OptimizePress & GDPR: A Practical Guide to Compliance

James Dyson

Last Updated: May 19, 2023

Important Disclaimer: This post does not contain legal advice. Any information provided in this post is for information purposes only and should not be deemed as legal advice in any way. Always seek professional legal counsel to ensure you receive advice specific to your business. We will accept no responsibility for costs incurred as a result of using the information presented here. We can’t guarantee that if you follow these steps, you’ll be fully GDPR compliant – you’ll need a lawyer to help determine that.

If you’re operating a business based in the EU, you’re likely to have heard of GDPR by now.

This is a set of new data protection regulations coming into force on 25th May 2018 which set out new conditions for how you collect, process, store and share data. What you may not realise is, no matter where you are located, these new regulations have potential implications for your business.

There’s a lot of confusion, misinformation and misunderstanding around these new regulations, and many business owners are worrying about getting ready in time for the looming deadline.

In this post I will address these new regulations, and how they might impact your business. I’ll also share what we are doing here at OptimizePress to ensure that parts of our software that deal with collecting data (e.g. your opt-in forms and checkouts) are compliant with the new regulations.

But first, stop panicking (Please)

Before you continue with this article, if I can offer one piece of advice regarding GDPR, it is this: do not panic. Even the regulators who are supposed to be policing the new policies have stated they are not ready (see this post), so please don’t stress. It’s highly unlikely the walls are going to come closing in if you haven’t got all your ducks in a row by 25th May.

My aim with this article (and our aim here at OptimizePress) is to help you comply with these regulations whilst minimizing the impact on your business. Take your time to follow through the steps mentioned here and do your own research, consult with a legal professional who is familiar with your business and you should be all good to go.

GDPR – A Practical Guide to Compliance

To help you understand GDPR a little better, I’ve put together this practical guide to GDPR. The aim here is to cover some of the most common questions and misconceptions when it comes to GDPR in relation to marketing and your websites.

Please remember these are my interpretations of the regulations from the research our team here at OptimizePress has conducted, along with feedback from legal experts along the way.

What is GDPR?

GDPR is the General Data Protection Regulation. It replaces the current EU data protection policies and aims to harmonize national data protection laws with a single framework. It comes into effect on 25th May 2018 and will apply directly to all 28 EU member states. Compliance is mandatory for companies controlling and processing personal data of EU residents.

In short, it’s a new set of regulations which you need to comply with if you deal with data of any person within the EU (including prospects and customers on your websites).

Does it apply to your business?

If your business is established inside the EU, you must follow the GDPR regulations for all data that you handle, no matter where the data subject (person) is from. So that means all your customers and prospects, including those outside the EU, are covered by GDPR.

If your business is established outside the EU, you are only required to apply GDPR policies to EU residents. So if you have website visitors from the EU, or you offer goods or services to people from EU countries, you’ll need to ensure you apply GDPR processes when dealing with them.

Quick Note: For our customers located outside the EU, we’ll be including some unique functionality in our OptimizePress updates which will help you target only EU prospects (if you want to) with GDPR related features. More on this later in this post!

What do you need to do to be compliant? (An overview)

Every business is different and there is no one-size fits all process, but there are some key steps you need to consider if GDPR applies to your business.

Step 1: Create or update your Privacy Policy – your website needs a privacy policy which explains how you process the data of your prospects and customers in line with the terms of GDPR.

You should ensure your subscribers and customers are informed of your policy changes and sent a link to this content (this can be combined with sending out fresh consent requests if you need to do that).

If you need a solid privacy policy, I’d recommend the GDPR pack from Suzanne Dibble – the UK’s leading data protection expert. You can purchase the kit here.

Step 2: Update your Cookie Policy – this explains what cookies your website uses.

Step 3: Consider the Existing Lists Consent – consider whether you need to get your existing lists to re-confirm consent for you to send them marketing emails (more on this here).

Step 4: Updating Opt-in Forms – there are updated requirements on what you need to say and do when collecting emails from prospects (more on this later in this guide).

Step 5: Review checkouts and other locations where you collect data – You’ll need to notify your buyers and prospects of your privacy policy and how you handle their data.

Step 6: Implement processes for opt-in and withdrawal of consent – Your data subjects have the right to withdraw consent at any time. You need a process to action this (usually this would be in the form of an unsubscribe link).

Step 7: Planning for data subject requests – Your data subjects (prospects/customers) can request the data you hold on them, as well as requesting removal of this data (in some cases). Make a plan for how you will retrieve this information.

Step 8: Build a Data Inventory – this means documenting anywhere you obtain and process data.

Employee data
Prospect data
Customer data
Applicant data
Type of data
Details why you are processing the data
Time you will retain the data
Anyone who the data is sent to (e.g. Infusionsoft)
Review their safeguards if they are outside the EU (it is your responsibility to ensure that any data you are processing is protected at all stages of the process)

This document will help you in the event of any audit or investigation.

This is only a brief overview of the steps you should start taking towards compliance, and some of these may not apply to you. For a more detailed step-by-step guide, I would highly recommend downloading the free GDPR Checklist here.

Do you need to obtain fresh consent from your existing email list of prospects?

This is (understandably) one of the biggest concerns for marketers when dealing with the introduction of GDPR. You’ve probably received many emails already from companies asking you to resubscribe otherwise you won’t hear from them again after 25th May 2018.

Obtaining fresh consent is an important consideration in your quest for GDPR compliance.


Whether or not you need to obtain fresh consent (i.e. asking your contacts to re-subscribe to your emails) may depend on the original consent you obtained when these contacts joined your list.

You should check the ICO consent checklist to see if your existing methods complied with this. If this is the case, you may not need to obtain fresh consent from these people to communicate with them, but you should send them your updated privacy policy and terms (and make them aware of their ability to opt-out at any time).

It could also be argued that processing of data is done under legitimate interest, as Phil Lee argues in this article. If you do follow this stance, remember you would always need to provide the option to opt-out of these communications.

If existing contacts were not added with consent that is of a GDPR standard, you will need to consider running a fresh consent campaign with these contacts.

Action Steps:

Consider your tolerance to risk vs cost of obtaining fresh consent (e.g. lost subscribers if they do not re-subscribe)
If you have bought a list or not obtained the opt-in yourself through a professional email marketing service with opt-out/unsubscribe messaging, you should definitely seek fresh consent.
Remember if you’re outside the EU, you technically only need to run fresh consent for your EU prospects (provided you can identify them). Check with your individual email service provider/CRM to see if they have steps on how to segment your list by country.

Do you need to obtain fresh consent from your customers list (people who have bought products from you in the past)?

The short answer here is in most cases you should be ok to send marketing emails to existing customers. You can argue that you are communicating with your customers/users on the grounds of legitimate interest (as long as your communications are relevant/related to your main product purchased).

Be aware that this can still be a grey area – if you are emailing customers based on the grounds of “legitimate interest” it’s advisable to complete a legitimate interest assessment and store that safely in the event of an investigation.

Suzanne Dibble’s GDPR pack includes a legitimate interest assessment form template you can complete for this purpose which I highly recommend.

Also be aware here that if you’re planning to email your customers, they should always have been provided with the right to opt-out within each email (through clear unsubscribe links in the footer of your emails).

Action Steps:

If you are using legitimate interest as your grounds for processing you should consider completing a legitimate interest assessment for each type of data. This will prove useful if you are audited in any way.
Ensure any communications you are sending are sent through a professional service with easy unsubscribe links on ALL communications.

How to run a Fresh Consent Campaign

So you’ve decided you need to obtain fresh consent from your list. What is the best way to do this?

Firstly, try not to see this as the end of your email list!

This is a great opportunity to cleanse your list and boost your engagement. Remember you only want people on your list that WANT to hear from you anyway, so think of this as the perfect time to clear out those contacts that are not opening your emails or clicking your links anyway (they’ll hurt your deliverability in the long run).

To get clear consent from your list to continue emailing them, you need to send an email which explains:

What you will be sending them going forward (what content should they expect from you)
Gives a clear option to say YES to further marketing (or whatever you wish to send them)
This consent needs to be trackable inside your CRM/Email service provider
Your email should include a clear link to your (GDPR compliant) privacy policy

This is also a great opportunity to remind your prospect of some of the great information, offers or other content you’ve been sending them in the past.

Online Fashion giant ASOS did this quite effectively with their fresh consent email:


In this email you can see a tick next to the current information I am receiving from ASOS – you could do something similar based on tags or lists that you have your contacts on inside your email list.

The “opt me in” button takes me directly to their site where I receive a confirmation that my preference has been updated. This experience is ideal as I don’t have to re-enter any information.

If you do want to send your users to a page where they have to check boxes to confirm the type of marketing they want to receive, try and autocomplete their email as many people will not enter their email again.

Here’s a few things to keep in mind:

Be completely clear and transparent about what you will be sending in your future emails. Try and make this as enticing and interesting as possible
Technically you should obtain separate consent for each different type of email you will be sending, but most emails I have received have so far focused on re-subscribing me to their email newsletter which is quite broad and wide-ranging but probably allows enough movement for them to send promotions as well as value-packed content emails.
You might consider offering a “Yes” or “No” option on your email. There’s some potential psychological effect to giving people a yes and no option as it makes them feel like they must make a choice, versus just providing one button where they are more likely to close this email and are not pushed into making a decision. Air New Zealand did this on their fresh consent email:

Action Steps:

(If you’re outside the EU) First, identify & segment those prospects who are within the EU. This might be tricky depending on the information you have from signup but if your autoresponder tracks location you may be able to determine this.
Remember that you’re [most likely] to be covered by grounds of legitimate interest for customers (not prospects) so exclude these from any fresh consent campaign if you are comfortable that legitimate interest grounds cover your reason for emailing.
Try and make the process of resubscribing as frictionless as possible. Sending out an email with one button the individual needs to click is the ideal experience.

How to set up opt-in forms to be GDPR compliant (and do you need consent checkboxes)?

One of the biggest areas of confusion I have seen in the marketing community about GDPR is centred around what you can and can’t do with opt-in forms, lead magnets and landing pages post-GDPR.

Like many areas of GDPR, the waters around this can get a little murky, but I’ll try and clear up some of the common misunderstandings and misconceptions below.

So do you need checkboxes on your landing pages & opt-in forms?

Well, the answer is an annoying “maybe” in my view. It depends on a number of factors, including your proposed grounds for processing, what you’re offering on your landing page, the specific wording of your offer, and your process after your prospect enters their email and submits the form.

Let me explain…

When you are sending any follow-up email to a new subscriber, this is all considered “processing” under the GDPR. In order to proceed with any “processing”, you must have a lawful basis for doing so.

This comes in two forms when considering opt-ins:

Consent
Legitimate Interest (you can read more about this on the ICO website here)

What is legitimate interest?

I could spend a whole blog post just explaining the concept of legitimate interest, so for the purposes of this post, I’ll try to shorten it. Essentially, it’s the idea that you have a justifiable reason to process the data, one which someone would reasonably expect and that is ethical and legal.

Now there is a lot more to it than that, and you can read more about this on the ICO website which includes the full three-part consideration test that you should use to evaluate your legitimate interest reasoning (if you choose to use this as your basis for processing – more on that in a moment).

If you can justify legitimate interest for your grounds for processing, in the case of opt-in forms this means that you may not need a checkbox to conform to GDPR.

What is consent?

The idea of consent is seemingly clearer than the idea of legitimate interest, and yet it is still open to much interpretation.

In terms of GDPR, consent is a clear, affirmative action to give permission to processing.

For the purposes of opt-in forms and landing pages, this could be the action of inputting an email into a form and clicking submit, or it could be checking a box to confirm agreement to a privacy message or condition under your form. These are all types of consent.

So what does all this mean for your opt-in forms?

Well, the first thing to note is that if you can justify legitimate interest as your grounds for processing the data (i.e. collecting it on your opt-in form and then sending follow-up emails), then this could mean you do not need a checkbox on your forms.

It’s important to note that although it might sound like the easy option here – you do need to have a solid evaluation of your reasoning for legitimate interest and have this well documented in case of any kind of audit or investigation. Not all situations will fit legitimate interest grounds so this shouldn’t be used as a one-size fits all solution.

A few steps to consider if you plan to use legitimate interest as your grounds for processing on opt-in forms:

  1. I’d highly recommend you get the GDPR Pack from Suzanne Dibble, which includes a legitimate interest assessment (as mentioned earlier), and review each of your forms/landing pages/opt-ins.
  2. Keep a clearly documented record of the outcome and your reasoning for each opt-in in the legitimate interest assessment form (this obviously needs to meet the requirements of legitimate interest to use this)
  3. Ensure you review the assessment if you change the nature of your processing in the future
  4. Remember that you must give prospects/subscribers the “right to object” at any time – so have clear unsubscribe/opt-out links on all emails and throughout the process. You may also want to highlight this in a privacy message below your forms.
  5. You must clearly tell individuals what your grounds for processing are (include this in your privacy policy). You could include some text like “When we offer you reports and other items of value which are offered for free, we are relying on legitimate interest to send you marketing communications”. You should link to this privacy policy in a notice located close to your form (most likely you will place this in a notice under your form submit button).
  6. Keep all opt-in form wording as clear as possible – make it crystal clear what the individual is subscribing to and what they will be sent after opt-in. It’s advisable to include information that you will send marketing emails (or whatever you plan to do) in copy somewhere on your opt-in form – perhaps in the copy with the privacy link below the submit button.

How to get consent on your opt-in forms

If you’re not comfortable with using legitimate interest as your grounds for collecting emails and marketing to your audience, you’ll need to rely on the basis of consent.

Using consent as your grounds for processing means that you are seeking a clear affirmative consent from the individual for any data processing you plan to initiate after the opt-in.

Before you immediately think that you need to add a ton of checkboxes below your forms, remember that the act of submitting your opt-in form (entering an email and submitting the form) is a clear affirmative action. So you should consider how you can word the copy around your opt-in form to indicate that your visitor is giving consent through the submission of their email.

For example: Let’s say I had a bonsai tree training business and wanted to send out a newsletter to my audience each week with bonsai news and the occasional promotion. I could potentially use a form like this:


In the headline above the opt-in field I have clearly identified what will happen when the prospect enters their email – in this case they will receive my newsletter. I have also made the button text clear and affirmative as giving consent. I’ve also included a link to my privacy policy below the form and further information on what the subscriber will get including the frequency of my emails.

It could be argued that this form (without any checkboxes) gives a clear affirmative consent. The person who subscribes to this form is clear on what they will receive after opting in.

What is Granularity of consent or bundled consent?

The only potential grey area with an example like above is something the GDPR calls “Granularity of consent”. Ok, I know you’re tired of legal terms and confusion, but bear with me here…

The requirement for Granularity of consent essentially means that if you are asking for permission to do different kinds of processing, you need to have separate consent for each of these. You cannot bundle different permissions together.

So in the example above, I am offering my Bonsai Pro Newsletter which is sent via email weekly. This is ONE consent. Now I also mention in my privacy message that the newsletter will include occasional promotions – I think you *could* argue that this is part of the newsletter, but some people may argue you should obtain separate consent for this (it really depends on your attitude to risk as none of this has been tested in the real world yet).

In other examples, the requirement for separate consent is more clear.

Let’s look at this example from the recent Impacting Millions online course launch by Selena Soo.


In this example, a free video training series is being offered as part of the launch. After opt-in you are directed to the first of three video trainings which are also sent out via email.

The complication comes in the fact that as part of the follow-up after opt-in, you will also be sent marketing emails related to the launch of the new Impacting Millions course.

This follows the standard process used on most landing pages:

  1. You give away something of value (in this case a video course).
  2. After you’ve built up a relationship with the prospect, you send promotions about your related products and services.

In order to do this and be compliant with GDPR when using consent as the lawful basis for processing, there would need to be some changes to this landing page.

  1. We would need to include a privacy policy link and basic privacy reassurance somewhere close to the form (below the form usually works best).
  2. We would need to ensure it is clear what the prospect is getting when they initially sign up (add copy above the form to explain what they get by entering their name and email) – this also acts as an affirmative consent for sending this information.
  3. If you’re sending follow-up emails or promotions – you would be advised to add a consent checkbox to this below the form.

Here’s how the revised landing page might look:


In our view, this meets the main criteria of the GDPR and should be considered compliant.

So how do you know if your form will be compliant?

Right now it’s difficult to be 100% confident in what constitutes a GDPR compliant form and opt-in process. There are no legal precedents to rely on or refer to yet, so we only have our own interpretation of the GDPR terms to go by.

We can, however, follow a few guidelines to try and ensure that our processes are compliant…

  1. First consider your grounds for processing individuals’ data (see above). Document your assessment of this and keep detailed records of your reasoning in the case of any audit (particularly if you are using Legitimate Interest as your processing grounds).
  2. I’ve said it before – but always think about whether someone would be surprised to be receiving what you are sending them based on what you stated on your landing page/opt-in form. Aim to make your intentions as clear as possible at the start so there is no misunderstanding and you can show you are not trying to mislead any of your prospects.
  3. Always use a professional CRM or email marketing service when sending out marketing emails – ensure you have clear unsubscribe/opt-out messaging at the bottom of every email (don’t try to hide this) and ensure there is no delay in someone being removed from your mailings if this is not automated.
  4. Remember pre-checked boxes, or required checkboxes are no longer allowed within GDPR, so your boxes need to be 100% optional.
  5. Consent from your forms should be tracked – so if you are using checkboxes you need to ensure you can track who said yes or no to your terms and segment these audiences appropriately (e.g. you shouldn’t send marketing emails to someone who didn’t give you consent).
  6. Finally consider your attitude to risk when it comes to GDPR. I am not supporting ignoring the rules in any way, but as long as you can show that you can justify your decisions in consideration to all aspects of GDPR and have this well documented then you can mount a strong case in the event of an audit.

OptimizePress GDPR Product Readiness

As well as helping you understand GDPR with the FAQs above, I also want to explain what we’re working on here at OptimizePress to reassure you that we (as a company) will be doing everything we can to comply with GDPR.

This comes in two parts:

Our own compliance in terms of our policies and handling of your data
Updating our products to help your websites comply with GDPR

Our Own Compliance

Here at OptimizePress, we’ve always been extremely protective over any data that you (as our customers or prospects) have shared with us. You’ll know if you’ve been on any of our lists for any amount of time, we only send valuable content to you that you have agreed to receive, and never blast our lists with offers or anything else disrespectful like that.

With this in mind, we will shortly be updating our privacy policy and cookie policy to reflect our handling of your information in line with GDPR.

As an EU based company, we have evaluated all of the companies we work with where your data may be transferred (such as Amazon servers for our website hosting, or HelpScout as our helpdesk provider). We will be ensuring that any data which is transferred to these processors is covered by adequate privacy provisions as set out within GDPR.

OptimizeLeads Users Data Processing Agreement

Most of the OptimizePress suite of tools is self-hosted, and we do not interact with any data from your websites. This means you are the controller (in terms of GDPR) and normally your autoresponder is the processor.

However, in the case of our OptimizeLeads product, there is a small part of this platform which acts as a “processor” for our users.

This means that for a very brief period, data from your opt-in forms (from your prospects) is stored on our server. This happens because our system uses “queues” which means this data is temporarily stored while we attempt to send it through to the API of the external service e.g. MailChimp, AWeber etc.

We do this to make our platform more efficient, and it also adds a layer of protection: if your external service is unavailable, we retry sending the data until the external service is back online (so no subscriber data is lost).

Once the subscriber data is sent to the external service, it is immediately deleted from our platform and servers. In most cases this process happens in a matter of seconds, and we do not log or keep a record of any data sent through our system (for your security).

Because this process makes us a processor for our OptimizeLeads users, we will be making a data processing agreement available for these users in the run up to the GDPR launch. We’ll share more about this when it is ready.

Helping You Comply with GDPR

As you’ve probably gathered by now if you’re still reading, some parts of GDPR relate to your collection of prospects and customers data on your website through opt-in forms.

To help you comply with GDPR, our team are working hard to build brand new compliance features into our OptimizePress suite of tools.

Here’s a summary of what we’re currently working on:

Checkboxes on Opt-in Forms for Active Consent

Although it might be argued that you will not always need checkboxes on your forms (see above), we know there are some cases where checkboxes may be required on your opt-in forms.

To help you accomplish this, we are adding the functionality to enable up to 2 checkboxes below your opt-in forms inside OptimizePress & OptimizeLeads. You will be able to define the text next to each checkbox, and checkboxes will NOT be required as per the guidelines of GDPR.

Timescale: Done

Recording Consent

Adding checkboxes to the forms in OptimizePress is relatively easy – the more complex part comes with the additional requirement of GDPR, which is recording the consent status for each subscriber.

If you have checkboxes on your forms, you are required to track whether or not a box was checked, as well as the wording on each submitted form.

With over 20 individual integrations inside OptimizePress products, this is quite an undertaking. We’re working on ways to pass through the consent information in the most effective way for each provider we integrate with.

This will most likely work in one of two ways (depending on the integration partner):

  1. We will pass through consent tags (which you specify) based on a confirmed or declined checkbox.
  2. We will pass through a message to custom fields (which you specify) inside your email service provider.

This is important because as well as recording consent, you need to know who has said “yes” to your marketing or follow-up emails so you can segment these subscribers and send them the appropriate follow-up messages.
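One way the consent recording described above could work, as an added example rather than OptimizePress code: it refuses pre-checked or required checkboxes, stores each box's wording with the decision, and produces both the tag output and the custom-field output. The form layout, field names, tag names and record shape are all assumptions made for illustration.

```javascript
// Added illustration, not OptimizePress code. The form layout, field names,
// tag names and record shape are assumptions made for this example.

const MAX_CHECKBOXES = 2; // the article describes up to 2 checkboxes per form

// Constructed sample form definition, as a site owner might configure it.
const FORM = {
  id: "bonsai-newsletter",
  checkboxes: [
    {
      name: "consent_newsletter",
      label: "Send me the weekly Bonsai Pro Newsletter",
      tags: { yes: "consent-newsletter-yes", no: "consent-newsletter-no" },
    },
    {
      name: "consent_promos",
      label: "Send me occasional promotions",
      tags: { yes: "consent-promos-yes", no: "consent-promos-no" },
    },
  ],
};

// Reject form definitions that could not produce valid consent:
// too many boxes, pre-checked boxes, required boxes, or missing wording.
function validateFormDefinition(form) {
  const errors = [];
  if (form.checkboxes.length > MAX_CHECKBOXES) {
    errors.push(`more than ${MAX_CHECKBOXES} checkboxes`);
  }
  for (const box of form.checkboxes) {
    if (box.checked) errors.push(`${box.name}: pre-checked`);
    if (box.required) errors.push(`${box.name}: required`);
    if (!box.label || !box.label.trim()) errors.push(`${box.name}: no wording`);
  }
  return errors;
}

// Build one consent record from a submitted form. Browsers omit unchecked
// checkboxes from the POST body and send "on" for a checked box that has no
// value attribute, so anything other than the exact string "on" is a "no".
function buildConsentRecord(form, submission, now) {
  return {
    formId: form.id,
    email: submission.email,
    recordedAt: now.toISOString(),
    decisions: form.checkboxes.map((box) => {
      const granted = submission[box.name] === "on";
      return {
        name: box.name,
        wording: box.label, // wording shown at submission time, kept verbatim
        granted,
        tag: granted ? box.tags.yes : box.tags.no,
      };
    }),
  };
}

// Mode 1: one consent tag per checkbox, for a confirmed or declined box.
function toTags(record) {
  return record.decisions.map((d) => d.tag);
}

// Mode 2: one custom-field message per checkbox.
function toCustomFields(record) {
  const fields = {};
  for (const d of record.decisions) {
    const verdict = d.granted ? "confirmed" : "declined";
    fields[d.name] = `${verdict} on ${record.recordedAt}: "${d.wording}"`;
  }
  return fields;
}

// Segmentation check before sending: only an explicit "yes" counts.
function maySend(record, checkboxName) {
  const d = record.decisions.find((x) => x.name === checkboxName);
  return Boolean(d && d.granted);
}

// Constructed submission: newsletter box ticked, promotions box left empty.
const sample = buildConsentRecord(
  FORM,
  { email: "subscriber@example.com", consent_newsletter: "on" },
  new Date("2018-05-25T09:00:00Z")
);
console.log(toTags(sample));
console.log(toCustomFields(sample));
```

Keeping the wording inside each record means a later edit to the checkbox text does not change what earlier subscribers are recorded as having agreed to.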

Intelligent Form Customization

We recognise that many of our non-EU customers want to try and remain compliant with GDPR whilst not affecting their existing marketing activities to other parts of the world. For this reason, we are also developing a unique feature which will allow you to only show opt-in checkboxes to EU visitors if you wish.

I’ll be sharing more about the progress of these features as they are developed, and welcome your comments and questions below on GDPR, our features or anything else OptimizePress!

    39 replies to "OptimizePress & GDPR: A Practical Guide to Compliance [UPDATED]"

    • Carlos

      The GDPR options on the Optimizepress Plugin seem to have a lot of issues. I spent a great deal of time trying to set it up as you can see on this video to no avail. So if any of you guys are having similar issues please report it to the tech support guy. Maybe after hearing it from a few of us he will look into it with an open mind that it may be a bug on the app (Note: bug is a funny term used by tech guys that refers usually to an error made by the programmer).


    • Alex

      What happens with Google Fonts & Optimizepress? How can we solve this issue?

    • Rob

      Can you confirm which version of OptimizePress the GDPR options will be in? I have V2.153

      • David Frosdick

        Did you try the “label span, legend span” CSS options? I’ve not tested this myself but it might work for now.

    • Travis Roesler

      Guys, am I taking crazy pills? The new forms aren’t GDPR compliant whatsoever… if the “I agree to the Privacy Policy” is not REQUIRED to be checked, then the user is not agreeing, and his data is still being taken and tracked. In its current form, you’re going to get us fined 2% of our yearly income. If the box is NOT CHECKED, they should be getting a pop up that says, “Hey… you need to agree to the Privacy Policy to continue”. Right now, that is not happening. Please fix this.

    • Andrea

      Ok for the Checkbox for optin, but how to register the user’s consent or the fact that flag the checkbox? Please Help Me. We use GetResponse as autoresponder and I see in the document that there isn’t

      • David Frosdick

        Hey Ryan! Thanks for stopping by. Always a pleasure to have you grace us with your presence 🙂

        Thanks for the feature request. We’ll look into those. Emojis might be an option at server level character encoding set. I’ll dig around for that. Also there might be a plugin that supports it inside form fields. Obviously it’s in WordPress as we can use it here 🙂

    • Ryan Robinson

      Oh! and #3… how about the ability to change the text color? The optin right at the top of my homepage has a colored background, so the black text gets washed out quite a lot 🙁

    • Ryan Robinson

      Hey guys! Awesome as per usual. Two pertinent questions for you.

      1. Will there be (or is there) the ability to control the order/placement of where the checkbox is within an opt-in? For example, I’d love to place the checkbox above the CTA button so that more people actually read it and consider opting in for additional content.

      2. Could you guys please add emoji support to the text field for the privacy notice? Hoping to add an emoji there to make it stand out more to readers and encourage more people to consider opting in. When I pop an emoji in there now, it just throws me a bunch of ?????? after updating the live page.

      Thanks for the all around fantastic update guys! 🙂

    • Gregor

      Great content!
      Is the data processing agreement ready for us to sign and download?

      • David Frosdick

        Hey Marc, OptimizeMember is a plugin of OptimizePress. You would make sure your own site is compliant. OptimizeMember would only use the registration forms of WordPress.

        • James Dyson

          That was a typo Peter! It now reads “We will not sell your information to third parties…”

    • Marc

      Hey, great summary! What about OptimizeMember, is this also GDPR-compliant? Need to know that soon since I have secured my membership area with the help of OP member 🙂

    • Marco Bisterzo

      Hi, I live in Italy and so, sorry for my bad English.

      Here is time 10:04 PM of 23 May.

      I write for Checkbox GDPR compliant, news for this?

      Another day and game over.

      Thanks for your answer,

    • Mauro

      Thanks a lot,
      this is a very useful feature. By the way, may I ask you in which way I can investigate in case of customer complaints?
      Is there any log that can be used as proof of a previously ticked optin as a response to the specific GDPR disclaimer?

      • David Frosdick

        Hey Amy. GDPR does state that you can’t force consent to marketing emails.

        However some people say entering your name and email is enough consent… (no check box needed).

        I would suggest using double optin for all lists and make it clear what your emails are about. Double should be enough consent to allow you to followup emails.

        Again, don’t quote me on this. It’s not legal advice. If people want your email they’ll have no problem agreeing to your policies and giving consent.

        • David Frosdick

          Hey Mauro,

          When the checkbox is ticked and submitted it will add the info as a tag or custom field in your email provider. This could act as a log for proof if ever needed.

    • Amy

      We’re an online retailer in the UK and I’m wondering if we need to get re-consent. When customers placed the order the tick box to subscribe to the mailing list was pre-ticked. Plus any eBay sales were automatically added to the mailing list as there’s no way to give them an opt in at the time of placing an order. So do I need to get re-consent? Or can I conclude that because they placed an order they have shown legitimate interest?


    • Peter

      “We will sell your information to third parties”, as you wrote in the Selina Soo example, is probably not risky, but what customer would want to sign this? So I’m hoping it’s just a typo and not a suggestion.

    • Sandra

      Thank you! I’m looking forward to seeing the updates so I can make my optin forms GDPR compliant.

      • David Frosdick

        No problem!

        • David Frosdick

          As above, some people are saying placing an order is enough consent to receive emails. I’ve read some privacy policies recently that read exactly that. Did your policy state this?

          However that said, if the boxes were pre-ticked it’s not like they had a choice.

          If you have been emailing those people regularly they would have unsubscribed by now if you made it easy to do so.

          For future orders you should follow up with an email asking if they want to join your email list and receive future offers, promotions and news etc.

          In that follow up email you have big buttons saying “Yes Join” or “Yes I Give Consent”

          So the process is:
          Customer places order > Receives service/order emails > You add to mailing list software > Send email asking for consent to.

    • Amy

      Thank you. I have a few customers in Europe, randomly, and am based in the US. Couldn’t I have a special double opt-in type message that goes to only European IP addresses that says they understand they will be getting the following emails from me and they need to click the link to proceed? If they don’t confirm their opt-in, then they aren’t approved to get emails. I hate making the checkbox form required for my big majority of US customers.

    • Andrea Feinberg

      Thank you; this was clear and comprehensive 🌺

      • David Frosdick

        Hi David, thanks for your input.

        1. Not sure if there’s a question here or just a rant? 🙂
        2. If someone has given you consent to send them marketing emails then you can email them. I’m sure if you’ve had double optin enabled prior to GDPR that can be classed as consent.

        This is not legal advice.

        I believe if you have a clear policy, explain how you store data, what companies you use, how you track data and you make it easy for someone to contact you to request data/request removal of data, then you are being transparent enough.

        Make it easy for people to unsubscribe from all your emails.

        If you run an ethical business and show how you use data you have nothing to worry about. Let’s see what happens over the next few months.

    • Beatriz Falero

      Thank you. I’ll wait for the new forms

    • David

      First of all: thank you for this overview.

      Here are some thoughts:

      1) While you provided us with great details about what has to happen on the *front* end, what needs to happen on the *back* end was only mentioned as a side note (you link to a GDPR package, and you state above “Step 7: Build a Data Inventory – this means anywhere you obtain and process data”). Maybe I am wrong, but since I am actually working on GDPR compliance with an expert (a certified data protection officer), I do know that the documentation part on the backend is quite the undertaking! So, here’s my personal take: In order to be on the safe side, I guess it’s only the second best option to do that based on a package you can buy, because you will have questions, no doubt. Who will answer these? The person that sold the package? If so, good, if not: not good. Because how will you know then that you are truly compliant? Either way: the amount of work that goes into documenting your processes will take time (meaning: you need to think about where you get in touch with personal data, and then you have to *document* it (as in: write down), so you can show that in case of an audit). It’s questionable, of course, if and when you’ll ever be subject to such an audit, but who knows… So, for sure, getting the frontend aspects up and running may seem to have the highest priority, but for the sake of all those business owners out there, I wish there’d be more emphasis on stressing the documentation part – because I believe many people are simply not aware of it, or of its full scope.

      2) Regarding being specific what you want to send people: Can’t I simply write that they will be contacted by me via email? This would then include everything.

      3) I do agree with the aspect of this being a chance to cleanse our email lists.

      Best regards

    • Sarah Marie

      Really useful article – thanks guys! Now need to get started on implementing all this

      • Shannon

        Thank you James – this is so helpful!

        • David Frosdick

          Hi Alex, please contact our support team for that one 🙂

          • esther

            What is that plugin? Has it additional cost? And how can I put the link to redirect to my privacy policy page?

            • David Frosdick

              Hey Carlos, have you reached out to our support team about this. I’m sure they can assist.
