Call tracking and GDPR: Here’s what marketers need to know

Later this month, the European Union’s General Data Protection Regulation will go into effect. You’ve probably seen plenty of headlines about GDPR, which, in a nutshell, is a set of regulations on businesses designed to protect the privacy of EU citizens.

Perhaps you already have a general idea of how GDPR might impact your business. As you begin to dig deeper and look at all of the ways you attain customer data, you may have questions about GDPR’s impact on how you track calls.

In this article, we’ll outline how you can continue to use a call tracking software like CallRail while maintaining compliance with GDPR.

CallRail’s call tracking solution is GDPR compliant out of the box

Out of the box, CallRail is GDPR complaint. For the purposes of this post, there are two key identities to define under GDPR:

  • Data controllers: Defined as, “A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Most CallRail customers are data controllers.
  • Data processors: Defined as, “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” CallRail is a data processor with relation to your customer’s personal data, and a controller with relation to the account holder’s data.

GDPR places the way a controller handles personal data under the microscope. Under GDPR, EU citizens have a set of rights related to how their data is handled, which we outlined in a recent post.

As a business handling personal data, the onus lies with you to clearly communicate what data you’re collecting on your customers and the purpose for which you’re collecting that data. As a tool, CallRail is GDPR compliant, because it legally transmits personal data to its customers –– the controllers.

Businesses must have a valid lawful basis in order to collect or process personal data. Most commonly for businesses, including CallRail, data is collected for a legitimate business reason: pursuing a legitimate interest without overriding the interests of the individual. Check the Information Commissioner’s Office breakdown of the six lawful bases for processing to check that your business complies.

Best practices for handling call tracking data and achieving GDPR compliance

CallRail has already been built in several ways that allow you to practice aboveboard control of personal data, from two-factor authentication support to end-to-end encryption of call recordings, transcriptions, and all other collected data. And of course, CallRail uses only first-party cookies (set on your domain, not ours), never uses your customer data for any other purpose, and never provides it to any other third parties without your consent.

Here are some tips for using CallRail and setting a high threshold for your handling of customer data:

  1. Turn on two-factor authentication to add an extra layer of security to your account. We explain how to do that in our two-factor support documentation.
  2. Don’t share login information. Only give CallRail access to trusted users in your organization. And remember, CallRail supports multiple users per account at no additional cost. Learn how to add users to your account.
  3. Be careful with how you’re using webhooks. If you’re sending customer data to another system, be mindful of what you’re storing and where it is being stored. At a minimum, you should ensure your webhook endpoints are configured to use encrypted transmission via HTTPS.
  4. You likely need to mention your collection of call data and use of cookies in your own privacy policy, and document your use of personal data under the intended lawful interest. You should consult your own legal counsel to determine how this may apply to your situation.

As always, we are here to help. Contact our privacy team at for any customer data export, update or deletion request, or any additional questions related to GDPR compliance and call tracking.