Well, we're past May 25th and we're still here. Solo wasn't quite what we'd hoped, but we survived the GDPR go live date.
Wait, what? GDPR?
While many have been focused on GDPR, its ramifications, and how to continue time-tested marketing and sales techniques as GDPR compliance requirements go into effect, for many others - especially those outside the European Union - the second sentence probably sums up their feelings on the subject.
It's not that people were surprised about it - you had to be living in a cave not to have heard about GDPR. But, while some guidance, like the use of cookie banners, has been straightforward, other advice has been a little squishy. Like that bit about 'make sure you collect the right opt-in information from EU residents, no matter where they're accessing your site from'.
Barry Levine wrote an interesting article about some of the unintended consequences of GDPR that are already popping up. Some large brands are bending over backward to comply - to the point of removing key features from their software to avoid potential penalties for violations. Other companies are forging a path through the murky recesses of GDPR articles for their own survival. Many are taking a 'wait and see' attitude, in the hopes that more clear guidance will present itself.
After bringing our company, and some of our clients, into compliance (or mostly compliance), here are some key tips to help compliance, lead generation, and sanity.
None of this is Legal Advice
First, the obvious disclaimer. Nothing we say in this article is legal advice. Before making any decisions about how to bring your organization into GDPR compliance, you should consult a GDPR compliance lawyer.
If You're Only Getting Around To GDPR Now
If you're only now starting to look at GDPR, or want a more comprehensive view of what the regulation means, there are several good resources out there for you.
Some that we have used are:
- HubSpot's GDPR Playbook. The guidance is valid no matter what social media management and marketing automation you use.
- Forcepoint has a GDPR Resource Kit. It covers the regulation and the key actions organizations should take, and it also provides articles from lawyers that walk through the legal implications.
- Cookiebot has a page that talks about what to disclose and how to respond related to cookies under GDPR, and a page about making WordPress websites compliant.
- If you actually want to read the EU's General Data Protection Regulation, Intersoft Consulting has it organized and presented on a web page.
It's a good idea to make sure people know they're getting value from cookies.
Where do you get policies? There are several samples available:
- ActiveMIND has several sample templates for data protection and internal policies.
- Flank.org has documents, templates, and toolkits.
- SEQ Legal has a sample policy as well.
Every organization is different, and odds are that none of these samples will be a perfect fit for your organization. You'll likely need to modify and add to any template you start with - and while stealing is wrong, being inspired is a great thing.
Many of our clients took inspiration from partner, competitor, and resource websites to help them craft and modify their policies. Looking at live examples of policies can provide you a great starting point that can help you get your policies done faster.
Many have recommended that organizations appoint a privacy officer to keep up with changing regulations, address questions, and handle complaints. GDPR has a lot of uncharted territory, and there are many legitimate questions about what constitutes compliance - and no-one knows exactly how compliance will be enforced.
Regardless, we recommend everyone do the following:
- Create a privacy email address such as [email protected] that directs questions and complaints to your privacy officer, or the person in charge of compliance
- Keep up with news on GDPR. Follow articles from outlets such as Social Media Today, Marketing Land, and others on compliance, changing interpretations of requirements, and enforcement actions
- If you do business with, or get a lot of traffic from the EU, find a legal firm that's focusing on helping businesses like yours navigate GDPR. I'm not saying put them on retainer. Call them, get to know them, and get their rates so that you know where you can turn if you have questions, a complaint or an enforcement action.
Landing Page Forms - How to Get Ticks
One of the most impactful, and most obvious, changes that GDPR brings is to how we allow people to opt in, and how we communicate with them once they do.
Content offers like checklists, strategy guides, whitepapers, and eBooks are the grease that makes inbound marketing work - you offer something of value, a visitor downloads it by giving you an email address, and you start marketing to them. Some, hopefully, turn into customers.
Under GDPR, you have to ask permission to email people. The de facto way people do this is through checkboxes at the bottom of forms.
Visitors have to expressly tick the boxes, giving you permission to communicate with them. If they don't, you can't - so these are one type of tick you really want.
