If you collect email addresses or sell a product, service, or program, you’ll most likely need to make significant changes to the way you collect and process people’s personal data.
That’s because of a law that goes into force May 25, 2018, called the General Data Protection Regulation (GDPR). This European Union (EU) law relates to anything you do with the personal data (such as names, email addresses, phone numbers, mailing addresses, IP addresses) that you collect from people.
It applies to information you collect through pretty much any method, such as email opt-ins, quizzes or surveys, and phone calls.
But I’m not in the EU. Why should I care?
Even if you are in the US or other non-EU country, the GDPR is probably going to impact you, particularly since the law applies to existing email lists as well as to information you collect after May 25.
If you have even one EU customer or current subscriber to your list, you won’t be allowed to use any data you have that is subject to the GDPR as of May 25, 2018, unless you can prove a lawful basis to use that data.
In this article, I’m summarizing key points of the 261-page law that pertain specifically to email marketing, gleaned primarily from two sources:
- Suzanne Dibble’s Facebook Group, GDPR For Online Entrepreneurs (UK, US, CA, AU). Suzanne is a business lawyer and data protection expert in the UK. You can also sign up for her free 6-page GDPR checklist.
Disclaimer: This article is for informational purposes only, and you should not consider it legal advice. Nor is this information a comprehensive, definitive overview of the GDPR. Please seek legal and other professional counsel to determine exactly how the GDPR might apply to you.
Who does the GDPR apply to?
If one or more of the parties are in one of the 28 EU Member States when you’re interacting with them, the law applies.
For example, if you are in the US and you have an email subscriber who lives in the EU or you offer a product or service to them (even a free one), the GDPR applies to you.
I know that 75% of my subscribers are in the US, and I know that less than 1% of them are in the EU, but I’m not sure about the other 24%. I’m taking the necessary steps to get GDPR-compliant consents from my EU and “unknown location” subscribers, and to update my email opt-in forms and privacy policies before May 25.
How to collect, store, and secure data under GDPR
Transparency. The focus of the GDPR is to collect data in a transparent manner: to be up-front about why you’re collecting the data and the specific purpose for which you’re using it.
Necessary. According to the law, you must limit the data you collect to only “what is necessary” for your purpose. When you ask someone to sign up for your email list, for example, all you really need is their email address and maybe their name. So don’t require them to enter their phone number, mailing address, birthdate, pet’s name, etc., unless you absolutely need it.
Sensitive Data. There are even higher standards for collecting and using sensitive information you gather from surveys and quizzes, such as racial or ethnic data, religious or philosophical beliefs, political opinions, trade-union membership, and genetic or biometric data.
Erasure. If you’re not using a person’s data anymore or someone requests to be deleted, you must completely delete their data from everywhere you store that person’s info. That includes spreadsheets onto which you may have transferred their data, custom audiences you may have uploaded to Facebook’s Ads Manager, etc.
Security. You also have to take reasonable steps to keep the info you collect secure (such as password-protecting the data you store).
Action steps for non-EU people
- Segment your mailing list by location, into people in the EU (including those whose location is unknown) and outside the EU. For assistance segmenting your list, contact your email marketing provider’s Help Desk.
- Before May 25, send an email sequence (also called a re-engagement campaign) to list members in the EU and in unknown locations and ask them to consent to continue receiving your emails. In your campaign, include enticing reasons why they should want to stay on your list.
- Before May 25, remove anyone in the EU/Unknown segment of your list who has not given consent.
Get explicit, affirmative consent from subscribers
This is the part of the law that’s going to change the way most of us collect email addresses for our lists. Typically, we offer a lead magnet (some sort of free resource) in exchange for an email address. When someone signs up for our freebie, we automatically add them to our email list and they begin to receive our welcome campaign, e-newsletters, blog posts, podcast episodes, and other stuff we send them.
Under GDPR, we can no longer add people to our general email list when they sign up for our freebie, because the ONLY thing they’ve consented to is getting our lead magnet.
As Pooh would say, “Oh, bother!”
Here’s another catch:
We can’t require them to join our general list as a condition for getting our freebie. We have to be willing to give them our freebie without them agreeing to subscribe to our email list.
