To help you understand GDPR a little better, we have put together this practical guide to GDPR. The aim here is to cover some of the most common questions and misconceptions when it comes to GDPR in relation to marketing and your websites.

If you’re operating a business based in the EU, you’re likely to have heard of GDPR by now.

This is a set of new data protection regulations coming into force on 25th May 2018 which set out new conditions for how you collect, process, store and share data. What you may not realise is, no matter where you are located, these new regulations have potential implications for your business.

There’s a lot of confusion, misinformation and misunderstanding around these new regulations, and many business owners are worrying about getting ready in time for the looming deadline.

In this post I will address these new regulations, and how they might impact your business. I’ll also share what we are doing here at OptimizePress to ensure that parts of our software that deal with collecting data (e.g. your opt-in forms and checkouts) are compliant with the new regulations.

But first, stop panicking (Please)

Before you continue with this article, if I can offer one piece of advice regarding GDPR, it is do not panic. Even the regulators who are supposed to be policing the new policies have stated they are not ready (see this post) so please don’t stress as it’s highly unlikely the walls are going to come closing in if you haven’t got all your ducks in a row by 25th May.

My aim with this article (and our aim here at OptimizePress) is to help you comply with these regulations whilst minimizing the impact on your business. Take your time to follow through the steps mentioned here and do your own research, consult with a legal professional who is familiar with your business and you should be all good to go.

To help you understand GDPR a little better, I’ve put together this practical guide to GDPR. The aim here is to cover some of the most common questions and misconceptions when it comes to GDPR in relation to marketing and your websites.

Please remember these are my interpretations of the regulations from the research our team here at OptimizePress has conducted, along with feedback from legal experts along the way.

GDPR is the General Data Protection Regulation. It replaces the current EU data protection policies and aims to harmonize national data protection laws with a single framework. It comes into effect on 25th May 2018 and will apply directly to all 28 EU member states. Compliance is mandatory for companies controlling and processing personal data of EU residents.

In short, it’s a new set of regulations which you need to comply with if you deal with data of any person within the EU (including prospects and customers on your websites).

If your business is established inside the EU, you must follow the GDPR regulations for all data that you handle, no matter where the data subject (person) is from. So that means all your customers and prospects, including those outside the EU, are covered by GDPR.

If your business is established outside the EU, you are only required to apply GDPR policies to EU residents. So if you have website visitors from the EU, or you offer goods or services to people from EU countries, you’ll need to ensure you apply GDPR processes when dealing with them.

Quick Note: For our customers located outside the EU, we’ll be including some unique functionality in our OptimizePress updates which will help you target only EU prospects (if you want to) with GDPR related features. More on this later in this post!

Every business is different and there is no one-size fits all process, but there are some key steps you need to consider if GDPR applies to your business.

Step 1: Create or update your Privacy Policy – your website needs a privacy policy which explains how you process the data of your prospects and customers in line with the terms of GDPR.

You should ensure your subscribers and customers are informed of your policy changes and sent a link to this content (this can be combined with sending out fresh consent requests if you need to do that).

If you need a solid privacy policy, I’d recommend the GDPR pack from Suzanne Dibble – the UK’s leading data protection expert. You can purchase the kit here.

Step 2: Update your Cookie Policy – this explains what cookies your website uses.

Step 3: Consider the Existing Lists Consent – consider whether you need to get your existing lists to re-confirm consent for you to send them marketing emails (more on this here)

Step 4: Updating Opt-in Forms – there are updated requirements on what you need to say and do when collecting emails from prospects (more on this later in this guide).

Step 5: Review checkouts and other locations where you collect data – You’ll need to notify your buyers and prospects of your privacy policy and how you handle their data

Step 6: Implement processes for optin and withdrawal of consent – Your data subjects have the right to withdraw consent at any time. You need a process to action this (usually this would be in the form of an unsubscribe link)

Step 7: Planning for data subject requests – Your data subjects (prospects/customers) can request the data you hold on them, as well as requesting removal of this data (in some cases). Make a plan for how you will retrieve this information.

Step 8: Build a Data Inventory – this means anywhere you obtain and process data.

This document will help you in the event of any audit or investigation.

This is only a brief overview of the steps you should start taking to compliance, and some of these may not apply to you. For a more detailed step by step, I would highly recommend downloading the free GDPR Checklist here.

This is (understandably) one of the biggest concerns for marketers when dealing with the introduction of GDPR. You’ve probably received many emails already from companies asking you to resubscribe otherwise you won’t hear from them again after 25th May 2018.

Obtaining fresh consent is an important consideration in your quest for GDPR compliance.

Whether or not you need to obtain fresh consent (i.e. asking your contacts to re-subscribe to your emails) may depend on the original consent you obtained when these contacts joined your list.