Does this break Inbound Marketing? No, but it does make it different.
Marketers may have to get help from salespeople and learn to craft better opt-in statements that show real value, and encourage engagement.
For example, this email communication opt-in statement is not very good:
"We'd like to communicate with you from time-to-time about services we offer, and special offers we have. Can we stay in touch with you?"
Why isn't this good? Go back to marketing 101 - people aren't interested in what you're selling or what you want, they're interested in their own problems. Treat your opt-in statements like blog titles, or calls-to-action. A better opt-in statement tells the visitor what's in it for them if they opt-in:
"We offer content like this to our email subscribers first. We also provide many exclusive subscriber-only offers. Would you like to subscribe to email communications? You can unsubscribe anytime."
Opt-ins for EU vs the Rest of the World
In places like the US there's another issue - we don't have to follow EU regulations with visitors who aren't citizens of the EU.
This is something many US brands are thinking about - inbound marketing works a lot more smoothly without those burdensome EU regulations.
If you don't have EU traffic or customers, you won't bother implementing GDPR components - but what if you only have a little EU traffic? Do you want to go 100% GDPR-friendly when most of your visits and opt-ins aren't from EU sources?
Not likely, so you have some decisions to make about how, and where, you're going to implement GDPR. Here are some options:
- GDPR self-identification plus workflow - Put a mandatory yes/no field on your form asking visitors if they are EU citizens. You can then create a branching workflow that's part of the content delivery related to the landing page. Non-EU residents get opted in per your normal process, and get a link to the content. For people who self-identify as EU citizens, you can send them an email with the link to the content, and include the opt-in questions. If they confirm, you have legal basis for communication.
- Use Smart/Dynamic forms to identify visitors from EU countries - HubSpot has Smart Forms, and many other marketing automation and content management systems have the same thing called dynamic content. Dynamic content changes based on criteria you specify. You can show new visitors, returning visitors and customers different content when they view your website or your landing pages. Different systems may also enable you to segment visitors by buyer stage or other factors. Many will allow you to segment by country. If this is the case, you can show visitors from EU countries GDPR-compliant forms with those tick boxes - and show everyone else your standard forms.
Note: Lawyers will tell you that neither of these options covers all of your bases because EU regulations apply to EU citizens no matter where they are. In the first option, visitors can misidentify themselves, and you're still obligated to follow the regulation. The second example doesn't work for EU citizens visiting your website from outside the EU. Like I said, you have decisions to make.
Example: Website Pop-ups
Website pop-ups are a must-have for many businesses - we get 1/3 to 1/2 of our opt-ins from pop-ups, and our clients that have pop-ups properly deployed see the same.
HubSpot calls pop-ups LeadFlows. LeadFlows aren't smart yet, so we couldn't show different LeadFlows to visitors from different countries. But honestly, that was beside the point. Just looking at the pop-ups, there was no way to make them look good with the GDPR ticks.
Pop-ups are supposed to be impulse buys - they're the chewing gum and chocolate next to the register. Those ticks often take up more text space than the offer and really kill the mood. We opted to use another smart/dynamic technology, smart email, to make up for this.
We left our pop-ups alone. They have a simple description of the offer and ask for the first name (for personalization of follow-on emails) and email address. A workflow delivers the content offer, so we set up a smart email that has two different bodies - one for the EU and one for everyone else. The email body for everyone else provides a description of the download and a link to retrieve it - the EU email body provides that and a button to opt in to email communications, which directs to a simple landing page. Whenever an EU visitor opts in, another workflow updates the legal basis for communication fields.
Legal Basis for Communication
The phrase 'legal basis for communication' is a term you're likely to hear more and more about - under GDPR you have to have documented proof that you have the right to communicate with someone (like send them an email).
Also, GDPR isn't limited to contacts added after GDPR went into effect - it's retroactive so it applies to all your contacts.
Again, if you don't have contacts that are EU citizens, and don't do business with EU states, then you likely don't have to worry about this. If you do, having GDPR compliant email marketing and marketing automation software will help, but you will also need to change things. You may have to take steps to get your system back to normal with all features behaving normally.
