James Dyson
Last Updated: May 19, 2023
To help you understand GDPR a little better, we have put together this practical guide to GDPR. The aim here is to cover some of the most common questions and misconceptions when it comes to GDPR in relation to marketing and your websites.
Important Disclaimer: This post does not contain legal advice. Any information provided in this post is for information purposes only and should not be deemed as legal advice in any way. Always seek professional legal counsel to ensure you receive advice specific to your business. We will accept no responsibility for costs incurred as a result of using the information presented here. We can’t guarantee that if you follow these steps, you’ll be fully GDPR compliant – you’ll need a lawyer to help determine that.
If you’re operating a business based in the EU, you’re likely to have heard of GDPR by now.
This is a set of new data protection regulations coming into force on 25th May 2018 which set out new conditions for how you collect, process, store and share data. What you may not realise is, no matter where you are located, these new regulations have potential implications for your business.
There’s a lot of confusion, misinformation and misunderstanding around these new regulations, and many business owners are worrying about getting ready in time for the looming deadline.
In this post I will address these new regulations, and how they might impact your business. I’ll also share what we are doing here at OptimizePress to ensure that parts of our software that deal with collecting data (e.g. your opt-in forms and checkouts) are compliant with the new regulations.
But first, stop panicking (Please)
Before you continue with this article, if I can offer one piece of advice regarding GDPR, it is do not panic. Even the regulators who are supposed to be policing the new policies have stated they are not ready (see this post) so please don’t stress as it’s highly unlikely the walls are going to come closing in if you haven’t got all your ducks in a row by 25th May.
My aim with this article (and our aim here at OptimizePress) is to help you comply with these regulations whilst minimizing the impact on your business. Take your time to follow through the steps mentioned here and do your own research, consult with a legal professional who is familiar with your business and you should be all good to go.
Please remember these are my interpretations of the regulations from the research our team here at OptimizePress has conducted, along with feedback from legal experts along the way.
GDPR is the General Data Protection Regulation. It replaces the current EU data protection policies and aims to harmonize national data protection laws with a single framework. It comes into effect on 25th May 2018 and will apply directly to all 28 EU member states. Compliance is mandatory for companies controlling and processing personal data of EU residents.
In short, it’s a new set of regulations which you need to comply with if you deal with data of any person within the EU (including prospects and customers on your websites).
If your business is established inside the EU, you must follow the GDPR regulations for all data that you handle, no matter where the data subject (person) is from. So that means all your customers and prospects, including those outside the EU, are covered by GDPR.
If your business is established outside the EU, you are only required to apply GDPR policies to EU residents. So if you have website visitors from the EU, or you offer goods or services to people from EU countries, you’ll need to ensure you apply GDPR processes when dealing with them.
Quick Note: For our customers located outside the EU, we’ll be including some unique functionality in our OptimizePress updates which will help you target only EU prospects (if you want to) with GDPR related features. More on this later in this post!
Every business is different and there is no one-size fits all process, but there are some key steps you need to consider if GDPR applies to your business.
Step 1: Create or update your Privacy Policy – your website needs a privacy policy which explains how you process the data of your prospects and customers in line with the terms of GDPR.
You should ensure your subscribers and customers are informed of your policy changes and sent a link to this content (this can be combined with sending out fresh consent requests if you need to do that).
If you need a solid privacy policy, I’d recommend the GDPR pack from Suzanne Dibble – the UK’s leading data protection expert. You can purchase the kit here.
Step 2: Update your Cookie Policy – this explains what cookies your website uses.
Step 3: Consider the Existing Lists Consent – consider whether you need to get your existing lists to re-confirm consent for you to send them marketing emails (more on this here)
Step 4: Updating Opt-in Forms – there are updated requirements on what you need to say and do when collecting emails from prospects (more on this later in this guide).
Step 5: Review checkouts and other locations where you collect data – You’ll need to notify your buyers and prospects of your privacy policy and how you handle their data
Step 6: Implement processes for optin and withdrawal of consent – Your data subjects have the right to withdraw consent at any time. You need a process to action this (usually this would be in the form of an unsubscribe link)
Step 7: Planning for data subject requests – Your data subjects (prospects/customers) can request the data you hold on them, as well as requesting removal of this data (in some cases). Make a plan for how you will retrieve this information.
Step 8: Build a Data Inventory – this means documenting anywhere you obtain and process data. This document will help you in the event of any audit or investigation.
This is only a brief overview of the steps you should start taking to compliance, and some of these may not apply to you. For a more detailed step by step, I would highly recommend downloading the free GDPR Checklist here.
This is (understandably) one of the biggest concerns for marketers when dealing with the introduction of GDPR. You’ve probably received many emails already from companies asking you to resubscribe otherwise you won’t hear from them again after 25th May 2018.
Obtaining fresh consent is an important consideration in your quest for GDPR compliance.
Whether or not you need to obtain fresh consent (i.e. asking your contacts to re-subscribe to your emails) may depend on the original consent you obtained when these contacts joined your list.
You should check the ICO consent checklist to see if your existing methods complied with this. If this is the case, you may not need to obtain fresh consent from these people to communicate with them, but you should send them your updated privacy policy and terms (and make them aware of their ability to opt-out at any time).
It could also be argued that processing of data is done under legitimate interest, as Phil Lee argues in this article. If you do follow this stance, remember you would always need to provide the option to opt-out of these communications.
If existing contacts were not added with consent that is of a GDPR standard, you will need to consider running a fresh consent campaign with these contacts.
Action Steps:
The short answer here is in most cases you should be ok to send marketing emails to existing customers. You can argue that you are communicating with your customers/users on the grounds of legitimate interest (as long as your communications are relevant/related to your main product purchased).
Be aware that this can still be a grey area – if you are emailing customers based on the grounds of “legitimate interest” it’s advisable to complete a legitimate interest assessment and store that safely in the event of an investigation.
Suzanne Dibble’s GDPR pack includes a legitimate interest assessment form template you can complete for this purpose which I highly recommend.
Also be aware here that if you’re planning to email your customers, they should always have been provided with the right to opt-out within each email (through clear unsubscribe links in the footer of your emails).
Action Steps:
So you’ve decided you need to obtain fresh consent from your list. What is the best way to do this?
Firstly, try not to see this as the end of your email list!
This is a great opportunity to cleanse your list and boost your engagement. Remember you only want people on your list that WANT to hear from you anyway, so think of this as the perfect time to clear out those contacts that are not opening your emails or clicking your links anyway (they’ll hurt your deliverability in the long run).
To get clear consent from your list to continue emailing them, you need to send an email which explains:
This is also a great opportunity to remind your prospect of some of the great information, offers or other content you’ve been sending them in the past.
Online Fashion giant ASOS did this quite effectively with their fresh consent email:
In this email you can see a tick next to the current information I am receiving from ASOS – you could do something similar based on tags or lists that you have your contacts on inside your email list.
The “opt me in” button takes me directly to their site where I receive a confirmation that my preference has been updated. This experience is ideal as I don’t have to re-enter any information.
If you do want to send your users to a page where they have to check boxes to confirm the type of marketing they want to receive, try and autocomplete their email as many people will not enter their email again.
Here’s a few things to keep in mind:
Action Steps:
One of the biggest areas of confusion I have seen in the marketing community about GDPR is centred around what you can and can’t do with opt-in forms, lead magnets and landing pages post-GDPR.
Like many areas of GDPR, the waters around this can get a little murky, but I’ll try and clear up some of the common misunderstandings and misconceptions below.
So do you need checkboxes on your landing pages & opt-in forms?
Well, the answer is an annoying “maybe” in my view. It depends on a number of factors, including your proposed grounds for processing what you’re offering on your landing page, the specific wording of your offer, and your process after your prospect enters their email and submits the form.
Let me explain…
When you are sending any follow-up email to a new subscriber, this is all considered “processing” under the GDPR. In order to proceed with any “processing”, you must have a lawful basis for doing so.
This comes in two forms when considering opt-ins:
What is legitimate interest?
I could spend a whole blog post just explaining the concept of legitimate interest, so for the purposes of this post, I’ll try to shorten it. Essentially, it’s the idea that you have a reasonable reason to process the data which someone would reasonably expect, and that is ethical and legal.
Now there is a lot more to it than that, and you can read more about this on the ICO website which includes the full three-part consideration test that you should use to evaluate your legitimate interest reasoning (if you choose to use this as your basis for processing – more on that in a moment).
If you can justify legitimate interest for your grounds for processing, in the case of opt-in forms this means that you may not need a checkbox to conform to GDPR.
What is consent?
The idea of consent is seemingly clearer than the idea of legitimate interest, and yet it is still open to much interpretation.
In terms of GDPR, consent is a clear, affirmative action to give permission to processing.
For the purposes of opt-in forms and landing pages, this could be the action of inputting an email into a form and clicking submit, or it could be checking a box to confirm agreement to a privacy message or condition under your form. These are all types of consent.
So what does all this mean for your opt-in forms?
Well, the first thing to note is, if you can justify legitimate interest as your grounds for processing the data (i.e. collecting it on your opt-in form and then sending follow-up emails) then this could mean you do not need a checkbox on your forms.
It’s important to note that although it might sound like the easy option here – you do need to have a solid evaluation of your reasoning for legitimate interest and have this well documented in case of any kind of audit or investigation. Not all situations will fit legitimate interest grounds so this shouldn’t be used as a one-size fits all solution.
A few steps to consider if you plan to use legitimate interest as your grounds for processing on opt-in forms:
How to get consent on your opt-in forms
If you’re not comfortable with using legitimate Interest as your grounds for collecting emails and marketing to your audience, you’ll need to rely on the basis of consent.
Using consent as your grounds for processing means that you are seeking a clear affirmative consent from the individual for any data processing you plan to initiate after the opt-in.
Before you immediately think that you need to add a ton of checkboxes below your forms, remember that the act of submitting your opt-in form (entering an email and submitting the form) is a clear affirmative action. So you should consider how you can word the copy around your opt-in form to indicate that your visitor is giving consent through the submission of their email.
For example: Let’s say I had a bonsai tree training business and wanted to send out a newsletter to my audience each week with bonsai news and the occasional promotion. I could potentially use a form like this:
In the headline above the opt-in field I have clearly identified what will happen when the prospect enters their email – in this case they will receive my newsletter. I have also made the button text clear and affirmative as giving consent. I’ve also included a link to my privacy policy below the form and further information on what the subscriber will get including the frequency of my emails.
It could be argued that this form (without any checkboxes) gives a clear affirmative consent. The person who subscribes to this form is clear on what they will receive after opting in.
What is Granularity of consent or bundled consent?
The only potential grey area with an example like above is something the GDPR calls “Granularity of consent”. Ok, I know you’re tired of legal terms and confusion, but bear with me here…
The requirement for Granularity of consent essentially means that if you are asking for permission to do different kinds of processing, you need to have separate consent for each of these. You cannot bundle different permissions together.
So in the example above, I am offering my Bonsai Pro Newsletter which is sent via email weekly. This is ONE consent. Now I also mention in my privacy message that the newsletter will include occasional promotions – I think you *could* argue that this is part of the newsletter, but some people may argue you should obtain separate consent for this (it really depends on your attitude to risk as none of this has been tested in the real world yet).
In other examples, the requirement for separate consent is more clear.
Let’s look at this example from the recent Impacting Millions online course launch by Selena Soo.
In this example, a free video training series is being offered as part of the launch. After opt-in you are directed to the first of three video trainings which are also sent out via email.
The complication comes in the fact that as part of the follow-up after opt-in, you will also be sent marketing emails related to the launch of the new Impacting Millions course.
This follows the standard process used on most landing pages:
In order to do this and be compliant with GDPR when using consent as the lawful basis for processing, there would need to be some changes to this landing page.
Here’s how the revised landing page might look:
In our view, this meets the main criteria of the GDPR and should be considered compliant.
So how do you know if your form will be compliant?
Right now it’s difficult to be 100% confident in what constitutes a GDPR compliant form and opt-in process. There are no legal precedents to rely on or refer to yet, so we only have to go by our own interpretation of the GDPR terms.
We can however, follow a few guidelines to try and ensure that our processes are compliant…
As well as helping you understand GDPR with the FAQs above, I want to also explain what we’re working on here at OptimizePress to reassure you that we (as a company) will be doing everything we can to comply with GDPR.
This comes in two parts:
Here at OptimizePress, we’ve always been extremely protective over any data that you (as our customers or prospects) have shared with us. You’ll know if you’ve been on any of our lists for any amount of time, we only send valuable content to you that you have agreed to receive, and never blast our lists with offers or anything else disrespectful like that.
With this in mind, we will shortly be updating our privacy policy and cookie policy to reflect our handling of your information in line with GDPR.
As an EU based company, we have evaluated all of the companies we work with where your data may be transferred (such as Amazon servers for our website hosting, or HelpScout as our helpdesk provider). We will be ensuring that any data transferred to these processors is covered by adequate privacy provisions as set out within GDPR.
OptimizeLeads Users Data Processing Agreement
In the case of most of the OptimizePress suite of tools, these are self-hosted and we do not interact with any data from your websites. This means you are the controller (in terms of GDPR) and normally your autoresponder is the processor.
However in the case of our OptimizeLeads product, there is a small part of this platform which acts as a “processor” for our users.
This means that for a very brief period, data from your opt-in forms (from your prospects) is stored on our server. This happens because our system uses “queues” which means this data is temporarily stored while we attempt to send it through to the API of the external service e.g. MailChimp, AWeber etc.
We do this to make our platform more efficient, and it also adds a layer of protection in case your external service is unavailable: we retry sending the data until the external service is back online (so no subscriber data is lost).
Once the subscriber data is sent to the external service, it is immediately deleted from our platform and servers. In most cases this process happens in a matter of seconds, and we do not log or keep a record of any data sent through our system (for your security).
Because this process makes us a processor for our OptimizeLeads users, we will be making a data processing agreement available for these users in the run up to the GDPR launch. We’ll share more about this when it is ready.
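To illustrate the queue behaviour described above, here is an added example (not OptimizeLeads code) of a relay queue that holds a submission only until the autoresponder API accepts it, retries while that API is down, and wipes the subscriber data on delivery; the audit trail records metadata only. The provider name, field names and the flaky API stand-in are constructed for the example.

```python
"""Added example, not OptimizeLeads code: a minimal relay queue that keeps
form submissions only as long as it takes to hand them to the external
service, and never logs the subscriber data itself."""
from collections import deque
from dataclasses import dataclass


class ServiceUnavailable(Exception):
    """Raised by the provider call when the external API is down."""


@dataclass
class Submission:
    job_id: int
    provider: str
    payload: dict      # subscriber data (PII); lives only while queued
    attempts: int = 0


class RelayQueue:
    def __init__(self, send):
        # send(provider, payload) delivers one submission or raises ServiceUnavailable
        self._send = send
        self._queue = deque()
        self._next_id = 1
        self.audit = []   # metadata-only records: job id, provider, event, field names

    def enqueue(self, provider, payload):
        job = Submission(self._next_id, provider, dict(payload))
        self._next_id += 1
        self._queue.append(job)
        # Field names are recorded so an operator can see what was relayed;
        # the values themselves are deliberately never written to the audit log.
        self.audit.append({"job": job.job_id, "provider": provider,
                           "event": "queued", "fields": sorted(payload)})
        return job.job_id

    def process_once(self):
        """One pass over the queue. Jobs that fail are re-queued for the next
        pass (a real worker would wait/back off between passes). Returns the
        number of submissions delivered on this pass."""
        delivered = 0
        for _ in range(len(self._queue)):   # fixed at loop start: re-queued jobs wait
            job = self._queue.popleft()
            job.attempts += 1
            try:
                self._send(job.provider, job.payload)
            except ServiceUnavailable:
                self._queue.append(job)     # keep the data: retry until the API is back
                self.audit.append({"job": job.job_id, "provider": job.provider,
                                   "event": "retry", "attempt": job.attempts})
                continue
            job.payload.clear()             # delete subscriber data as soon as it is delivered
            delivered += 1
            self.audit.append({"job": job.job_id, "provider": job.provider,
                               "event": "delivered", "attempts": job.attempts})
        return delivered

    def pending(self):
        return len(self._queue)

    def holds_pii(self):
        """True while any queued job still carries subscriber data."""
        return any(job.payload for job in self._queue)


class FlakyProvider:
    """Constructed stand-in for an autoresponder API that rejects the first
    `outage` calls with ServiceUnavailable and then recovers."""
    def __init__(self, outage):
        self.outage = outage
        self.received = []

    def send(self, provider, payload):
        if self.outage > 0:
            self.outage -= 1
            raise ServiceUnavailable(provider)
        self.received.append((provider, dict(payload)))


def demo():
    """Relay one constructed submission through a two-pass outage.
    Returns (provider stub, queue, number of passes needed)."""
    api = FlakyProvider(outage=2)
    queue = RelayQueue(api.send)
    queue.enqueue("mailchimp", {"email": "subscriber@example.com", "gdpr_consent": "yes"})
    passes = 0
    while queue.pending():
        queue.process_once()
        passes += 1
    return api, queue, passes


if __name__ == "__main__":
    api, queue, passes = demo()
    print(f"delivered after {passes} passes; data still held: {queue.holds_pii()}")
    for record in queue.audit:
        print(record)
```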
As you’ve probably gathered by now if you’re still reading, some parts of GDPR relate to your collection of prospects and customers data on your website through opt-in forms.
To help you comply with GDPR, our team are working hard to build brand new compliance features into our OptimizePress suite of tools.
Here’s a summary of what we’re currently working on:
Checkboxes on Opt-in Forms for Active Consent
Although it might be argued that you will not always need checkboxes on your forms (see above), we know there are some cases where checkboxes may be required on your opt-in forms.
To help you accomplish this, we are adding the functionality to enable up to 2 checkboxes below your opt-in forms inside OptimizePress & OptimizeLeads. You will be able to define the text next to each checkbox, and checkboxes will NOT be required as per the guidelines of GDPR.
Timescale: Done
Recording Consent
Adding checkboxes to the forms in OptimizePress is relatively easy – the more complex part comes with the additional requirements of GDPR which is the recording of the consent status for each subscriber.
If you have checkboxes on your forms, you are required to track whether or not a box was checked, as well as the wording on each submitted form.
With over 20 individual integrations inside OptimizePress products, this is quite an undertaking. We’re working on ways to pass through the consent information in the most effective way for each provider we integrate with.
This will most likely work in one of two ways (depending on the integration partner):
This is important because as well as recording consent, you need to know who has said “yes” to your marketing or follow-up emails so you can segment these subscribers and send them the appropriate follow-up messages.
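As an added example (not OptimizePress code) of the consent recording described above, the block below builds a consent record from a submitted opt-in form, capturing for each checkbox whether it was ticked, the exact wording shown and a hash of that wording, and then expresses the result in the two styles the post mentions: tags for segmentation, or custom fields. The checkbox ids, wording and the assumption that provider custom fields have limited length (hence the truncated hash) are constructed for the example.

```python
"""Added example, not OptimizePress code: record consent state and wording
per checkbox, then map it to autoresponder tags or custom fields."""
import hashlib
from datetime import datetime, timezone

# Constructed checkbox wording, keyed by checkbox id as it appears in the form.
CHECKBOXES = {
    "cb_newsletter": "Yes, send me the weekly Bonsai Pro Newsletter.",
    "cb_promos": "Yes, email me occasional promotions.",
}

TRUTHY = {"on", "1", "true", "yes", True}


def consent_record(form_id, submitted, checkboxes=CHECKBOXES, now=None):
    """Build a consent record from the posted form fields.

    submitted: dict of posted field name -> value, e.g. {"email": ..., "cb_newsletter": "on"}.
    Unticked checkboxes are simply absent from a browser POST, so every known
    checkbox is recorded explicitly as checked or not checked."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    consents = []
    for cb_id, wording in checkboxes.items():
        consents.append({
            "id": cb_id,
            "checked": submitted.get(cb_id) in TRUTHY,
            "wording": wording,   # the exact text shown at submission time
            "wording_sha256": hashlib.sha256(wording.encode("utf-8")).hexdigest(),
        })
    return {"form_id": form_id, "email": submitted["email"],
            "timestamp": ts, "consents": consents}


def as_tags(record):
    """Tag style: one tag per granted consent, usable for segmentation."""
    return [f"gdpr:{c['id']}" for c in record["consents"] if c["checked"]]


def as_custom_fields(record):
    """Custom-field style: explicit yes/no per checkbox plus form id, time and
    a short wording hash (assumes provider fields have limited length)."""
    fields = {"gdpr_form_id": record["form_id"], "gdpr_consent_at": record["timestamp"]}
    for c in record["consents"]:
        fields[f"{c['id']}_checked"] = "yes" if c["checked"] else "no"
        fields[f"{c['id']}_wording_hash"] = c["wording_sha256"][:16]
    return fields


def granted(record, cb_id):
    """True only if the named checkbox was actually ticked."""
    return any(c["id"] == cb_id and c["checked"] for c in record["consents"])


def wording_matches(record, cb_id, wording):
    """Verify later that a stored record refers to this exact wording."""
    digest = hashlib.sha256(wording.encode("utf-8")).hexdigest()
    return any(c["id"] == cb_id and c["wording_sha256"] == digest for c in record["consents"])


if __name__ == "__main__":
    # Constructed POST: newsletter box ticked, promotions box left unticked.
    posted = {"email": "subscriber@example.com", "cb_newsletter": "on"}
    rec = consent_record("bonsai-optin-v3", posted,
                         now=datetime(2018, 5, 20, 10, 0, tzinfo=timezone.utc))
    print(as_tags(rec))
    print(as_custom_fields(rec))
```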
Intelligent Form Customization
We recognise that many of our non-EU customers want to try and remain compliant with GDPR whilst not affecting their existing marketing activities to other parts of the world. For this reason, we are also developing a unique feature which will allow you to only show opt-in checkboxes to EU visitors if you wish.
I’ll be sharing more about the progress of these features as they are developed, and welcome your comments and questions below on GDPR, our features or anything else OptimizePress!
39 replies to "OptimizePress & GDPR: A Practical Guide to Compliance [UPDATED]"
The GDPR options on the Optimizepress Plugin seems to have a lot of issues. I spent a great deal of time trying to set it up as you can see on this video to no avail. So if any of you guys are having similar issues please report it to the tech support guy. Maybe after hearing it from a few of us he will look into it with an open mind that it may be a bug on the app (Note: bug is a funny term used by tech guys that refers usually to an error made by the programmer).
https://youtu.be/60RN-bFqNLg
What happens with Google Fonts & Optimizepress? How can we solve this issue?
Can you confirm which version of OptimizePress the GDPR options will be in? I have V2.153
Did you try the “label span, legend span” CSS options? I’ve not tested this myself but it might work for now.
Update to 2.5.15
Hi Travis, the GDPR checkboxes are for GDPR content. Try our Privacy Policy Plugin for what you need.
Guys, am I taking crazy pills? The new forms aren’t GDPR compliant whatsoever… if the “I agree to the Privacy Policy” is not REQUIRED to be checked, then the user is not agreeing, and his data is still being taken and tracked. In its current form, you’re going to get us fined 2% of our yearly income. If the box is NOT CHECKED, they should be getting a pop up that says, “Hey… you need to agree to the Privacy Policy to continue”. Right now, that is not happening. Please fix this.
Ok for the checkbox for opt-in, but how to register the user’s consent or the fact that they ticked the checkbox? Please help me. We use GetResponse as autoresponder and I see in the document that there isn’t
Hey Ryan! Thanks for stopping by. Always a pleasure to have you grace us with your presence 🙂
Thanks for the feature request. We’ll look into those. Emojis might be an option at the server level character encoding set. I’ll dig around for that. Also there might be a plugin that supports it inside form fields. Obviously it’s in WordPress as we can use it here 🙂
Oh! and #3… how about the ability to change the text color? The optin right at the top of my homepage has a colored background, so the black text gets washed out quite a lot 🙁
Hey guys! Awesome as per usual. Two pertinent questions for you.
1. Will there be (or is there) the ability to control the order/placement of where the checkbox is within an opt-in? For example, I’d love to place the checkbox above the CTA button so that more people actually read it and consider opting in for additional content.
2. Could you guys please add emoji support to the text field for the privacy notice? Hoping to add an emoji there to make it stand out more to readers and encourage more people to consider opting in. When I pop an emoji in there now, it just throws me a bunch of ?????? after updating the live page.
Thanks for the all around fantastic update guys! 🙂
Hi,
great content!
Is the data processing agreement ready for us to sign and download?
Greetings!
Hey Marc, OptimizeMember is a plugin of OptimizePress. You would make sure your own site is compliant. OptimizeMember would only use the registration forms of WordPress.
That was a typo Peter! It now reads “We will not sell your information to third parties…”
Hey, great summary! What about OptimizeMember, is this also GDPR-compliant? Need to know that soon since I have secured my membership area with the help of OP member 🙂
Hi, I live in Italy and so, sorry for my bad English.
Here is time 10:04 PM of 23 May.
I write for Checkbox GDPR compliant, news for this?
Another day and game over.
Thanks for your answer,
Marco
Thanks a lot,
this is a very useful feature, by the way, may I ask you in which way I can investigate in case of customer complaints?
Are there any logs that can be used as proof of a previous ticked opt-in as a response to the specific GDPR disclaimer?
Mauro
Hey Amy. GDPR does state that you can’t force consent to marketing emails.
However some people say entering your name and email is enough consent… (no check box needed).
I would suggest using double opt-in for all lists and make it clear what your emails are about. Double opt-in should be enough consent to allow you to send follow-up emails.
Again, don’t quote me on this. It’s not legal advice. If people want your email they’ll have no problem agreeing to your policies and giving consent.
Hey Mauro,
When the checkbox is ticked and submitted it will add the info as a tag or custom field in your email provider. This could act as a log for proof if ever needed.
We’re an online retailer in the UK and I’m wondering if we need to get re-consent. When customers placed the order the tick box to subscribe to the mailing list was pre-ticked. Plus any eBay sales were automatically added to the mailing list as there’s no way to give them an opt-in at the time of placing an order. So do I need to get re-consent? Or can I conclude that because they placed an order they have shown legitimate interest?
Thanks!
That’s what we aimed for 🙂
We will sell your information to third parties as you wrote in the Selina Soo example is probably not risky, but what customer would want to sign this? So I’m hoping it’s just a typo and not a suggestion.
Thank you! I’m looking forward to seeing the updates so I can make my optin forms GDPR compliant.
No problem!
As above, some people are saying placing an order is enough consent to receive emails. I’ve read some privacy policies recently that read exactly that. Does your policy state this?
However that said, if the boxes were pre-ticked it’s not like they had a choice.
If you have been emailing those people regularly they would have unsubscribed by now if you made it easy to do so.
For future orders you should follow up with an email asking if they want to join your email list and receive future offers, promotions and news etc.
In that follow-up email you have a big button saying “Yes Join” or “Yes I Give Consent”
So the process is:
Customer places order > Receives service/order emails > You add to mailing list software > Send email asking for consent to.
Thank you. I have a few customers in Europe, randomly, and am based in the US. Couldn’t I have a special double opt-in type message that goes to only European IP addresses that says they understand they will be getting the following emails from me and they need to click the link to proceed? If they don’t confirm their opt-in, then they aren’t approved to get emails. I hate making the checkbox form required for my big majority of US customers.
Thank you; this was clear and comprehensive 🌺
Hi David, thanks for your input.
1. Not sure if there’s a question here or just a rant? 🙂
2. If someone has given you consent to send them marketing emails then you can email them. I’m sure if you’ve had double opt-in enabled prior to GDPR that can be classed as consent.
This is not legal advice.
I believe if you have a clear policy, explain how you store data, what companies you use, how you track data and you make it easy for someone to contact you to request data/request removal of data, then you are being transparent enough.
Make it easy for people to unsubscribe from all your emails.
If you run an ethical business and show how you use data you have nothing to worry about. Let’s see what happens over the next few months.
Thank you. I’ll wait for the new forms
First of all: thank you for this overview.
Here some thoughts:
1) While you provided us with great details about what has to happen on the *front* end, what needs to happen on the *back* end was only mentioned as a side note (you link to a GDPR package, and you state above “Step 7: Build a Data Inventory – this means anywhere you obtain and process data”). Maybe I am wrong, but since I am actually working on GDPR compliance with an expert (a certified data protection officer), I do know that the documentation part on the backend is quite the undertaking! So, here’s my personal take: in order to be on the safe side, I guess it’s only the second best option to do that based on a package you can buy, because you will have questions, no doubt. Who will answer these? The person that sold the package? If so, good; if not: not good. Because how will you know then that you are truly compliant? Either way: the amount of work that goes into documenting your processes will take time (meaning: you need to think about where you get in touch with personal data, and then you have to *document* it (as in: write down), so you can show that in case of an audit). It’s questionable, of course, if and when you’ll ever be subject to such an audit, but who knows… So, for sure, getting the frontend aspects up and running may seem to have the highest priority, but for the sake of all those business owners out there, I wish there’d be more emphasis on stressing the documentation part – because I believe many people are simply not aware of it, or of its full scope.
2) Regarding being specific what you want to send people: Can’t I simply write that they will be contacted by me via email? This would then include everything.
3) I do agree with the aspect of this being a chance to cleanse our email lists.
Best regards
David
Really useful article – thanks guys! Now need to get started on implementing all this
Thank you James – this is so helpful!
Hi Alex, please contact our support team for that one 🙂
What is that plugin? Does it have an additional cost? And how can I put the link to redirect to my privacy policy page?
Hey Carlos, have you reached out to our support team about this? I’m sure they can assist.