GDPR Guide

GDPR Guide for Dada Mail

This document explains features and tools built into Dada Mail that may help you and your organization comply with the rules and regulations put forth by the EU's General Data Protection Regulation (GDPR).

If you're running a public mailing list, odds are that you should seriously consider complying with the EU's GDPR. We're not lawyers ourself (and this isn't legal advice). If you do have any questions, consult a legal professional. If you would like a referal to someone we know, please contact us directly.

Whatever you do, don't put off upgrading if you are required to comply with the GDPR!

GDPR Checklist

If you're upgrading your installation of Dada Mail, here are some main points you will definitely want to make sure to do:

Set up Consents

Double Check Your Privacy Policy

Optionally,

Migrate Subscription History

You may also want to migrate any current subscription history data into Dada Mail's new system. v11 of Dada Mail has a plugin/command line script to help you with that.

Do a Re-Confirmation Campaign

If you feel your current subscribers haven't been subscribed in a way that meets the guidelines of the GDPR, you will need to re-subscribe them to a brand new mailing list.

Features we talk about in this doc. made their first appearance in version 11 of Dada Mail (released May, 2018). Again, we absolutely suggest upgrading any version of Dada Mail you may running to version 11 or above.

Consent under GDPR

Points made in this section are taken from the following document:

https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

It's a great read, and if you want to get into the nuances of consent under GDPR, it's a must-read. There's many opinions on the Internet on what exactly constitutes GDPR compliance and we even have our own. Our advice though, is to only take the advice of a knowledgable lawyer if you have questions.

Dada Mail allows you to set up individual points of consent per mailing list that you would like your users to agree to if they would like to subscribe to your mailing list. Each separate item you would like your subscribers to grant consent to will show up as separate items listed as checkboxes the subscription forms users use to add themselves to your mailing list.

In Dada Mail, these points of consent are never prechecked, and are always required. You are not required to have any (but it's probably a really good idea).

Adding/Removing List Consents

You may add/remove these individual consents in the list control panel under,

Mailing List: List Consents

Take your time in crafting these consents, since once you create them, you'll have to abide by them yourself by only using the information you've collected in a way that your subscribers have given their consent to.

Remember: if you add or remove a new consent, current subscribers of your mailing list may not have actually given their explicit consent to these new terms. Dada Mail does not have a mechanism to function if only some of the consents are agreed to, but others are not. At the moment it's all or nothing. Dada Mail also currently does not have a way to ask current subscribers to update their consent if you decide to add a new item to consent to. When someone unsubscribes (removes themselves from the mailing list), it's analogous of them revoking all their consent that has to do with the mailing list subscription.

You can also think of a successful subscription to your mailing list as the final say on if the subscriber has given you consent: if they're subscribed to your mailing list, they've agreed to granting to you every point of consent you've asked from them.

If a user hasn't, they shouldn't be on your mailing list, and they should be removed immediately.

Consent should not be a new concept to anyone that's collecting data from a user. What the GDPR is really doing is formalizing the process of asking for this explicit consent.

Some points from the above doc that are helpful to remember when crafting your individual consents:

Users Revoking Consent

A user wanting to revoke consent is analogous of wanting to be unsubscribed from your mailing list. Once a user unsubscribes to your mailing list, all consent they've granted to you will then be revoked, and those actions will be recorded.

The easiest way for a subscriber to widthdraw consent is by clicking an unsubscribe link in the mass mailing messages you send. Make sure to always have this link available in your mailing list messages (for public mailing lists, Dada Mail will always place an unsubscribe link into your messages). Have additional contact methods available to your subscribers, so it's as easy as possible for them to ask to be unsubscribed. Dada Mail allows you to enter in a physical mailing address, and phone number to facilitate this. Never make it difficult for them to be removed from your mailing list and field requests as soon as you are able to. "The right to withdraw is 'at any time'"

Record of Consent

Dada Mail keeps the record of consent in its database, and will report the history of granting/revoking these consents within the list control panel. Most of this information will be stored in a table called, dada_consent_activity. The following data is recorded:

You may search through this informationt to generate your own reports, and Dada Mail will report this information perl email address, within the list control panel:

Data about the subscriber will then be shown. A button to export this information is also available. Data will be in .csv (comma separated values) format, which you can then open up in a spreadsheet application.

If you have enabled Closed-Loop Opt-In Confirmation (which we highly suggest!), you'll see entries with the Action, cloic sent and, cloic confirmed. "cloic" stands for, you guessed it, Closed-Loop Opt-In Confirmation.

Privacy Policy

Again, the ICO has a great guide on what should be placed in your Privacy Policy:

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/your-privacy-notice-checklist/

A link to the privacy policy set for your mailing list will be shown at the bottom of the mailing list subscription form that Dada Mail creates. It may also be available on the mailing list's individual screen, and in the subscription confirmation + mailing list welcome email messages.

The URL to the privacy policy will always be publicly available.

Never attempt to hide this privacy policy. Always make it easy for your users to view the privacy policy.

Just like consents, the privacy policy for your mailing list will be saved in Dada Mail's database, and tied to each request to subscribe to your mailing list. Privacy policies are also timestamped/versioned, so if you change your privacy policy, you'll know exactly which version of your privacy policy each subscriber has agreed to.

