Remember when “Y2K” was quickly approaching and everyone went crazy adapting their code so that the 2-digit year ‘00’ didn’t take us back to 1900?
Well everyone in the tech and marketing community is going crazy again–this time it’s about General Data Protection Regulations (GDPR).
All of the systems we’ve built to hold personal data (i.e. pretty much all of them) will need to be updated to comply with the new European legislation.
It doesn’t matter if your company isn’t based in Europe, if you’re not from Europe, nor that you’ve never been to Europe.
The legislation covers any technology that serves EU citizens, and given that most websites are available globally, that pretty much means all of them–including yours–hence why your inbox is inundated with GDPR emails.
What does this mean for the future of growth hacking?
To be honest, I’m not sure, but I will say that if you’re a “black-hat” growth hacker that scrapes email addresses and other personal information, you should be afraid–very afraid.
Alex Delivet, head growth hacker at Mailjet believes that “with the arrival of GDPR, these kinds of bad practices will be officially illegal and the best growth hackers will realize there are a lot of GDPR-compliant tactics we can try” instead.
Even the growth hacking tools you use may become illegal. For instance, the CEO of Convert.co wrote about the likely possibility of losing 3 percent of new revenue from their acquisition channel by removing 20 percent of the tools in their marketing stack, mainly used for reverse IP lookup services, data enrichment, and cold email outreach.
As a growth marketer, when I initially heard the news about GDPR, I was shocked and uncertain about what the future holds–I’m sure you can relate.
Shock is the first stage of “GDPR grief“, and I quickly cycled through the other six:
2. Guilt for the sheer time I’ll be spending on compliance rather than managing my staff or servicing my clients.
3. Anger at the EU for putting an unnecessary burden on businesses and handing Facebook and Google a regulatory moat to increase their duopoly.
4. Depression as I considered we might never be able to do as good a job at marketing for our clients again due to these strict rules.
5. Upward turn when I started to realize that this would make marketing experts more valuable and harm the worst spammy cowboy marketers.
6. Reconstruction as we outlined the job that needed to be done to get our company fully compliant.
7. Acceptance and hope when we realized in no time at all we had gained a level of understanding in an important topic, and could help others.
Now, we aren’t experts in GDPR or lawyers qualified to give legal advice, but we thought by sharing what we learned we could help our fellow growth hackers get to a good place with their GDPR compliance journey.
In this blog post, I’ll do my best to answer some of your frequently asked questions, like:
- What Is GDPR?
- What GDPR Means For Digital Marketing And Advertising
- GDPR Checklist: How to Collect Data While Complying With GDPR
- Becoming a GDPR Compliant Business
- How Ladder is Complying with GDPR While Maintaining Marketing Performance and Growth
Let’s jump right in!
What Is GDPR?
The General Data Protection Regulation (GDPR) is legislation adopted by the European Union in April 2016 and has to be implemented in all member states. Each member state’s implementing law differs a little from the regulation itself because it has to fit that country’s legal system. We’re not lawyers at Ladder so we’ll let the lawyers get deeper into that.
On May 25, 2018, all the citizens of the European Economic Area will have the right to have their personal data protected.
And the punishment for not complying is severe: fines up to 20 million Euro or 4 percent of the company’s annual global turnover – whichever is greater.
What GDPR Means For Digital Marketing and Advertising
In the world of digital marketing and advertising, GDPR is revolutionary. Marketers eat data for breakfast, lunch and dinner–some, like me, even dream about it! But your data-driven marketing strategy is going to have to go through some critical changes if you want to avoid those hefty fines.
To be GDPR compliant:
- Personal data cannot be stored, processed, or used without clear consent
- EU citizen data must be stored within the EU
- EU citizens must be clearly informed if their data is stored outside of the EU
What is considered personal data?
- First and last name
- ID number
- Location data
- Internet ID (@handles, Facebook ID, IP address, etc.)
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person
For marketers and advertisers, “using” personal data can take many forms, which generally includes data gathering, compiling data, sharing data, deleting data, storing data and using data for targeting.
How are cookie pixels affected by GDPR?
If you’re tracking users’ web and browsing activity, that information “may be used to create profiles of the natural persons and identify them”, which is forbidden by Recital 30 of the GDPR.
The IT Governance Blog does a great job of breaking down how to be compliant with GDPR if you’re a company using cookies. Here are four things to keep in mind:
- Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
- ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept and reject cookies. This means:
- It must be as easy to withdraw consent as it is to give it. If organizations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
- Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
Moreover, any pixel that gathers behavioral data also falls under these consent terms. The Facebook Pixel, Google Analytics Tag, Live Chat, and more all require consent from the user in order to be used. This means that unless the users agree to it, things like the Facebook Pixel or Google Analytics script cannot be fired.
The good news is that Google Analytics allows you to turn on IP anonymization, which should allow you to track users on your website without consent, but only if absolutely no personally identifiable information (including full IP addresses) is collected.
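The caveat above (no PII, and that includes the IP address) is easy to get wrong if you also run your own analytics or server-side logging next to Google Analytics. The following is an added example, not code from the original post, showing the same truncation that Google Analytics applies when its IP anonymization is enabled (the last octet of an IPv4 address is zeroed, the last 80 bits of an IPv6 address are zeroed), done before the address is written anywhere. The sample addresses and the hit record are constructed.

```javascript
// Added example, not code from the original post: IP truncation for a self-hosted
// analytics pipeline, mirroring what Google Analytics does when IP anonymization
// is enabled (IPv4: last octet zeroed; IPv6: last 80 bits zeroed), applied before
// the address is written anywhere. Sample addresses and the hit record are constructed.

function anonymizeIPv4(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`invalid IPv4 address: ${ip}`);
  parts[3] = "0";
  return parts.join(".");
}

function anonymizeIPv6(ip) {
  // Expand "::", keep the first three 16-bit groups (48 bits) and return them in
  // compressed form, e.g. "2001:db8:85a3::". Everything after those 48 bits is dropped.
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  const valid = missing >= 0 && (halves.length === 2 || missing === 0) &&
    [...head, ...tail].every(g => /^[0-9a-f]{1,4}$/i.test(g));
  if (!valid) throw new Error(`invalid IPv6 address: ${ip}`);
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  const kept = groups.slice(0, 3).map(g => g.toLowerCase().replace(/^0+(?=.)/, ""));
  while (kept.length && kept[kept.length - 1] === "0") kept.pop(); // compress trailing zero groups
  return kept.join(":") + "::";
}

function anonymizeIP(ip) {
  return ip.includes(":") ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Scrub a pageview hit as it arrives server-side; only the truncated IP is kept.
function scrubHit(hit) {
  return { ...hit, ip: anonymizeIP(hit.ip) };
}

// Constructed sample hit.
const SAMPLE_HIT = { page: "/pricing", ip: "203.0.113.42", ts: "2018-05-25T09:00:00Z" };
console.log(scrubHit(SAMPLE_HIT)); // ip becomes "203.0.113.0"
```

Truncating at the edge is the point: if the full address ever reaches a log file or a database, anonymizing it later in the reporting layer does not undo the fact that you stored personal data.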
GDPR Checklist: How To Acquire Data While Complying With GDPR
To be GDPR compliant, you need to be cautious and transparent about how you collect personal information. Here’s a short GDPR checklist to help you learn how to acquire personal data the right way.
- Are you informing users that you are processing their personal data in accordance with the GDPR legislation?
- Are you being transparent about why you are gathering their data?
- Do you need that data or want that data? You cannot keep data longer than it is necessary to achieve your goal.
- Is your data true, complete, and factual?
- Are you able to tell users who made what changes and/or has access to their personal data at any given time?
Also, check out Hubspot’s comprehensive GDPR Checklist to help you determine if you’re GDPR ready.
Moreover, if you have an opt-in form, then you need to have a separate checkbox for each type of processing you do and the wording needs to be clear and transparent. You can’t group anything together.
Examples of bad consent phrasing:
- Consent to use browser data.
- Consent to use browser data for marketing.
- Consent to use browser data to optimize our website.
Examples of good consent phrasing:
- Consent to use browser data for visitor tracking to optimize our website for marketing.
- Consent to use browser data to identify your approximate geographical location to show the correct language.
Note: It is forbidden to implement checkboxes that are ticked by default; users have to make the decision by checking them themselves.
Also note that you’ll need to ask for separate consent in order to be allowed to use their personal data for email marketing purposes, Facebook targeting, and to share it with third parties.
This means that if you plan to use your users’ data for Facebook ads and also upload it to a CRM (third-party tool), then you need two separate checkboxes.
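The cookie rules above (no tag fires until there is an affirmative opt-in, withdrawal is as easy as granting, the settings menu can always be reopened) and the one-checkbox-per-purpose rule in this section come down to the same mechanism. The following is an added example, not code from the original post or from any consent tool named in it: a small consent manager with one flag per purpose, all off by default, that gates tag loading and event sending on the current state and keeps a timestamped log of each decision together with the exact wording shown. The purpose keys, the wording for the email and CRM purposes, and the fake tag loaders are constructed; on a live site the loaders would inject the Facebook Pixel or Google Analytics snippet.

```javascript
// Added example, not code from the original post: a minimal consent manager that
// keeps one flag per purpose (all off by default, i.e. no pre-ticked boxes), runs a
// tracking tag only once its purpose has been consented to, makes withdrawal as easy
// as granting, and logs every decision with the exact wording shown so you can later
// say who consented to what and when. Purpose keys, the email/CRM wording and the
// fake tag loaders are constructed for this example.

const PURPOSES = {
  analytics: "Consent to use browser data for visitor tracking to optimize our website for marketing.",
  geolocation: "Consent to use browser data to identify your approximate geographical location to show the correct language.",
  email_marketing: "Consent to use your email address to send you our newsletter.",
  crm_sharing: "Consent to share your contact details with our CRM provider.",
};

class ConsentManager {
  // `now` is injectable so the audit log is testable; defaults to the current time.
  constructor(purposes, now = () => new Date().toISOString()) {
    this.purposes = purposes;
    this.now = now;
    // Every purpose starts unticked: merely visiting the site is not consent.
    this.state = Object.fromEntries(Object.keys(purposes).map(p => [p, false]));
    this.log = [];   // audit trail: { at, purpose, granted, wording }
    this.tags = [];  // registered tags: { purpose, run, fired }
  }

  hasConsent(purpose) {
    this._checkPurpose(purpose);
    return this.state[purpose] === true;
  }

  // Register a tag (pixel, analytics snippet) under one purpose. It fires only when
  // that purpose has consent, now or later; registration alone never fires it.
  registerTag(purpose, run) {
    this._checkPurpose(purpose);
    const tag = { purpose, run, fired: false };
    this.tags.push(tag);
    if (this.state[purpose]) this._fire(tag);
    return tag;
  }

  grant(purpose) { this._set(purpose, true); }
  withdraw(purpose) { this._set(purpose, false); }

  // Apply a submitted settings form: only purposes explicitly ticked are granted,
  // anything left unticked is withdrawn, and purposes are never bundled.
  applyForm(formValues) {
    for (const purpose of Object.keys(this.purposes)) {
      const ticked = formValues[purpose] === true;
      if (ticked !== this.state[purpose]) this._set(purpose, ticked);
    }
  }

  // Gate for individual events (pageviews, conversions): drops the event and returns
  // false whenever the purpose has no consent at that moment.
  send(purpose, event, transport) {
    if (!this.hasConsent(purpose)) return false;
    transport(event);
    return true;
  }

  // Current flags, e.g. to persist in a first-party cookie and re-open the settings menu.
  snapshot() { return { ...this.state }; }

  _set(purpose, value) {
    this._checkPurpose(purpose);
    this.state[purpose] = value;
    this.log.push({ at: this.now(), purpose, granted: value, wording: this.purposes[purpose] });
    if (value) for (const tag of this.tags) if (tag.purpose === purpose) this._fire(tag);
  }
  _fire(tag) { if (!tag.fired) { tag.fired = true; tag.run(); } }
  _checkPurpose(p) { if (!(p in this.purposes)) throw new Error(`unknown purpose: ${p}`); }
}
```

The log entry stores the wording the user actually saw, because the question you will be asked later is not only "did they tick a box" but "what exactly did they agree to"; keeping a copy of the text per decision answers both.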
What about existing email list members where we don’t have a record of opt-in?
Luckily, just because you don’t have the record of opt-in doesn’t mean you don’t have a lawful basis to process a contact record. To address this, the GDPR defines what it calls a “lawful basis of processing”: you need a legal reason for using someone’s personal data. Let’s see the different ways this can apply to your imaginary user named Laura:
- Necessary for the performance of a contract – If Laura buys products from you, you can send her emails related to onboarding, billing, etc.
- Legitimate interest – You could email Laura about related products or services.
- Consent (with notice) – Freely given, affirmative, opt-in consent accompanied with a transparent explanation of your purpose for acquiring/using the data. This applies if Laura directly opted in and clearly gave consent to receive specific emails.
Hubspot’s product roadmap for GDPR does an excellent job of clarifying this information above.
However, for contacts you have no other lawful basis to process, you must get consent in order to send them marketing emails.
We recommend launching a one-time email campaign that asks any contacts who haven’t opted into your marketing emails yet to confirm their subscription. Only the contacts that confirm their subscription status are then kept on your list. Those who don’t confirm it will have to be opted out from your marketing emails.
As a result, you will be left with a highly engaged list of contacts that have proven they want to continue receiving emails from you.
Pro Tip: You should incentivize them to opt-in by offering something special in return. We have recently seen companies offering a number of industry reports if a user opts in, but you should figure out what resonates most with your users.
The Right to be Forgotten
GDPR rules now give EU citizens the right to have their data deleted and no longer processed, if the data is no longer necessary for the purpose for which it was gathered.
‘The Right to Be Forgotten’ means that EU citizens can access the data you have gathered about them AND that they can also demand it deleted – which you must respect and fulfill within a reasonably short amount of time (about 5-10 business days).
However, you only need to delete (“forget”) the data if it’s no longer necessary to fulfill the contract it was gathered for. For instance, an eCommerce shop needs an address in order to send the purchased goods, so the data subject cannot have their data forgotten until the contract stating that “the goods purchased are to be delivered” has been completed.
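The eCommerce case above is the edge case an erasure handler has to get right: the data needed to perform an open contract is retained, with the reason recorded, while everything else about the subject is removed and marketing processing stops immediately. The following is an added example, not code from the original post, against a small constructed data model (customer and order records with made-up field names); it is re-run once the outstanding order has been delivered to complete the erasure.

```javascript
// Added example, not code from the original post: handling a "right to be forgotten"
// request against a small e-commerce data model. Personal data still needed to
// perform an open contract (the shipping details of an undelivered order) is retained
// with the reason recorded; all other personal data about the subject is removed and
// marketing processing stops immediately. The data model, field names and sample
// records are constructed for this example.

const RETENTION_REASON_OPEN_CONTRACT = "needed to perform an open contract (undelivered order)";
const PERSONAL_ORDER_FIELDS = ["recipientName", "shippingAddress", "phone"];
const PERSONAL_CUSTOMER_FIELDS = ["name", "email", "address", "phone", "marketingProfile"];

function stripFields(record, fields) {
  const out = { ...record };
  for (const f of fields) delete out[f];
  return out;
}

// Returns new records without mutating the inputs:
//   customer  - the subject's record after erasure (or, while an order is still open,
//               with marketing data removed and status "erasure_pending")
//   orders    - all orders, with the subject's delivered orders stripped of personal fields
//   retained  - what was kept and why, for the reply to the data subject
//   complete  - false while something had to be retained; re-run after delivery
function handleErasureRequest(customer, orders) {
  const isOwn = o => o.customerId === customer.id;
  const open = orders.filter(o => isOwn(o) && !o.deliveredAt);

  const updatedOrders = orders.map(o =>
    isOwn(o) && o.deliveredAt ? stripFields(o, PERSONAL_ORDER_FIELDS) : o);
  const retained = open.map(o => ({ orderId: o.id, reason: RETENTION_REASON_OPEN_CONTRACT }));

  let updatedCustomer;
  if (open.length > 0) {
    // Contact and address are still needed to deliver; marketing use stops now.
    updatedCustomer = { ...stripFields(customer, ["marketingProfile"]),
                        marketingConsent: false, status: "erasure_pending" };
  } else {
    // Nothing left to perform: remove the personal fields, keep the id for referential integrity.
    updatedCustomer = { ...stripFields(customer, PERSONAL_CUSTOMER_FIELDS),
                        marketingConsent: false, status: "erased" };
  }
  return { customer: updatedCustomer, orders: updatedOrders, retained, complete: open.length === 0 };
}

// Constructed sample records: Laura has one delivered and one undelivered order.
const SAMPLE_CUSTOMER = {
  id: "c-1", name: "Laura Example", email: "laura@example.com", address: "1 Example St",
  marketingConsent: true, marketingProfile: { interests: ["running shoes"] },
};
const SAMPLE_ORDERS = [
  { id: "o-1", customerId: "c-1", recipientName: "Laura Example", shippingAddress: "1 Example St", total: 40, deliveredAt: "2018-05-01" },
  { id: "o-2", customerId: "c-1", recipientName: "Laura Example", shippingAddress: "1 Example St", total: 25, deliveredAt: null },
  { id: "o-3", customerId: "c-2", recipientName: "Someone Else", shippingAddress: "2 Other Rd", total: 10, deliveredAt: null },
];
```

The `retained` list is what goes into your reply to the data subject: a request that cannot be fully honoured yet still needs an answer within the response window, stating what was kept and why.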
Becoming a GDPR Compliant Business
For businesses – well, this strongly depends on the size of the company.
If your company is storing and/or planning to store any kind of personal data of even one EU citizen, you must take action to comply with GDPR.
What does GDPR mean for US-based companies?
If your business is US-based, you may still receive website visitors from the EU. This means that if you are using website analytics, a newsletter subscription form or a lead-capture form, you must take steps to comply with GDPR for your EU website traffic.
All it takes is one EU citizen who is conscious of their rights and notices that you are not compliant.
What does GDPR mean for UK-based companies?
The UK is implementing a new Data Protection Bill which largely includes the provisions of the GDPR. This Bill is designed to bring the UK’s data protection laws in line with the GDPR. Stay tuned!
What does GDPR mean for the rest of the world?
Companies around the globe must be compliant if they store, process or use any EU citizen data.
What happens if there is a security breach and you leak user data?
The GDPR requires you to report the breach to the authorities within 72 hours of discovering it and to admit that it happened. You should also be able to determine how many records were leaked, explain how you are going to make sure such a breach does not happen again, and inform any users whose data may have been leaked about the incident.
What is considered a security breach under GDPR?
- Destruction of personal data
- Loss of personal data
- Modification of personal data
- Unauthorized revelation of personal data
- Unauthorized access by third parties to personal data
Are you a Data Controller or a Data Processor?
A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data. For example, those who’ve signed up to the Ladder newsletter are under the control of Ladder and we are the Data Controller.
A Data Processor is the entity which processes personal data on behalf of the controller. For example, when working with a client’s newsletter list, Ladder is then processing the data that this client is controlling. In this scenario Ladder is the Data Processor and the client is the Data Controller.
Whenever you are holding users’ personal data (like an email list) and upload it to Facebook to create a custom audience – then you are the Data Controller and Facebook is the Data Processor. You actually need to get your users’ permission in order to use their data in this way.
On the other hand, when you create a Facebook lookalike audience – then Facebook is the Data Controller and you are the Data Processor simply because the personal data that is used to create the lookalike audience is inside Facebook’s servers and it was not obtained by you.
How Ladder is Complying with GDPR While Maintaining Marketing Performance and Growth
At Ladder, we take GDPR compliance and business growth very seriously. As such, we’ve attended training sessions, had our lawyers review our terms of service and privacy documents, and we’ve read a LOT about the issue to try and figure out our obligations.
We’re also conducting a company-wide team training on the matter.
Here are our own action items for GDPR compliance as a growth marketing agency:
- Detect IP address location, if EU then show EU compliant version
- Restricting our GDPR version of our website to only show for those in the EU will help maintain conversion rates in all other locations
- Use a GDPR Wall on EU traffic
- A wall in front of our website so that all EU users who want to enter must agree to your conditions such as collecting their data with cookies.
- gdprwall.com is something we’re leaning toward
- For our leads acquisition on-site we’ll detail why we’re collecting their data, where it’s going and how long we’ll keep their data
- For our newsletter list acquisition, we’ll detail why we’re collecting their data, where it’s going and how long we’ll keep their data
- For current members of our newsletter list for whom we don’t have a record of opt-in, we’ll be sending an activation email for them to opt in to the list, and we’ll be incentivizing this via a juicy offer
- This will ensure compliance while also ensuring that our newsletter is made up of only those who are most engaged with our content
- Enable anonymization in Google Analytics
- In our proprietary growth testing platform, we’ll ensure that users have the ability to delete their account, personal info and data
And for the companies we’re working with to grow and scale their businesses, we’ve sent updates to each with details on the steps we’re taking, how GDPR will affect their marketing experiments, and the options at hand to ensure compliance while maintaining optimal performance.