Pardot Marketing Data Sharing Rules: Prevent Duplicates in Salesforce

You’re a responsible marketer and adhere to the Salesforce Marketing Cloud Account Engagement (Pardot) Permission-Based Marketing Policy. You’ve enabled Marketing Data Sharing (MDS) rules to ensure that prospects who have not opted-in are not syncing to Pardot. Now you get a call from your Salesforce Admin about Pardot creating duplicates in Salesforce.

In this post, we’ll discuss how you can remain compliant AND prevent unintentional dupes in Salesforce.

Let’s start at the beginning

Most sales organizations use tools like Clearbit, Lusha, or ZoomInfo to research companies, find new contacts, review intent data, or enhance data.

These are perfectly valid use cases and can be very beneficial to organizations. However, the problems start when marketing begins emailing these records through Pardot.

What’s the problem? The email addresses are valid.

Salesforce has a Marketing Cloud Account Engagement Permission-Based Marketing Policy that strictly prohibits the sending of emails to customers or prospects who have not expressly opted-in to receive them.

Our customers certify that they will not use rented, traded, or purchased lists, email append lists, or any list that contains email addresses captured in any method other than express, customer-specific opt-in when using our system to send emails.

Sending emails to acquired records is a clear violation of the permission-based marketing policy and can result in the suspension or termination of your account. I’d hate to be the person responsible for that!

What’s a marketer to do?

Verify your connector preferences

The first thing is to understand your connector settings in Pardot. Most accounts will be configured to automatically create prospects in Pardot if they are created as a Lead or Contact in Salesforce. This means that ANY lead or contact created in Salesforce from ANY source is going to end up in Pardot and could unknowingly be emailed by your marketing team.

Limit record entry with Marketing Data Sharing Rules

MDS is the safest way to make sure that data does not enter Pardot (Here’s a great post on MDS if you have questions – Pardot Marketing Data Sharing: Tips, Gotchas, and Setup). You can restrict which leads, contacts, opportunities, or custom objects sync to Pardot. The intent of MDS is to control the data that can be seen by the Pardot connector. The issue is that MDS does this job a little too well and this can result in duplicate leads being created in Salesforce.

MDS and duplicate records records

Hold up a minute! Are you telling me that by doing the right thing, I could actually create duplicates in my Salesforce org? Yep.

Here’s the rub. Before creating a lead or contact in Salesforce, Pardot undergoes a series of checks to see if the prospect is in Salesforce already. The intent is to identify matching records and not create duplicates. Since MDS limits the visibility of the connector, Pardot is not able to find prospects who might be in SFDC from a source deemed “not marketable” if they visit your site and complete a Pardot form (for example).

For reference here are the checks performed by Pardot before creating a lead or contact in Salesforce.

  • Is there a lead or contact with a matching CRM ID?
  • Is there a contact with the same email address?
  • Is there a lead with the same email address?
  • Is the prospect assigned to a user in Pardot?

Here’s how we addressed this issue for one of my clients

Don’t activate MDS

It’s important that MDS is not activated in this solution. We want the prospects to sync from Salesforce to Pardot. We’re going to use custom fields and automation rules to make sure that we remain compliant and don’t create duplicates in Salesforce.

Create custom fields

The first step involves creating several custom fields in Salesforce and Pardot. We created first touch and last touch fields to capture the needed information on leads and contacts. In this case, we used Lead Source Detail and Lead Source Detail Most Recent.

  • Lead Source Detail – This is a FIRST TOUCH field that identifies the specifics of where the lead originated (ex. ZoomInfo).
  • Lead Source Detail Most Recent – This is a LAST TOUCH field that identifies the specifics of the most recent source that drove the prospect to your site (ex. LinkedIn).

Map data to your custom fields

We’re going to stick with the ZoomInfo example here since I see this product used in a lot of organizations. When setting up your CRM Integration in ZoomInfo, you have the ability to map fields to for your Account, Contact, and Lead Objects.

In this case, we mapped Lead Source (standard field) and the two custom fields that we created. We also set fixed values for each.

Based on this configuration, any new records added from ZoomInfo into Salesforce will have the fixed values specified. This is super important.

