If a user unsubscribes, make sure that the attribute double_optin (or whatever you named it) is removed or set to “false”. You can simply create a campaign that updates the user’s profile when s:he unsubscribes:
This is important because if you use a segment-based campaign for the Double Opt-in process, a user who resubscribes on your website later would otherwise not receive a second Double Opt-in email (which s:he should, under GDPR).
If you, as mentioned above, also removed the unsubscribed attribute, it is even worse: the user does receive the Double Opt-in email, but will also receive your newsletters without ever clicking the link in it, because the user’s double_optin status was and still is “true”.
Save Registration, Double opt-in and Unsubscribe timestamp
Yes, I am pretty sure all these timestamps can also be found in the events or triggers somewhere in Customer.io, but it is much easier to have them all in one place. You don’t want to start searching when customer service hands you a data access request from a user, do you?
Just to be clear, here is what I mean by these terms:
- Registration timestamp: date and time the user submitted the form
- Double Opt-in timestamp: date and time the user clicked the link in the Double Opt-in email
- Unsubscribe timestamp: date and time the user unsubscribed
For all three timestamps you can simply use the “create or update a person” action in the workflow and set the timestamp with Liquid:
Save consent text the user agreed to
Again, this is useful in case of a data access request, in which you should also state the exact consent the user has given. You can either store a consent text ID, if you have a reference table to look up the exact wording, or simply store the whole text in Customer.io. Make sure to pass the information along with your event or form submission and store it using “create or update a person” (see screenshot above).
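The attribute logic from the sections above (clear unsubscribed on resubscribe, clear double_optin on unsubscribe, record the three timestamps and the consent text), as an added Python model that is not part of the original post and not Customer.io’s own code. The attribute names are the article’s; the function names and the generated timestamps are assumptions, and each function stands in for one “create or update a person” step.

```python
from datetime import datetime, timezone

# Constructed model of the person attributes the article relies on. It is an
# added illustration, not Customer.io code: each function mirrors one
# "create or update a person" step so the resubscribe edge case can be checked.

def _now():
    return datetime.now(timezone.utc).isoformat()

def register(profile, consent_text_id):
    """Form submitted: record registration time and the consent text agreed to."""
    profile["registered_at"] = _now()
    profile["consent_text_id"] = consent_text_id  # needed for Art. 15 requests
    profile["unsubscribed"] = False               # resubscribers leave the opt-out list
    profile.setdefault("double_optin", False)
    return profile

def confirm_double_optin(profile):
    """User clicked the link in the Double Opt-in email."""
    profile["double_optin"] = True
    profile["double_optin_at"] = _now()
    return profile

def unsubscribe(profile, clear_double_optin=True):
    """Opt-out; clear_double_optin=False reproduces the mistake the article warns about."""
    profile["unsubscribed"] = True
    profile["unsubscribed_at"] = _now()
    if clear_double_optin:
        profile["double_optin"] = False           # forces a fresh confirmation later
    return profile

def needs_double_optin_email(profile):
    """Segment condition for the Double Opt-in campaign."""
    return not profile.get("unsubscribed") and not profile.get("double_optin")

def can_receive_newsletter(profile):
    """Segment condition for newsletters: confirmed and not opted out."""
    return bool(profile.get("double_optin")) and not profile.get("unsubscribed")

def resubscribe_scenario(clear_double_optin):
    """Register, confirm, unsubscribe, then register again; return the two segment checks."""
    p = register({}, "consent-v1")
    confirm_double_optin(p)
    unsubscribe(p, clear_double_optin)
    register(p, "consent-v2")                      # resubscribe with the current wording
    return needs_double_optin_email(p), can_receive_newsletter(p)

if __name__ == "__main__":
    print("correct unsubscribe :", resubscribe_scenario(True))   # (True, False)
    print("double_optin kept   :", resubscribe_scenario(False))  # (False, True)
```

With double_optin left untouched at unsubscribe time, the second scenario shows the user back in the newsletter segment with no new confirmation, which is exactly the failure described above.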
In sum, a Double Opt-in and an Opt-out campaign could look something like this:
Hope that helps,
Felix