You should check the ICO consent checklist to see if your existing methods complied with this. If this is the case, you may not need to obtain fresh consent from these people to communicate with them, but you should send them your updated privacy policy and terms (and make them aware of their ability to opt-out at any time).

It could also be argued that processing of data is done under legitimate interest, as Phil Lee argues in this article. If you do follow this stance, remember you would always need to provide the option to opt-out of these communications.

If existing contacts were not added with consent that is of a GDPR standard, you will need to consider running a fresh consent campaign with these contacts.

Action Steps:

The short answer here is in most cases you should be ok to send marketing emails to existing customers. You can argue that you are communicating with your customers/users on the grounds of legitimate interest (as long as your communications are relevant/related to your main product purchased).

Be aware that this can still be a grey area – if you are emailing customers based on the grounds of “legitimate interest” it’s advisable to complete a legitimate interest assessment and store that safely in the event of an investigation.

Suzanne Dibble’s GDPR pack includes a legitimate interest assessment form template you can complete for this purpose which I highly recommend.

Also be aware here that if you’re planning to email your customers, they should always have been provided with the right to opt-out within each email (through clear unsubscribe links in the footer of your emails).

Action Steps:

So you’ve decided you need to obtain fresh consent from your list. What is the best way to do this?

Firstly, try not to see this as the end of your email list!

This is a great opportunity to cleanse your list and boost your engagement. Remember you only want people on your list that WANT to hear from you anyway, so think of this as the perfect time to clear out those contacts that are not opening your emails or clicking your links anyway (they’ll hurt your deliverability in the long run).

To get clear consent from your list to continue emailing them, you need to send an email which explains:

This is also a great opportunity to remind your prospect of some of the great information, offers or other content you’ve been sending them in the past.

Online Fashion giant ASOS did this quite effectively with their fresh consent email:

In this email you can see a tick next to the current information I am receiving from ASOS – you could do something similar based on tags or lists that you have your contacts on inside your email list.

The “opt me in” button takes me directly to their site where I receive a confirmation that my preference has been updated. This experience is ideal as I don’t have to re-enter any information.

If you do want to send your users to a page where they have to check boxes to confirm the type of marketing they want to receive, try and autocomplete their email as many people will not enter their email again.

Here’s a few things to keep in mind:

Action Steps:

One of the biggest areas of confusion I have seen in the marketing community about GDPR is centred around what you can and can’t do with opt-in forms, lead magnets and landing pages post-GDPR.

Like many areas of GDPR, the waters around this can get a little murky, but I’ll try and clear up some of the common misunderstandings and misconceptions below.

So do you need checkboxes on your landing pages & opt-in forms?

Well, the answer is an annoying “maybe” in my view. It depends on a number of factors, including your proposed grounds for processing what you’re offering on your landing page, the specific wording of your offer, and your process after your prospect enters their email and submits the form.

Let me explain…

When you are sending any follow-up email to a new subscriber, this is all considered “processing” under the GDPR. In order to proceed with any “processing”, you must have a lawful basis for doing so.

This comes in two forms when considering opt-ins:

What is legitimate interest?

I could spend a whole blog post just explaining the concept of legitimate interest, so for the purposes of this post, I’ll try to shorten it. Essentially, It’s the idea that you have a reasonable reason to process the data which someone would reasonably expect, and that is ethical and legal.

Now there is a lot more to it than that, and you can read more about this on the ICO website which includes the full three-part consideration test that you should use to evaluate your legitimate interest reasoning (if you choose to use this as your basis for processing – more on that in a moment).

If you can justify legitimate interest for your grounds for processing, in the case of opt-in forms this means that you may not need a checkbox to conform to GDPR.

What is consent?

The idea of consent is seemingly clearer than the idea of legitimate interest, and yet it is still open to much interpretation.

In terms of GDPR, consent is a clear, affirmative action to give permission to processing.

For the purposes of opt-in forms and landing pages, this could be the action of inputting an email into a form and clicking submit, or it could be checking a box next to confirm agreement to a privacy message or condition under your form. These are all types of consent.

So what does all this mean for your opt-in forms?

Well the first thing to note is, if you can justify legitimate interest as your grounds for processing the data (i.e. collecting it on your opt-in form and then sending up follow-up emails) then this could mean you do not need a checkbox on your forms.

It’s important to note that although it might sound like the easy option here – you do need to have a solid evaluation of your reasoning for legitimate interest and have this well documented in case of any kind of audit or investigation. Not all situations will fit legitimate interest grounds so this shouldn’t be used as a one-size fits all solution.

