When double opt-in is enabled and a new Contact subscribes, they receive an email asking them to confirm their subscription. However, before they have clicked on the confirmation, their contact details are already stored in Dynamics. This doesn't seem to comply with GDPR, as they may change their mind and not confirm the email, yet the Contact record has been created and their data is still being stored.

The Contact record should only really be created in Dynamics after they have clicked on the link in the email to confirm their subscription.

As the status of Paul's idea is still "NEW", I understand that it has not been taken into account by MS in the last 6 months.

I absolutely agree with Paul's idea, which - frankly speaking - is legally mandatory (at least for European countries)!
In general, Microsoft Dynamics 365 Marketing lacks GDPR-compliant out-of-the-box solutions.
(E.g. the same goes for cookie management on Dynamics portal pages - but that is a different story.)

It is inevitable that changes in forms get stored at a contact only after the reconfirmation of the data subject (=contact) took place via DOI mail!

To make it even worse:
We faced the completely unexpected situation (luckily it was during tests) that, if an email address which already exists in the Dynamics database is used in a marketing form, the existing data gets instantly overwritten with the data from the marketing form once the form is submitted!

Thus, the provided DOI implementation seems to me an unacceptable breach of data integrity and GDPR regulations.

To sum it up:
If I understand correctly, as long as this DOI does not work in a legally compliant way, no implementation of Microsoft Dynamics marketing forms can be used even for a plain and simple email registration form (at least without heavy customizing and workarounds)!

