If you run a business online, whether you are an online marketer, an affiliate marketer, or do any other kind of business online, you need to be paying attention to the GDPR. This short guide is for email marketers and list builders who will now want (and/or need) to get consent for processing personal data under the European Union’s new General Data Protection Regulation.
What is the GDPR?
You may or may not have heard of the GDPR (General Data Protection Regulation). It’s basically a privacy law from the European Union that goes into effect on May 25th, 2018. While this is an EU law, it pertains to ALL online entrepreneurs or marketers that not only do business IN the EU, but do business or generate leads from people within the EU. So everyone needs to be paying attention. (Unless of course you want to just cut out upwards of 512 million people from your marketing…)
What does the GDPR cover?
At its core, GDPR is a new set of rules that is designed to give persons in the EU more control over their personal data… so in its raw form, it applies to the processing and handling of EU personal data. This covers everything that you do with personally identifying data that you collect from anyone in the EU… and how you handle that data. From collection, to deletion.
This comes into play for email marketers in an important way. Under the GDPR, an organization (you, your business, etc.) must be able to justify each type of data processing activity it conducts using one of the ‘six lawful bases of processing.’
Email marketing involves the processing of contacts’ personal data (typically, but not limited to, an email address and a name). So, using consent makes sense as a way to justify collecting a user’s data.
What comes along with that? What do we mean by consent? If you are using consent to comply with the GDPR, you need to be able to prove that consent was freely given, and be prepared to share a record of consent with regulators if asked. You need to prove that your EU lead consented to you gathering their information for the specific purpose(s) you are using it for.
On top of that, EU data subjects must be able to withdraw consent at any time. (This part makes sense, and almost all of you are or should be doing this already with options for your user to ‘unsubscribe’ from your lists.)
We are going to cover consent here, show you some examples, and give you some updates on what MLSP is doing for its members to be fully compliant.
What is GDPR-friendly Consent?
The new regulations are pretty clear when it comes to consent. It needs to be both ‘informed and explicit.’ Also, the EU user needs to know how their data is going to be used using ‘clear and plain language.’ (Leave the lawyer talk out of it - tell them what you are going to use their data for, and give them the option to say no.)
What does this mean? Let’s break it down:
- An EU user must have the opportunity to make an actual choice to provide consent. They have to be able to take action to provide consent, and you need to be able to prove that. (For example, a pre-checked checkbox on a form no longer qualifies as consent under the GDPR because the user did not take a specific action to give consent… you implied it. EU users must check the box themselves, or take some other form of action to express consent.)
- The choice to provide consent must be clearly distinguishable and separate from other initiatives. (i.e. requests for consent cannot be buried in a document)
There are a couple of strong ways you can obtain GDPR-friendly consent:
- Add a checkbox in a form that EU contacts must check in order to provide consent
- Turn on that ‘confirmed opt-in’ option in your autoresponder
If you don’t have a way to add some kind of checkbox to an existing form you are using, you can fall back to using your autoresponder’s ‘2 step opt-in’ - meaning they submit a form, and they get an email asking them to confirm that they would like to be added to your list, or whatever action you are asking them to consent to.
Let’s take a look at some examples of what we are talking about here…
Getting Consent via Checkboxes on Your Forms
As we stated before, you can use checkboxes in a lead capture form on your site to get consent from new EU leads.
Some things that you want to make sure you include:
- Provide a clear explanation of what information an EU contact can expect to receive by submitting your form
- Provide a checkbox to get consent for each action you are going to be taking with the EU user’s personal data. Each action must be distinguishable and requires separate consent.
If that sounds confusing, think of it this way. If you have a ‘lead-magnet’ form offering a free download in return for an email address, they are consenting to give you their email address for that download if they fill out your form. HOWEVER - they are not consenting to also be added to your marketing email list. That is another action you would be taking with their data so it would require consent.
As an example, take a look at the screenshot below of what the new MLSP campaigns will look like under GDPR compliance. (NOTE: This is an example of one of the many ways MLSP is helping its members be compliant. The cool thing here is that the checkbox will only show to users from the EU - users not in the EU will not see this checkbox so it won’t interrupt your marketing elsewhere.)