A few steps to consider if you plan to use legitimate interest as your grounds for processing on opt-in forms:

1. I’d highly recommend you get the GDPR Pack from Suzanne Dibble which includes a legitimate Interest assessment (as mentioned earlier) and review each of your forms/landing pages/opt-ins.
2. Keep a clearly documented record of the outcome and your reasoning for each opt-in in the legitimate interest assessment form (this obviously needs to meet the requirements of legitimate interest to use this)
3. Ensure you review the assessment if you change the nature of your processing in the future
4. Remember that you must give prospects/subscribers the “right to object” at any time – so have clear unsubscribe/opt-out links on all emails and throughout the process. You may also want to highlight this in a privacy message below your forms.
5. You must clearly tell individuals what your grounds for processing is (include this in your privacy policy. You could include some text like “When we offer you reports and other items of value which are offered for free, we are relying on legitimate interest to send you marketing communications”. You should link to this privacy policy in a notice located close to your form (most likely you will place this in notice under your form submit button).
6. Keep all opt-in form wording as clear as possible – make it crystal clear what the individual is subscribing to and what they will be sent after opt-in. It’s advisable to include information that you will send marketing emails (or whatever you plan to do) in copy somewhere on your opt-in form – perhaps in the copy with the privacy link below the submit button.

How to get consent on your opt-in forms

If you’re not comfortable with using legitimate Interest as your grounds for collecting emails and marketing to your audience, you’ll need to rely on the basis of consent.

Using consent as your grounds for processing means that you are seeking a clear affirmative consent from the individual for any data processing you plan to initiate after the opt-in.

Before you immediately think that you need to add a ton of checkboxes below your forms, remember that the act of submitting your opt-in form (entering an email and submitting the form) is a clear affirmative action. So you should consider how you can word the copy around your opt-in form to indicate that your visitor is giving consent through the submission of their email.

For example: Let’s say I had a bonsai tree training business and wanted to send out a newsletter to my audience each week with bonsai news and the occasional promotion. I could potentially use a form like this:

In the headline above the opt-in field I have clearly identified what will happen when the prospect enters their email – in this case they will receive my newsletter. I have also made the button text clear and affirmative as giving consent. I’ve also included a link to my privacy policy below the form and further information on what the subscriber will get including the frequency of my emails.

It could be argued that this form (without any checkboxes) gives a clear affirmative consent. The person who subscribes to this form is clear on what they will receive after opting in.

What is Granularity of consent or bundled consent?

The only potential grey area with an example like above is something the GDPR calls “Granularity of consent”. Ok, I know you’re tired of legal terms and confusion, but bear with me here…

The requirement for Granularity of consent essentially means that if you are asking for permission to do different kinds of processing, you need to have separate consent for each of these. You cannot bundle different permissions together.

So in the example above, I am offering my Bonsai Pro Newsletter which is sent via email weekly. This is ONE consent. Now I also mention in my privacy message that the newsletter will include occasional promotions – I think you *could* argue that this is part of the newsletter, but some people may argue you should obtain separate consent for this (it really depends on your attitude to risk as none of this has been tested in the real world yet).

In other examples, the requirement for separate consent is more clear.

Let’s look at this example from the recent Impacting Millions online course launch by Selena Soo.

In this example, a free video training series is being offered as part of the launch. After opt-in you are directed to the first of three video trainings which are also sent out via email.

The complication comes in the fact that as part of the follow-up after opt-in, you will also be sent marketing emails related to the launch of the new Impacting Millions course.

This follows the standard process used on most landing pages:

1. You give away something of value (in this case a video course).
2. After you’ve built up a relationship with the prospect, you send promotions about your related products and services.

In order to do this and be compliant with GDPR when using consent as the lawful basis for processing, there would need to be some changes to this landing page.

1. We would need to include a privacy policy link and basic privacy reassurance somewhere close to the form (below the form usually works best).
2. We would need to ensure it is clear what the prospect is getting when they initially sign up (add copy above the form to explain what they get by entering their name and email) – this also acts as an affirmative consent for sending this information.
3. If you’re sending follow-up emails or promotions – you would be advised to add a consent checkbox to this below the form.

Here’s how the revised landing page might look:

In our view, this meets the main criteria of the GDPR and should be considered compliant.

So how do you know if your form will be compliant?

Right now it’s difficult to be 100% confident in what constitutes a GDPR compliant form and opt-in process. There are no legal precedents to rely on or refer to yet, so we only have to go by our own interpretation of the GDPR terms.

