GDPR For Digital Marketers
Email Marketing, Opt In Magnets, Affiliates and Cookies
As a digital marketer, to comply with GDPR I changed the way I build email lists using opt in gifts – freebies – lead magnets because I have websites that are available to European residents to purchase services.
However if a European resident stumbles upon my US-focused website which is not targeted at Europe in any way, then it’s likely that website is not caught by GDPR. This is an opinion piece, not legal advice, but you should get legal advice about GDPR.
When someone gives you their name and email to get your freebie, under GDPR you cannot automatically store their email and use it to send them further emails.
2017-style list building tactics typically don’t comply – you give your name and email to get a freebie and then you’re on the list to get all sorts of stuff without that being declared and without your explicit permission.
- People who’ve signed-up to your lead magnet might not realize that they’re joining your mailing list as well.
- You can’t make receipt of further emails a condition of getting the magnet, each requires specific consent.
- As marketers, we don’t want to explicitly ask people to check a box to get our auto email sequences, because many won’t.
A number of commentators suggest that it is sufficient to state clearly on your opt-in forms that people will receive further relevant content.
When you offer your lead magnet, if you specifically state that by entering their email the person will receive the magnet and they’ll also receive emails about the same or very similar products that are highly likely to be of interest, then this may be sufficient. You would need to be very clear that the person is accepting two distinct things and only send emails that will be useful or can solve a problem for them, ie; beneficial information.
I created a digital marketing quiz for list building purposes and I wanted to be able to do 2 things
- send participants their recommendations
- send them further relevant emails including a sales sequence for relevant products and services.
People enter their name and email to get info and recommendations – I explicitly state that they will get info.
Consent Beyond The Magnet
Sending a variety of marketing emails after the magnet has been standard marketing practice – you get the magnet, you’re added to the email list and get the auto sequence and often much more, even if you did not expect this. You might get info about other products and you might get affiliate offers.
Related products is a step further and affiliate offers is probably a step too far. It appears that you need explicit consent for each affiliate – eg check the box if you’d like us to send you info about XYZ.
Facebook and Google pixels/tags are probably ok.
You’ll need a cookie notice if your website is available in Europe. If you use your own cookies or those from a 3rd party other than Facebook or Google, you’ll need to comply or make sure that the 3rd party complies.
Facebook and Google Database Audiences
You need explicit permission to add email addresses to your Facebook or Google database audiences and to continue using your existing database audiences.
Many marketers are not able to segment their email list to identify European residents. It’s not enough to simply not target Europe with your ads, the issue is that you have stored info about a European resident that enables them to be identified e.g. name and email. Who knows for sure how many European residents are on their email list?
Compliance or OTT?
We loaded a GDPR compliant plugin to a website and on the contact form it requires a user to check this: “By using this form you agree with the storage and handling of your data by this website.” So even though they went to our contact form and gave us their name and email they are still required to check the box. Other commentators say that the provision of a name and email is sufficient consent but this isn’t clear.
Should You Comply?
Totally local businesses e.g. in the USA are generally not caught but you need to be clear about how this works.
You could try to geo-restrict your website from Europe to avoid this but
- you may already have European residents’ data eg on your email list or database audiences in which case GDPR may apply
- geo-restrictions are not a guarantee that a EEA resident cannot access your site
- this type of regulation might become the standard for other countries so compliance would be future-proofing
- you’d be missing out on a big market
- fines are the greater of €20 million or 4% of global turnover
- while small businesses may not be the main target here, complaints from the pubic or competitors are possible.
Demonstrate that you have legitimate interest in asking for an email address, adhere to GDPR data protection principles, use good marketing practices and document your reasoning for asking for and retaining data.
Our view is that even if you don’t think GDPR applies to your business, it’s good practice to adopt as many of the standards as possible. If your products and services are available to EEA residents then you should comply.
PS This is not legal advice, get some!