Best Practices for GDPR Compliance for Web Push Notifications from PushEngage
GDPR or General Data Protection Regulation is new legislation from the European Commission to enhance the protection of personal data and the rights of EU residents. They have outlined the requirements to be followed in order to be GDPR compliant.
GDPR lays down the rules on the processing of user data. The new regulation protects the fundamental right of user’s freedom and lays down the strict rule on protecting user data. The rule is applicable to every business which – offers goods and services to individuals in EU or monitors the behavior of individuals within EU. As an individual staying in EU, all your personal data can be processed only for authorized purposes with minimum identity exposure.
At PushEngage we always keep data integrity, the privacy of the user, and data security as the topmost priority. We at PushEngage are committed to make our product fully complaint to GDPR. Simultaneously we have launched several features for both website owners who are sending browser push notifications and push subscribers for GDPR.
Even if your site does not need to comply with GDPR, we find some of these features helping you offer more control to your customers, and they would be confident that you will respect their choices.
Here are the best practices for you as a website owner to enable our GDPR features on your website, so you can be compliant and your customers are happy with your site. We wrote in detail about how to configure unsubscription option for web push notifications, and offer a granular level of unsubscription to your subscribers.
Here are the details of the GDPR Rights Based Features
For Your Subscribers –
- The right to be informed – The user is informed and has to provide consent before website owner can gather their subscription. As per GDPR, before sending any marketing notifications, you have to take user consent. The user has to click on ALLOW and complete the subscription-only then he will be sent notifications. Technically it is not possible to gather the web push subscriber id, without them clicking on Allow to receive notifications. Below is an example of GDPR marketing consent opt-in.
We also allow you to add your custom legal language or extra opt-in language where you could share the type of messages you would be sending them through web push. This way your subscribers are fully informed of the kind of notifications they are opting into.
- The right of access – We do not store any personal data that can identify a subscriber individually at the time of web push subscription. We only collect the geolocation that is country, state, and the city at the time of subscription. But if you want you can disable it by navigating to Settings > Privacy settings. From there you can enable or disable the geolocation.
- The right of rectification, The right to erasure, The right to restrict processing of data – to fulfill these rights we have Unsubscribe Feature. It appears in for of a button or bell that a user can use to unsubscribe from the notification in just one click. Now, it’s your choice whether you wish to show the unsubscription widget on all the pages or the customized one.
- The right to object automated profiling – With PushEngage, subscribers have the right to opt out of the notifications received through auto-responders and trigger notifications. This works same as Unsubscription Widget where the user is provided with unsubscribe widget and gets an option to unsubscribe to the notification or to Opt Out of Automated Profiling. To enable these settings, navigate to Settings > Subscriber management and enable Automated Personal Notification. Once the settings are enabled subscriber will get the same opt-in on the unsubscription opt-in.
Your rights as a website owner –
- The right to be informed – Website owners are always informed before storing their data, as explicit consent is there on the registration page. This screen or a version of this screen appears at the time when you register for the services. Also, once your account is created we do ask again “Are you European Union Customer, or serve European Union Subjects? ” As it would help us to personalize your dashboard with GDPR features.
- The right of access – This means that all personal data is accessible and can be downloaded through the dashboard. To download it, navigate to Settings > General Settings and you can download your Personal Data.
- The right of rectification – Being the website owner you can edit all their personal data like Password, First and Last Name, Address, Zip Code, Phone Number through your PushEnagge dashboard. To do so you would need to navigate to Settings > General Settings and there you get this screen Once you make the changes you can click on Update Profile. But in case of sensitive data like email, you can raise a ticket by sending an email at firstname.lastname@example.org using your registered email id and mention the changes. Once the ticket is raised we will make the changes accordingly and will update you.
- The right to erasure – You can now delete your account yourself from your PushEngage Dashboard. To do so navigate to Settings >Privacy Settings and then click on “Delete Account”. Your account will then be deleted.
- The right to data portability – We are a believer in Transparency, at PushEngage. We wrote an article about how to achieve full vendor portability with Web Push Notifications. For Push Notification to work, it needs a GCM/FCM key. In order for you to export your subscribers successfully, you will need to configure PushEngage (or for that matter any provider) with your own Firebase Cloud Messaging Sender Id. At the same time, you would also need your Safari Web Push Certificate for complete subscriber portability. These settings should be done while configuring your account.
- We strongly recommend setting up your own FCM Settings/Key and your own safari certificate, to ensure subscribers are portable. For HTTP sites we encourage custom subdomain setup as well. When any of these changes are not done, we show a warning in your account.
We provide you a subscriber export list by raising a ticket regarding the same by sending ann email to email@example.com using your registered email id.
- The right to object automated profiling – We do not do any automated profiling with the data collected from website owners.
- The right to restrict processing of data – If you wish to disable your account for a while you can let us know. In this case, we would mark your account as inactive and whenever you wish to use the services again the account will be enabled. If not, you can raise a ticket using your registered email id to delete your account.
We would like to reiterate that at PushEngage, we keep data integrity, the privacy of the user, and data security as the highest priority. If you are looking for push notification service, then join PushEngage now. We have made most of the changes needed to be compliant with GDPR policy and will be finishing up the remaining before 25th May. Keep using PushEngage for all your push notification marketing and grow your business. If you have any query, please contact us at firstname.lastname@example.org. We would be happy to clarify any concern you have related to GDPR.