We can however, follow a few guidelines to try and ensure that our processes are compliant…

1. First consider your grounds for processing individuals’ data (see above). Document your assessment of this and keep detailed records of your reasoning in the case of any audit (particularly if you are using Legitimate Interest as your processing grounds).
2. I’ve said it before – but always think about whether someone would be surprised to be receiving what you are sending them based on what you stated on your landing page/opt-in form. Aim to make your intentions as clear as possible at the start so there is no misunderstanding and you can show you are not trying to mislead any of your prospects.
3. Always use a professional CRM or email marketing service when sending out marketing emails – ensure you have clear unsubscribe/opt-out messaging at the bottom of every email (don’t try to hide this) and ensure there is no delay in someone being removed from your mailings if this is not automated.
4. Remember pre-checked boxes, or required checkboxes are no longer allowed within GDPR, so your boxes need to be 100% optional.
5. Consent from your forms should be tracked – so if you are using checkboxes you need to ensure you can track who said yes or no to your terms and segment these audiences appropriately (e.g. you shouldn’t send marketing emails to someone who didn’t give you consent).
6. Finally consider your attitude to risk when it comes to GDPR. I am not supporting ignoring the rules in any way, but as long as you can show that you can justify your decisions in consideration to all aspects of GDPR and have this well documented then you can mount a strong case in the event of an audit.

As well as helping you understand GDPR with the FAQ’s above, I want to also explain what we’re working on here at OptimizePress to reassure you that we (as a company) will be doing everything we can to comply with GDPR.

This comes in two parts:

Here at OptimizePress, we’ve always been extremely protective over any data that you (as our customers or prospects) have shared with us. You’ll know if you’ve been on any of our lists for any amount of time, we only send valuable content to you that you have agreed to receive, and never blast our lists with offers or anything else disrespectful like that.

With this in mind, we will shortly be updating our privacy policy and cookie policy to reflect our handling of your information in line with GDPR.

As an EU based company, we have evaluated all of the companies we work with where your data may be transferred (such as Amazon servers for our website hosting, or HelpScout as our helpdesk provider). We will be ensuring that any data which is transferred is to these processors covered by adequate privacy provisions as set out within GDPR.

OptimizeLeads Users Data Processing Agreement

In the case of most of the OptimizePress tools Suite, these are self-hosted and we do not interact with any data from your websites. This means you are the controller (in terms of GDPR) and normally your autoresponder is the processor.

However in the case of our OptimizeLeads product, there is a small part of this platform which acts as a “processor” for our users.

This means that for a very brief period, data from your opt-in forms (from your prospects) is stored on our server. This happens because our system uses “queues” which means this data is temporarily stored while we attempt to send it through to the API of the external service e.g. MailChimp, AWeber etc.

We do this to make our platform more efficient, and it also adds a layer of protection in the case of your external service being unavailable, we retry sending the data until the external service is back online (so no subscriber data is lost).

Once the subscriber data is sent to the external service, it is immediately deleted from our platform and servers. In most cases this process happens in a matter of seconds, and we do not log or keep a record of any data sent through our system (for your security).

Because this process makes us a processor for our OptimizeLeads users, we will be making a data processing agreement available for these users in the run up to the GDPR launch. We’ll share more about this when it is ready.

As you’ve probably gathered by now if you’re still reading, some parts of GDPR relate to your collection of prospects and customers data on your website through opt-in forms.

To help you comply with GDPR, our team are working hard to build brand new compliance features into our OptimizePress suite of tools.

Here’s a summary of what we’re currently working on:

Checkboxes on Opt-in Forms for Active Consent

Although it might be argued that you will not always need checkboxes on your forms (see above), we know there are some cases where checkboxes may be required on your opt-in forms.

To help you accomplish this, we are adding the functionality to enable up to 2 checkboxes below your opt-in forms inside OptimizePress & OptimizeLeads. You will be able to define the text next to each checkbox, and checkboxes will NOT be required as per the guidelines of GDPR.

Timescale: Done

Recording Consent

Adding checkboxes to the forms in OptimizePress is relatively easy – the more complex part comes with the additional requirements of GDPR which is the recording of the consent status for each subscriber.

If you have checkboxes on your forms, you are required to track whether or not a box was checked, as well as the wording on each submitted form.

With over 20 individual integrations inside OptimizePress products, this is quite an undertaking. We’re working on ways to pass through the consent information in the most effective way for each provider we integrate with.

This will most likely work in one of two ways (depending on the integration partner):

1. We will pass through consent tags (which you specify) based on a confirmed or declined checkbox.
2. We will pass through a message to custom fields (which you specify) inside your email service provider.

This is important because as well as recording consent, you need to know who has said “yes” to your marketing or follow-up emails so you can segment these subscribers and send them the appropriate follow-up messages.

Intelligent Form Customization

We recognise that many of our non-EU customers want to try and remain compliant with GDPR whilst not affecting their existing marketing activities to other parts of the world. For this reason, we are also developing a unique feature which will allow you to only show opt-in checkboxes to EU visitors if you wish.

I’ll be sharing more about the progress of these features as they are developed, and welcome your comments and questions below on GDPR, our features or anything else OptimizePress!

The all-in-one platform for marketers using WordPress.  100% of this page was built with OptimizePress.

Copyright © 2010-2023 OptimizePress® · All Rights Reserved.   Privacy Policy   ·   Legal Information