GDPR Changes

As we mentioned in our previous announcement, we have made some changes to our platform in order to support the General Data Protection Regulation (GDPR for short). You can read more about our approach to GDPR on our GDPR Readiness page.

If you don’t make any changes to your integration, we will simply treat customers as not having given consent and they will not appear in Audience. There are no breaking changes.

Below is a list of the changes and details of any updates you need to make to your implementation if you’re using certain features of our platform.

Checkout Changes

All checkouts will now display a message and link to Paddle’s privacy policy page. The message states that the checkout is powered by Paddle, and that their data will be shared with the software seller for fulfillment purposes.

If you use “Automatic” opt-ins

“Automatic” opt-ins are no longer supported. If you did not change this setting before 9th May, we have migrated you to “Optional” opt-ins.

If you use “Optional” opt-ins

If you have your checkout’s marketing opt-ins set to “Optional”, you will now have a fixed message, rather than a customizable one. This fixed message is GDPR-compliant and is localized to all languages supported by the checkout. There are no changes you need to make, as these have been done for you.

Paddle.js Changes

Skipping the email step of the checkout

Documentation link: https://paddle.com/docs/paddlejs-buttons-checkout

Skipping the email step of the checkout is possible by passing in an email attribute into the Paddle.Checkout.open function. Once our GDPR changes come into effect, we will assume you have not gathered GDPR-compliant consent and will therefore not opt the customer into marketing. If you have gathered GDPR-compliant consent, you will need to pass in a marketingConsent attribute set to true.

Paddle.Checkout.open({
  product: 123456,
  email: 'example@paddle.com',
  marketingConsent: true
});

Using the Audience Popup

Documentation link: https://paddle.com/docs/paddlejs-audience

In order for the Audience Popup to be GDPR compliant, your company name must be included in the opt-in message. To do this, you must add a vendorName parameter to the function initializing the popup.

Paddle.Audience.Popup({ 
  vendorName: 'Paddle',
  triggers: { 
    exitIntent: true, 
    scrollDepth: false, 
    timed: false 
  }, 
  strings: { 
    heading: "Before you leave...", 
    subHeading: "Before you head outta here, why not subscribe to our email list and be the first to know about our latest products, updates and offers?", 
    cta: "Sign me up!" 
  }
});

Using the Download Prompt

Documentation link: https://paddle.com/docs/paddlejs-download-tracking

In order for the Download Prompt to be GDPR compliant, your company name must be included in the opt-in message. To do this, you must add a vendorName attribute to the download button. Failure to do this will result in no marketing consent being gathered for users submitting the form.

<a href="javascript:;" class="paddle_download" data-download-url="http://mysite.com/download.zip" data-vendor-name="My Vendor Name">Download</a>

Using the Audience Add API (paddle.js function)

Documentation link: https://paddle.com/docs/paddlejs-audience

When using the Audience Add API function in paddle.js, you must now confirm you have GDPR-compliant consent by passing in a parameter set to true.

Paddle.Audience.subscribe(email, true, function(response) {
  if(response.success) { 
    alert("You've been successfully subscribed!"); 
  } else { 
    alert(response.error); 
  }
});

Using the Audience Add API (direct)

Documentation link: https://paddle.com/docs/paddlejs-audience

When calling the Audience Add API directly, you must now confirm you have GDPR-compliant consent by passing in a marketing_consent parameter set to 1.

curl -X GET 'https://checkout.paddle.com/api/1.0/audience/1234567/add?email=example@paddle.com&marketing_consent=1'

Custom Checkout API Changes

Documentation link: https://paddle.com/docs/api-custom-checkout

Skipping the email step of the checkout is possible by passing in a customer_email field. Once our GDPR changes come into effect, we will assume you have not gathered GDPR-compliant consent and will therefore not opt the customer into marketing. If you have gathered GDPR-compliant consent, you will need to pass in a marketing_consent field set to true.

API Response Changes

Documentation link: https://paddle.com/docs/api-list-users, https://paddle.com/docs/list-transactions-api, and https://paddle.com/docs/paddlejs-order-information

In these API responses that return customer email, we have added a new marketing_consent parameter which will be set to true or false depending on whether the customer has provided the vendor with the consent to contact them with marketing messages.

https://vendors.paddle.com/api/2.0/subscription/users
https://vendors.paddle.com/api/2.0/user/{id}/transactions
https://vendors.paddle.com/api/2.0/subscription/{id}/transactions
https://vendors.paddle.com/api/2.0/order/{id}/transactions
https://vendors.paddle.com/api/2.0/checkout/{id}/transactions
https://checkout.paddle.com/api/1.0/order

Webhook Changes

Documentation link: https://paddle.com/docs/reference-using-webhooks and https://paddle.com/docs/subscriptions-event-reference

New Audience Member Webhook Changes

We currently send the New Audience Member alert when a customer is added to your Audience. This happens regardless of whether the customer opted-in to marketing or not. In order to be GDPR compliant, we must only send this alert when we have a legitimate interest to do so.

We have a legitimate interest when:

  • The customer has opted in to marketing.
  • The customer has completed a checkout.

Therefore, for customers who do not opt in to marketing, we will only be sending the New Audience Member alert if they complete a checkout. This also applies to the Audience section of the Vendor Dashboard, which will now only show customers who have opted in or completed a checkout.

We have updated the fulfilment webhook and custom fulfilment webhook requests sent to vendors to include marketing_consent when the customer email address is included as a parameter. The marketing_consent value will be set to “0” or “1” depending on whether the customer has provided the vendor with the consent to contact them with marketing messages.

  • Regular Checkout fulfilment webhook: customer email is optional. If it is included as a parameter, then “marketing_consent” will also be included.
  • Custom Checkout fulfilment webhook: customer email is a top-level property called “p_customer_email”. “marketing_consent” is included at the top-level.

In these webhooks/alerts that return customer email, we have added a new marketing_consent parameter which will be set to “0” or “1” depending on whether the customer has provided the vendor with the consent to contact them with marketing messages.

  • “payment_dispute_closed”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “payment_dispute_created”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “payment_refunded”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “payment_succeeded”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “subscription_cancelled”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “subscription_created”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “subscription_payment_failed”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “subscription_payment_refunded”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “subscription_payment_succeeded”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
  • “subscription_updated”: customer email is a top-level property called “email”. “marketing_consent” is included at the top-level.
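
One way to consume these fields on the receiving side, shown as an added example that is not Paddle's own code: it reads the email from either property named above, treats only an explicit "1" (or the API's true) as consent, and lets the most recent payload decide. The function names, the Map store and the "latest value wins" rule are assumptions of this example, and the payloads are constructed.

```javascript
// Added example: function names and the Map-based store are hypothetical.

// Webhooks send marketing_consent as "0"/"1"; API responses send true/false.
// Anything else (missing, empty, "yes", 2) is treated as no consent.
function parseMarketingConsent(value) {
  return value === '1' || value === 1 || value === true;
}

// Alerts carry the address in "email"; the Custom Checkout fulfilment
// webhook carries it in "p_customer_email". Regular fulfilment may omit it.
function extractContact(payload) {
  const raw = payload.email ?? payload.p_customer_email;
  const email = typeof raw === 'string' && raw.includes('@')
    ? raw.trim().toLowerCase()
    : null;
  return { email, marketingConsent: parseMarketingConsent(payload.marketing_consent) };
}

// Apply payloads in arrival order to a Map(email -> boolean).
// The latest value wins, so a later "0" overrides an earlier "1".
function applyConsentUpdates(store, payloads) {
  for (const payload of payloads) {
    const { email, marketingConsent } = extractContact(payload);
    if (email !== null) store.set(email, marketingConsent);
  }
  return store;
}

// Addresses that may receive marketing mail according to the store.
function mailableAddresses(store) {
  return [...store].filter(([, ok]) => ok).map(([email]) => email).sort();
}

// Constructed sample payloads (not real Paddle traffic).
const samplePayloads = [
  { email: 'Ann@example.com', marketing_consent: '1' },
  { p_customer_email: 'bob@example.com', marketing_consent: '0' },
  { email: 'cy@example.com' },                            // field missing
  { email: 'dee@example.com', marketing_consent: true },  // API-style boolean
  { email: 'ann@example.com', marketing_consent: '0' },   // later "0" for Ann
  { quantity: '1' },                                      // no email at all
];

console.log(mailableAddresses(applyConsentUpdates(new Map(), samplePayloads)));
```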

macOS SDK Changes

Audience Usage

Documentation Link: https://paddle.com/docs/sdk-audience-mac

When making use of our email subscribe UI you’ll now need to supply a company name for use in our GDPR compliant consent messages. You can still override our messaging with your own and in that case we’ll add a GDPR checkbox.


-(void)presentEmailSubscribePromptWithSchedule:

is now:


-(void)presentEmailSubscribePromptWithSchedule:(nullable NSString *)schedule message:(nullable NSString *)message andCompanyName:(nonnull NSString *)companyName

example usage:


[[PaddleToolKit sharedInstance] presentEmailSubscribePromptWithSchedule:@"5 launches"  message:nil andCompanyName:@"My Company"];

In the case that you’ve already collected marketing consent for an email prior to launching the checkout you can pass that consent into us and we’ll skip that checkout step:


[[Paddle sharedInstance] setCustomCheckoutAttributes:@{kPADCheckoutMarketingConsent:@1, kPADCheckoutEmail:@"person@domain.com"}];

If you’d prefer to submit an email direct to audience with or without consent then our sendEmailSubscribe method has been updated to:


- (void)sendEmailSubscribe:(nonnull NSString *)email withConsent:(BOOL)consent;

Changes to your Audience in Paddle

Importing customers into Paddle Audience

In the Audience section of Paddle there is a button below the table called ‘Import Audience (from CSV)’. This has been a good way of adding more people to your list of your customers. In the past you could upload a CSV file with three ‘columns’ for your customers’ firstname, lastname and email. We’ve now made this even more useful, and more compliant. This upload will now accept a fourth column. If you title that one allowed_contact you can specify for each customer whether or not you have GDPR compliant opt-in for that audience member. For example, you might be manually collecting this outside of the checkout (where Paddle would usually be passed that information).

If you have collected compliant opt-in for a customer, you should mark the fourth column of that customer’s row as 1. On the other hand, if you want to add the customer to Audience but don’t have opt-ins for them then you should mark it as 0. This might be useful if you want to upload customers to Audience where you can legally send them service, maintenance or transactional emails, but not marketing emails.

Any blank cell in the fourth column will be interpreted as having compliant opt-in consent for that customer (aka ‘1’).

If your CSV upload includes email addresses that are already in your Audience section, the allowed_contact column will be updated for them following the rules above.

You can also export your Audience list at any time using the ‘Export Audience from Report’ button on the same page, which will take you to the Audience report under Checkout > Reports. In this report there is another allowed_contact column which here shows the opt-in status for each of your customers in your Audience list.
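
Because a blank allowed_contact cell is imported as consent, a pre-upload check is worth running on the file. The following is an added example, not part of Paddle's tooling: it assumes a header row, the four columns in the order described above and no quoted commas, and its function name and its choice to write blanks out as an explicit 0 are this example's own.

```javascript
// Added example: auditAudienceCsv and its report shape are hypothetical.
// Assumes a header row, columns firstname,lastname,email,allowed_contact,
// and no quoted commas inside cells.
function auditAudienceCsv(csvText, blankAs = '0') {
  const lines = csvText.split(/\r?\n/).filter((l) => l.trim() !== '');
  const header = lines[0].split(',').map((h) => h.trim());
  if (header.length === 3) header.push('allowed_contact');
  const report = {
    headerOk: header[3] === 'allowed_contact',
    blank: [],     // row numbers that the import would treat as consent
    invalid: [],   // row numbers with a value other than 0 or 1
    optedIn: 0,
    optedOut: 0,
  };
  const out = [header.join(',')];
  lines.slice(1).forEach((line, i) => {
    const rowNo = i + 2; // 1-based, counting the header row
    const cells = line.split(',').map((c) => c.trim());
    while (cells.length < 4) cells.push('');
    if (cells[3] === '') {
      report.blank.push(rowNo);
      cells[3] = blankAs; // make the decision explicit instead of implicit
    }
    if (cells[3] === '1') report.optedIn += 1;
    else if (cells[3] === '0') report.optedOut += 1;
    else report.invalid.push(rowNo); // left unchanged for manual review
    out.push(cells.slice(0, 4).join(','));
  });
  return { report, csv: out.join('\n') };
}

// Constructed sample file.
const sampleCsv = `firstname,lastname,email,allowed_contact
Ann,Lee,ann@example.com,1
Bob,Ray,bob@example.com,
Cy,Poe,cy@example.com,0
Dee,Fox,dee@example.com,yes
Eve,Kim,eve@example.com`;

const audit = auditAudienceCsv(sampleCsv);
console.log(audit.report);
console.log(audit.csv);
```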

Opting-out EU Audience members who aren’t compliant

On the 9th May 2018 Paddle enforced GDPR compliance. From that date all the customers in your Audience section who do not have an authentic GDPR compliant opt-in had their opt-in status set to false, or 0. These customers who do not have consent are hidden from the Audience page, but they will still be accessible from your Audience report.

Paddle determined whether opt-ins are compliant in a couple of ways. Transactions that occurred after the 18th April will be collecting consent from the checkout properly if the method of collection is set to ‘Optional’ in your Vendor Settings. Alternatively, from the 18th April you can also upload customers for whom you have GDPR-compliant consent using the Audience Import, as outlined above.

Removing non-compliant checkout recovery targets

As well as setting the opt-in status of customers without compliant consent to 0, we have removed some people from your Audience report. However, this is only for people who added their email as part of the checkout process, but haven’t actually completed the purchase. For them, we will still be initiating our checkout recovery process, but cannot share their email or personal details with you until they do actually return and complete a purchase.

Checkout Recovery Changes

We will continue to send Checkout Recovery emails if you have them enabled. There will be a few small changes:

  • If you have a discount set up, this will only be sent to your customers who opt in to marketing.
  • Customers will be given the ability to opt out of future Checkout Recovery emails.
