Why You Can’t Ignore the GDPR Privacy Law, Even if You’re Not in the EU

Posted May 7, 2018 | Laura Christianson

If you collect email addresses or sell a product, service, or program, you’ll most likely need to make significant changes to the way you collect and process people’s personal data.

That’s because of a law that goes into force May 25, 2018, called the General Data Protection Regulation (GDPR). This European Union (EU) law relates to anything you do with the personal data (such as names, email addresses, phone numbers, mailing addresses, IP addresses) that you collect from people.

It applies to information you collect through pretty much any method, such as email opt-ins, quizzes or surveys, and phone calls.

But I’m not in the EU. Why should I care?

Even if you are in the US or other non-EU country, the GDPR is probably going to impact you, particularly since the law applies to existing email lists as well as to information you collect after May 25.

If you have even one EU customer or current subscriber to your list, you won’t be allowed to use any data you have that is subject to the GDPR as of May 25, 2018, unless you can prove a lawful basis to use that data.

In this article, I’m summarizing key points of the 261-page law that pertain specifically to email marketing, gleaned primarily from two sources:

  • Bobby Klinck’s Website Legal Forms. An intellectual property attorney, Bobby offers detailed information in plain English. I purchased Bobby’s Website Legal Policy Pack — easy-to-customize templates for a Privacy Policy, Terms of Use, and Disclaimer. (I also registered as an affiliate for his products. If you click my links to his services/products and decide to buy something from him, I will receive a commission.)

Disclaimer: This article is for informational purposes only, and you should not consider it legal advice. Nor is this information a comprehensive, definitive overview of the GDPR. Please seek legal and other professional counsel to determine exactly how the GDPR might apply to you.

Who does the GDPR apply to?

If one or more parties is in one of the 28 EU Member States when you’re interacting with them, the law applies.

For example, if you are in the US and you have an email subscriber who lives in the EU or you offer a product or service to them (even a free one), the GDPR applies to you.

I know that 75% of my subscribers are in the US, and I know that less than 1% of them are in the EU, but I’m not sure about the other 24%. I’m taking the necessary steps to get GDPR-compliant consents from my EU and “unknown location” subscribers, and to update my email opt-in forms and privacy policies before May 25.

How to collect, store, and secure data under GDPR

Transparency. The focus of the GDPR is to collect data in a transparent manner… to be up-front about why you’re collecting the data and the specific purpose for which you’re using it.

Necessary. According to the law, you must limit the data you collect to only “what is necessary” for your purpose. When you ask someone to sign up for your email list, for example, all you really need is their email address and maybe their name. So don’t require them to enter their phone number, mailing address, birthdate, pet’s name, etc., unless you absolutely need it.

Sensitive Data. There are even higher standards for collecting and using sensitive information you gather from surveys and quizzes, such as racial or ethnic data, religious or philosophical beliefs, political opinions, trade-union membership, and genetic or biometric data.

Erasure. If you’re not using a person’s data anymore or someone requests to be deleted, you must completely delete their data from everywhere you store that person’s info. That includes spreadsheets onto which you may have transferred their data, custom audiences you may have uploaded to Facebook’s Ads Manager, etc.

Security. You also have to take reasonable steps to keep the info you collect secure (such as password-protecting the data you store).

Action steps for non-EU people

  1. Segment your mailing list by location, into people in the EU (including those whose location is unknown) and outside the EU. For assistance segmenting your list, contact your email marketing provider’s Help Desk.
  2. Before May 25, send an email sequence (also called a re-engagement campaign) to list members in the EU and in unknown locations and ask them to consent to continue receiving your emails. In your campaign, include enticing reasons why they should want to stay on your list.
  3. Before May 25, remove anyone in the EU/Unknown segment of your list who has not given consent.

Get explicit, affirmative consent from subscribers

This is the part of the law that’s going to change the way most of us collect email addresses for our lists. Typically, we offer a lead magnet (some sort of free resource) in exchange for an email address. When someone signs up for our freebie, we automatically add them to our email list and they begin to receive our welcome campaign, e-newsletters, blog posts, podcast episodes, and other stuff we send them.

Under GDPR, we can no longer add people to our general email list when they sign up for our freebie, because the ONLY thing they’ve consented to is getting our lead magnet.

As Pooh would say, “Oh, bother!”

Here’s another catch:

We can’t require them to join our general list as a condition for getting our freebie. We have to be willing to give them our freebie without them agreeing to subscribe to our email list.

If we want them to get the freebie and subscribe to our general email list, we need to provide them with a stand-alone means of freely giving consent.

On your opt-in form(s), explain exactly how you’ll use a person’s data. If you plan to use their data for multiple reasons, you must disclose all those purposes.

For example, if you send out a weekly e-newsletter, 3x weekly blog posts, and occasional promotional messages, you must explain on your signup form that subscribers will receive all of those things.

The subscriber has to take an affirmative action such as clicking a tick box or dropdown menu on your opt-in form where they can say “yes” to joining your general email list in addition to getting your freebie.

