On May 25, 2018 a new privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union. GDPR expands the rights of EU individuals and places obligations on organizations regarding how they manage EU personal data.
For the past year, Vidyard's legal, privacy, and development teams have been actively working to ensure that our responsibilities under GDPR are met. We've taken GDPR as an opportunity to improve the Vidyard platform as a whole and develop a better experience for all our customers as well as yours.
We've sought to make GDPR-related changes to the Vidyard platform as seamless as possible. We've also endeavoured to make customer requests to access, manage, and delete personal data an efficient, self-serve process.
This document provides a summary of GDPR-related changes to Vidyard. It explains both how Vidyard has become GDPR-compliant and how we're enabling our customers to achieve compliance.
Vidyard GDPR Service
Under GDPR, you may receive requests to access, modify, or delete personal data. We've created a service to enable customers to submit data subject requests to Vidyard. This transaction can be either automated through our GDPR Service API or completed manually through the Vidyard Platform.
GDPR Service API
Customers who want to automate GDPR data subject requests may either build or use an existing application to communicate with the GDPR Service API.
The Vidyard GDPR Service hosts a REST API that accepts a webhook to return the results of a data subject request. The GDPR service allows calls to access, rectify and forget personal data.
The provided webhook will receive a POST request with the following information:
- receiptID: an identifier to uniquely reference the request
- action: indicates the type of request (access, rectify, forget)
- completedAt: confirmation of when the request was completed
- data: returns a time-sensitive file that contains the requested data
  - the data field is only returned for "access" requests
  - the file expires after 7 days
See our developer documentation to use the GDPR Service API.
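A receiving endpoint should check each callback before acting on it. The following is an added example, not Vidyard's code: the field names come from the list above, while the value types, the map of pending requests kept by the receiver, and the 7-day window measured from completedAt are assumptions.

```javascript
// Added example: validate a GDPR Service webhook callback before acting on it.
// Field names are from the page; value types, the `pending` map and the 7-day
// window counted from completedAt are assumptions of this sketch.
const ACTIONS = new Set(["access", "rectify", "forget"]);
const EXPIRY_MS = 7 * 24 * 60 * 60 * 1000;

// body: parsed JSON of the POST; pending: Map of receiptID -> action submitted.
function checkCallback(body, pending, now = Date.now()) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body is not a JSON object"] };
  }
  const errors = [];
  const { receiptID, action, completedAt, data } = body;

  // Reject callbacks that do not answer a request this system submitted.
  if (typeof receiptID !== "string" || !pending.has(receiptID)) {
    errors.push("unknown receiptID");
  } else if (pending.get(receiptID) !== action) {
    errors.push("action does not match the submitted request");
  }
  if (!ACTIONS.has(action)) errors.push("unsupported action");

  const completed = Date.parse(completedAt);
  if (typeof completedAt !== "string" || Number.isNaN(completed)) {
    errors.push("completedAt is not a timestamp");
  } else if (completed > now) {
    errors.push("completedAt is in the future");
  }

  // The data field belongs to "access" results only.
  const hasData = data !== undefined && data !== null;
  if (action === "access" && !hasData) errors.push("access result without data");
  if (action !== "access" && hasData) errors.push("data present on a non-access result");

  if (errors.length) return { ok: false, errors };
  const deadline = completed + EXPIRY_MS;
  return {
    ok: true,
    errors,
    expiresAt: hasData ? new Date(deadline).toISOString() : null,
    expired: hasData && now >= deadline,
  };
}

// Constructed sample: one pending access request and its callback.
const samplePending = new Map([["r-1001", "access"], ["r-1002", "forget"]]);
const sampleBody = { receiptID: "r-1001", action: "access",
  completedAt: "2018-05-28T12:00:00Z", data: "export-file-placeholder" };
```

Remove a receiptID from the pending map once its callback has been accepted, so a replayed POST is rejected as unknown.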
GDPR Request Feature in Vidyard
For customers who do not have an application that can communicate with the GDPR Service API, we've created a tool to manually process data subject requests inside the Vidyard platform.
- Ask your Customer Success Manager to install the GDPR Request Tool feature for your Vidyard account. This will enable the Manage GDPR Requests permission for all group admins, both at the parent and subgroup level.
- Select Group > GDPR Requests to submit an access, rectify, or forget request.
- Users who submit a request will receive an email confirmation when the task has completed.
- Keep a record of the request ID, as Vidyard does not hold this information.
- Exported data returned from an "access" request will expire after 7 days.
Note: whether completed at the parent or subgroup level, GDPR requests are made against data associated with your entire organization.
Manage consent with the Player API
GDPR requires that persons opt-in to being tracked. We've expanded our Player API to include methods that communicate whether a person has consented to having identified viewing data pass into Vidyard.
Where Vidyard does not have consent, we will only collect completely anonymized viewing data.
Player API methods:
- Sets consent for every player on your page to true or false.
- This method assigns consent on a per subdomain basis.
- Callback receives true or false upon all player ready.
- This function is intended to determine whether or not to display a consent prompt upon page load.
Vidyard.GDPR.consent calls set to true persist in localStorage, so visitors to your webpage do not need to accept tracking on every page load.
Consent on GoVideo (free) sharing pages
Vidyard will now ask any person with a European Union IP address who lands on a GoVideo (free) sharing page to consent to being tracked.
Consent persists in your browser's localStorage. This means that return visitors to a GoVideo free sharing page (hosted on share.vidyard.com) do not need to consent again unless storage data has been cleared.
Identifying your viewers with the "vyetoken"
To date, Vidyard has used a "vyemail" query string to associate a person's email address with their video viewing behavior. The vyemail string could be appended to sharing page URLs (as part of GoVideo), player embed codes, and passed to third-party applications as part of our MAP and CRM integrations.
We've replaced the vyemail string with a "vyetoken".
The vyetoken is designed to conceal email addresses as part of a query string. This reduces the surface area over which personal information is shared with integrated MAPs and CRMs. Email addresses associated with a video view will remain with Vidyard, and the query string will continue to operate as expected.
If a GDPR data subject request to forget information is submitted, Vidyard will remove any vyetokens associated with the given email address for the relevant organization.
The vyetoken and GoVideo
Across our many GoVideo integrations (Gmail, Outlook, partner applications), the GoVideo app automatically appended the vyemail string to the sharing page URL of your video. The vyemail query string enabled the sender to receive a notification when their recipient had watched a video.
Under GDPR, the email address of your recipient will continue to automatically append to the sharing page URL, but will be concealed as a vyetoken. You will continue to receive notifications when your video content has been watched.
The vyetoken and developers
Prior to GDPR, some Vidyard users may have manually applied the vyemail string (?firstname.lastname@example.org) to sharing page URLs as part of video analytics testing or work with the GoVideo partner app integration.
To comply with GDPR, third-party developers must consider how GoVideo viewer identification will operate in their application and ask for view consent where applicable.
Developers may also use the Vidyard Dashboard API to generate a vyetoken.
Additional privacy information
Data Processing Addendums (DPAs)
Vidyard provides DPAs to customers looking to process personal data in compliance with GDPR. Contact email@example.com to request a copy of our DPA.
In the event of a data breach involving personal data, Vidyard will contact customers by email.