If you have an online business or an email list that you communicate with, you’ve probably heard the rumblings around the internet about the EU’s new General Data Protection Regulation (let’s just call it GDPR, shall we?). This new regulation goes into effect May 25, 2018 and in an effort to understand what it is, what it means to online marketers, and what we need to take action on, I’ve invited Bobby Klinck, an intellectual property attorney, to help us navigate all things GDPR. Bobby is not only an attorney, but he is an entrepreneur himself, so he really has his finger on the pulse of what online entrepreneurs need to do to protect themselves.
Let’s dive in and figure this all out!
What is GDPR? GDPR stands for “The General Data Protection Regulation” a privacy law from the European Union that goes into effect May 25, 2018. Even though it’s a European Union law, all online entrepreneurs need to be paying attention because the GDPR will mean major changes for the way we operate.
What activities are covered by the GDPR? The GDPR applies to the processing of personal data. “Processing” is a fancy word for doing anything with data: assume it covers everything you do with the data you collect from individuals, from collection to deletion and every point in between. It only applies to personal data, which is anything associated with, or relating to, a person who is identified or whom you can identify. That includes names, email addresses and physical addresses, and most people agree it also includes IP addresses and other information collected automatically (usually by Google Analytics). It also covers anything you add to your contact database, whether collected automatically, through an opt-in or any other collection method (surveys, quizzes, etc.), or created through tagging and segmenting in your CRM. Tagging and segmenting count because you are effectively “monitoring” what people are doing.
Who does the GDPR apply to? The GDPR applies to any relationship or transaction (commercial or free) where one or more of the parties is in the EU. It is not based on citizenship; it is based on where people are when you are interacting with them. If you are an online entrepreneur or marketer based in the European Union, you must comply with the GDPR across your entire business. That means that if you are collecting data from someone in the US, you still have to comply. If you are based outside of the EU, you must comply with the GDPR when you are interacting with or collecting data from people in the EU. This is where things get complicated: there are some instances where it doesn’t apply if you’re outside the EU.
How Does GDPR Apply to Non-EU Entrepreneurs? A non-EU entrepreneur has to comply when processing the personal data of people in the EU.
But ONLY if the processing is related to:
1) Offering products or services to people in the EU (paid AND free), which means a lead magnet counts!
2) Monitoring the behavior of people in the EU (as mentioned earlier)
Here’s where the GREY ZONE enters in: people are not sure how the territorial limits will apply. Questions you may be asking:
What about people who don’t knowingly collect information? Example: Facebook Ads. Bobby targets people only in the US and is not actively trying to attract people in the EU, but when he looks at his list, about 5% are in the EU. He’s not going to refuse to do business with that 5%, so he will have to comply with the GDPR when interacting with and handling the data of those EU subscribers.
What about adding a disclaimer that says you only sell to people in the US?
Unfortunately, there are no crystal clear answers to these questions, but let’s dig into the language and details and see how this pertains to you.
6 principles of the GDPR
#1: Data shall be processed “lawfully, fairly, and in a transparent manner.” You have to be upfront about what you are collecting the data for.
#2: Data shall be “collected for specified, explicit and legitimate purposes.” You can’t collect data without explaining how you are using it, and those purposes have to be legitimate.
#3: Data processing shall be “limited to what is necessary” for the purpose. You can’t collect all kinds of data on a person if all you need is an email address (as for a lead magnet). Collect only the minimum needed for the purpose you are collecting it for, and once you have it, use it only for that purpose. (We’ll get into how this affects list-building later in the post.)
#4: Data shall be accurate, kept up to date, and corrected. Day to day this matters far more for the Googles and Facebooks of the world than for a small list, but you still need a way to correct or update a subscriber’s record when they ask.
#5: Data shall be kept so it identifies a person “no longer than is necessary.” You should not keep data about people forever if there is no reason to keep it.
#6: Data shall be “processed in a manner that ensures appropriate security.” You have to take reasonable steps to protect the data. We should all already be using SSL/TLS certificates on our sites and opt-in forms, and the stored data should sit behind access controls (password-protected accounts, limited to the people who actually need access).
How You Will Need to Change the Way You Collect Email Addresses From Potential Leads In Your Marketing Efforts: The only lawful basis for adding someone to your marketing email list under the GDPR would be consent, and the GDPR requires that consent be freely given, specific, informed and unambiguous.
This new standard means we can't automatically add everyone who grabs one of our lead magnets to our general marketing email list.
We must get a separate consent to add them to our marketing list, and you can't require that consent as a condition of getting your freebie. You have to sell prospects on the benefits of your list so they sign up voluntarily (not just as a requirement to get your lead magnet, freebie, or webinar registration). The new consent standard also applies to your EXISTING list: if you can’t show that you have the right kind of consent from people who are already on your list and to whom the GDPR applies, then you cannot email them any longer beginning May 25, 2018.
IMPORTANT: Because consent must be specific and unambiguous, someone downloading a lead magnet from you does not equate to consent to be added to your general email list.
The GDPR also restricts how you ask for that consent. Getting consent for multiple things at once, or in the course of some other transaction, is going to be hard to defend; you likely need stand-alone consent.
According to the GDPR, you also can’t add a checkbox and withhold the lead magnet if they don’t tick it, and a pre-ticked box does not count as consent at all.
You may not require someone to consent to be added to your email list to get access to your lead magnet. (Someone giving you their email address and you promising them a freebie is a contract under the law, and adding them to your marketing list is not “necessary” to deliver that freebie, which is the test in principle #3 above.)
Ultimately, to be added to your email list, a prospect must specifically and affirmatively agree to be added to your list. And you may not require that they join your list to receive a freebie, attend a webinar, etc. Instead, we have to sell prospects on the value of being added to our list.
The new consent standard applies to your EXISTING list. Come May 25, you cannot email existing contacts who came in through a lead magnet unless you have obtained GDPR-compliant consent from them (or the GDPR does not apply to them).
Can I send a nurture sequence after someone opts in for my lead magnet under GDPR? It’s not crystal clear, but there’s a good argument for allowing you to send a nurture sequence after someone downloads your lead magnet.
Lawyers call this expanded (or “further”) processing: taking a new action with the data after the initial purpose it was collected for.
Factors to consider when deciding whether expanded processing is ok or not (these are the GDPR’s own compatibility factors):
1) The link between the purposes of collection and the purposes for the expanded processing
2) The context in which the data was collected
3) The nature of the personal data (we’re not really collecting sensitive information for a lead magnet)
4) The consequences of the expanded processing (the consequence might be getting a few emails from you)
5) The existence of appropriate safeguards (these should be in place no matter what)
How Do I Preserve My Existing List and Get Compliant? It’s two-pronged: between now and May 25, you need to build goodwill with your list and run campaigns to get GDPR-compliant consents.
For non-EU entrepreneurs: Start by segmenting your list into two parts:
1) Non-EU subscribers
2) Subscribers from EU and any unknowns (treat them as if they are in the EU)
Many of the email service providers have this functionality or are currently rolling it out.
Why should I segment?:
You are going to re-engage with the EU (and unknown) segment of your list before May 25. The results of a re-engagement campaign are never great, so you want to keep as many people as you can without needing a new consent from them. For the non-EU list, you can continue communicating just as you have been. People who opted in cleanly to your newsletter can probably go in the “ok” category too: they have already given you consent to receive your marketing emails.
How do I run a re-engagement campaign?:
BEFORE you send the consent emails, deliver extra value consistently (send an extra email a week). THEN send the emails asking for consent, and only to those you have to send them to.
Make sure you have a system set up so that when someone does consent, they are taken off the “EU, no consent” list and moved onto an “EU, confirmed consent” list.
Send multiple “consent” emails and make them enticing. Pay close attention to the subject lines: catchy or blatant subject lines might work well, because the challenge is getting people to open the emails.
The only goal of the re-engagement campaign is to convince people to give you GDPR-compliant consent. That might be by clicking a link in an email or signing up via an opt-in page, depending on what your email service provider allows. Keep a record of when and how each person consented, because you may have to prove it later.
Anyone who doesn't give the necessary consent by May 24 should be deleted from your list. Remember, even storing or deleting their info is "processing," so this work needs to be done before May 25, 2018.
Summary of Bobby’s Suggestions to Preserve Your Existing List and Get GDPR Compliant
Step #1: Build goodwill by delivering amazing value to your list between now and then. I'm talking about going above and beyond the normal value that I'm sure you deliver. Make your content SO good, no one will want to miss the awesomeness.
Step #2: Create your list of targets from whom you need new consents. For entrepreneurs in the EU, this will be your whole list. For entrepreneurs outside the EU, this will be everyone in the EU and anyone whose location is unknown.
Step #3: Run a re-engagement campaign to the list of people who need to provide fresh consent. Sell them on the benefits and do this in your own style. Good copywriting is still key here! You know your audience. You'll want to plan for a series of emails with increasingly dire (and interesting) subject lines to make sure people don't miss them.
Finally, anyone who doesn't give the necessary consent by May 24, should be axed from your list. Remember even storing or deleting their info is "processing," so this work needs to be done before May 25.
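To make the segmenting and consent-tracking steps above concrete, here is an added Python example written for this article; it is not Bobby’s code or any email service provider’s code. It assumes your provider can export each subscriber’s country code (or nothing when the location is unknown) and a record of how each person opted in; the subscriber list, the consent-record format and the names are constructed for the example. Unknown locations are treated as EU, only a stand-alone, not pre-ticked consent to marketing email counts, a consent recorded during the campaign moves the subscriber to the “ok” segment, and whoever is still in “needs_consent” on May 24 is the deletion list. It also shows the EU-business case, where the whole list is in scope.

```python
"""Segmenting an email list for the GDPR re-consent campaign described above."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# EU member states as of May 2018 (ISO 3166-1 alpha-2).  IS, LI and NO are an
# assumption: the EEA adopted the GDPR shortly after, so treating them as in
# scope is the safe choice.
EU_COUNTRIES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
    "PL PT RO SK SI ES SE GB IS LI NO".split()
)
GDPR_EFFECTIVE = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Consent:
    purpose: str        # what was agreed to, e.g. "marketing_email"
    standalone: bool    # a separate opt-in, not a condition of getting the freebie
    preticked: bool     # a pre-ticked box is not valid consent
    when: datetime
    evidence: str       # form id or campaign id, so you can prove the consent later


@dataclass
class Subscriber:
    email: str
    country: Optional[str]                      # ESP geolocation; None = unknown
    source: str                                 # "newsletter" or "lead_magnet"
    consents: List[Consent] = field(default_factory=list)


def in_scope(sub: Subscriber, business_in_eu: bool) -> bool:
    """An EU business is in scope for its whole list; a non-EU business for EU
    subscribers and, conservatively, for anyone whose location is unknown."""
    if business_in_eu or sub.country is None:
        return True
    return sub.country.upper() in EU_COUNTRIES


def has_marketing_consent(sub: Subscriber) -> bool:
    """Only a stand-alone, not pre-ticked consent for marketing email counts;
    grabbing a lead magnet is not, by itself, consent to be marketed to."""
    return any(
        c.purpose == "marketing_email" and c.standalone and not c.preticked
        for c in sub.consents
    )


def segment(subs: List[Subscriber], business_in_eu: bool = False) -> Dict[str, List[str]]:
    """'ok' = keep mailing as before; 'needs_consent' = targets of the
    re-engagement campaign, and the deletion list if they never respond."""
    out: Dict[str, List[str]] = {"ok": [], "needs_consent": []}
    for s in subs:
        ok = (not in_scope(s, business_in_eu)) or has_marketing_consent(s)
        out["ok" if ok else "needs_consent"].append(s.email)
    return out


def record_consent(sub: Subscriber, evidence: str, when: Optional[datetime] = None) -> None:
    """Call when a subscriber clicks the consent link or fills in the opt-in page.
    Appending (never overwriting) keeps the audit trail of how consent was given."""
    sub.consents.append(Consent("marketing_email", True, False,
                                when or datetime.now(timezone.utc), evidence))


def sample_list() -> List[Subscriber]:
    """Constructed sample data for this example (not a real list)."""
    ts = datetime(2018, 4, 1, tzinfo=timezone.utc)
    clean = [Consent("marketing_email", True, False, ts, "newsletter-form")]
    bundled = [Consent("marketing_email", False, True, ts, "lead-magnet-form")]
    return [
        Subscriber("alice@example.com", "US", "newsletter", list(clean)),
        Subscriber("bob@example.com", "DE", "lead_magnet"),
        Subscriber("carol@example.com", None, "lead_magnet"),              # location unknown
        Subscriber("dave@example.com", "FR", "newsletter", list(clean)),
        Subscriber("erin@example.com", "IE", "lead_magnet", list(bundled)),  # pre-ticked box
        Subscriber("frank@example.com", "US", "lead_magnet"),
    ]


def run_campaign_demo() -> Dict[str, Dict[str, List[str]]]:
    """Segments before the campaign, after Bob clicks the consent link,
    and the view an EU-based business would see for the same list."""
    subs = sample_list()
    before = segment(subs)
    record_consent(subs[1], "consent-campaign-email-2",
                   datetime(2018, 5, 10, tzinfo=timezone.utc))
    after = segment(subs)
    eu_business = segment(sample_list(), business_in_eu=True)
    return {"before": before, "after": after, "eu_business": eu_business}


if __name__ == "__main__":
    for name, seg in run_campaign_demo().items():
        print(name, seg)
```

Run it as a script to print the three segmentations; in practice you would feed the “needs_consent” addresses to your provider’s tag or segment for the consent campaign, re-run `segment` as consent clicks come in, and delete whatever remains in that segment on May 24.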
For online entrepreneurs, the main impact of the GDPR will be on how we build our email lists, so let’s take a look at what list-building will look like going forward.
IMPORTANT: Gone are the days of offering a lead magnet and adding everyone who claims the lead magnet to our marketing email lists.
What do I need to do moving forward in my list building efforts to be compliant with GDPR? Because you have to get stand-alone consent to add someone to your list, you either have to go back to the old “join my newsletter” model or use lead magnets and get consent somewhere along the funnel.
There’s no question that a plain “join my newsletter” opt-in gives sufficient consent, assuming you disclose what the emails will include. But this method never really worked from a marketing standpoint, and there’s no reason to think that it will work now. It is an especially poor choice for non-EU entrepreneurs, who can use segmenting as part of their strategy instead. What would a workaround look like? You can use a lead magnet to get their name and email, and then try to sell them on joining your list at a point in your funnel that you are allowed to reach without getting further consent. There are four touchpoints to consider:
1) Opt-in Page (checkbox or drop-down menu)
2) Sandwich Page (like a one-click upsell page)
3) Delivery Email Itself
4) In the Lead Magnet
Let’s break down all 4 options:
THANK YOU, Bobby, for your time and generosity in helping us understand GDPR. I truly feel I now have what it takes to move forward and implement to get compliant before the deadline! -- Amy