And just like consents, there's currently no mechanism to have subscribers to agree to a new privacy policy if you have updated it, so be thoughtful when you author your mailing list's privacy policy.

Changes to the Dada Mail Application

Subscription Form no longer on default screen

End of an era for sure! Since each of your mailing list may have a different privacy policy and set of consents a user has to agree to grant, it's not possible to have one subscription for that will work for all mailing lists.

A subscription form is available on each mailing list's individual screen, archive screens, and an individual subscriber landing page (used for list invitations)

Multiple List Subscribe extension non-functional for public mailing lists

For the same reason as above, the multiple subscribe form isn't going to work, if you are running multiple mailing lists, with different privacy policies and/or list consents.

Because of that, we absolutely do NOT suggest using this extension at all. You'll have to figure out a different system to allow people to subscribe to more than one mailing list at once.

Migrating Current Users of a Mailing List

If you are strictly following the GDPR, you should consider very seriously if your current mailing list complies with the GDPR and/or if it requires to do so. Our suggestion is that every public mailing list should comply with the GDPR, without exception. Tough pill to swallow, but thems the breaks, as they say.

Migrating Existing Subscription Information

Older versions of Dada Mail did keep a plaintext log of subscription and unsubscription activities of the mailing lists it managed, including when subscription requests were made for Closed-Loop Opt-In confirmed subscriptions. This was done in a file called, dada.txt, which you would find in the, .dada_files/.logs directory.

We've created a tool to import some of that information into Dada Mail's new, explicit consent activity database, to help flesh out history of consent you have made with your subscribers.

The import tool isn't perfect.

If your current mailing list had some sort of history where "confirmed-by-the-user" (via Dada Mail's closed-loop opt-in system) subscriptions was not required, think long and hard about using this tool on your mailing list at all. If there's absolutely no history of consent, there's really no reason to import that non-history and the tool will do nothing but complicate the task of record keeping.

But, if you feel you've covered your bases on what the GDPR requires to have a user be a part of your mailing list, it can be a valuable tool at your disposal. The tool exists as a list control panel plugin, and may need to be enable at the time of an install/upgrade. In the included Dada Mail Installer, look for the plugin named, usage_log_to_consent_activity and check the option next to its name to have it installed along with the rest of Dada Mail.

Once your install/upgrade is finished, you may visit the plugin by logging into a mailing list, and going to, Plugins/Extensions: usage_log_to_consent_activity. This plugin does allow you to tag records it finds in the previous database with any current consents you've set for your mailing list, as well as the current privacy policy. If any of these items were used when all your subscriptions were made, you then have the option to do this.

Don't mis-tag your mailing list subscribers with this information, if they did not give you this consent!. The purpose of this plugin is only to import already-existing data, not to retroactively "fix" missing data!

Consult an expert on the GDPR if you have any questions.

Command Line Interface

If you're mailing list was very active and/or has been active for a very long time, this plugin may very time out on you, when run via a web browser. To help with this problem, this plugin also has a command line interface, and it is the prefered interface to use it:

Connect to the server you have Dada Mail installed, and change into the "plugins" directory, where you'll find this plugin (usage_log_to_consent_activity) You may have to change it's permissions to run:

    chmod 755 usage_log_to_consent_activity

The command takes three arguments:

Here's how you use all those arguments at once, with two consents:

        ./usage_log_to_consent_activity --list yourlist --consent 1 --consent 2 --privacy_policy

"Mailing List" menu moved to the left between, "Mass Mailing", and "Membership"

Basically, "Membership" and, "Mailing List" have switched places.

New screen in the List Control Panel, "Privacy Policy"

We've done this to highlight just how important setting up the Privacy Policy is, and also to allow administrators to disable this screen when a user logs into the list control panel with the List Password. That will allow the main administrator of the Dada Mail install (whoever can log in with the Dada Mail Root Password) to set up the Privacy Policy for each list and make sure it does not get changed, if they so desire.

Privacy Policy always available in its own screen

We've set up Dada Mail now to always have the Privacy Policy for your mailing list available, alone, in its own screen.

A link to this privacy policy is placed on the bottom of your subscription form.

New screen in the List Control Panel, "List Consents"

This screen will allow you to set up the various List Consents for your mailing list. Every mailing list has their own set of List Consents. List Consents can NOT be edited, as the history of what a consent was used at a particular date and time is important in record keeping.

They may be deleted, but it's highly advised to NOT do this (unless you're setting things up, and moving things around), as there's not (yet) a mechanism in Dada Mail to ask for a change of consent from your subscribers.

New screen, "subscribe_landing"

This screen is public, and is what a recipient of an invitation message will be directed to, after they click the button in the invitation message itself. This screen simply has a subscription form for your mailing list, for a user to fill out. You may also simply link to this screen for any other user to subscribe to your mailing list.

Options to Track message analytics with data of subscriber (their email address) has been disabled.

Tracking mass mailing analytics tied to the email address of your subscriber is what we feel something that you would need to get explicit consent from your subscribers to do, if you are strictly following the GDPR. And if so, that would be something you would need to create a list consent for. For new mailing lists, we've disabled that feature. But, it may need to be toggled for previous mailing lists.