A word of caution about tick boxes

If your signup forms include tick boxes, the boxes can no longer be pre-checked. Subscribers must indicate “affirmative consent” by checking the box(es) themselves.

On your opt-in form, make it clear that the subscriber will get your freebie whether or not they sign up for your general list.

Take Action

Think about the specific value you offer to your list subscribers, separate from the freebie you give them. Draft promotional text that sells people on the value of being on your list.

Review your signup forms. Add language that clearly explains:

  1. How you will use a subscriber’s data
  2. What kind of content you will send them
  3. How often you will send it

Add a way for the subscriber to affirm their consent to subscribe to your general email list.

Would you also like to receive weekly emails that contain my latest blog post, marketing tips and tutorials, information about free trainings and other free resources, and promotions for my online courses?

An example opt-in form that Bobby Klinck uses:

Note the unchecked tick box next to Bobby’s hyperlinked affirmative consent statement:

I agree that you may handle my information as set out in your Privacy Policy.

In the text of the email in which you deliver your freebie, explain the benefits of joining your general list and invite them to opt in.

On your lead magnet itself, promote your general list and include a clickable link that allows people to opt in.

Update your privacy policy

The purpose of your Privacy Policy is to inform people in the EU of certain information at the time you collect it.

California law also requires you to disclose a lot of the same info, so trust me on this and create a Privacy Policy if you don’t already have one!

Items to include in your privacy policy:

  • The identity and contact information of your company (aka, you!).
  • The type of information you collect from subscribers, customers, and/or clients
  • The reason you collect this information and the legal basis for collecting or processing it
    • Disclose that you collect the information so you/your company can perform the services subscribers ask you to perform.
  • How you store and use the data, including third parties that might get access to the data
    • List categories of the types of people who might get access to the data, such as sub-contractors, vendors, or affiliates.
  • The period of time for which the data will be stored
  • Notification of the person’s right to request access, rectification, and erasure of their data
  • Notification of the person’s right to withdraw consent at any time
  • Notification of their right to lodge a complaint with a GDPR supervisory authority
  • Whether there are statutory or contractual requirements for providing personal data.
    • Your Privacy Policy can state something like, “We will not require you to provide any data beyond what is required for the purposes of completing a contract.”

Sample privacy policies

Free Privacy Policy for your website

If you need to craft a privacy policy, don’t attempt to cobble one together based on someone else’s policy. You might not cover everything, or you might create a policy that’s not GDPR-compliant.

I recommend Bobby Klinck’s FREE GDPR-compliant Privacy Policy template. It is exactly the same policy that you get when purchasing his Website Policy Pack.

The catch? When you request the free Privacy Policy, you’re signing up for Bobby’s email list.

In about an hour, I customized the Privacy Policy, Terms of Use, and Disclaimer, following Bobby’s clear and easy-to-understand video tutorials.

If you want to view my policies, follow the links in the footer of BloggingBistro.com. Keep in mind that these policies are customized for my website. Yours will look different, depending on what products and services you offer. So please don’t succumb to the temptation to copy & paste. Just gut it up, like I did, and buy Bobby’s forms. You’ll be glad you did.

Take Action

  1. Create or update your privacy policy and publish it on a stand-alone page of your website.
  2. In your website’s footer, link to your privacy policy.
  3. Link to your policy in any other places where you collect data, such as:
  • landing pages
  • sales pages
  • webinar registration pages
  • event registration pages
  • thank-you pages
  • pop-up forms
  • opt-in forms
  • in the email where you deliver your freebie


Countries in the European Union (EU):

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and *the UK.

*The UK is leaving the EU as of March 29, 2019.


Amy Porterfield: GDPR for entrepreneurs: What you need to know

Amy’s guest, Bobby Klinck, an intellectual property attorney, succinctly walks you through the most important points of GDPR, and the show notes give an excellent overview, as well. Transcript available for download.

Rick Mulready (The Art of Paid Traffic): Episode #188: GDPR: Everything you need to know and how to ensure you’re compliant

Rick’s guest, Suzanne Dibble, a business lawyer and data protection expert in the UK, gets very granular with the myriad things we need to know about GDPR. While I found the information helpful, my blood pressure rose a few notches as I attempted to ingest the plethora of info.


11 responses to “Why You Can’t Ignore the GDPR Privacy Law, Even if You’re Not in the EU”

  1. Linda Thomas says:

    Laura, you always have such significant info for us. Many thanks. I have a question: This pertains only to email lists, right? And that means emails for people who subscribe to a newsletter? Am I correct in thinking that you’re not talking about those who sign up to receive my blog posts by email? Again, Laura, thanks so much.

  2. It pertains to pretty much any way you would collect and process emails from people. So I would think it also applies to people who sign up to receive your blog posts by email. Many people have that functionality integrated into their email list. If you are using Feedblitz or another third-party system that specializes in collecting emails of blog subscribers, I suggest contacting them and asking what they’re doing to get compliant with the GDPR, and what they may require you to do from your end.

