As you probably know – or you’ve seen in your inbox – GDPR is everywhere right now.
While May 25th was the deadline to make changes to your website and email marketing, there are a few things you can still do after that date. In fact, we at Automation Agency had to do a fair bit ourselves to get our terms updated to ensure we could continue working with our EU & UK clients.
In my opinion, there is a lot of noise about what DOES and DOES NOT need to be done to be GDPR compliant.
Most small businesses I know that are worrying about GDPR don’t face the same level of compliance requirements as we did, because they don’t work with EU/UK clients and process their clients’ data. Also, what you need to do to prepare for GDPR really depends on whether you are in the EU, whether you have EU clients, how your business operates and what you sell.
I’m not a lawyer so I can’t provide you that guidance. Please seek your own independent advice. (If you are looking for that, I recommend you take a look at UK lawyer Suzanne Dibble’s GDPR Pack, as well as speak to a lawyer in your own country.)
I can, however, give you a quick checklist of recommended actions from a tech perspective that you can easily do to prepare your online marketing.
Your Website
Whether you are EU-based or not, it’s important that you make a few changes to your website:
Step 1. Add a privacy policy notice to your website.
If you already have a privacy policy you may need to update it. You’ll want to make sure it says, in plain language, what you collect, how you collect it, and under what processing right you collect it (e.g. Consent or Legitimate Interest).
Not sure what “Consent vs Legitimate Interest” is all about? Check out this blog post.
Step 2. Update your WordPress website to 4.9.6.
The latest version of WordPress, 4.9.6, includes some GDPR-specific features.
You can learn more about this in the video below:
Step 3. Consider adding a cookie notice popup.
One thing you’ll need to consider is getting consent for tracking identifying information, and cookies are one way that information gets tracked. So, a cookie notice can be seen as a form of getting the user’s consent.
Some say this step is not necessary, but if you want to be sure, we recommend installing the Cookie-Notice plugin. It works with the new WordPress 4.9.6 features as well.
Step 4. Make some tweaks to your opt-in forms.
If you have forms on your website asking for name & email you may want to make some tweaks.
There are many arguments and, in my opinion, misinformation on what you actually need to do. Many people think you need to add checkboxes, others say you just need to tweak the language of your offer.
I’m not going to repeat the arguments, but you can read more in the following articles and decide for yourself what you will do.
- GDPR A Practical Guide To Compliance for Marketers – by OptimizePress
- ThriveThemes founder’s thoughts on GDPR and Email Marketing
Step 5. Turn on anonymized IP for Google Analytics tracking.
Most Google Analytics plugins have a setting to enable anonymized IP addresses. You just need to have this turned on.
If you aren’t using a Google Analytics plugin, then you need to generate some new code to add to your website to replace your current Google Analytics tracking code.
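As an added example (not code from the original post), here is the gtag.js tracking snippet with IP anonymisation switched on, a quick check you can run over a page’s HTML to confirm the setting is present, and a helper that applies the truncation Google documents for this setting (IPv4: last octet zeroed; IPv6: last 80 bits zeroed) so you can see what is actually recorded. The tracking ID `UA-XXXXXXX-Y` is a placeholder.

```javascript
// gtag.js snippet with 'anonymize_ip': true added to the config call.
// 'UA-XXXXXXX-Y' is a placeholder tracking ID, not a real property.
const GTAG_CONFIG_SNIPPET = `
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-XXXXXXX-Y"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'UA-XXXXXXX-Y', { 'anonymize_ip': true });
</script>`;
// Older analytics.js snippets use the equivalent: ga('set', 'anonymizeIp', true);

// Audit check: does a page's HTML enable IP anonymisation in either snippet style?
function hasAnonymizedIp(html) {
  const gtagStyle = /['"]?anonymize_ip['"]?\s*:\s*true/;
  const analyticsJsStyle = /['"]anonymizeIp['"]\s*,\s*true/;
  return gtagStyle.test(html) || analyticsJsStyle.test(html);
}

// Mirrors the truncation Google documents for anonymize_ip, so you can see what
// the setting actually changes: 203.0.113.45 -> 203.0.113.0, IPv6 keeps only /48.
function anonymizeIp(ip) {
  if (ip.includes('.') && !ip.includes(':')) {
    const octets = ip.split('.');
    if (octets.length !== 4) throw new Error('invalid IPv4 address');
    octets[3] = '0';                       // zero the last 8 bits
    return octets.join('.');
  }
  // IPv6: expand the "::" shorthand to 8 groups, then zero the last 5 groups (80 bits)
  const [head, tail = ''] = ip.split('::');
  const headGroups = head ? head.split(':') : [];
  const tailGroups = tail ? tail.split(':') : [];
  const fill = ip.includes('::') ? 8 - headGroups.length - tailGroups.length : 0;
  const groups = [...headGroups, ...Array(fill).fill('0'), ...tailGroups];
  if (groups.length !== 8) throw new Error('invalid IPv6 address');
  return groups.slice(0, 3).map(g => g.toLowerCase())
    .concat(['0', '0', '0', '0', '0']).join(':');
}
```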
Your Email Marketing
So, email marketing gets a little more complicated.
If you don’t have anyone on your list that’s from the EU or UK then you can safely ignore this. If you do, then depending on your risk appetite, you may want to do these steps.
Remember: I’m not a lawyer so I can’t advise on if you should or shouldn’t do this. Please seek your own legal advice.
Step 1. Unsubscribe anyone from the EU/UK who was added to your list in a NON-CONSENT way (e.g. bought lists, scraped data, imported from LinkedIn, etc.)
While some people are saying you needed to get re-consent from everyone from the EU before May 25th, that’s not entirely true.
My understanding is you only needed to do this IF you don’t have earlier consent that was compliant (like them opting in via a form) or you don’t have legitimate interest grounds (like them being a customer who bought from you) to be marketing to them.
So, if you have people from the EU on your list and you didn’t send the re-consent emails but you can prove they consented or you have legitimate interest to continue emailing them, you should be fine.
However, if you did the dodgy and scraped or bought an email list from someone else and imported that into your Infusionsoft, Ontraport, ActiveCampaign…
…These are the people you don’t have clear proof of consent from and you would need to unsubscribe from your list based on GDPR EU laws (unless maybe you had legitimate interest grounds for this data.)
It could be argued that if you aren’t in the EU and no one on those lists is EU-based you don’t have to remove them. I think buying lists and scraping lists is just plain tacky, personally – and in many countries is against the privacy and spam laws – so I think you should unsubscribe them anyway.
Step 2. Consider turning on double opt-in.
Double opt-in means that when someone fills in your form, the system first sends them an email with a link they have to click to confirm they want to receive ongoing messages; only after that click can the email system send them anything else.
Ontraport, Infusionsoft and ActiveCampaign all have this feature built in and have had it for many years. It’s easy to enable on a per form basis.
While I don’t believe this step is required, it can make for a higher quality email list of highly engaged subscribers, and there would be no arguments about whether you have consent to email them or not.
Up to you. I recommend you have a read of the Thrive Themes founder’s thoughts here.
You Can Relax
This is by no means a complete list of things you COULD do or that you may legally need to do depending on your personal circumstances. (Talk to a lawyer if worried.)
These are, however, the bare minimum things I believe everyone should consider when working towards GDPR compliance in their marketing.
Over time I’m sure we will all learn what else, if anything, we actually need to do.
Keep in mind that these laws were designed for big companies like Facebook, Google, etc. They weren’t designed to screw small business owners under a compliance trap. So, relax!
Also, these laws still need to be tested in court to get clearer interpretations of the more grey and unclear language that many people are stressing about.
And finally, if you aren’t in the EU, the likelihood of them coming after you is small. It doesn’t mean you shouldn’t make a best effort attempt to comply, but it does mean you don’t need to stress out and worry you should close your business because of this (as I’ve seen some people say they are going to do!!)
Stay informed, but don’t let it consume you. Make your best efforts to comply and if you learn of something you need to change to be compliant, then change it.
Good luck.