If you have an online business or an email list that you communicate with, you’ve probably heard the rumblings around the internet about the EU’s new General Data Protection Regulation (let’s just call it GDPR, shall we?). This new regulation goes into effect May 25, 2018 and in an effort to understand what it is, what it means to online marketers, and what we need to take action on, I’ve invited Bobby Klinck, an intellectual property attorney, to help us navigate all things GDPR. Bobby is not only an attorney, but he is an entrepreneur himself, so he really has his finger on the pulse of what online entrepreneurs need to do to protect themselves.
Let’s dive in and figure this all out!
What is GDPR?
GDPR stands for “The General Data Protection Regulation” a privacy law from the European Union that goes into effect May 25, 2018. Even though it’s a European Union law, all online entrepreneurs need to be paying attention because the GDPR will mean major changes for the way we operate.
What activities are covered by the GDPR?
- The GDPR applies to the processing of personal data.
- Processing is a fancy word for, “doing anything with data”. You should assume it covers everything you do with all of the data you collect from individuals from collection to deletion (and at every point in between).
- Only applies to personal data which is anything that is associated with, or related to, someone who is identified or who you can identify.
- Identified includes: names, email addresses, physical addresses, and most people agree it includes IP addresses and other info collected automatically (usually collected by Google Analytics).
- Also includes any type of processing and information that you’re adding to your contact database. This could be information that you collect automatically, through an opt-in or any other collection method. (ex: surveys, quizzes, etc.), or through tagging or segmenting in your CRM database. These activities are included because you are effectively “monitoring” what people are doing.
Who does the GDPR apply to?
- The GDPR will apply to any relationship or transaction (commercial or free) where one of more of the parties is in the EU. It is not based on citizenship, it’s based on where they are when you are interacting with them.
- If you are an online entrepreneur or marketer based in the European Union, you must comply with the GDPR across your entire business. The means that if you are collecting data from someone in the US, you still have to comply.
- If you are an online entrepreneur or marketer based outside of the EU, you must comply with the GDPR when we are interacting with or collecting data from people in the EU.
- This is where things get complicated! There are some instances where it doesn’t apply if you’re outside the EU .
How Does GDPR Apply to Non-EU Entrepreneurs?
- A non-EU entrepreneur has to comply when processing of people in the EU.
- But ONLY if the processing is related to:
- Offering products or services to people in the EU (paid AND free) - that means a lead magnet counts!
- Monitoring the behavior of people in the EU (as mentioned earlier)
- Here’s where the GREY ZONE enters in: People are not sure how the territorial limits will apply. Questions you may be asking:
- What about people who don’t knowingly collect information?
- Ex: Facebook Ads: Bobby focuses on people only in the US. He’s not actively trying to attract people in the EU. But when he looks at his list, about 5% are in the EU. He’s not going to refuse doing business with this 5%, so he will have to comply with GDPR when he’s interacting and handling data with this 5% from the EU.
- What about adding a disclaimer that says you only sell to people in the US?
- Unfortunately, there are not crystal clear answers to these questions, but let’s dig into the language and details and see how this pertains to you.
6 principles of the GDPR
#1: Data shall be processed “lawfully, fairly, and in a transparent manner.”
- You have to be upfront about what you are collecting the data for.
#2: Data shall be “collected for specified, explicit and legitimate purposes.”
- You can’t collect data without explaining how you are using it, and those purposes have to be legit.
#3: Data processing shall be “limited to what is necessary” for the purpose.
- You can’t collect all kinds of data on a person if all you need is an email address (like for a lead magnet). You may only collect the minimum amount of data for the purpose you are collecting it for. Once you have collected the necessary data, you can only use it for its intended purpose. (We’ll get into how this affects list-building later in the post).
#4: Data shall be accurate, kept up to date, and corrected.
- Doesn’t really apply to us. This is more for the Google and Facebooks of the world.
#5: Data shall be kept so it identifies a person “no longer than is necessary.”
- You should not keep data about people forever if there is no reason to keep it.
#6: Data shall be “processed in a manner that ensures appropriate security.”
- You have to take reasonable steps to protect the data. We should all already be using SSL certificates and other ways to actually make sure that we’re protecting the data, (Data should be stored behind a secure wall (password collected).
How You Will Need to Change the Way You Collect Email Addresses From Potential Leads In Your Marketing Efforts:
The only lawful basis for adding someone to your marketing email list under the GDPR would be consent, and the GDPR requires that consent be freely given, specific, and unambiguous.