  3. A reader emailed me today with this question, and I think it’s important to address it here:

    “I’m curious. I am subscribed to dozens of mailing lists and I have received precisely ONE email asking me to re-up based on the GDPR. I’m surprised that no one is taking this seriously, even the national organizations. What am I missing? I haven’t even seen anything from Mail Chimp, which I use. I would assume they would have sent something out to users. Any idea why the lack of interest?”

    I think people who live in the EU have been hearing about the law, since it applies to all of them. The law has been around for two years, but it is going to start getting enforced May 25, 2018. It’s kind of like the distracted driver laws regarding cell phone use while driving — most people didn’t stop holding their phone to their ear while driving until it became a primary offense (in my state), punishable by a hefty fine.

    Most of us in the U.S. didn’t even hear about the GDPR until a week or two ago. And then, of course, people started panicking about it when the occasional email asking us to confirm our subscription landed in our inboxes (like you, I have received only one such message, and I subscribe to quite a few email lists, too).

    If you are 100% positive that NONE of your subscribers or clients are in the EU, I imagine you can get away with not sending out the “affirmative assent” message. I segmented my list, and discovered that very few of my subscribers are in the EU or in unknown locations, so I’m sending my “affirmative assent” message to ONLY those two segments.

    As for the email marketing providers who don’t seem to be doing much about it, I am mystified, as well. I spent a couple of hours chatting with my email marketing service and asked them what they are doing to make sure their customers are GDPR-compliant, and they didn’t have an answer for me. In fact, they kind of acted like I was a weirdo for even asking about it! Eventually, we did figure stuff out but it took some inventive workarounds to make it happen (I told them they should hire me, since I came up with the workaround!)

    Another reason people in non-EU countries may be taking this lightly is because they have very few EU subscribers. But the catch is that if you have even ONE EU subscriber or client, the law DOES apply to you.

    Plus, I’ve heard rumblings that something similar will eventually come to the U.S. And it certainly is a good idea to have a strong privacy policy on your site, and to be transparent about what people who join your list are going to get from you, and how often they’ll hear from you.

    I just heard from a brand new client who commented, “I’m kinda glad I am coming in fresh now and don’t have to go back and redo things!”

    So, my take is to do it right from the get-go. If you’re not in the EU, prepare for this sort of privacy protection to come your way sooner, rather than later. Be prepared. Take pro-active action now so you don’t have to deal with a big mess later.

  4. Louise Lester says:

    Hi Laura ……. I am a small cottage industry, I paint crafts and also run workshops and art classes, and it is the classes and workshop students who I would email new class dates to ….. I have an email list of people who wanted contacting.
    At the moment I simply email them and give them the dates, with a simple email form ‘Outlook Express’.
    Am I able to simply email each person now and ask them to reply with an email, saying they ‘agree’ to continue being contacted, or do I need to send an email with a ‘tick box’ in it for them to agree to? ……. I don’t know if I can do the ‘tick box’.
    Any help would be greatly appreciated please …. many thanks, Louise.

  6. Hi Louise, From your comment, it sounds as if you are emailing your students individually. Is that the case? While that can work if you are emailing only a handful of people, as your list of students who attend workshops and classes grows, your email could get flagged as spam and your email address blacklisted if you are bulk emailing them.

    Your safest bet would be to get set up with an email marketing service (MailChimp is free for the first 2,000 subscribers and up to 12,000 emails per month). I recommend setting up a MailChimp list (or ConvertKit, or Drip, or any other email marketing system you choose) and then emailing each individual privately with the link to sign up for your list. You could give them the info about “agreeing” in your invite email, which I think would work as you’re in the beginning stages of building your list. Keep in mind that this is not legal advice, just my thoughts and opinions on what I think might work.

    If you need help getting set up with MailChimp, adding the forms to your website, etc, contact me: info@bloggingbistro.com. We have an Email Marketing Starter Package that would be perfect for you.

  7. Louise Lester says:

    Thank you so much Laura …… I really appreciate your opinion, I will have a wee look into ‘Mailchimp’.
    Would you mind please if I asked you one more query and get your opinion on it? I’m a bit stuck with it.
    I have a customer who placed her order for a painted craft over the phone, she doesn’t have a computer so doesn’t do the web, doesn’t have an email and doesn’t have a mobile phone …… she just has a landline phone number. How would I get her agreement, and would I need to get her agreement? Her details will only be used once to complete her order, by myself to contact her, I don’t email out a newsletter or phone people for my selling painted crafts the way I maybe would to tell people about my art class dates.
    Is a verbal agreement over the phone enough?

    Sorry it is not a web or email based question ….. just wondering on another person’s perspective. Many thanks and again thank you so much, Louise

  8. Louise, If she doesn’t have a computer or email, she wouldn’t need to agree to anything email list-related, since she wouldn’t be on your list. However, if she is a customer and she is in the EU, you would want to notify her about where she can find your privacy policy, how long you retain her personal info, and how you keep her info secure.

  9. Louise Lester says:

    Thank you so much Laura …. I really appreciate the time and effort you have given me with such great replies …… very best and good wishes for your own business.
    Louise & Gloria 🙂