Automation Rules

Remember the Pardot prospect mailability upgrade that took place with the Winter ‘22 release? We’re going to take advantage of it to make sure that we comply with the Marketing Cloud Account Engagement Permission-Based Marketing Policy. Don’t remember the changes? No problem – check out this post “Are You Ready for the Pardot Prospect Mailability Upgrade?” from Erin Duncan.

Automation Rule #1 – Set Do Not Email to TRUE

This automation rule will look for prospects in Pardot where Lead Source Detail and Lead Source Detail Most Recent equal “zoominfo”. This lets us know that the prospect was added into Salesforce from ZoomInfo, synced to Pardot, and that the person did not opt-in. As a result, we’ll mark the record as “Do Not Email.”

Automation Rule #2 – Set Do Not Email to FALSE

This automation rule will look for prospects in Pardot where Lead Source Detail is “zoominfo” and Lead Source Detail Most Recent is NOT “zoominfo.” This will show us that the person interacted with our marketing and is eligible to be emailed. It goes without saying that we only want to “activate” prospects who have given permission for us to email them. The Lead Source Detail Most recent field can be updated using completion actions or UTM parameters from URLs (that’s another post).

The short and sweet summary

This solution allows records added into Salesforce (that have not opted-in) to sync to Pardot. Automation rules in Pardot update the “Do Not Email” field based on Pardot interactions and opt-in status. This ensures that prospects who did not previously opt-in are updated correctly when they do opt-in and that no duplicates are created in Salesforce.

Let’s play by the rules AND not create duplicate records

Based on how your organization uses tools like Clearbit, Lusha, or ZoomInfo and the volume of records added to your Salesforce org, MDS might be the best solution for you. However, if a high volume of records are being added into Salesforce, I would recommend that you give this solution some consideration. The chances of duplicates being created in your system grows exponentially based on the number of records being added from external sources.

If you have any questions about this solution, MDS, or anything related to Marketing Cloud Account Engagement or Marketing Cloud Engagement, contact us with your questions.

Original article: Pardot Marketing Data Sharing Rules: Prevent Duplicates in Salesforce

©2022 The Spot. All Rights Reserved.

The post Pardot Marketing Data Sharing Rules: Prevent Duplicates in Salesforce appeared first on The Spot.

By |2022-11-30T20:39:21+00:00November 30th, 2022|Categories: Data Management, Privacy & Compliance, Pro Tips, revive|

7 Marketing Cloud Security Tips for a Hybrid Work Environment

You can keep your free snacks and ping pong tables. If we’ve learned one thing from the pandemic, it would be that employees really want the ability to work remotely — at least part of the time. While organizations have become more accepting of this new reality, IT departments are facing security challenges.  

In this post, we’re looking at Salesforce Marketing Cloud security best practices for hybrid and remote work environments. We’ll review some of the security settings in Marketing Cloud that will allow your remote employees to work safely and take some of the stress off of your IT team.

Marketing Cloud security for remote and hybrid work models

Since the onset of the pandemic, the number of remote workers has grown exponentially and the hybrid work model is becoming the new norm. A 2021 Mckinsey & Company survey found that 52% of workers prefer a more flexible working model moving forward. And listening to those wishes is helping many employers to avoid the effects of the Great Resignation at their companies.

Luckily, Marketing Cloud is built with security in mind and it can be configured to allow your employees to work securely — wherever they may be. 

Let’s take a look at some ways you can protect your data in addition to using multi-factor authentication (MFA).

Security Tip #1: Limit the Data in Salesforce Marketing Cloud

Salesforce Marketing Cloud is not a data warehouse. So don’t treat it like one. 

When bringing data into SFMC, ask yourself how it will be used for segmentation. If data will not be used for segmentation, don’t import or sync it over. Data like credit card numbers should NEVER be stored in Marketing Cloud.

Special attention also needs to be applied when handling Personally Identifiable Information (PII). The Department of Homeland Security defines PII as:

As any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.

Linked PII is information that can be used by itself to identify an individual (ex. Social Security number) and linkable PII is information that can be used in combination with other information to identify an individual. Depending on the type of data in your account and the industries you serve, additional security measures like data at rest encryption, field level encryption and tokenized sending might be necessary.

Security Tip #2: Control Access with Marketing Cloud Business Units

Even before creating users, I like to see how organizations are structured. If your organization operates in several regions, all users might not need access to all the data. The best way to secure data is to not grant access to it in the first place!

