GDPR and Mautic

According to EU law, an IP address is private data: https://eur-lex.europa.eu/legal-content/EN-DE/TXT/?uri=CELEX:32016R0679&from=EN

| Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Also, cookies require active consent from the user (German info, but there is also information around online in your language): https://www.wko.at/branchen/information-consulting/werbung-marktkommunikation/eugh-entscheidung-zu-cookies-und-einwilligung.html

As you know, the IP address is sent with every HTTP request. As we cannot send any private data to a 3rd party without consent, we cannot send any request to any website until the user gives his/her consent (we are not allowed to load any 3rd party JavaScript, iframe or image).
If the user accepts the “essential” cookies and does not accept both “marketing” and “statistic” cookies, we are not allowed to load any tracking or advertisement scripts.
This law affects such 3rd-party providers as ÖWA (needed for Austrian media houses), Google Analytics, Google Tag Manager, any ad providers, images from other websites, social embeds, Cookiebot, etc.

Of course “not all” websites are doing 3rd party implementations correctly (to GDPR standards) at the moment, but the GDPR commission can start making strict checks at some point.

Problems:

  1. Fewer ad impressions and fewer page views mean less income for companies.

  2. ÖWA analytics numbers will become irrelevant, because not all page visits are tracked.

  3. The most interesting issue for Mautic: how is it affecting Mautic… some features are “useless”, like tracking, for example… maybe it would be great if a DSGVO/GDPR person could look through Mautic and tell us what should be globally changed to respect the GDPR, etc., and how to implement it by default.

Nice to have: a blog post sometime on what the actual status is in Mautic 3.
P.S. There is this blog post: https://www.mautic.org/blog/marketer/mautic-and-gdpr/ which was also recently updated…

Are there already some thoughts about this?
What do you think about it?

1 Like

Just to add, the recent update was me adding a meta description and excerpt so no content changes were made!

Agree with you that it would be good to have some concrete guidance on this in our documentation!

I have seen quite a few sites using https://opt-out.ferank.eu/en/ which makes use of https://github.com/AmauriC/tarteaucitron.js/ - open source with a paid version available - for the tracking side of things.

I’m sure others will chime in as to how they deal with this within the Mautic instance themselves, although there are some examples given in the post you referred to :slight_smile:

1 Like

Hi Nico,

generally, I believe that Automation (based on tracking and segmentation where possible) will continue to make sense, and Mautic even has real advantages in this context!

Quick thoughts:

  • Consent Management Providers (CMPs) are acting in the front-end (read: on the CMS/website, …), not sure Mautic has a technical role there. Best practices for maximum opt-in success are always a good thing, of course (note that we’re not talking “all or nothing/useless” here, but increasing ratios)
  • just to be exact: Cookie Consent is not GDPR (but ePrivacy, which is currently a moving target, and depends on the country you’re in)
  • Best part: Mautic is NOT 3rd-party, but 1st party just like your web server. Thus we’re in LESS trouble than SaaS-only products like Hubspot, Marketo and the like :slight_smile:

Nonetheless Mautic will become even more GDPR-friendly in the course of 2020, specifically by easier and more complete defaults, as you mentioned. Details to be expected in the next couple of weeks; my guess is: After the release of 3.0.

P.S. …and we should absolutely cover CCPA, too!

4 Likes