Tamboo Customer GDPR Controller Guidance

Overview

GDPR, or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), requires that the personal data of EU natural persons be treated in a transparent and secure manner. If you use Tamboo for any purpose where an EU natural person's personal data may be captured, or where an EU natural person may use a webpage that you run Tamboo on, you must know and adhere to your responsibilities as outlined in the GDPR. Tamboo's Data Processing Addendum (DPA), which all Tamboo customers must read, agree to, and adhere to, ensures that all of Tamboo's customers understand their obligations as they pertain to the processing of personal data.

In the context of GDPR, when you use Tamboo's services, you are a Controller and Tamboo is a Processor. This guide is intended to assist you in properly implementing Tamboo so that you can maintain your compliance as a Controller under the GDPR.

It is important to note that, even though Tamboo is providing this guide, Tamboo does not guarantee that adherence to this guide will make you "GDPR compliant", even with respect to your use of Tamboo. Each Controller must be familiar with their own individual requirements as they pertain to GDPR. This guide is intended as a helpful resource with useful suggestions and guidance, but cannot be taken as a "checklist" for compliance in any fashion.

Processing of Personal Data

By using Tamboo, you are determining the purposes and means of the type of data that you are requesting Tamboo to process. As outlined in Tamboo's DPA, websites running Tamboo send data about visitors and the activities those visitors perform on the website. This information is necessary for Tamboo to perform its services for its customers, and constitutes a legitimate interest with respect to the collection of such information. However, this information may be used to identify a natural person - either directly or indirectly - and so this information must be assumed to be and treated as personal data.

As a Controller, it is your responsibility to ensure that you limit the personal data that you collect to the bare minimum needed, and that you adhere to GDPR requirements regarding the collection and handling of personal data.

Tamboo collects not just metadata about website visitors, but also entire recordings of website visitor activities (see Tamboo's DPA for more details on the types of data collected). Because of this, you must take special effort to ensure that you are not inadvertently collecting personal data from visitors using your website. For example, if you display any kind of personal information on a webpage (such as a name, email address, or even a profile picture of a user) that you have installed the Tamboo JavaScript agent on, that personal information will be captured and sent to Tamboo for processing.

Because Tamboo is a Processor, Tamboo does not determine the purpose or means of the type of data that you are requesting Tamboo to process. In other words, it is your responsibility as a Controller to control the type of data that you send to Tamboo for processing.

Consent

The GDPR is clear that the collection of personal data may only be performed with clear and transparent consent from the data subject, and only for a specific purpose that the data subject has given consent for. Furthermore, a Controller must be able to demonstrate that this consent was given for any personal data collected and processed.

In order to fully capture a website visitor's journey through a website, Tamboo's JavaScript agent is typically configured to begin capturing webpage information as soon as its JavaScript is loaded on a page. While this is a desired and useful behavior when it comes to getting the most realistic picture of what activities a visitor performs on a website, it poses a problem with GDPR's consent requirement, as you must have consent before you can begin processing a visitor's activities.

Because of this, Tamboo recommends that Controllers do not initialize Tamboo's JavaScript agent until after they have received consent from their visitors.

This requires a slight change to the Tamboo JavaScript snippet that you have installed on your website.

As a refresher, Tamboo typically recommends that the following JavaScript be added right before the closing HTML </body> tag on a webpage:

<!-- Tamboo Code -->
<script>
(function(t,a,m,b,o,e,v){if(t[o])return;t[o]=function(){t[o].a=t[o].a||[];
t[o].a.push(arguments);};t[o].l=Date.now();t[o].v=1.0;t[o].s=b;e=a.createElement(m);
v=a.getElementsByTagName(m)[0];e.async=1;e.src=b;v.parentNode.insertBefore(e,v);
})(window,document,'script','https://js.gettamboo.com/agent.min.js','tamboo');
tamboo('init', ACCOUNT_KEY);
</script>
<!-- End Tamboo Code -->

As previously mentioned, this code does not check that consent has been given prior to loading Tamboo, and so it is not compliant with GDPR Controller requirements. To load the Tamboo JavaScript only if you have received consent from a visitor, you need to wrap the above JavaScript in a conditional block that checks whether or not you have your visitor's consent. An overly simplistic (and definitely not GDPR-compliant) example of this is as follows:

<!-- Tamboo Code -->
<script>
var haveConsent = confirm('Do you consent to let us use Tamboo to record your visit to our site for usability purposes?');

// If they consent, start recording:
if (haveConsent) {
  (function(t,a,m,b,o,e,v){if(t[o])return;t[o]=function(){t[o].a=t[o].a||[];
  t[o].a.push(arguments);};t[o].l=Date.now();t[o].v=1.0;t[o].s=b;e=a.createElement(m);
  v=a.getElementsByTagName(m)[0];e.async=1;e.src=b;v.parentNode.insertBefore(e,v);
  })(window,document,'script','https://js.gettamboo.com/agent.min.js','tamboo');
  tamboo('init', ACCOUNT_KEY);
}
</script>
<!-- End Tamboo Code -->

You should know that you must obtain individual consent for each tracking code or script you use on your website that processes any personal data from your visitors. This might be achieved using a modal dialog that prompts visitors when they first visit your website for consent to use each specific tracking code. Once you have determined what consent you have from your visitors, you would then activate each tracking code that you have been given consent to use. The above code example should help you to see how you could achieve that consent-driven activation with Tamboo.

The GDPR outlines the specific criteria that constitute demonstrated consent from a visitor, and we encourage you to consult that document to understand your full responsibilities.

Limiting the Collection of Personal Data

The GDPR states that a Controller should only collect the minimum amount of personal data a Controller requires for a specific purpose. In other words: You should only collect what you absolutely need, and if you don't need it, you shouldn't collect it.

It is important that you do a thorough review of the webpages you choose to install Tamboo on, as there may be personal data you are displaying (and that Tamboo could capture) that you may not be aware of.

Because the GDPR considers personal data any kind of identifying or identifiable information about a person, you need to consider things like the following when making your assessment:

  • The display of a person's name or contact information
  • The display of a person's account details
  • The display of a picture of an individual (for example, a profile picture)
  • The display of any kind of sensitive personal information such as payment details, date of birth, etc.
  • Whether or not your URLs contain any unique identifiers that could be associated with a person
  • Any form fields where personal data may be entered
  • (And so on)

Once you have identified all of the places where you may collect or display personal data, you must choose if and how you will limit the collection of that personal data.

While you are not required to limit the collection of all personal data, it is strongly encouraged that you limit the personal data you collect as much as possible, and that you only collect personal data that is necessary and required, whenever possible.

Tamboo provides two ways for you to limit the collection of personal data: Through limiting the placement of the Tamboo JavaScript, and through Tamboo's built-in masking features.

Limiting the Placement of the Tamboo JavaScript

The simplest way to avoid the collection of personal data through Tamboo is to simply not install the Tamboo JavaScript on webpages that display or collect personal data.

While this approach is the easiest and most comprehensive approach to limiting the collection of personal data, it also means that other data about your website visitors (such as which page elements they clicked or which steps in a funnel they completed) will be missed.

For this reason, this approach may not be suitable for all cases (although it should be considered).

Masking Personal Data with Tamboo

For those instances when you want to continue to use Tamboo on a webpage that displays or collects personal data, but you want to avoid sending that personal data to Tamboo, you can make use of Tamboo's data masking capabilities.

Tamboo's masking features allow you to identify form fields and even entire parts of a webpage that you want to have "masked". When Tamboo is recording a page and encounters a form field or a page element that has masking enabled, Tamboo automatically replaces any text within that mask boundary with "xxxxxxxx" in the recording. This means that the masked information is never captured or transmitted to Tamboo - only the "xxxxxxxx" is recorded and sent to Tamboo. In your recordings, you'll see "xxxxxxxx" as the text value for those masked fields and elements.

Securing Passwords

By default, Tamboo automatically ignores any input entered into the standard "password" HTML form input element such as the following:

<input type="password" value="some-really-strong-password">

Any text entered into a password input type will automatically be ignored by Tamboo's data collection mechanism and will never be transmitted to Tamboo's servers or stored by Tamboo in any way.

In order to show in recordings that a password was entered into a password input field, Tamboo will show eight asterisks (********) in the password input field. This is only to help you visualize that a password has been entered and does not mean that Tamboo has captured or stored any portion of the original password entered on your website.

For example, Tamboo will see the above password field as:

If you collect passwords from your users using a non-standard password input field, you will have to secure that input field using a mask (see below).

Securing Credit Card Fields

Tamboo attempts to automatically mask any input fields which may be used to enter credit card information. If any input field meets any of the following criteria, it will be automatically masked:

  • If the id attribute of the input field contains the word card or credit anywhere in its value.
  • If the name attribute of the input field contains the word card or credit anywhere in its value.

As an example, the following fields would be masked under these rules as their id or name values all contain either card or credit:

<input type="text" id="cardnumber">
<input type="text" id="credit_card_number">
<input type="text" name="thecardnumber">
<input type="text" name="the_credit_no">

Tamboo will replace any text entered into these fields with eight "x's" (xxxxxxxx) to be used during playback to show that a value was entered into a field - the original information will not be captured by Tamboo.

Just to show, Tamboo will see the above examples as:

If your website has credit card fields that do not meet these criteria, you will have to secure those fields using a mask (see below).

Securing Personal and Sensitive Data with Masks

Tamboo lets you control what data is collected from a webpage using a feature called "masking".

Masking lets you tell Tamboo that certain HTML elements on a webpage may be used to enter or display sensitive information and that Tamboo should not collect any of the information entered into those fields or displayed by those elements.

Tamboo's masking lets you mask not only form input fields but also any HTML element on a webpage.

During the playback of a recording, Tamboo will show any masked input field's value as eight "x's" (xxxxxxxx) to show that a value was entered into that field.

If a mask has been applied to any HTML element that is not a form input field, Tamboo will replace the display text of that HTML element with eight "x's" (xxxxxxxx).

Once an HTML element has been flagged as masked, Tamboo will apply masking to all descendants of that HTML element as well. This enables you to specify a mask at a parent element and have everything under that element masked as well.

To mask an HTML element, there are two available options:

Using the tamboo-mask CSS Class

The simplest way to enable masking is to apply the tamboo-mask CSS class to any HTML element you wish to mask.

Here are some examples illustrating the use of this CSS class that also show how Tamboo "sees" different HTML elements annotated with this CSS class:

Form Input Example
<input type="text" name="ssn" class="tamboo-mask">

Tamboo will see it as:

HTML Element Example
Your new PIN is <span class="tamboo-mask">1234!</span>

Tamboo will see it as:

Your new PIN is xxxxxxxx

HTML Parent Element Example
<table class="tamboo-mask">
  <tr>
  	<td>SSN: 1234</td>
  	<td>PIN: 5678</td>
  </tr>
  <tr>
  	<td>CC#: 1111-1111-1111-1111</td>
  	<td>Name: Alice</td>
  </tr>
</table>

Tamboo will see it as:

xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx

Using the data-tamboo-mask HTML Element Attribute

There may be cases where you want to mask a parent element and yet still be able to "unmask" certain child elements. In these instances, the data-tamboo-mask HTML attribute can be used to give you fine-grained control over when masking should be turned on or off. This attribute may also be used if you are unable to set the class on an HTML element reliably.

The data-tamboo-mask attribute must be provided with a true or false value to turn masking on or off, respectively:

<div data-tamboo-mask="true">
  This will be masked.
  <div data-tamboo-mask="false">
    This will not be masked.
  </div>
</div>

Tamboo will see the above as:

xxxxxxxx This will not be masked.

The data-tamboo-mask attribute operates in a lexical (or contextual) scope based on the element's location in the DOM hierarchy:

<div data-tamboo-mask="true">
  This will be masked.
  <div data-tamboo-mask="false">
    This will not be masked.
    <div data-tamboo-mask="true">
      This will be masked.
    </div>
  </div>
</div>

Tamboo will see this as:

xxxxxxxx
This will not be masked.
xxxxxxxx

The data-tamboo-mask attribute can be used in conjunction with the tamboo-mask CSS class to turn "off" masking for a particular child element:

<table class="tamboo-mask">
  <tr>
  	<td>SSN: 1234</td>
  	<td>PIN: 5678</td>
  </tr>
  <tr>
  	<td>CC#: 1111-1111-1111-1111</td>
  	<td data-tamboo-mask="false">Name: Alice</td>
  </tr>
</table>

Tamboo would see the above as:

xxxxxxxx xxxxxxxx
xxxxxxxx Name: Alice
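The automatic password and credit card rules and the mask scoping described above can be combined into a pre-deployment audit that lists the input fields no rule covers. This is an added example, not Tamboo's code; the function names, the sample fields, the case-sensitive matching and the attribute-over-class precedence are assumptions.

```javascript
// Added example modelling the masking rules described on this page; not Tamboo's code.
// Works on any object exposing getAttribute() and parentElement, including DOM elements.

// Explicit masking: the nearest element (self first, then ancestors) carrying a
// data-tamboo-mask attribute or the tamboo-mask class decides.
// Assumption: on a single element, the attribute takes precedence over the class.
function explicitlyMasked(el) {
  for (let n = el; n; n = n.parentElement) {
    const attr = n.getAttribute('data-tamboo-mask');
    if (attr === 'true') return true;
    if (attr === 'false') return false;
    const classes = (n.getAttribute('class') || '').split(/\s+/);
    if (classes.includes('tamboo-mask')) return true;
  }
  return false;
}

// Automatic rules from the page: password inputs are ignored, and inputs whose
// id or name contains "card" or "credit" are masked.
// Assumption: the match is case-sensitive (the conservative reading for an audit).
function autoProtected(el) {
  if (el.getAttribute('type') === 'password') return true;
  return ['id', 'name'].some((a) => /card|credit/.test(el.getAttribute(a) || ''));
}

// Returns the inputs that no rule covers, so they can be reviewed by hand.
function unmaskedInputs(inputs) {
  return inputs.filter((el) => !autoProtected(el) && !explicitlyMasked(el));
}

// Constructed stand-in for a DOM element (sample data, not a real page).
function node(attrs, parent = null) {
  return { attrs, parentElement: parent, getAttribute: (k) => (k in attrs ? attrs[k] : null) };
}

const form = node({ class: 'checkout tamboo-mask' });
const sample = [
  node({ type: 'password', name: 'pw' }),
  node({ type: 'text', id: 'credit_card_number' }),
  node({ type: 'text', name: 'cc_num' }),     // no "card" or "credit": not auto-masked
  node({ type: 'text', name: 'cvv' }),        // not auto-masked either
  node({ type: 'text', name: 'ssn' }, form),  // masked through the parent's class
  node({ type: 'text', name: 'email', 'data-tamboo-mask': 'false' }, form), // unmasked child
];

function auditSample() {
  return unmaskedInputs(sample).map((el) => el.getAttribute('name') || el.getAttribute('id'));
}
```

In a browser, the same check can be run over a live page with unmaskedInputs([...document.querySelectorAll('input, textarea, select')]).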

Retention of Personal Data

Tamboo currently retains all information sent to it by its customers for one year. We are currently building tools to help our customers specify their own retention periods.

Access to Personal Data

In order to service requests from data subjects about the personal data you have collected from them and are currently processing with Tamboo, please follow these steps:

  1. Obtain from the data subject making the request the value of the "tamboo.u" cookie stored in their browser.
  2. In Tamboo, navigate to "Recordings".
  3. In "Recordings", locate the search section titled "User Attributes".
  4. Locate the search field titled "Tamboo User ID".
  5. Enter the data subject's "tamboo.u" cookie value in the "Tamboo User ID" search field.
  6. Click "Search".
  7. The recordings for that data subject will show up in the search results.

Tamboo does not currently provide a mechanism for sharing this information with data subjects directly. You will need to review the recordings and communicate their contents to the data subject.

Erasure of Personal Data

Revoking Consent and Restricting or Prohibiting Processing

As a Controller, it is your responsibility to determine how you will handle the revocation of a data subject's consent to collect or process their personal data with respect to Tamboo.

As mentioned in the Consent section of this document, controlling when you load the Tamboo JavaScript effectively turns Tamboo on or off.

To fulfill a request from someone regarding the revocation of their consent or to restrict or prohibit processing of their personal data, you should not load the Tamboo JavaScript for pageviews from that data subject.
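One way to connect the consent-driven loading from the Consent section with the revocation handling described here is to keep a stored, timestamped decision per tracker and consult it on every pageview. This is an added example, not Tamboo's code; the storage key, the record format and the function names are assumptions, and the consent prompt itself is left to your own UI.

```javascript
// Added example, not Tamboo's code. `store` is any object with getItem/setItem
// (window.localStorage in a browser). Key name and record format are assumptions.
const CONSENT_KEY = 'consent.tamboo'; // hypothetical storage key

// Store what was decided and when, so the decision can be shown later.
function recordDecision(store, granted, now = new Date()) {
  const rec = { tracker: 'tamboo', granted: granted === true, decidedAt: now.toISOString() };
  store.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

function hasConsent(store) {
  try {
    const rec = JSON.parse(store.getItem(CONSENT_KEY));
    return !!rec && rec.tracker === 'tamboo' && rec.granted === true;
  } catch (e) {
    return false; // unreadable record: treat as no consent
  }
}

// Inject the agent only when a stored grant exists. A missing record, a refusal
// or a later revocation all leave subsequent pageviews without the Tamboo script.
function loadTambooIfConsented(win, doc, store, accountKey) {
  if (!hasConsent(store)) return false;
  if (win.tamboo) return true; // already loaded on this page
  // The page's own snippet, with window and document passed in explicitly.
  (function(t,a,m,b,o,e,v){if(t[o])return;t[o]=function(){t[o].a=t[o].a||[];
  t[o].a.push(arguments);};t[o].l=Date.now();t[o].v=1.0;t[o].s=b;e=a.createElement(m);
  v=a.getElementsByTagName(m)[0];e.async=1;e.src=b;v.parentNode.insertBefore(e,v);
  })(win,doc,'script','https://js.gettamboo.com/agent.min.js','tamboo');
  win.tamboo('init', accountKey);
  return true;
}
```

On each page, call loadTambooIfConsented(window, document, window.localStorage, ACCOUNT_KEY); call recordDecision(window.localStorage, true) when the visitor accepts and recordDecision(window.localStorage, false) when they decline or revoke.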