This is where business units come in. Business units in Marketing Cloud allow you to control access to information by creating a hierarchical structure. They also allow you to control branding elements including email display name, email reply address, and physical mailing address at the business unit level. You can even control the settings to allow unsubscribe at the business unit level or the enterprise.

Business units don’t have to be limited to geography. Your hierarchy can be built based on your unique needs. Building a hierarchy based on products is a great use case.

Note: Business Units are available in Enterprise and Enterprise 2.0 accounts.


Security Tip #3: Provide Users with the Correct Access Based on Need

Now that we’ve established our hierarchy and determined where users should be included, the next question is access level. Let’s start by talking about the differences between roles and permissions.

  • Permissions are micro-level security.
  • Roles are macro-level security.
    • They are a collection of permissions.

Permissions in Marketing Cloud are very granular. For this reason, the good folks at Salesforce have included default roles within Marketing Cloud based on common needs/scenarios (similar concept to the default user roles in Pardot). These are divided into Marketing Cloud and Email Studio Roles. I would highly recommend using these roles and limiting the creation of custom roles.

Marketing Cloud Role Description
Marketing Cloud Administrator This role assigns Marketing Cloud roles to users and manages channels, apps, and tools.
Marketing Cloud Viewer This role views cross-channel marketing activity results in Marketing Cloud.
Marketing Cloud Channel Manager This role creates and executes cross-channel interactive marketing campaigns and administers specific channels like Email Studio.
Marketing Cloud Security Administrator This role maintains security settings and manages user activity and alerts.
Marketing Cloud Content Editor/Publisher This role creates and delivers messages through applicable channel apps.
Email Studio Role Description
Administrator Access to all Email Studio functions including Setup, email creating, and creating data extensions.
Content Creator Access to all content, shared folders, and tracking in Email Studio, but no access to data or administrative features.
Data Manager Access to everything in Email Studio except email content
Analyst Access to tracking features in Email Studio.

Marketing Cloud Roles and Permissions

When assigning roles to users, you should always start with the lowest level that permits the individual to do their job. I’m always amazed when I log into an account for the first time and see all users have the Marketing Cloud Administrator and Administrator roles assigned. There’s simply no reason for this. I generally like to have two admins in an organization. It’s always good to have a backup in the event of an emergency!

It’s also worth noting that SFMC defaults to the most restrictive value when multiple roles are assigned to a user. For example, if a user was assigned the Content Creator, Marketing Cloud Channel Manager, and the Marketing Cloud Viewer roles, they would not be able to send an email. This is due to the fact that the Marketing Cloud Viewer is the most restrictive of the three roles and does not permit email sending.

It’s very possible that the same user will have access to multiple business units, but perform different functions in each. That’s perfectly fine and SFMC has you covered. Roles can be assigned at the business unit level so the same user could have admin access in one and view only in another. This is very handy and should be utilized if users don’t need full access to all the BUs that they are part of.

Security Tip #4: Follow Login and Password Best Practices

Marketing Cloud allows admins to set security policies very easily within the Security Setting under setup. However, I’m really surprised by how often I see accounts where the standard Salesforce recommendations are not followed. Take a minute to audit your account to ensure that they comply with the recommended account settings from Salesforce included below.

Field Recommended Setting
Session Timeout 20 minutes
Login Expires After Inactivity 90 days or less
Invalid Logins Before Lockout 3
Count Invalid Logins Across Sessions Yes
Minimum Username Length 8 characters
Minimum Password Length 8 characters or more
Enforce Password History 8 passwords remembered
User Passwords Expire In 90 days
Send Password Change Confirmation Email Enable
Enable Audit Logging Data Collection Enable

Security Tip #5: Limit Logins by IP Address

The Restrict Logins by IP Address (IP Allowlisting) setting allows you to define a list of IP addresses that can access your account.

This feature is optional and is set to Off by default, but can quickly be activated under Setup > Security Setting > Username and Logins. When activating, you’ll have the option to log non-allowed IP addresses and permit access or log non-allowed IP addresses and block access. Don’t forget to add IP addresses to your allowlist under Setup > Security > Login IP Allowlist if you choose to use this feature. 


