Fulcrum Forge

11 Post GDPR Tips to Help Compliance, Conversion Optimization, and Sanity

Well, we're past May 25th and we're still here. Solo wasn't quite what we'd hoped but we survived the GDPR go live date!

Wait. What? GDPR?

While many have been focused on GDPR, its ramifications, and how to keep using time-tested marketing and sales techniques now that its compliance requirements are in effect, for many others, especially those outside the European Union, the second sentence of this post sums up their feelings on the subject.

It's not that people were surprised by it. You had to be living in a cave not to hear about GDPR. But while some guidance, like the use of cookie banners, has been straightforward, other guidance has been a little squishy, like the advice to make sure you collect the right opt-in information from EU residents no matter where they're accessing your site from.

Barry Levine wrote an interesting article about some of the unintended consequences of GDPR that are already popping up. Some large brands are bending over backward to comply, to the point of removing key features from their software to avoid potentially stiff penalties for violations. Other companies are forging a path through the murky recesses of the GDPR articles for their own survival. Many are taking a wait-and-see attitude, hoping clear guidance will present itself. After bringing our company and some of our clients into compliance (or mostly into compliance), we're sharing 11 post-GDPR tips to help with compliance, lead generation, and sanity.

None of this is Legal Advice

First, the obvious disclaimer. Nothing in this article is legal advice. Before making any decisions about how to bring your organization into GDPR compliance, consult a lawyer who works on GDPR compliance.

If You're Only Getting Around To GDPR Now

If you're only now starting to look at GDPR, or want a more comprehensive view of what the regulation means, there are several good resources out there. Some that we have used are:

Cookie Banners

A cookie banner is simply a banner, shown to visitors and typically re-shown after a set period such as 30 days, that tells them your website uses cookies and asks whether they're okay with that. Many hosting platforms, from Squarespace to HubSpot, have banners you can enable and customize as part of their service, and there are a number of WordPress plugins that help websites become compliant and check for compliance. One caveat a banner on its own does not solve: non-essential cookies and the scripts that set them (analytics, ad pixels) should only load after the visitor has accepted, not before the banner has been answered.

Most default cookie banners have a lot of text. A good banner will allow you to customize the text and link to your cookie or privacy policy. We recommend creating a cookie policy with the nitty-gritty detail. Keep the text of the cookie banner short and sweet, and include a link to the cookie policy or privacy policy:

We use cookies to give you the best possible experience on our website. Read our Cookie Policy to learn more.

It's a good idea to make sure people know they're getting value from cookies.
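The logic behind a banner like that, as an added example that is not from the post and not from Squarespace, HubSpot or any WordPress plugin: it stores the visitor's choice in a first-party cookie, re-asks after 30 days (the interval assumed from the description above), rejects a tampered or garbage cookie, and only lets non-essential scripts load once there is an affirmative, unexpired choice. The cookie name, the `analytics`/`marketing` categories and the 30-day period are assumptions. Everything is a pure function over the cookie string, so it runs in Node as well as in a browser; wiring it to the DOM and to your tag loader is left to the page.

```javascript
// Added example (not the post's or any vendor's code): consent-cookie logic for a
// cookie banner. ASSUMPTIONS: cookie name, script categories and the 30-day re-ask.
"use strict";

const CONSENT_COOKIE = "cookie_consent";          // assumed name
const CONSENT_MAX_AGE = 30 * 24 * 60 * 60;        // 30 days, in seconds

// Parse document.cookie (or a Cookie request header) into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Returns {analytics, marketing} if a valid, unexpired choice is stored, else null.
// Anything that is not well-formed JSON with a numeric timestamp is treated as
// "no choice", so a tampered cookie can never unlock a script category.
function storedConsent(header, now = Date.now()) {
  const raw = parseCookies(header)[CONSENT_COOKIE];
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec.ts !== "number") return null;
  if (now - rec.ts > CONSENT_MAX_AGE * 1000) return null;   // older than 30 days: re-ask
  return { analytics: rec.analytics === true, marketing: rec.marketing === true };
}

// The banner is shown whenever there is no usable stored choice.
function shouldShowBanner(header, now = Date.now()) {
  return storedConsent(header, now) === null;
}

// Build the string to assign to document.cookie once the visitor chooses.
// First-party, Secure and SameSite=Lax: a consent record has no reason to be
// sent cross-site or over plain HTTP.
function consentCookie(choice, now = Date.now()) {
  const rec = { analytics: !!choice.analytics, marketing: !!choice.marketing, ts: now };
  const value = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Which script categories may load. Strictly necessary scripts always load;
// everything else waits for an affirmative stored choice.
function allowedScripts(header, now = Date.now()) {
  const consent = storedConsent(header, now);
  return {
    necessary: true,
    analytics: consent !== null && consent.analytics,
    marketing: consent !== null && consent.marketing,
  };
}

// Usage: on page load, decide whether to render the banner and which tags to load.
//   if (shouldShowBanner(document.cookie)) renderBanner();
//   const allowed = allowedScripts(document.cookie);   // load only what is true
//   on accept: document.cookie = consentCookie({ analytics: true, marketing: false });
```

Because the cookie carries `Secure`, browsers will not store it over plain `http://`, so test it on `https://` (or `localhost`) rather than concluding the banner loops. The `ts` field is what makes the 30-day re-ask work without trusting the browser's expiry, and it is also what you would show if someone asks when consent was given.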


Privacy Policy Updates for GDPR

Speaking of policies, you might be thinking:

Cookie policy? I thought I needed to update my privacy policy! Now I need a cookie policy?

No, you don't need a separate cookie policy. You can cover cookies in your privacy policy, but it keeps both simpler and clearer if you separate them.

Where do you get policies? There are several samples available:

Every organization is different, so the odds are that none of these samples or templates will be a perfect fit for yours. You'll likely need to modify and add to any template you start with, and while stealing is wrong, being inspired is a great thing. Many of our clients took inspiration from partner, competitor, and resource websites to help them craft and modify their policies. Looking at live examples of policies gives you a starting point that can help you get your own done faster.

Privacy Officers

Many recommend that every organization appoint a privacy officer to keep up with changing regulations, address questions, and handle complaints. (GDPR itself only mandates a formal Data Protection Officer for certain organizations under Article 37, such as public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, but nothing stops you from naming someone responsible regardless.) GDPR has a lot of uncharted territory, there are many legitimate questions about what constitutes compliance, and no one yet knows how it will be enforced. Because of this, we think it's a very good idea for companies of all sizes to have a privacy officer. For many large companies this may be a new position, an extension of an existing one, or an outside law firm. For many small businesses, the privacy officer will be the person, or one of the people, who helped craft your cookie and privacy policies.

Regardless, we recommend everyone do the following:

  • Create a privacy email address such as privacy@company.com that directs questions and complaints to your privacy officer, or the person in charge of compliance.

  • Keep up with news on GDPR. Follow outlets such as Social Media Today, Marketing Land, and others for coverage of compliance, changing interpretations of the requirements, and enforcement actions.

  • If you do business with or get a lot of traffic from the EU, find a law firm that focuses on helping businesses like yours navigate GDPR. I'm not saying put them on retainer. Call them, get to know them, and get their rates so that you know where to turn if you have a question, a complaint, or an enforcement action.

Landing Page Forms - How to Get Ticks

One of the most impactful and most obvious changes GDPR brings is to how people opt in, and how we can communicate with them once they do. Content offers like checklists, strategy guides, whitepapers, and ebooks are the grease that makes inbound marketing work. You offer something of value, a visitor downloads it by giving you an email address, and you start marketing to them. Some, hopefully, turn into customers.

Under GDPR you need a lawful basis to email people, and for marketing email that usually means their consent. The de facto way to collect it is through checkboxes at the bottom of forms.

Visitors have to actively tick the boxes and give you permission to communicate with them. If they don't, you can't, so these are one type of tick you really want. Note that the box must not be pre-ticked and must be a separate, specific choice: consent bundled into "accept the terms" or inferred from silence doesn't count (Recital 32). Does this break inbound marketing? No. It does make it different.

Marketers may have to get help from salespeople and learn to craft better opt-in statements that show real value and encourage engagement.

This email communication opt-in statement is not very good:

We'd like to communicate with you from time-to-time about services we offer, and special offers we have. Can we stay in touch with you?

Why isn't it good? Go back to Marketing 101. People aren't interested in what you're selling or what you want; they're interested in their own problems. Treat your opt-in statements like blog titles or calls-to-action. A better opt-in statement tells the visitor what's in it for them if they opt in:

We offer content like this to our email subscribers first. We also provide many exclusive subscriber only offers. Would you like to subscribe to email communications? You can unsubscribe anytime.

Opt-ins for EU vs the Rest of the World

In places like the US there's another wrinkle. GDPR's territorial scope (Article 3) covers people who are in the EU, whatever their nationality, and organizations established there; it doesn't cover visitors who are neither. This is something many US brands are thinking about, because inbound marketing works a lot more smoothly without those burdensome EU requirements.

If you don't have EU traffic or customers you may decide not to implement the GDPR pieces at all, but what if you only have a little EU traffic? Do you want to go 100% GDPR-friendly when most of your visits and opt-ins aren't from EU sources? Not likely. So you have decisions to make about how and where you're going to implement GDPR. Here are some options:

  • GDPR self-identification plus workflow: Put a mandatory yes/no field on your form asking visitors whether they are in the EU. Create a branching workflow as part of the content delivery for the landing page. Non-EU respondents get opted in per your normal process and get a link to the content. People who self-identify as being in the EU get an email with the link to the content that also includes the opt-in questions. If they confirm, you have a legal basis for communication; record when and how they confirmed, because you may have to show it later (Article 7(1)).

  • Use smart/dynamic forms to identify visitors from EU countries. HubSpot has Smart Forms, and many other marketing automation and content management systems have the same thing under the name dynamic content. Dynamic content changes based on criteria you specify: you can show new visitors, returning visitors, and customers different content when they view your website or landing pages. Different systems may let you segment visitors by buyer stage or other factors, and many let you segment by country, which is normally derived from the visitor's IP address. If that's the case, you can show visitors from EU countries GDPR-compliant forms with those tick boxes, and show everyone else your standard forms.

Note: Lawyers will tell you that neither of these options covers all of your bases. GDPR's scope turns on whether the person is in the EU, not on where your servers are, and both signals are imperfect: in the first option visitors can misidentify themselves, and you're still obligated to follow the regulation; in the second, IP geolocation is approximate and is defeated by VPNs, proxies, and carriers that route traffic through another country. Like I said, you have decisions to make.

Example: Website Pop-ups

Website pop-ups are a must-have. We get 1/3 to 1/2 of our opt-ins from pop-ups, and our clients that have pop-ups properly deployed see the same. HubSpot calls pop-ups LeadFlows. LeadFlows aren't smart yet, so we couldn't show different ones to visitors from different countries. But honestly, that was beside the point. Just looking at the pop-ups, there was no way to make them look good with the GDPR ticks.

Pop-ups are supposed to be impulse buys. They are the chewing gum and chocolate next to the register. Those ticks often take up more space than the offer text and really kill the mood. We opted to use another smart/dynamic technology, smart email, to make up for this.

We left our pop-ups alone. They have a simple description of the offer and ask for a first name (for personalization of follow-on emails) and an email address. A workflow delivers the content offer, so we set up a smart email with two different bodies: one for the EU and one for everyone else. The email body for everyone else provides a description of the download and a link to retrieve it. The EU email body provides that plus a button to opt in to email communications, which leads to a simple landing page. Whenever an EU visitor opts in, another workflow updates the legal basis for communication fields.

Legal Basis for Communication

The phrase legal basis for communication is a term you'll likely hear more and more. Under GDPR you must have a lawful basis for processing someone's personal data (Article 6), which includes sending them email, and you must be able to demonstrate it; where that basis is consent, you must be able to show that consent was given (Article 7(1)). GDPR also isn't limited to contacts added after it went into effect: it applies to all processing from May 25, 2018 onward, including contacts you collected earlier.

Again, if you don't have contacts in the EU and don't do business with EU member states, then you likely don't have to worry about this. If you do, having GDPR-compliant email marketing and marketing automation software will help, but you will also have to change some things, and take steps to get your system back to normal with all features behaving as expected.

Take HubSpot for example. HubSpot has a switch that allows you to turn on GDPR features.

Once you turn on GDPR compliance, GDPR features such as the consent tick boxes become available for forms. The enforcement features are turned on by default as well, meaning every contact needs a legal basis of some sort recorded before you can email them.

Once GDPR was enabled we started seeing the following when sending emails to leads and clients:

We needed to add a subscription or record a one-time legal basis for consent.

While this applies specifically to HubSpot, I suspect most other GDPR-compliant marketing automation software operates in a similar fashion. The software has to be GDPR-compliant and has to keep you compliant, so your contacts need to have these fields filled out.

Two things to note from the list of legal bases for communication:

  1. Not applicable. This is the basis for any non-EU contact. You still need to provide a reason, which we usually record as lead, customer, partner, or vendor, depending on how we know or work with them.

  2. Legitimate Interest - prospect/lead. This is very open-ended. If someone browses your website, have they shown legitimate interest? That's debatable, but GDPR laws are not. If that person is in the EU, you need their express consent to email them. As I understand it, you can call them a prospect. If you do, that may constitute legitimate interest and allow you to send a follow-up email, but this is very murky territory that still needs to be figured out. One thing that is settled: the ePrivacy Directive (2002/58/EC, Article 13) generally requires prior consent for unsolicited direct-marketing email to individuals, with a soft opt-in only for existing customers being offered similar products or services, so legitimate interest is a much narrower basis for cold email than for other processing. It may take a while before we see defined boundaries for that type of outreach. Stay tuned.

There is a third field on that form, obscured in the screenshot, named Explanation for communication consent. It lets you input additional detail as to why communication is lawful. We add the reason they are in our list: prospect, lead, customer, partner, or vendor.

To manage contacts and ensure GDPR compliance you should do the following:

  • Make sure your subscription types are clearly defined in your marketing automation tool.

  • Create workflows to segment known non-EU contacts into a list, then update those contacts so that every one of them has a subscription and a legal basis for communication.

  • For EU contacts, and contacts that may be in the EU, run a permission pass email campaign. You have likely seen a few of these emails from EU companies in your inbox. In the email you ask the contact for permission to keep communicating with them, and you record the answer and its date against the contact.

This is the permission email we sent to our EU and unknown contacts:

HubSpot has a good article that walks through how to run a permission pass campaign. It worked for us with HubSpot and translates well to other email marketing and marketing automation systems.
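The decision logic behind the two-path workflow from the landing page and pop-up sections (non-EU contacts opt in normally, in-scope contacts get the content plus an opt-in button, and the basis is recorded only when they confirm) and behind the three-step contact audit above, written out as an added example. This is not code from the post and not HubSpot's; it is dependency-free JavaScript that would sit behind a form handler or a list export. The country list, the field names (`country`, `selfIdentifiedEU`, `subscribed`, `unsubscribed`, `declinedPermissionPass`, `legalBasis`), the statement text and the decision rules are assumptions for illustration, and the sample contacts are constructed; check the rules against your own legal advice before relying on them. One choice to notice: a contact with no known country is treated as in scope and gets the permission pass, which is what the post does with its "EU and unknown" list.

```javascript
// Added example, not the post's or HubSpot's code: a small consent model for the
// self-identification workflow and the pre-send contact audit described above.
// ASSUMPTIONS: country list, field names, statement text and decision rules.
"use strict";

// EU member states at the time of the post (May 2018, so GB is included) plus the
// EEA states that apply the GDPR. ASSUMPTION: you maintain this list (e.g. Brexit).
const EU_EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
  "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "GB",
  "IS", "LI", "NO",
]);

// A contact is in scope if the form's self-identification or geolocation says so.
// An unknown country is treated as in scope: the post sends its permission pass to
// EU *and unknown* contacts, and a wrong guess here is the failure mode it warns about.
function inScope(contact) {
  if (contact.selfIdentifiedEU === true) return true;
  if (!contact.country) return true;
  return EU_EEA.has(String(contact.country).toUpperCase());
}

// The "documented proof": keep the exact statement the visitor saw, when they
// ticked it and where, so it can be produced if the consent is ever questioned.
function consentRecord(statement, source, when) {
  return { basis: "consent", statement, source, timestamp: when.toISOString() };
}

// Landing-page routing (the "self identification plus workflow" option, and the
// same split the smart email makes for pop-ups):
//   out of scope -> opt in per the normal process, basis "not applicable", send content;
//   in scope     -> send the content with an opt-in button; nothing recorded until they confirm.
function routeFormSubmission(sub) {
  const contact = { email: sub.email, country: sub.country, selfIdentifiedEU: sub.selfIdentifiedEU };
  if (!inScope(contact)) {
    return {
      ...contact,
      emailBody: "deliver-content",
      subscribed: true,
      legalBasis: { basis: "not_applicable", explanation: "lead (non-EU)" },
    };
  }
  return { ...contact, emailBody: "deliver-content-with-opt-in-button", subscribed: false, legalBasis: null };
}

// Called by the workflow when an in-scope visitor confirms on the opt-in landing page.
function confirmOptIn(contact, statement, when = new Date()) {
  return { ...contact, subscribed: true, legalBasis: consentRecord(statement, "opt-in landing page", when) };
}

// Contact audit before a send:
//   send            - consent on record with an active subscription, or out of scope
//   permission_pass - in scope, no consent recorded, never refused: ask them
//   suppress        - unsubscribed, or refused a previous permission pass
function classifyContact(c) {
  if (c.unsubscribed || c.declinedPermissionPass) return "suppress";
  if (c.legalBasis && c.legalBasis.basis === "consent" && c.subscribed) return "send";
  if (!inScope(c)) return "send";
  return "permission_pass";
}

// Buckets every contact, and lists out-of-scope contacts that still need the
// "not applicable" basis and an explanation filled in (the audit's second step).
function auditContacts(contacts) {
  const out = { send: [], permission_pass: [], suppress: [], fillNotApplicable: [] };
  for (const c of contacts) {
    const bucket = classifyContact(c);
    out[bucket].push(c.email);
    if (bucket === "send" && !c.legalBasis) out.fillNotApplicable.push(c.email);
  }
  return out;
}

// Constructed sample contacts for illustration (not real data).
const SAMPLE_CONTACTS = [
  { email: "a@example.com", country: "US", subscribed: true, legalBasis: { basis: "not_applicable" } },
  { email: "b@example.de", country: "DE", subscribed: true, legalBasis: { basis: "consent" } },
  { email: "c@example.fr", country: "FR", subscribed: false, legalBasis: null },
  { email: "d@example.com", country: null, subscribed: true, legalBasis: null },
  { email: "e@example.ie", country: "IE", subscribed: true, unsubscribed: true },
  { email: "f@example.com", country: "CA", selfIdentifiedEU: true, legalBasis: null },
  { email: "g@example.com", country: "AU", subscribed: true, legalBasis: null },
];

console.log(JSON.stringify(auditContacts(SAMPLE_CONTACTS), null, 2));
```

Run it with `node` and the audit prints three lists to act on (send as-is, send a permission pass, suppress) plus the non-EU contacts whose "not applicable" basis still has to be filled in. The point of `consentRecord` is that the thing you store is not a boolean but the statement, source and timestamp, which is what you will be asked for if a consent is ever disputed.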

Look Out for Diminishing Features

One thing we've noticed in our marketing automation tool of choice, HubSpot, is that some features have been diminishing and others have been disappearing. HubSpot tracks email opens and clicks, as many email marketing tools do, and can notify you when a contact opens an email. After the GDPR features were enabled, only contacts with their legal basis fields properly populated showed up by name in those notifications. You'd still get the notification that an email was being read, but the name was anonymized to "someone."

More frustrating was that HubSpot nerfed its Prospects tool. The Prospects tool runs code on your web pages and tells you the domains and the pages viewed by anonymous visitors. At least it used to. Now it only tells you the domain, which makes the tool far less useful.

If you knew the domain and the pages they were looking at, you could call, ask for the department in charge of buying the services you offer, and ask if they need help in the areas discussed on the pages they were viewing. It's a great way to break the ice by engaging on a topic you know the prospect is interested in.

Now it's gone, and, in order to remain GDPR-compliant, HubSpot says it has no plans to bring it back. To be clear, this feature has been removed regardless of the GDPR setting in the software; HubSpot wants to make sure its product complies fully with GDPR. There are third-party options like Visual Visitor and others that provide similar information, but it's a little disturbing the way that feature and its data disappeared with only a banner-based notice.

The big lesson here is to be on the lookout for feature changes related to contacts and their information. Features you use may become less useful, or go away altogether forcing you to find alternative tools or approaches.

Just the Start

Stay tuned to media outlets like Social Media Today and Marketing Land, because most brands are still trying to figure out how to run their business and be successful in a post-GDPR world. At the same time, enforcement agencies are still working out how the regulation will be interpreted and enforced. There's a long way to go, and marketers that deal with people in the EU need to stay plugged in as guidance on compliance and best practices evolves.