How to Securely Request and Store Your Clients' Social Media Passwords and Avoid a €20 Million Fine

With the recent Cambridge Analytica scandal and GDPR coming into effect on 25 May, in just a few blinks, we suddenly find ourselves in a much more privacy-conscious world. If you’re someone who runs a social media agency or manages social media on behalf of others, these trends cannot be ignored and now is the time to instill confidence in your clients so that they feel comfortable working with your company for the long term.

TL;DR Stop asking clients to send you their social media passwords over email and storing them in spreadsheets - it’s not worth the risk! Sendible has a new solution called Client Connect, that allows clients to grant you access to their social profiles without ever needing to transfer passwords.

With GDPR, companies and agencies are taking a much closer look at the way they store and transfer data. By now, you should’ve received countless emails from some of your largest clients asking you what changes your agency is making to be GDPR compliant.

Where most agencies view these kinds of questions as a burden and chore to answer, this is an incredible opportunity. Think about it - your clients are giving you a chance to reassure them in a way that can help cement your partnership with them well into the future. Also, don’t expect these emails to end after 25 May; this is just the beginning of what’s to come! We expect to see similar data protection regulation coming into effect from the US in the next few years, so now really is the ideal time to ensure your agency is ready. After all, if you’re not compliant and your clients’ personal data is leaked, you stand to be fined up to £20 million or 4% of annual turnover. If that’s not enough of a wake-up call for all of us, I’m not sure what else is!

But where can you possibly start? Your clients’ personal data is being transferred all over the place: from emails to spreadsheets, CSV files to CRMs and CMSs to Social Media Management Tools. I apologize for all the acronyms here, but it just serves to highlight the fact that with so many different tools and integration points us marketers have to deal with, how can we possibly be expected to secure all these flows and take steps to ensure there are no data leaks?

At Sendible, we believe that when analyzing your data flows, the best place to start is with that initial onboarding journey when your client first agrees to let you manage their social media profiles on their behalf. In this article, I’m going to show you:

  1. Why the way you currently onboard clients is fraught with risks
  2. How to securely onboard new clients and gain their trust
  3. Why implementing privacy by design now will guarantee future growth for your agency


Sharing passwords over email is not secure

Stop accepting your clients’ social media passwords over email

Let’s face it, in order to do their jobs, all social media agencies, no matter the size, need a way to receive and store their clients’ login details for Twitter, Instagram, LinkedIn, Pinterest, Facebook and others.

It’s worth mentioning, however, that Facebook’s Terms of Service contains the following line and with recent privacy trends, we expect to see other social networks follow suit:

You will not share your password, let anyone else access your account or do anything else that might jeopardize the security of your account.


Here are typical ways that agencies handle the transfer of passwords from their clients:

  • The client sends the username and password for each of their social media accounts over an open email.
  • The client submits a Google Form (or similar) listing all their social media passwords which are stored in an openly available Google Doc.
  • The client uses the same master password for all their social media accounts, so the agency is able to sign into every account using the same credentials.

With each of the above approaches, there is the risk that one day, all of the passwords for all clients’ accounts could end up in one central place for a hacker to come in and take control or more likely, for a disgruntled ex-employee to steal and wreak havoc.


Just think about the damage this scenario could cause your agency:

  1. You fire an employee, they steal the spreadsheet containing the social media login details for the brands your agency manages.
  2. They post malicious content to your clients’ social media profiles.
  3. Your clients cancel their contracts with your agency due to a data breach.
  4. Your agency is fined or sued.
  5. Your other clients hear about the breach, and terminate their contracts with you.

The best case is that you realize they’ve stolen the spreadsheet and can notify all of your clients, asking them to change their passwords before any harm is done. Even if the passwords are reset in time, your relationship with that client has already been tarnished beyond repair.

Matthew Mizbani from Two Sigma Ventures sums it up nicely:

In my own experience, a company’s marketing firm is given the social media credentials for the company’s social media accounts. Because the marketing firm is contracted by the company and relies on its reputation to be contracted by more companies, if the marketing firm were to tamper with the account, they would not only lose the business of the company, but likely have a hard time finding future business.

There is also the risk that even after a client terminates their contract with your agency, they don’t bother to change their passwords or remove your agency’s admin access leaving their social media accounts open to further vulnerabilities.

Most digital agency founders, when they first get started, are hustling to bring on those first few clients and really can’t be blamed for being scrappy. But, even as they grow, they remain focused on delivering results for their clients and very rarely do they revisit the risks related to the way they request and store social media passwords for their clients.

With new laws like GDPR coming into effect and a new privacy consciousness that’s being instilled in both companies and individuals, this is no longer a risk that your agency can afford to take. If there’s one thing you can do now, I would suggest revisiting the way you request, transfer and store your clients’ social media login details.

With an increased focus on privacy along with social networks changing their Terms of Service, you should also start to expect that clients will become more reluctant to share their passwords with your agency.

At Sendible, we have developed a solution to this problem called Client Connect. Client Connect makes it easy for your clients to securely grant your agency access to their social media profiles directly from your website, without any passwords needing to be transferred or stored.


Client Connect: The risk-free way to request social media login details from clients

Instead of needing to directly request login details for your clients’ social media accounts, Client Connect is a widget that can be installed on your website. It allows your clients to connect their social media profiles themselves and authorize you to manage their accounts through Sendible’s social media management platform.

When your clients connect their accounts, they are immediately available for your agency to manage within your Sendible account. There is no need to transfer passwords via email or store your clients’ login details in spreadsheets. Also, since Sendible uses OAuth 2.0, which allows your clients to authenticate directly with the social platforms, there is no transfer of passwords and other sensitive information. There is also no way for disgruntled ex-employees to run off with your clients’ passwords!
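To make the "no passwords transferred" point concrete, here is a generic sketch of the agency-side half of an OAuth 2.0 authorization-code flow. It is an added example, not Sendible's code or any platform's real API; the endpoint, client ID, redirect URI and scope names are constructed placeholders, and the use of PKCE and a `state` check are assumptions about a well-built integration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: not a real platform's or Sendible's endpoints.
AUTHORIZE_URL = "https://social.example/oauth/authorize"
CLIENT_ID = "agency-tool-demo"
REDIRECT_URI = "https://agency.example/oauth/callback"


def start_authorization(scopes):
    """Build the URL the client is sent to, plus values kept in their session."""
    state = secrets.token_urlsafe(32)       # ties the callback to this browser session
    verifier = secrets.token_urlsafe(64)    # PKCE secret, stays on the server
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),          # only the permissions the agency needs
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url, session):
    """Validate the redirect from the platform; return the token-request body."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in params:                   # e.g. the client clicked "Deny"
        raise PermissionError(params["error"])
    got, want = params.get("state", "").encode(), session["state"].encode()
    if not hmac.compare_digest(got, want):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise ValueError("missing authorization code")
    # Exchanged server-to-server for a token; note there is no password field.
    return {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }
```

The client logs in on the platform's own page, so the agency only ever holds a scoped token that the client can revoke from their account settings when the contract ends.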


How can my agency benefit from Client Connect?

Client Connect is a great way for your agency to demonstrate its commitment to your clients’ privacy. Since you no longer have to request that clients email you the passwords to their social media accounts, you are now granting complete control to your clients to be able to connect these accounts themselves.

The fact that you do not ask them for their login details will set your agency apart from the rest and is a fantastic USP when pitching to new clients. Besides acting as an additional benefit in new client pitches, Client Connect can also act as a reassurance for existing clients by showing them that your agency takes their privacy extremely seriously. Since Client Connect gives your agency the ability to manage your clients’ accounts without the need to transfer passwords, you are also fully adhering to the terms and conditions of each of the social networks, not to mention GDPR requirements.


How can I install Client Connect on my website?

  1. If you’re already a Sendible customer, simply sign into your account and you’ll be able to access the Client Connect setup wizard from the Add Services page. If you’re not yet a user, start your free trial here.
  2. On the right side of the page, towards the bottom, you’ll find the Install Client Connect box. Click to start the setup process.
  3. In the first step, enter your website domain name, for example, http://www.mywebsite.com. This is the website on which Client Connect will be installed.
  4. Click Select Services to continue. You can now choose the services that you want to make available for your clients to be able to connect from your website.
  5. When you’re happy with your selection, click Generate Code to continue.
  6. Now, select the code that’s been generated and copy to your clipboard. This code can now be added to any page on your website. When rendered, the services you selected will appear for your clients to be able to connect to your Sendible account.
  7. Click Done to close the window.

When Client Connect is displayed on your website, it will display Powered by Sendible just below the services that are available for connection. The Powered by Sendible branding will be removed as soon as you upgrade to our Large or White Label plans.

The Client Connect widget will automatically adapt to the look and feel of your website, but if you’d like to customize it further, you can add your own styling to the connect buttons through a coding language called CSS.


Implement privacy-by-design at your agency

With the recent wave of changes from Twitter and Facebook along with GDPR, we can only expect more updates in the coming months. With all this change, there is a massive opportunity for your agency to get a competitive edge over the thousands of other agencies competing for your clients’ attention by implementing privacy by design.

The agencies who lead with a privacy-first approach in their client pitches and in their operational processes are the ones who are going to ride this wave and come out on top.

At Sendible, our entire organization is hard at work ensuring that our own practices are GDPR-compliant and that we put our customers’ privacy first. But equally important to us is helping you, our partners and customers, understand what these new changes mean for your businesses so that you can build privacy-first processes of your own. Although we are not legal professionals, if we can help your agency in any way, please get in touch using this form and we’ll do our best to advise you.

Gavin Hammar

Tech entrepreneur, software developer and founder of Sendible.com.
