It seems that privacy breaches are everywhere and the world is responding. Just as Canada shook up the online marketing world when it implemented Canada's Anti-Spam Legislation (CASL) a few years ago, the European Union has now introduced its own set of requirements for handling personal data: the General Data Protection Regulation (GDPR). And again, for many, the law feels convoluted and hard to understand. There are plenty of grey areas open to interpretation, and while we do need to comply (the regulation applies from May 25, 2018), we don't need to immediately and completely cull our lists. Here is a link to the checklist this post was based upon: https://gdprchecklist.io
Disclaimer: I am not a lawyer and this blog post is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your company conforms to these regulations. GDPR is complex and interpretations vary.
What does the GDPR mean for Professional Speakers who market online?
Let’s take a few moments to unpack this law in plain language.
You may be thinking ‘but I don’t live in the EU’ or ‘I don’t sell there’, but hold on: this still applies to you!
First, the GDPR is mainly about personal data: all types of personal data, whether gathered online or in person. That means the rules apply equally when someone opts into your free offer online, joins your newsletter, or drops a business card in a bowl at your tradeshow booth.
Personal data includes names, email addresses and physical addresses, and the regulation (Recital 30) explicitly counts online identifiers such as IP addresses and cookie IDs, which is exactly the kind of information Google Analytics collects automatically. "Processing" is just as broad: it covers anything you do with that data, including collecting it through an opt-in form, survey or questionnaire, storing it in your contact database, and tagging or segmenting records in your CRM. Tracking what people do on your site or with your emails counts as "monitoring" their behaviour.
The GDPR applies to any relationship or transaction (commercial or free) where one or more of the parties is in the EU. It is not based on citizenship; it is based on where the person is when you interact with them. If you are a Professional Speaker, or anyone else who markets online, and you are based outside the EU, you must still comply when you interact with or collect data from people in the EU. Under Article 3(2) that covers two things: offering any product or service to people in the EU, paid or free (so a lead magnet or audience follow-up counts), or monitoring the behaviour of people in the EU (and if you run Google Analytics, there is a good chance you are).
There is a grey zone here: what if you don't know you are collecting this information? Even if you are not actively marketing to people in the EU, or anywhere outside North America, you cannot control who finds your website, clicks on your Facebook ad, or is referred to you by a friend. Remember, the law is not based on the citizenship of the person who interacts with you, but on where they are when they make the connection. Honestly, it feels like overkill in my opinion, but we have to follow the law. That's why they call it a law. 😉
The 6 main principles of the GDPR
#1: Data shall be processed “lawfully, fairly, and in a transparent manner.”
- You have to be transparent and upfront about why you are collecting their data.
#2: Data shall be “collected for specified, explicit and legitimate purposes.”
- You can't collect their data without explaining how you will use it, and those purposes have to be legitimate.
#3: Data processing shall be “limited to what is necessary” for the purpose.
- You can’t collect all kinds of data on a person if all you need is an email address (like for your opt-in or newsletter list). You may only collect the minimum amount of data needed for the purpose you are collecting it for. Once you have collected the necessary data, you can only use it for the intent you disclosed.
#4: Data shall be "accurate and, where necessary, kept up to date."
- This applies to you too, not just to the Googles and Facebooks of the world. When a subscriber corrects their details, changes their address or unsubscribes, your list (and every export or copy of it) must reflect that promptly, and people have the right to have inaccurate data corrected (Article 16).
#5: Data shall be kept so it identifies a person “no longer than is necessary.”
- You should not keep data about people forever if there is no reason to keep it. Decide on a retention period (for example, remove contacts who have not opened anything in a set number of months) and actually delete on that schedule.
#6: Data shall be “processed in a manner that ensures appropriate security.”
- You have to take appropriate technical and organisational steps to protect the data (Article 32 spells this out). Your website should already be served over HTTPS with a valid TLS certificate and an automatic redirect from HTTP, so that an opt-in form never sends an address in the clear. (Adding the https:// property in Google Search Console, submitting sitemaps and requesting indexing are steps for keeping your search listings after the move to HTTPS, not security measures; likewise, update the default URL in Google Analytics to HTTPS so your reports stay consistent.) Keep your website's themes and plugins updated and have malware scanning and protection against hacking attempts in place. Wherever the data lives (your CRM, email service, spreadsheets, laptop), it should sit behind access controls: strong, unique passwords, two-factor authentication where the service offers it, and access only for the people who need it.
The GDPR covers data security as well as data privacy, and its transparency rules (Articles 13 and 14) mean you need a published privacy policy, linked from your website and from every page where you collect data, such as your opt-in page and sales page. Your privacy policy should answer:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Article 13 also requires you to state the lawful basis you rely on (for a mailing list, usually consent), how long you keep the data, and how people can withdraw consent, access or correct their data, and complain to a supervisory authority.
So what does all this mean to ME?
How will my marketing efforts be affected?
Well, it means you will need to make some changes across the board, but don’t panic, it is not the end of the world.
How you collect email addresses
Gone are the days when you can automatically add someone to your email list because they downloaded a freebie. (I know, that stinks.)
- Downloading a freebie does not equal permission to be added to your email list. You cannot require someone to join your list in order to receive their free gift (Article 7(4): consent is not freely given when it is bundled with something that does not need it).
- You must obtain consent separately to add anyone to your marketing list, and you must tell them what they are getting.
- You cannot add a checkbox to your opt-in and withhold the lead magnet if they don't tick it, and the box must not be pre-ticked (Recital 32: silence and pre-ticked boxes do not count as consent).
Ultimately, to be added to your email list, a prospect must specifically and affirmatively agree to be added to your marketing list. And you may not require that they join your list to receive a freebie, attend a webinar, etc. Instead, we have to sell prospects on the value of being added to our list. That means consistently producing content they find valuable enough to sign up for separately.
The new consent standard applies to your EXISTING list. Existing sign-ups only carry over if they already meet the GDPR standard (Recital 171); a contact who was added because they downloaded a lead magnet does not, so come May 25 you cannot email them on that basis.
So now what? How do I preserve my existing list AND stay compliant?
First, segment your list. Hopefully you have collected your prospects' location and can segment that way. If not, you may have to go through your list individually. If you do not know whether someone is in the EU, treat them as if they are. You want to segment the list because you are going to treat these people differently for a while.
Then re-engage. The subscribers not under GDPR rules will see no change in how you communicate, but you are going to have to try to re-engage those who do fall under GDPR. Don't send consent emails to those not under GDPR rules, and I strongly urge you to spend some time nurturing those who DO fall in the new category because unless you give them a compelling reason to stay, you are likely to lose a good number of these subscribers. Make sure you have a system set up so that when someone does consent, you move them off the "EU, no consent" segment and onto an "EU, confirmed consent" list, and record when, where and to what they consented, because you may have to prove it later (Article 7(1)). You will want to send multiple "consent" emails and make them enticing. The trick will be to get people to open the emails. Use catchy and well-planned subject lines.
Anyone who hasn't given the necessary consent by May 24 should be deleted from your list. Remember, even storing their info is "processing" (and so is deleting it), so this work needs to be done before May 25, 2018.
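The segment, re-consent and purge steps above, worked through in code. This is an added example and not code from the original post or from any mailing-list provider; the contact fields, the shape of the consent record, the country list and the sample addresses are all assumptions made for illustration. It treats an unknown location as EU, rejects a pre-ticked box as consent, and keeps only a count of what it deletes.

```python
"""Segment a mailing list for GDPR re-consent and purge unconsented EU contacts.

Added example, not code from the original post. The contact fields, the
consent-record shape and the sample addresses are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# EU member states as of May 2018 (ISO 3166-1 alpha-2) plus the EEA states,
# which apply the GDPR through the EEA agreement.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",  # the UK was still a member state in 2018
    "IS", "LI", "NO",
}


@dataclass
class Consent:
    """Proof of consent: keep enough to show it was given (Article 7(1))."""
    given_at: datetime        # when the box was ticked or the link clicked
    source: str               # where: "newsletter-checkbox", "reconsent-email", ...
    purpose: str              # what they agreed to, e.g. "monthly tips email"
    affirmative: bool = True  # False for a pre-ticked box or bundled opt-in


@dataclass
class Contact:
    email: str
    country: Optional[str]   # ISO 3166-1 alpha-2, or None if never collected
    source: str              # how the address was obtained
    marketing_consent: Optional[Consent] = None


def in_scope(contact: Contact) -> bool:
    """EU/EEA contacts need GDPR-standard consent; unknown location counts as EU."""
    return contact.country is None or contact.country.upper() in EU_EEA


def has_valid_consent(contact: Contact) -> bool:
    """Consent must be a separate, affirmative act for a stated purpose."""
    c = contact.marketing_consent
    return c is not None and c.affirmative and bool(c.purpose.strip())


def segment(contacts: List[Contact]) -> Dict[str, List[Contact]]:
    """Split the list into the three groups the re-consent campaign treats differently."""
    buckets: Dict[str, List[Contact]] = {
        "no_change": [],            # outside the EU: keep mailing as before
        "eu_awaiting_consent": [],  # in scope, no valid consent: re-engage
        "eu_confirmed": [],         # in scope, consent on record
    }
    for contact in contacts:
        if not in_scope(contact):
            buckets["no_change"].append(contact)
        elif has_valid_consent(contact):
            buckets["eu_confirmed"].append(contact)
        else:
            buckets["eu_awaiting_consent"].append(contact)
    return buckets


def record_consent(contact: Contact, source: str, purpose: str,
                   when: Optional[datetime] = None) -> Contact:
    """Store the consent record when someone says 'yes' to a consent email."""
    contact.marketing_consent = Consent(
        given_at=when or datetime.now(timezone.utc), source=source, purpose=purpose)
    return contact


def purge_unconsented(contacts: List[Contact]) -> Tuple[List[Contact], int]:
    """Drop in-scope contacts still without valid consent; returns (kept, deleted count).

    Only a count is returned: a list of the deleted addresses would itself be
    personal data you no longer have a purpose for.
    """
    kept = [c for c in contacts if not in_scope(c) or has_valid_consent(c)]
    return kept, len(contacts) - len(kept)


def sample_contacts() -> List[Contact]:
    """Constructed sample list (not real subscribers)."""
    when = datetime(2018, 3, 1, tzinfo=timezone.utc)
    ok = Consent(when, "newsletter-checkbox", "weekly tips")
    preticked = Consent(when, "opt-in-form", "weekly tips", affirmative=False)
    return [
        Contact("alice@example.com", "DE", "lead-magnet"),            # EU, no consent
        Contact("bob@example.com", "US", "lead-magnet"),              # outside EU
        Contact("carol@example.com", None, "tradeshow-bowl"),         # unknown: treat as EU
        Contact("dave@example.com", "fr", "newsletter", ok),          # EU, valid consent
        Contact("erin@example.com", "IE", "opt-in-form", preticked),  # pre-ticked: not consent
    ]


if __name__ == "__main__":
    contacts = sample_contacts()
    for name, group in segment(contacts).items():
        print(name, [c.email for c in group])
    record_consent(contacts[0], "reconsent-email", "monthly tips")  # Alice says yes
    kept, deleted = purge_unconsented(contacts)
    print("kept", [c.email for c in kept], "deleted", deleted)
```

Run it on May 24 (or on any export of your list): the "eu_awaiting_consent" group is who gets the consent emails, `record_consent` is what your "yes" link should trigger, and `purge_unconsented` is the final clean-up. The `Consent` record is deliberately more than a boolean, because a yes/no flag cannot show that consent was a separate, affirmative act.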
Moving forward with compliance.
As mentioned earlier in this article, you cannot force someone to join your email list just by downloading your opt-in, so there now has to be a clear distinction between your opt-in and your email list. What I suggest is that you deliver your opt-in and keep that list separate, then further down your marketing funnel, you pitch them to join your list.
For example:
- Make your opt-in a series of emails, like a mini-course, or a short series of videos. Make it SUPER high value, and in a separate area in the opt-in delivery, invite them to join your list to receive further information and valuable content from you. This clickable link would lead to a separate list from your opt-in list.
- Deliver your opt-in via a sales or squeeze page and then offer the newsletter list as a secondary offer. Once they say ‘yes’ to the opt-in, have a pop-up or secondary page that says “one more thing – don’t miss our weekly/monthly tips” and have them opt in to receive that as well. Remember, there must be a ‘no thanks’ option that still allows them to receive the opt-in. The choice must be completely voluntary.
- One thing is consistent – make sure you are completely up front that you are asking them to join an email list, and tell them how often the emails will be delivered. You may want to consider emailing twice monthly instead of weekly or daily.
The long and the short of it is this: follow the rules, but do it wisely and consider the options. Are you ACTIVELY using your marketing list? Do you send regular correspondence through those lists and do you nurture those leads? This is a lot of work to do in order to become compliant if you are not USING the customer data. You may have something else to consider. Either use the data well and actively market to these prospects, or consider giving your opt-ins away for free without gathering data. It goes against everything in my marketing brain to suggest it, but I have worked with Speakers for too long not to bring the idea up. If you have a product to sell, yes, you need to build a list. If you never email the people on your list, do you need it?
And finally – Google Analytics
If you have Google Analytics installed on your site, Google is acting as your data processor and you, as the controller, are responsible for what it collects. At a minimum, turn on IP anonymization, do not pass names or email addresses in page URLs, events or custom dimensions, and review the account's data-sharing settings. This article outlines the steps necessary to make that happen. http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics
Additional Sources
https://gdprchecklist.io/
https://members.youronlinegenius.com/GDPR