GDPR & CASL Compliance


Overview

Groundhogg gives you the tools to stay compliant with major privacy laws like the General Data Protection Regulation (GDPR) and Canada’s Anti-Spam Legislation (CASL). These laws require businesses to obtain valid consent, honor unsubscribe requests, and manage contact data responsibly.

This guide outlines key steps you can take using Groundhogg to stay compliant.

Since Groundhogg is self-hosted, you can always host your data in your own country, which simplifies GDPR compliance. You also don’t have to disclose Groundhogg as a third-party data processor, because Groundhogg does not process your contacts’ data outside of your WordPress site.

Enabling GDPR Features

If your business is subject to GDPR, you are required to collect and store explicit consent from contacts before sending marketing emails.

Groundhogg includes several built-in GDPR features that make compliance easy! To enable them, go to Groundhogg » Settings » Compliance and toggle the option Enable GDPR Features.

You can also enable the next setting underneath Enable GDPR Features, called DO NOT SEND EMAIL WITHOUT CONSENT, which prevents any email from being sent to contacts who have not provided both explicit marketing consent and data processing consent.

When GDPR features are enabled, the following become available automatically:

  • GDPR checkboxes for your web forms, with the consent recorded in the contact record. Groundhogg tracks marketing consent and data processing consent separately, because a contact can give data processing consent without giving marketing consent.
  • Additional functionality in the preferences center, where contacts can manage their consent and their data without admin intervention. Contacts can update both their marketing and their data processing consent from the preferences center.

Download Profile

Contacts can request to download their profile. Groundhogg will send an email to the contact with known information from standard fields, custom fields, and recent activity.

Erase Profile

Contacts can erase their Groundhogg profile, which deletes the information listed below and nothing else.

What will be erased?

  • Profile details.
  • Marketing history.
  • Tracking data associated with the contact.

What will NOT be erased?

  • Related user account.
  • Tracking data and historical details associated with that user account.
  • Associated purchase history and orders.
  • Legal documents associated with the contact.

Use Double Opt-In

Double opt-in is a verification step that confirms consent before any marketing emails are sent. This is strongly recommended for GDPR and considered a best practice under CASL.

Groundhogg uses the Opt-in Status field to track explicit consent with double opt-in.

  • Confirmed – the contact provided explicit consent by clicking the double opt-in confirmation link
  • Unconfirmed – the contact has not (yet) confirmed via double opt-in

Groundhogg allows you to set up your double opt-in email within your flows as desired, unlike other CRMs that might send a generic double opt-in message. It’s up to you to ensure you are collecting consent in an ethical manner. Use the {confirmation_link} replacement code in your emails to merge in a double opt-in confirmation link.

📄 Learn how to create a double opt-in sequence with Groundhogg →

Requiring double opt-in confirmation

You can choose to require double opt-in confirmation for marketing emails by enabling the Only send to confirmed emails setting in Groundhogg » Settings » Compliance. When this option is enabled, only confirmed contacts will receive marketing emails. Transactional emails will not be affected.

You can also configure a “grace period” with the Email confirmation grace period setting. With it, unconfirmed contacts still receive marketing emails for the configured number of days after the date they subscribe. Contacts who do not confirm within the grace period stop receiving marketing emails.
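The three settings above combine into a single send-eligibility decision per email. The following is an added example, written for this page and not Groundhogg’s own code, that models the behaviour described in this guide: the consent gate applies to every email, the confirmation gate and its grace period apply to marketing email only, and transactional email is otherwise unaffected. The Contact and ComplianceSettings classes, the field names, and the exact grace-period boundary (days 0 to grace_days-1 after subscribing) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Contact:
    """Constructed stand-in for the contact-record fields this page describes."""
    opt_in_confirmed: bool      # Opt-in Status: Confirmed (True) or Unconfirmed (False)
    marketing_consent: bool     # GDPR marketing consent
    processing_consent: bool    # GDPR data processing consent
    subscribed_on: date         # date the contact subscribed; drives the grace period


@dataclass
class ComplianceSettings:
    """Paraphrase of the settings under Groundhogg » Settings » Compliance (assumed names)."""
    require_consent: bool = False   # "Do not send email without consent"
    only_confirmed: bool = False    # "Only send to confirmed emails"
    grace_days: int = 0             # "Email confirmation grace period", in days


def may_send(contact: Contact, settings: ComplianceSettings,
             transactional: bool, today: date) -> tuple[bool, str]:
    """Return (allowed, reason) for sending one email to this contact today.

    Rule order follows the page: consent is checked for any email, then
    transactional mail is exempted, then marketing mail must be confirmed
    unless the contact is still inside the grace period.
    """
    # 1. Consent gate: when enabled it blocks every email, transactional included,
    #    unless BOTH marketing and data processing consent were given.
    if settings.require_consent and not (contact.marketing_consent
                                         and contact.processing_consent):
        return False, "no explicit marketing + data processing consent"

    # 2. Transactional email is not subject to the confirmation requirement.
    if transactional:
        return True, "transactional"

    # 3. Confirmation gate for marketing email, with grace period.
    if settings.only_confirmed and not contact.opt_in_confirmed:
        elapsed = (today - contact.subscribed_on).days
        # Assumption: the grace window covers days 0 .. grace_days-1 after subscribing.
        if 0 <= elapsed < settings.grace_days:
            return True, f"unconfirmed, within grace period (day {elapsed} of {settings.grace_days})"
        return False, "unconfirmed and outside grace period"

    return True, ("confirmed" if contact.opt_in_confirmed else "confirmation not required")


if __name__ == "__main__":
    # Constructed sample: strict settings, a subscriber who never confirmed.
    strict = ComplianceSettings(require_consent=True, only_confirmed=True, grace_days=7)
    fresh = Contact(False, True, True, date(2024, 1, 1))
    for day in (date(2024, 1, 5), date(2024, 1, 8)):
        print(day, "marketing:", may_send(fresh, strict, False, day))
        print(day, "transactional:", may_send(fresh, strict, True, day))
```

Walking a contact through the function with a few dates is a quick way to check that a chosen grace period behaves the way you expect before enabling the setting on a live list; with the sample above, marketing mail is allowed on 5 January and blocked on 8 January, while transactional mail goes out on both.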

FAQs

Q: Is Groundhogg GDPR/CASL compliant out of the box?
A: Groundhogg gives you the tools to be compliant, but how you use those tools determines compliance. You’re responsible for ensuring your usage meets the legal requirements in your region.

Q: Do I need double opt-in for CASL?
A: It’s not legally required, but highly recommended. CASL requires proof of consent, and double opt-in provides a clear paper trail.

Q: How can I document consent?
A: Groundhogg has built-in fields to track GDPR consent, and uses the opt-in status field to track double opt-in. Groundhogg also logs form submissions and email confirmations in the contact’s timeline.

Q: Can I customize the unsubscribe link?
A: You can’t remove it for marketing emails, but you can change the surrounding text using a translation plugin. Transactional emails do not include an unsubscribe link.