Security Tip #6: Limit Exports

Ask yourself this simple question…

Does this user need to extract data from SFMC to do their job?

If the answer is “no,” then don’t allow them to export. It’s that easy!

Data extracts are a security risk that I see in most accounts. While data in the hands of a user can be risky, the real concern is data sitting on a computer that is not properly secured. Once the data leaves SFMC, all bets are off. This is a huge risk with remote workers. Let’s mitigate this risk by limiting exports.

Data can be exported from SFMC using Data Extract activities in Automation Studio, from tracking in Email Studio, and from reports in Analytics Studio. While some reports can be viewed onscreen or downloaded as PDFs, email and file transfer locations are the primary ways that data is exported. 

Email Export 

Your data is sent from SFMC via email. This is pretty scary, but can be controlled with Export Email Allowlists. The email allowlist includes individual email addresses or domains that are authorized to receive email exports from your account.

Export Email Allowlists must be activated in your SFMC account by first selecting the Enforce Export Allowlist in Security Setting. You will then need to specify the individual email addresses and domains that are authorized to receive email exports within your Export Email Allowlist (Setup > Security > Export Email Allowlist).

File Transfer Locations 

Marketing Cloud also makes use of file transfer locations to import and export data. The most common location is the Enhanced FTP Account, but you can also add additional locations under Setup > Administration > Data Management > File Locations.

To access data from the Enhanced FTP Site, users must login. Access to the data can be controlled by limiting users and not sharing login credentials. Marketing Cloud allows up to 10 FTP users per MID, allocate them wisely! Users can be granted Read Only or Full access.

Security Tip #7: Automate and Review Audit Trails

Audit Trails in Marketing Cloud can be used to track account access and activity. Reports can be automated through Automation Studio or through REST API extracts.

Before audit trails can be exported, the following actions must be taken to enable them in your account.

  • Enable Audit Trail Data Collection under Setup > Security > Security Settings
  • Assign the Marketing Cloud Security Administrator role to the user who will be extracting the data

Once these requirements are met, automations can be created in Automation Studio to extract the access and activity logs. Salesforce recommends that audit trail data be retrieved periodically based on a rolling window.

There are a couple of things to keep in mind when creating your automations.

  • You must create a Data Extract activity and select the desired extract type (Audit Trail Access Log or Audit Trail Activity Log).
  • Data is extracted to the Marketing Cloud Safehouse, so a File Transfer activity is needed to securely transfer files to the FTP location of your choice.

The automation is pretty simple and will look like this when complete.

The Basic Audit Trails are a great place to start. They are included in your account and have a 30-day retention period. Advanced Audit Trails, which can be purchased for an additional fee, extend the retention period to 60-days and include additional data related to Email Studio, CloudPages, MobileConnect, and more. Learn more about Basic and Advanced Audit Trails. 

Take Action to Secure your Marketing Cloud account

This post includes some recommendations to help secure your Marketing Cloud account with the rise in remote workers. However, it is not inclusive of all the security capabilities of SFMC. 

For more information, check out the following Trailhead modules or post your questions in the comments section. We’re here to help you succeed with Marketing Cloud! You can contact us with any questions.

Original article: 7 Marketing Cloud Security Tips for a Hybrid Work Environment

©2022 The Spot. All Rights Reserved.

The post 7 Marketing Cloud Security Tips for a Hybrid Work Environment appeared first on The Spot.

By |2022-06-28T20:44:08+00:00June 28th, 2022|Categories: Data Management, Privacy & Compliance, Pro Tips, revive, Strategy|

GDPR and Google Analytics Updates in 2022

We marketers have pivoted our strategies to comply with GDPR in the past, but a recent court ruling may have us scrambling to change the way we use Google Analytics with European website users.

In a groundbreaking court case, the Austrian Data Protection Authority decided that the use of Google Analytics is currently violating the GDPR. The primary reason Google Analytics is violating GDPR involves personal data privacy.

As a result, it’s time for marketers to wake up and pay closer attention to how they track and report on visitor data coming from European Union (EU) countries. 

What is GDPR?

The thing we’re talking about here is the General Data Protection Regulation (GDPR).  It’s a law passed by the EU in May 2017 that creates standards for organizations that market to, track, or handle personal data from EU residents.

GDPR applies to you if you’re doing business or marketing to people in the EU regardless of where your company is physically located.