Take HubSpot for example. HubSpot has a switch that allows you to turn on GDPR features.
Once you turn on GDPR compliance, GDPR features such as the consent tick boxes become available for forms - all other features are turned on by default, meaning all of your contacts need to have a legal basis of some sort.
Once GDPR was enabled, we started seeing the following when sending emails to leads and clients.
We needed to add a subscription or give a one-time legal basis for consent.
While this applies specifically to HubSpot, I suspect most other GDPR-compliant marketing automation software operates in similar fashion. The software has to be GDPR compliant, and it has to keep you compliant, so your contacts need to have these fields filled out.
Two things to note, from the list of legal bases for communication:
- Not applicable - This is the basis for any non-EU contact. You still need to provide a reason, which we usually put as lead, customer, partner, or vendor, depending on how we know or work with them.
- Legitimate Interest - prospect/lead. This is very open-ended - for example, if someone browses your website have they shown legitimate interest? That's debatable, but GDPR laws are not. If that person is from the EU, and/or an EU citizen, you need their expressed consent to email them. As I understand it, you can call them - if you do, that may constitute legitimate interest and allow you to send a follow-up email. But this is very murky territory that still needs to be figured out. It may take a while before we see defined boundaries for that type of outreach. Stay tuned.
There is a third field on that form that is obscured in the screenshot named 'Explanation for communication consent'. This field allows you to input additional detail as to why communication is legal. We add the reason why they are in our list; prospect, lead, customer, partner, or vendor.
To manage contacts and ensure GDPR compliance you should do the following:
- Make sure your subscription types are clear and defined in your marketing automation tool
- Create workflows to segment known non-EU contacts into a list, then update the contacts to ensure everyone has a subscription and a legal basis for communication
- For EU contacts, and contacts that may be EU citizens, run a permission pass email campaign. You've likely seen a few of these emails from EU companies in your inbox. In the email you ask the contact for permission to keep communicating with them.
This is the permission email we sent to our EU and unknown contacts:
HubSpot has a good article which walks you through how to run a permission pass campaign; it works with HubSpot and translates well to other email marketing and marketing automation systems.
Look Out for Diminishing Features
One thing we have noticed in many of the marketing automation tools of choice is that some features have been diminishing, and others have been disappearing.
HubSpot, for example, tracks email opens and clicks, as many email marketing tools do. In HubSpot, you can be notified when a contact opens an email. After GDPR features were enabled, only contacts with legal basis fields properly populated would show in the notifications. You'd still get the notification that an email was being read, but the name was replaced with "someone."
More frustrating was that HubSpot nerfed their Prospects tool. The Prospects tool runs code on your web pages and tells you the domains and pages viewed for anonymous visitors. At least it used to. Now it only tells you the domain. That change makes the tool far less useful.
If you knew the domain, and the pages they were looking at, you could call and ask for the department in charge of buying the services you offer, and ask if they need help in areas discussed on the pages they're viewing. It's a great way to break the ice by engaging on a topic you know the prospect is interested in.
Now it's gone, and, in order to make sure they remain GDPR compliant, HubSpot says it has no plans to bring it back. And let me be clear, this feature has been removed regardless of the GDPR setting in the software. HubSpot wants to make sure their software complies fully with GDPR. There are third-party options like Visual Visitor and others that provide similar information, but it's a little disturbing the way that feature and its data disappeared with only a banner-based notice.
The big lesson here is to be on the lookout for feature changes related to contacts and their information. Features you use may become less useful, or go away altogether, forcing you to find alternative tools or approaches.
Just the Start
Stay tuned to media outlets like Social Media Today, and Marketing Land, because most brands are still trying to figure out how to run their business and be successful in a post-GDPR world. At the same time, enforcement agencies are also trying to figure out how regulations will be interpreted, and enacted. There's a long way to go, and marketers that deal with EU citizens need to stay plugged-in as guidance on compliance and best practices evolves.