Most (if not all) autoresponder services have moved toward GDPR compliance and you should be able to create these checkboxes for your custom forms without issue. (If you are using WordPress for your site, most form plugins are either GDPR compliant or have pledged to be so by the May 25th deadline - so be on the lookout for updates)
Getting Consent via Confirmed Opt-In
If for some reason you can’t add these consent checkboxes to your form, you can utilize the ‘confirmed opt-in’ email that autoresponders typically default to. These are the emails that get sent out after a user opts-in asking them to confirm their subscription.
Because the contact must click on the ‘confirmation link’ provided in this email before they are added to your list, this constitutes consent.
This is the easiest way to get consent as there isn’t much else to do other than turning on the ‘confirm optin’ option in your autoresponder. (Remember, with most email service providers, this option is on by default)
Getting Consent From Your Existing List
The GDPR does not just apply to new leads after May 25th. The new consent standard applies to your EXISTING list. If you can’t show that you have the right kind of consent from people who are already on your list, and to whom the GDPR applies, (these are people who opted-in to your offer while physically in the EU), then you cannot email them any longer beginning May 25, 2018, if following best practices.
Depending on your email service provider, there are probably multiple ways you’ll find to do this should you need to. The easiest and least intense option (if your autoresponder allows it) would be to just add a link to an email where, when they click on it, they are tagged as having given consent.
Another option is to link them to a form and have them re-opt-in. This is a bit more intensive and your conversion rates will most likely not be as high.
Something you can/should start doing now? Start figuring out a re-engagement campaign so you can get consent from people on your list from the EU. Most e-mail marketing systems will allow you to segment lists based on location/IP/country where they were when they opted in. If you can, segment your list - work on getting consent from EU subscribers so you can keep them on your list. Provide massive value up till the 24th and make sure you provide links in there so you can say something like ‘If you want to continue to get awesome value like this, just click on this link’ - Sell them on the value that they get from your list and why they should WANT to stay on.
Recording Your Proof of Consent
Lastly, according to the GDPR, you need to be able to prove that the EU user gave consent. This is going to vary wildly depending on your autoresponder service and/or website/page builder. For example, with MLSP, our updated campaigns will provide you proof of consent in your Customer Relationship Manager (as well as stats on if the user is from the EU).
If you are using a custom form, make sure that responses to the checkboxes you are adding to your form are recorded, so when EU people submit the form with those checked, you have that data collected.
If you are doing a re-engagement campaign, make sure that if the EU user clicks your ‘re-consent’ link they are tagged as having consented, and you have a copy/proof of what they clicked on.
Here are some things we are doing to make sure our system is fully GDPR compliant and continues to help you market online like a champ.
- We have implemented consent checkboxes on all MLSP campaigns so that EU users will be able to give clear consent to join marketing emails. These consents will be stored for you. (NOTE: We aren’t just going to be showing these to everyone - remember - this is only for EU users, so we will only be showing these boxes to EU users so it should not affect too much of your marketing.)
- We have implemented a cookie consent process for any EU users that visit an MLSP campaign. These consents are stored and tracked automatically.
- We are providing functionality within Funnelizer to add these checkboxes to your forms to get consent. Again, based on your settings, these boxes can be shown only to EU users, not affecting all of your marketing.
- MLSP Sites users: There is more to think about when it comes to site owners. (cookies, tracking, plugins, etc.) We are providing some custom plugins as well as information and action steps you can take to be GDPR compliant.
While this is a big change, MLSP is working diligently to provide our members with the tools and training to make sure that you are able to be compliant with the General Data Protection Regulation. Please take the time to get informed on the overall GDPR and how it’s going to affect your marketing and websites using the links above. (Or just simply google some information - there is loads out there.) Just to caution though, do not get overwhelmed. Your goal should be to start moving toward compliance and to start making the effort now.
Here are some more resources should you want to do some more research on the GDPR