This new standard means we can't automatically add everyone who grabs one of our lead magnets to our general marketing email list.
- We must get a separate consent to add them to our marketing list.
- You can't require them to give this consent as a condition for getting your freebie.
- You have to sell prospects on the benefits of your list to get them to voluntarily sign up (not just as a requirement to get your lead magnet, freebie, or webinar registration).
The new consent standard applies to your EXISTING list. If you can’t show that you have the right kind of consent from people who are already on your list and to whom the GDPR applies, then you cannot email them any longer beginning May 25, 2018
IMPORTANT: Because consent must be specific and unambiguous, someone downloading a lead magnet from you does not equate to consent to be added to your general email list.
The GDPR also prohibits you to ask for consent to add them to the email list. Getting consent for multiple things or in the course of some other transaction is going to be hard. You likely need stand alone consent.
According to the GDPR, you also can’t add a checkbox and prohibit the delivery of the lead magnet if they don’t click the box.
You may not require someone to consent to be added to your email list to get access to your lead magnet. (Someone giving you their email address and you promising them a freebie is a contract under the law and adding them to your email list is not “necessary” as stated in the 6 principles above.)
Ultimately, to be added to your email list, a prospect must specifically and affirmatively agree to be added to your list. And you may not require that they join your list to receive a freebie, attend a webinar, etc. Instead, we have to sell prospects on the value of being added to our list.
The new consent standard applies to your EXISTING list. Come May 25, you cannot email your existing contacts who signed up through a lead magnet.
Can I send a nurture sequence after someone opts in for my lead magnet under GDPR?
It’s not crystal clear, but there’s a good argument for allowing you to send a nurture sequence after someone downloads your lead magnet.
This would be called expanded processing and that is when you take an action after the initial action.
Factors to consider when deciding whether it’s ok, or not, to do expanded processing:
- The link between the purposes of collection and the purposes for the expanded processing
- Context in which the data was collected
- Nature of the personal data (we’re not really collecting sensitive information for a lead magnet)
- Consequences of expanded processing (the consequence might be getting a few emails from you)
- Existence of appropriate safeguards (these should be in place no matter what)
How Do I Preserve My Existing List and Get Compliant?
It’s two-pronged: Between now and May 25, you need to build goodwill with your list and run campaigns to get GDPR-compliant consents.
For non-EU entrepreneurs: Start by segmenting your list into two parts:
1) Non-EU subscribers
2) Subscribers from EU and any unknowns (treat them as if they are in the EU)
Many of the email service providers have this functionality or are currently rolling it out.
Why should I segment?:
- You are going to re-engage with the subscribers from your EU (and those who are unknown) segmented portion of your list before May 25. The results of your re-engagement campaign won’t be great. You want to figure out how you can keep people on your list without getting a new consent.
- For the non-EU list, you can continue communicating with them just like you have been.
- If you have people that opted in cleanly to your newsletter, you can probably put them in the “ok” category. These people have given you consent to receive your marketing emails.
How do I run a re-engagement campaign?:
- BEFORE you send the consent emails, first deliver extra value consistently.
- Send an extra email a week.
- THEN send emails asking for consent. Only to those who you have to send to!
- Make sure that you have a system set up so that when someone does consent, you are taking them off this special “EU-non consent” list and moving them on to a “EU confirmed consent” list.
- You want to send multiple “consent” emails and make them enticing. Pay close attention to the subject lines! Catchy or blatant subject lines might work well. The challenge is to get people to open the emails.
- The only goal of the re-engagement campaign is to convince people to give you GDPR-compliant consent.
- That might be by clicking a link in an email or signing up via an opt-in page. It depends on what your email service provider allows.
Anyone who doesn't give the necessary consent by May 24, should be deleted from your list. Remember, even storing or deleting their info is "processing," so this work needs to be done before May 25, 2018.
Summary of Bobby’s Suggestions to Preserve Your
Existing List and Get GDPR Compliant
Step #1: Build goodwill by delivering amazing value to your list between now and then. I'm talking about going above and beyond the normal value that I'm sure you deliver. Make your content SO good, no one will want to miss the awesomeness.
Step #2: Create your list of targets from whom you need new consents. For entrepreneurs in the EU, this will be your whole list. For entrepreneurs outside the EU, this will be everyone in the EU and anyone whose location is unknown.
