Category: Security, Privacy, and Technology


How to Scale Your Consent and Privacy Management Process

Last fall, I shared some tips and strategies to help marketers building a consent and compliance process. Chances are, you’ve started on that journey. But as you develop those processes, your business is still growing and evolving. So what can you use to help scale those efforts as your company naturally grows toward bigger and more complex audiences?

At Salesforce and Pardot, Trust is our #1 priority. We want to do everything in our power to ensure that our users can build the same trusted relationships with their customers that we have with you. Take a look at some of the tools available to help you to increase customer trust.

Introducing the Salesforce Privacy Center

As your company grows in complexity, your policies around data management and consent do, too. You’ll need to manage more policies and rules and enforce them across different contexts. To aid this effort, Salesforce released a suite of tools with our Customer 360 Truth platform to alleviate this pain: the Salesforce Privacy Center.

With the Salesforce Privacy Center, you can easily create policies around customer data and automate those policies to ensure that your company is compliant with requirements set forth by laws like GDPR. This new application provides a one-stop shop for handling privacy and consent features, with more on the way.

In its current release, the Salesforce Privacy Center is an add-on feature in Salesforce that can help any growing company define how to handle customers’ personally identifiable information (PII) at scale. If your company is moving into several new markets or has grown its audience size, this add-on is worth investigating.

Expand Your Consent Records with the Individual

Most Salesforce users depend on the accuracy of their leads’ email opt-out fields to know who they should and should not email. But in the growing realm of privacy, that one field no longer captures all the nuances of your customers’ privacy and consent. In cases like these, Salesforce marketers can augment their consent model by using Salesforce’s Individual object.

The Individual is Salesforce’s preferred consent data model, and it’s designed to be flexible and granular enough to easily adjust to any company’s specific business strategy. Utilizing the Individual can help you be more diligent with the type of consent you store on behalf of your customers and more mindful in contacting only the most interested customers with your sales or marketing emails.

With the use of APIs and objects, you can work with your Salesforce Admin to tailor a robust and thorough consent management experience fit for your company.

Explore All of Pardot’s Tools for Tailoring Marketing Consent

Going beyond Salesforce itself, you may need to scale and adjust your Pardot consent strategies too. This is especially true for businesses that take on and segment several Pardot Business Units (BUs) to target multiple markets. Managing consent across these units can be especially difficult, and if you want to market to the same individual across product lines, the complexity only grows.

Pardot is investing in this space. Our Spring ’21 release will provide new tools to make it easier to manage marketing consent at scale.

  • You’ll be able to sync prospects safely across BUs with improved APIs, which will allow for granular and controlled consent updates.
  • You’ll have more options for defining your unsubscribe experience and capturing the right consent data from customers.
  • You’ll have access to updates for Salesforce Privacy Center along with more granular control of unsubscribes in Pardot.

Watch for feature updates and start thinking about how you can use them to improve your existing processes.

Learn more about Pardot’s existing features for helping marketers comply with today’s privacy regulations.

This blog post is part of our security, privacy, and technology series.


How Pardot Helps Marketers Comply with Today’s Privacy Regulations

Today, technology is integrated into nearly every part of our lives. From the tiny personal fitness trackers on our wrists to the major data centers powering the internet we use daily, computers of all shapes and sizes have become ubiquitous in modern society, achieving levels of scale and popularity that were the realm of science fiction just a decade or two ago.

However, our increasingly connected world is not without its challenges. The trail of information left by our digital actions can last forever. Power imbalances between those who generate data and those who collect it have the potential to lead to serious privacy and security issues. 

As a result, legislative bodies worldwide have passed regulations like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) to give consumers more control over how their data is used and to penalize misuse.

To remain competitive while maintaining consumer trust, it’s up to today’s businesses to build compliance into their products and services. That’s just what we’re doing here at Pardot. 

Here’s how we’re helping our customers comply with existing and evolving privacy regulations and build tailored solutions to support requirements under different privacy frameworks. 

Obtaining Consent 

Consent is at the heart of our approach to marketing automation. As a result, we have a strict permission-based email marketing policy — but for added flexibility, we also offer our customers substantial configuration options for email consent collection and management. 

Pardot also supports recency and frequency automation rules to govern suppression, which sometimes prevents communications from reaching recipients. Different governance strategies can be employed for different groups at a customer, segment, offer, product, or channel level.

We also support alignment with web-tracking consent requirements like affirmative opt-in, and we provide features that ensure unsubscribe and opt-out are as easy as subscribe and opt-in.

Empowering Customers to Manage their Data

Pardot supports the right to know, the right to be forgotten, and the right to rectification by allowing our customers to:

  • search their records for personal data on a given data subject
  • correct records
  • permanently delete data subject records

Our customers can support these privacy use cases directly through our user interface, or they can implement custom privacy workflows through our software interfaces. These same features support privacy requirements like restrictions on processing and restrictions on sale of information.

To enable compliance with data portability requirements, Pardot provides the capability to export records in a comma-delimited format, and we allow record export through our software interfaces for customers who want to build their own portability workflows.

Incorporating Privacy-by-Design

Our software interfaces are rich enough to allow our customers to build implementations using privacy-by-design principles, and Pardot encrypts all data at rest by default across all customer accounts. Pardot encryption works alongside Salesforce Shield and network security best practices to protect data at rest and in transit across systems.

Privacy frameworks and regulations like GDPR enforce controls on how data controllers interface with data processors like Salesforce Pardot. We allow our customers to comply with these controls through non-technical features.

Our Data Processing Addendum to our Master Subscription Agreement defines how Salesforce legally complies with GDPR and CCPA through mechanisms like Binding Corporate Rules. Salesforce contractually guarantees important security controls and certifications to our customers, allowing our customers to comply transitively.

The Future of Privacy

The privacy landscape is evolving, from both legal and social perspectives. The issue is receiving wide support from a variety of people and legislators. This is a good thing for consumers and businesses alike. The principles embodied in new privacy laws will protect against privacy threats that have emerged in recent decades and many of the future threats to come.

Even before the current wave of privacy regulations, most B2B marketers were already focusing on prospects who provide their personal information willingly for the purpose of exploring a relationship. At Salesforce Pardot, we’re watching privacy trends to make sure we support our customers in the face of a changing legal, technical, and social environment. 

Protecting privacy always has been — and always will be — the right thing to do.

Keep Learning

What is mixed content and why should marketers care? Learn why browser vendors are changing the browser experience to discourage mixed content.



Protecting Your Email Stats from Bot Activity with Metrics…

Internet security is always evolving. As attack methods change, so do defense mechanisms. A few years ago, we saw a new development in email security. Some inbox providers started employing scanners that would click every link in an email to test its source. This is good news for email security — less risk in your inbox! — but terrible news for digital marketers, who saw click rates suddenly skyrocket to impossible percentages over 100% and watched unengaged prospects with lots of automated “scanner clicks” get passed along to confused and frustrated sales teams.

At first, these scanners were mostly coming from the same few IPs. So in the December 2018 Pardot release, we identified consistent email scanner IPs and packaged them as visitor filters out-of-the-box for all Pardot customers. But the problem didn’t go away. As this practice of protecting email recipients from malicious links gained popularity, we saw a proliferation of scanners on cloud hosts.

Now, a cloud host is tricky. When the activity’s IP can only be tracked to AWS or another public cloud provider, we can’t simply add that IP to a blocklist. Will clicks from cloud IPs always be scanners, or will they sometimes be customers? Will they be scanners this month and customers next month? Unlike IPs we can easily identify as belonging to security providers, we couldn’t just filter out all activity from public cloud IPs that sometimes acted like a security scanner.

But we can filter out activity from an IP when it is acting like a security scanner. So that’s exactly what we did.

We built Metrics Guard for Email to watch for activity that isn’t really part of your hard-earned metrics. This brand-new service monitors email clicks and opens to identify patterns that are clearly bot-based, and it keeps those activities out of Pardot entirely. In its first week, Metrics Guard for Email kept 2 million scanner clicks from inflating our marketers’ metrics and triggering actions that shouldn’t have happened.

The best part of this service is that it’s totally hands-off for you — no activation is required! Since early November, Metrics Guard for Email has been working behind the scenes to keep your engagement data clean so that your click metrics are accurate and only truly engaged prospects become qualified.

So send away, knowing that Metrics Guard for Email is serving engagement metrics you can trust.

Check out how to use email metrics to make data-driven decisions.


Encryption Everywhere: What is mixed content and why should…

Browser vendors are planning changes that will affect the way Pardot users produce online content and emails. The Pardot product team is working with the browser vendors and web standards communities to stay current with planned changes and to communicate to our customers what you need to know to continue to deliver effective content. In this post, we’ll explain what mixed content is and how near-term changes being rolled out by browser vendors will affect you.

But first, some background that will help us understand why things are changing.

The history of online encryption

Before about 1970, commercial computers were mostly isolated systems, each installed by a business for some specific task, such as running an accounting system. As business processes became increasingly reliant on information technology, the potential of networked computers became apparent. This raised a serious question: How would networked systems protect themselves against malicious actors who would snoop on and tamper with critical data moving between systems?

Outside of secretive governmental agencies, encryption was mostly a dark art in 1970. But due to the rise of the internet, this has changed in the decades since. In the 1970s, we saw the standardization and deployment of the Data Encryption Standard (DES). In the 1980s, we saw the rise of encryption systems with fancy capabilities such as performing secure digital signatures. During the 1990s, Netscape developed the early versions of Secure Sockets Layer (SSL), now rebranded Transport Layer Security (TLS).

TLS is the protocol that secures the internet. It’s based on the encryption research that happened in earlier decades, and the protocol continues to mature today – the most recent version is TLS 1.3. During the 2010s, technologies such as Let’s Encrypt made TLS more accessible, and the visible rise of major cybersecurity incidents has motivated technology leaders like Salesforce to push for the universal adoption of encryption via TLS. The 2020s will be the decade where we witness ubiquitous web security and privacy via encryption.

This is a trend that we need to pay attention to.

What is mixed content?

Browsers interact with sites using a technology called Hypertext Transfer Protocol (HTTP). The “http” in indicates the link is using HTTP to transfer your content to your visitor. But HTTP alone doesn’t provide any encryption. This means that content transferred to the browser can be snooped on or tampered with while in transit.

HTTPS is HTTP combined with TLS. The “https” in means the link is using HTTP along with TLS to provide a secure browsing experience. Technology leaders and standards bodies are moving away from vanilla HTTP to secure HTTPS.

Now we come to the heart of this post: mixed content.

Mixed content is when a site mixes HTTPS and HTTP. A common example of mixed content is a secure site (served over HTTPS) that includes images served over vanilla HTTP. The problem is that the site owner or site visitor created a website that was clearly intended to be secure, but some parts of the website — images in this example — still remain vulnerable to snooping and tampering.

Why it matters to marketers

You may be thinking: None of my trade secrets are exposed on my site or in my marketing materials. While this is probably true (I’d hope so!), there are good reasons to move all of your content to HTTPS and make sure you don’t have mixed content. The biggest reason?

Browser vendors are changing the browser experience to encourage site owners to avoid mixed content, with an ultimate aim to create a secure browsing experience across the internet.

Chromium, the technology at the heart of Google Chrome, has announced mixed-content deprecation, an initiative to stop sites from serving mixed content. This process is already in motion. There are a couple of key callouts for Pardot users:

  • The latest version of Chrome – Chrome 86 – automatically attempts to upgrade mixed-content images to HTTPS. While this should be innocuous, there may be unintended side effects of this Chrome change that affect the browsing experience.
  • Chrome will eventually stop showing mixed-content images altogether. This is planned to happen in Chrome 88, scheduled for deployment in January 2021.

There are other motivations for moving to encryption everywhere. Not only do search engines prioritize secure sites, this practice also promotes trust with your audience and helps to future-proof your sites against related browser and web changes.

How marketers can prepare for the changes ahead

According to my research, over 90% of Pardot users have websites served via HTTPS. This is good! My calls to action for you are:

  • Make sure that the marketing content you link to in your sites and emails is also served via HTTPS. Not sure how to do this? Learn how to turn on HTTPS for your marketing content.
  • Check out the Pardot product team’s Salesforce Knowledge Base Article about mixed content. We’ll update it as new information emerges.
  • Check your site for any resources, even those not served by Pardot, that need to be secured.
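
One way to carry out the last check in the list above, as an added example (not Pardot or Salesforce code): a Python scanner that reads a page's HTML and reports every subresource that would load over plain HTTP on an HTTPS page. The sample page and all hostnames in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# "passive" (images, audio, video) and "active" (scripts, frames, styles)
# follow the usual mixed-content split; images are the case the post covers.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

# Constructed sample page (hypothetical hosts), not taken from a real site.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://assets.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/hero.png">
<img src="//images.example.com/logo.png">
<img src="/local/banner.png">
<a href="http://partner.example.net/">Partner</a>
<iframe src="http://forms.example.com/signup"></iframe>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url  # replaced if the page has <base href>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "base" and attr.get("href"):
            # <base> changes how every later relative URL resolves.
            self.base_url = urljoin(self.page_url, attr["href"])
        elif tag == "link":
            # Of the <link> types, only stylesheets are checked here.
            if "stylesheet" in (attr.get("rel") or "").lower().split():
                self._check(tag, attr.get("href"), "active")
        elif tag in PASSIVE:
            self._check(tag, attr.get(PASSIVE[tag]), "passive")
        elif tag in ACTIVE:
            self._check(tag, attr.get(ACTIVE[tag]), "active")
        # <a href> is navigation, not a subresource, so it is ignored.

    def _check(self, tag, value, kind):
        if not value:
            return
        # Resolve relative and protocol-relative ("//host/x") URLs first;
        # on an HTTPS page those inherit https and are not mixed content.
        resolved = urljoin(self.base_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, kind, resolved))


def find_mixed_content(page_url, html):
    """Return (tag, kind, url) for each HTTP subresource on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # a page served over HTTP has no mixed content by definition
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, kind, url in find_mixed_content(
            "https://www.example.com/landing", SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

The scanner only sees resources referenced in the HTML itself; anything requested later by scripts or stylesheets needs a check in the browser's developer tools.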

At Salesforce Pardot, we believe that a secure, trusted experience is in everyone’s best interest. For this reason, we’re actively exploring other ways to promote security for our users and for their customers. Stay tuned for more communication as events unfold!



Pardot’s First-Party Tracking Open Beta: Everything You Need to…

In January 2020, the world’s most popular internet browser, Google Chrome, announced that it would stop supporting third-party tracking cookies entirely within two years. By eliminating third-party cookies, Chrome will be guarding its users against nefarious cross-site request forgeries and data privacy breaches. 

However, third-party cookies have long been used by marketers for web analytics and deeper insights into customer journeys. In a world without third-party cookies, marketers will need to adapt their approaches and focus on first-party cookies, which are tracked with clear customer permission. 

That’s why Pardot has developed a new first-party tracking service that allows our marketing customers to keep providing personalized experiences based on their customers’ journeys and keep delivering relevant content at the right time. This service is currently in open beta — so all of our customers can opt in and start preparing for the end of third-party cookies.

In this post, we’ll explore what first-party context is, why it’s important, and other considerations you should take into account. We’ll also share how to get started with our new open beta. For even more context, check out this blog post about the browser privacy race.

  1. Understanding First-Party Context

First-party context is an important concept, and it plays a large role in the way web data is exchanged between services. It depends on two factors:

  1. The relationship between the service and the website
  2. The type of cookies being used

In a first-party relationship, the service and the website share an Extended Top Level Domain + 1 or ETLD+1 — which is the part of your website domain that your company controls. For example, if your website is, then your ETLD+1 is If a service you use on your website also shares, then it’s considered a first-party service, over which you have control. If your website uses files hosted on, then is a first-party resource.

The purpose of any type of web cookie is to store user activity data within the user’s browser that websites can then use to provide relevant services. Cookies are used to save user preferences or shopping cart information in case the page is refreshed or abandoned. First-party cookies are cookies operated by the website itself. Third-party cookies are cookies operated by a third party, like an advertiser. 

  2. Setting Up Pardot as a First-Party Service

With the upcoming end of third-party cookies, we’re asking our customers to set Pardot tracker domains as first-party services. This is important for the following reasons:

  • Pardot tracker domains are used to host marketing content. By giving them the same domains as your websites, you’ll maintain consistent branding and assure your users that your marketing assets are under your control. 
    • If your main website is and you then ask users to go to to download a whitepaper, it creates an inconsistent experience at best. At worst, your customers might worry it’s a phishing attempt.
  • Web analytics data allows B2B marketing teams to provide personalized recommendations and serve the right content at the right time. With first-party context, you can track engagement across subdomains faster. 
    • First-party cookies are a critical part of maximizing progressive profiling on your site and on Pardot-hosted landing pages, as they allow you to confidently verify users before auto-filling potentially sensitive information.

  3. What is Pardot’s Position on Web Tracking?

Pardot’s goal is to provide our customers with privacy-friendly services that help distinguish their analytics from internet-wide trackers and help fulfill their privacy obligations. Trust is our core value, and privacy is a key part of trust. 

While cookies are an important part of creating personalized customer journeys, we recommend that our customers always share transparent information with their users about how their data is being used. It’s best to always allow your web user to control whether you collect their data or not. Privacy is always more important than personalization. 

Pardot will never resell, share, or capitalize on user data. Our customers maintain control of this information if they ever decide to terminate our service. As attitudes and policies on digital marketing and privacy change, we’re committed to keeping our customers informed about new developments and adapting our services to their needs and their users’ needs.

  4. Using Pardot’s First-Party Tracking Service

When using Pardot’s first-party tracking service, it’s essential to maintain both tracking alignment and tracking coverage.

Tracking Alignment

First, align your website and your tracker domain to maintain first-party context. The following scenario shows why this is so important:

Imagine a web user is interacting with three websites. One of the sites doesn’t maintain first-party context because the website and the ETLD+1 don’t align.

  1. The first visit by the web user generates activity with no issues because the website and tracker domain do share the ETLD+1 of “”
  2. The second visit by the web user doesn’t generate any activity, because the website is on “” but the tracker domain is on “”
  3. The third visit by the web user again creates the visitor activity as expected, because both the website and tracker domain share the ETLD+1 of “”

Overall, you should make sure anything you want to track has a domain URL that aligns with the website ETLD+1.
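
The alignment rule above can be checked before tracker codes are swapped. The following is an added example, not Pardot's implementation: it computes the ETLD+1 of each host with the Public Suffix List matching algorithm and reports which websites share it with a tracker domain. The rule set is a small constructed subset in Public Suffix List syntax, and every domain name is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed subset of rules in Public Suffix List syntax (sample data).
# A real audit must load the full list published at publicsuffix.org.
RULES = {"com", "net", "org", "uk", "co.uk", "github.io", "*.ck", "!www.ck"}


def public_suffix_len(labels, rules=RULES):
    """Number of trailing labels that form the public suffix of a host."""
    best = 1  # implicit "*" rule: an unknown TLD counts as a one-label suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if "!" + candidate in rules:
            # Exception rule: the suffix is the rule minus its leftmost label.
            return len(labels) - i - 1
        if candidate in rules:
            best = max(best, len(labels) - i)
        if i + 1 < len(labels) and "*." + ".".join(labels[i + 1:]) in rules:
            # Wildcard rule: any single label in place of "*" is part of it.
            best = max(best, len(labels) - i)
    return best


def etld_plus_one(host, rules=RULES):
    """Registrable domain (ETLD+1), or None if the host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix_len(labels, rules)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def is_first_party(site_url, tracker_url, rules=RULES):
    """True when the website and the tracker domain share an ETLD+1."""
    site = etld_plus_one(urlsplit(site_url).hostname or "", rules)
    tracker = etld_plus_one(urlsplit(tracker_url).hostname or "", rules)
    return site is not None and site == tracker


def audit(tracker_url, site_urls, rules=RULES):
    """Return (site_url, site ETLD+1, aligned?) for every tracked website."""
    return [
        (url,
         etld_plus_one(urlsplit(url).hostname or "", rules),
         is_first_party(url, tracker_url, rules))
        for url in site_urls
    ]


if __name__ == "__main__":
    # Constructed stand-ins for the three visits in the scenario above:
    # the second website sits on a different ETLD+1 than the tracker domain.
    sites = [
        "https://www.example.com/",
        "https://www.example.net/pricing",
        "https://blog.example.com/post",
    ]
    for url, registrable, aligned in audit("https://go.example.com/", sites):
        status = "aligned" if aligned else "NOT aligned"
        print(f"{url:34} {registrable:14} {status}")
```

Comparing the last two labels of a hostname is not enough: under the rules above, two sites under `github.io` or two companies under `co.uk` do not share an ETLD+1.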

Tracking Coverage

Tracking coverage is a bit more complicated than tracking alignment, and it’s also more important. Since third-party cookies are no longer available, you’ll only be able to anonymously track a visitor across your sub-domains. However, if your web user chooses to identify themselves on multiple websites, then you’ll be able to see their full engagement.

Again, imagine a web user is interacting with three websites — only this time, all the sites have full tracking alignment.

Figure: First-Party Tracking Coverage

  1. The web user decides to visit three of your websites across two branded domains. Since two of these websites are hosted on “”, the visits are linked to “visitor 1”.
  2. Their visit to “” is then linked to “visitor 2,” because there are no third-party cookies to link them together.
  3. In their second round of visits, the web user decides to fill out a form on “” This results in the web user becoming a prospect and “visitor 1” activity is linked to “prospect 1.”
  4. In their third round of visits, the web user decides to fill out a form on “” using the same information. With this information, precious data from “visitor 1” and “visitor 2” are then linked to “prospect 1.”

At the end of the customer’s rounds of visits, a marketer will have a complete view of their journey. The important takeaway is that marketers will need to engage customers across different domains to achieve this when third-party cookies are no longer available.

  5. How to Join Pardot’s First-Party Tracking Open Beta

All Pardot customers are invited to join our first-party tracking open beta. During the beta, you’ll have the opportunity to provide direct feedback to help improve the feature. 

Here’s how to get started:

  1. Review the considerations and create a plan for migrating. The change requires placing new tracker codes on your websites and aligning your tracker domains properly — so be prepared. Please note that old tracker codes will continue to work until you swap them out, so you can change them at your own pace. 
  2. Review your Pardot hosted content for domain alignment and align where possible. You may need to add new tracker domains. 
  3. When you’re ready, go to your account settings page and check the box for Enable first-party tracking.
  4. Configure your tracker domains with default campaigns.
  5. Generate the appropriate tracker codes for your tracked websites and swap them out.

If you only use one website domain or already align your tracker domains, switching to first-party cookies should be simple. Others may want to prepare for the switch in phases. Keep in mind that we recommend activating third-party cookies to start out with, especially if you use multiple website domains. You can turn them off once you’re ready to make the full switch to first-party. 

Still not sure if you’re ready to join the open beta? Check the following documentation for more details about the set-up process.