If we want them to get the freebie and subscribe to our general email list, we need to provide them with a stand-alone means of freely giving consent.
How to get affirmative consent
On your opt-in form(s), explain exactly how you’ll use a person’s data. If you plan to use their data for multiple reasons, you must disclose all those purposes.
For example, if you send out a weekly e-newsletter, 3x weekly blog posts, and occasional promotional messages, you must explain on your signup form that subscribers will receive all of those things.
The subscriber has to take an affirmative action such as clicking a tick box or dropdown menu on your opt-in form where they can say “yes” to joining your general email list in addition to getting your freebie.
A word of caution about tick boxes
If your signup forms include tick boxes, the boxes can no longer be pre-checked. Subscribers must indicate “affirmative consent” by checking the box(es) themselves.
On your opt-in form, make it clear that the subscriber will get your freebie whether or not they sign up for your general list.
Think about the specific value you offer to your list subscribers, separate from the freebie you give them. Draft promotional text that sells people on the value of being on your list.
Review your signup forms. Add language that clearly explains:
- How you will use a subscriber’s data
- What kind of content you will send them
- How often you will send it
Add a way for the subscriber to affirm their consent to subscribe to your general email list.
Would you also like to receive weekly emails that contain my latest blog post, marketing tips and tutorials, information about free trainings and other free resources, and promotions for my online courses?
An example opt-in form that Bobby Klinck uses has an unchecked tick box next to Bobby’s hyperlinked affirmative consent statement.
In the text of the email in which you deliver your freebie, explain the benefits of joining your general list and invite them to opt in.
On your lead magnet itself, promote your general list and include a clickable link that allows people to opt in.
What your privacy policy must include:
- The identity and contact information of your company (aka, you!)
- The type of information you collect from subscribers, customers, and/or clients
- The reason you collect this information and the legal basis for collecting or processing it
  - Disclose that you collect the information so you/your company can perform the services subscribers ask you to perform
- How you store and use the data, including third parties that might get access to the data
  - List categories of the types of people who might get access to the data, such as sub-contractors, vendors, or affiliates
- The period of time for which the data will be stored
- Notification of the person’s right to request access, rectification, and erasure of their data
- Notification of the person’s right to withdraw consent at any time
- Notification of their right to lodge a complaint with a GDPR supervisory authority
- Whether there are statutory or contractual requirements for providing personal data
Sample privacy policies
If you want to view my policies, follow the links in the footer of BloggingBistro.com. Keep in mind that these policies are customized for my website. Yours will look different, depending on what products and services you offer. So please don’t succumb to the temptation to copy & paste. Just gut it up, like I did, and buy Bobby’s forms. You’ll be glad you did.
- Link to your policy in any other places where you collect data, such as:
  - landing pages
  - sales pages
  - webinar registration pages
  - event registration pages
  - thank-you pages
  - pop-up forms
  - opt-in forms
  - the email in which you deliver your freebie
Countries in the European Union (EU):
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK*.
*The UK is leaving the EU as of March 29, 2019.
Amy Porterfield: GDPR for entrepreneurs: What you need to know
Amy’s guest, Bobby Klinck, an intellectual property attorney, succinctly walks you through the most important points of GDPR, and the show notes give an excellent overview, as well. Transcript available for download.
Rick Mulready (The Art of Paid Traffic): Episode #188: GDPR: Everything you need to know and how to ensure you’re compliant
Rick’s guest, Suzanne Dibble, a business lawyer and data protection expert in the UK, gets very granular with the myriad things we need to know about GDPR. While I found the information helpful, my blood pressure rose a few notches as I attempted to ingest the plethora of info.
- 6 Myths about the GDPR and Email Marketing Debunked (AWeber)
- Checklist: 5 things you can do to update your email marketing strategy for GDPR (AWeber)
- How to prepare for the new EU Data Law (AWeber)
- The General Data Protection Regulation (What it is, what we are doing, and what you can do) (MailChimp)
- Collect Consent with GDPR Forms (MailChimp)
- About the General Data Protection Regulation (MailChimp)
- How GDPR impacts marketers (Social Media Examiner)