Google Analytics is currently violating GDPR

The court case that led to the realization that Google Analytics violates GDPR stems from a complaint that landed on the doorstep of the Austrian Data Protection Authority (a.k.a. Datenschutzbehörde).

Here’s how it went down.

On August 14, 2020, a Google user accessed an Austrian website called NetDoktor, which has self-serve resources for learning about health issues. The website uses Google Analytics, which means data about the user is transmitted to Google. Website users have filed 100+ complaints since then with similar GDPR violations from Google Analytics. 

The issue at hand is that sensitive data about EU website users is traveling through Google’s servers and across the pond to the US and other non-EU countries. As a result, that data is not being subjected to the privacy standards established through GDPR. (official legal response from Google here🤓)

So, in December 2021, the Austrian Data Protection Authority determined that the NetDoktor website’s usage of Google Analytics does not comply with GDPR. Other cases have come forward since that first case, which means this is something that’s here to stay.

What marketers on Salesforce need to know about GDPR and Google Analytics

If you’re a marketer using Salesforce Marketing Cloud or Tableau and you’re importing website user data through integrations with Google Analytics, then you’ll want to listen up. This is especially important if a large portion of your website users are located in a European Union country.

How to take action to stay GDPR compliant

We knew you’re a good seed. Here’s what you need to know to stay on the GDPR compliant side.

You’re already ahead of the curve if you’ve made the switch to first-party web tracking cookies. However, you’ll need to take additional steps to avoid legal action from website users living in EU countries regardless of the type of web tracking cookies you use (and we think you should switch to first-party cookies).

Verify privacy policy is up-to-date and available

Google Analytics requires all website owners using the Google Analytics Advertising features to display the privacy policy link on websites that utilize the service. And if you’re using advanced features to track website user data, then it’s likely that you’re using Google Analytics Advertising features.

Here’s what to include in your privacy policy:
  • The Google Analytics Advertising Features you’ve implemented
  • How you and third-party vendors use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together
  • How visitors can opt-out of the Google Analytics Advertising features you use. This includes features used through Ads Settings, Ad Settings for mobile apps, or any other available means (for example, the NAI’s consumer opt-out).

Enable cookie consent on your website

Letting your website users know you’re using tracking tools to gather data from them is a great way to stay compliant with GDPR while using analytics tools like Google Analytics.

You can use a cookie consent vendor, such as OneTrust, to collect informed consent prior to dropping the tracking cookies into the website user’s browser. Cookie consent vendors make it easy for you to deliver a banner to your website visitors that collects their consent for tracking website browsing data using tracking cookies before they are activated and set.

We recommend you enable IP anonymization on your Google Analytics account to ensure you use pseudonymous identifiers. In addition, you can set the time period before the data stored by Google Analytics is automatically deleted from servers. Then, include that time period in the Google Analytics cookie banner. 

The banner you use to collect cookie consent from website users should be a simple and clear message explaining:

  • How user data is collected
  • Purposes of data collection
  • Duration of the data collected
  • Vendors and technical details

If you’re using third-party cookies, the banner should also inform users that the website uses third-party cookies for profiling purposes to provide advertising insights.

What could happen if you take no action

So, maybe you missed the memo and you haven’t done anything to address your website’s usage of Google Analytics in EU countries. Or maybe you use some other analytics tracking tool, like Heap, Matomo, Statcounter, or Adobe Analytics, and didn’t realize this probably applies to you, too. 

Well, it’s a good thing you’re here. We advise you to do two things: 

  1. Notify your legal counsel that there is a potential risk.
  2. Get ahead of the regulations. 

Violating the regulations doesn’t necessarily mean the GDPR privacy police are going to show up on your doorstep tomorrow.  It means someone could complain about your collection of their web browsing data. That complaint could snowball into a lawsuit and all the expenses that go along with it.

That’s why it’s so important for you to collect informed consent before a cookie starts collecting data from a website user who’s visiting your site from an EU country. 

Still confused by all of this? Tell us about it in the comments section. 

The post GDPR and Google Analytics Updates in 2022 appeared first on The Spot for Pardot.

By |2022-04-06T02:09:00+00:00April 6th, 2022|Categories: Analytics & Reporting, Privacy & Compliance, Pro Tips|