If this feature is enabled, a warning will be displayed in the, Mailing List: List Consents screen to remind you about this issue.

You may enable/disable this feature from within: Plugins/Extensions: Tracker:

Check the option labeled, Track with email addresses, under, Preferences to enable. Uncheck to disable.

IP Addresses logged are now anonymized

Most IP Addresses logged by Dada Mail also include a timestamp, which can be enough information to be "personal". Because of that, IP Addresses are anonymized. This may make things like geo ip mapped data by less exact as before. There's no way (yet) to enable/disable this anonymizing, but you may see the code that does the anonymizing in, DADA::App::Guts, look for the subroutine named, anonymize_ip

"Skip subscription confirmation if the subscriber already has a Dada Mail Profile" option removed

List Invitations

List invitations are a pretty weird grey area when it comes to GPPR and mailing lists. If you're confused yourself, don't use them if you have a mailing list that closely follows the GDPR. We've made quite a number of changes to list invitations in Dada Mail, to make it easier to navigate these waters.

Before the GDPR takes affect though, it could be a useful tool to utilizse to re-confirm subscribers from an old mailing list to a new mailing list that has list consent and privacy policy set up correctly.

Profile Fields not saved when list invitation sent

In previous versions of Dada Mail, Dada Mail would save any profile fields you submitted within Dada Mail's list control panel during a list invitation. We're disabling this functionality, since it again goes against the GDPR's requirement to ask for consent before collecting and saving personal information.

Custom Invite Message

List Invitations can now be sent with a custom message, to help give context of where this invitation is coming from. For example, "hey, we met at that conference", or, "we're re-confirming our subscribers to closely follow the GDPR", etc

Subscription confirmation button replaced with button to subscription form

Dada Mail's invitation message had a button that, when clicked, would automatically subscribe an address to a mailing list. The way we're reading the GDPR, this is really not allowed (no explicit consent), so unfortunetely we replaced this button with a different button that takes you to a subscription form where the user can fill out the form, and explicitly agree to the consent you are asking for.

Dada Mail Profiles

Magic Subscription Forms: Removed

"Magic Subscription Forms" would fill in a logged in user (using their Dada Mail Profile) with their email address. We've removed this feature to simplify things, and to closely follow the "no pre-filled in" points of consent of the GDPR.

Complying to the GDPR by reconfirming your mailing list.

Reconfirming your mailing list may be the most secure and straightforward way to be in the clear with GDPR compliance, but you only have until May 27th, 2018 to do so! The rub is that many people on your mailing list may not re-confirm to your new mailing list. It's another tough pill to swallow, but think of it as a MAJOR Spring cleaning. You'll know that the subscribers on this new mailing list are your most engaged audience members!

Here are the steps you'll need to reconfirm your mailing list subscribers using Dada Mail:

Upgrade to Dada Mail 11

Previous versions of Dada Mail will lack the tools to help you be GDPR compliant

Export your current mailing list

Log into your list control panel into the mailing list you want to work with.

Go to: Membership: View

At the bottom of the screen click the button labeled, Export Subscribers (.csv).

The only option you will need checked is, Email Address.

Profile Fields won't be added during an invite, so you won't need that checked.

All your really want is the email address.

Delete your current mailing list

Parting is such sweet sorrow, but it's time to say goodbye. In your list control panel, go to: Mailing List: Delete This Mailing List, to delete your mailing list. Remember: this deletion will be permanent.

If this step seems too drastic, instead of deleting the mailing list, Change the type of mailing list from public to private, make it hidden, and close it to future subscriptions.

All these things can be set in the list control panel under, Mailing List: Options. Once you've set up your new mailing list, don't forget to delete your old mailing list!

Create a new mailing list

Once you've deleted your mailing list, revist the administration screen and click the tab labeled, Create. Fill in your Dada Mail Root Pass, and fill out the form to create a new mailing list. For completeness, make sure to use a different list short name than before, so you make sure any lingering subscription forms out there won't somehow work with your new mailing list.

Remember to set up a Privacy Policy and the List Consents that you would like your users to agree in giving you. Only one consent can be set up during mailing list creation, so if you need more, do so afterwards (via the Mailing List: List Consents screen).

Get these parts right!

Invite Your Previous Subscribers

Once logged in your new mailing list, go to, Membership: Invite/Subscribe/Add

Under Upload Your Addresses, select the .csv file you just exported, and click, Verify Addresses...

Once the screen refreshes, and shows all the addresses that have past the verification process, click the button labeled, Send Invitation...

Once the screen refreshes, you have the option to add a note to your mailing list invitation. Here's your chance to explain to your subscribers what you're doing asking for them to reconfirm. Make the message a good one! (and perhaps apologize for the hassle).

Click, Send: Invitations, and you're done!

Recipients of your mailing list invitation will get your message, along with a button that, when clicked, will bring them to a URL that they can fill out the subscription form that has the necessary checkboxes for you to ask for consent needed to be a member of your mailing list!


Dada Mail Project

Download

Installation

Support