Step #3: Run a re-engagement campaign to the list of people who need to provide fresh consent. Sell them on the benefits and do this in your own style. Good copywriting is still key here! You know your audience. You'll want to plan for a series of emails with increasingly dire (and interesting) subject lines to make sure people don't miss them.
Finally, anyone who doesn't give the necessary consent by May 24, should be axed from your list. Remember even storing or deleting their info is "processing," so this work needs to be done before May 25.
For online entrepreneurs, the main impact of GDPR will be in how we build our email list, so let’s take a list on what list-building will look like going forward.
IMPORTANT: Gone are the days of offering a lead magnet and adding everyone who claims the lead magnet to our marketing email lists.
What do I need to do moving forward in my list building efforts to be compliant with GDPR?
Because you have to get stand alone consent to add someone to our list, you either have to go back to the old “join my newsletter” model or use lead magnets and get consent somewhere along the funnel.
- There’s no question that this consent would be sufficient, assuming you disclose what you will include.
- But this method never really worked from a marketing standpoint... and there’s no reason to think that it will work now.
- The “join my newsletter” approach is especially bad for non -EU entrepreneurs who can use segmenting as part of their strategy.
What would a workaround look like?
- You can use lead magnets to get their name and email and then try to sell them on joining your list at some point in your funnel that you are allowed to have without getting further consent.
- There are four touchpoints to consider:
1) Opt-in Page (checkbox or drop-down menu)
2) Sandwich Page (like a one-click upsell page)
3) Delivery Email Itself
4) In the Lead Magnet
Let’s break down all 4 options:
- Opt-in Page:
- You can add a voluntary checkbox/dropdown menu on your opt-in page.
- This would clearly be consent if you do it right.
- It must be voluntary and it cannot be the default. You can’t force them to agree and you can’t have the agreement as the default.
- If you are going to do this, try to use a drop-down menu vs a checkbox. That way they have to choose “Yes or No” - so they have to make a choice and you are not forcing the “Yes.” With a checkbox for “Yes”, they can easily miss it and skip it all together (since it can’t be forced!).
- Sandwich Page:
- Include a one-click upsell page between opt-in and thank you page that asks them to subscribe.
- “Hey! One more thing before we finish.” - It’s essentially a sales page for your newsletter.
- This gives you the chance to sell the benefits of being on your list.
- They are presented with this option all on its own, so it’s compliant.
- Delivery Email:
- You deliver the email as usual that gives them the lead magnet as promised.
- Include language in the email to sell them on joining your list and include a call to action (example below).
- Depending on how your system works, either send them to a separate opt-in or use click to segment the list.
- In the Lead Magnet:
- Add a paragraph at the end of your lead magnets selling them on your list with a clickable link.
- This is sufficient consent and it gives them a reminder if they look back at your lead magnet later.
Guidance for non-EU Marketers:
- Don’t seek consent until after the point that you can segment between EU and non-EU prospective leads. This likely means using only the delivery email and in the lead magnet itself.
- **If your email service provider is able to show different pages based on somebody’s IP address/country, then do this at the front end (and outlined above). So you would show an alternative page for all outside of the US and don’t bother those in the US.
- Under the GDPR, you are required to inform people of certain information and you have to give them information to get informed consent.
- CA law requires you to disclose certain information.
- There are hefty fines under GDPR and CA law, so get a policy in place.
- The relevant contact information.
- What information you collect and the basis for collecting it.
- What you do with the data (including who else gets access).
- The visitors rights under the GDPR.
Where Do You Put the Policy?
- Create a standalone page on your website that includes the policy.
- Put links to that page in your footer navigation on your website (and on opt-in pages, sales pages, LeadPages, webinar registration pages, etc.)
- Put a link anywhere that you ask for consent or collect data.
Check out Bobby’s Free GDPR Training: I’m breaking my rules a bit here because you all know I’ve had a policy for the last year or so of not sending podcast traffic to someone else’s sign up page - I’ve talked about that strategy on my show before. HOWEVER, this information is important and I want you to protect yourself. So I’m making an exception. I want to encourage you to check out Bobby’s FREE mini-training all about the GDPR. The goal of his mini training is not only to make sure that you, as an online entrepreneur, understand the legal requirements but also to give you the tools and practical advice you need to thrive in a GDPR world.
THANK YOU, Bobby, for your time and generosity in helping us understand GDPR. I truly feel I now have what it takes to move forward and implement to get compliant before the deadline! -- Amy