01st Feb 2018 – 
Tool
WhoIsVisiting
Tool
Clearbit
Process
Uses IP for company lookup
Tool
Google Sheets
Tool
Zapier
Dennis van der Heijden, CEO of Convert.com
“Growth Hacking”— Or Sneaky Lead Capture?
Google admitted that it will be impossible to maintain multiple product privacy policies alive when data protection terms are changing across the globe.
On top of that, their offices in the UK and US have no entry in Privacy Shield—making transferability on IP between Brexit UK and US data even more risky.
Here is our public roadmap on how we as a company are working towards GDPR compliance.
GDPR Point of View
This service can be used to validate emails and collect information on key people in companies (when before, we before only had the domain). As of now, there’s a very limited privacy policy and no Privacy Shield registration.
Here I’ll share how we used “web snitchers” at Convert, and why we are stepping away from that practice.
Process
Uses IP for company lookup
Here’s what Enright had to say about it on a panel at the IAPP conference in December:
That information will be available in the WhoIsVisiting servers and so having it (even temporary) falls outside of GDPR consent.
Outbound Marketing & GDPR: Tense Relationship
Another worry, for us specifically, is that our team is located in Vietnam (think cross-border-data-transfers)
Plus, even our roadmap has a roadmap. We’’re changing our software to make compliance for our customers easier. You can find all the info on that here: GDPR compliant A/B testing software.
GDPR Point of View
Reply.io has Privacy Shield certification, and only this message on their privacy page: “The Reply team is currently working to make sure that, in spring 2018, Reply will be compliant with the GDPR requirements.” The Reply team gives us little more confidence than Hunter.io. It seems they really have just woken up to GDPR (since Privacy Shield could have been done before).
And in the meantime, here’s some good news.
With those tools we’d be able to add things like company size, funding, industry, traffic and more… lots more. The wonders of these enrichment tools is that most public company information (and key employee data is available) allowing us to get a clear profile on the company that visited our website. All this is then collected in a Google Sheet that filters the fitting companies and sends them off to the outbound team.
Yes, all this DOES affect you.
Pre-GDPR we might flatter ourselves in considering our tactics to be “clever.” They were a growth hack. They were innovative.
They use the dataset from your Google Analytics account, and grab the company names from the GA API. So they don’t store the actual IPs. They just enrich the existing GA dataset and offer an API on top of that.
GDPR Point of View
Harleen from WhoIsVisiting had an interesting response to my GDPR request: “With regards to the Whoisvisiting tool itself, we maintain our stance: The Data Protection Act regulates the collection and use of Personal Data. An IP address on its own is not personal data. This is because it is focused on a computer and not the individual using that device.”
We can’t recommend enough that you do the same. Inventory the tools you’re using. Look at where you scrape user data. Ask your vendors where they stand with GDPR compliance.
Tool
Reply.io
GDPR Point of View
We signed the latest DPA with Google. And, after we concluded we would not continue using this process as lead generation method, we deleted the Google sheet and removed it from trash.
Process
Key contact hunting
From there, we use tools like Hunter.io—which helps us find the emails of these key contacts. They’re added to our new Google Sheet and then loaded in Reply.io for email flows. Relevant emails in hand, we then send cold emails to our leads.
Next, we enriched these domains with company information. We use (and love) Clearbit and Mattermark (now FullContact) for this part of the process.
This response contradicts our findings. Here’s a court case that supports the European legal precedent that IP is personal data (even before GDPR starts).
Micah Bennett from Zapier wrote me and said “We can’t claim GDPR compliance quite yet, but we’re working on making sure we have everything covered. We’ll spread the word on that front so you can make sure you know you’re covered. We don’t have a public facing page to point you to I’m afraid, but we’ve been working on this for a number of months and definitely understand the gravity of needing to ensure compliance.”
Chapter V (Articles 44 through 49) of the GDPR governs cross-border transfers of personal data.
Chapter V (Articles 44 through 49) of the GDPR governs cross-border transfers of personal data.
We relied on multiple reverse IP tools in order to limit the error margin. From there, we used an API (like Snitcher). Or, in the case of WhoIsVisiting, we a hacked a scraper together.
GDPR Point of View
FullContact, the new owner of Mattermark, is Privacy Shield compliant and emailed us the following details: “FullContact has appointed a Data Protection Officer (Hector Rodriguez, CIPP/E), and we’re staying ahead of upcoming regulations. As you know, GDPR differentiates data ‘Controllers’ from data ‘Processors.’ FullContact’s role is as a data Processor, and we are compliant as such. “
GDPR Point of View
We used Clearbit to enrich the domains we got from WhoIsVisiting and Snitcher (after deduplication) and Clearbit is pretty well informed on GDPR. They are Privacy Shield certified. Plus, companies and individuals have ongoing access to data since Clearbit’s services allow customers to access and modify personal information collected by Clearbit (via https://claim.clearbit.com), This helps them address any data subject access requests they may receive for modification and erasure.
The GDPR is a very ambitious law, but it’s just a starting point. One of the greatest dangers large organizations face is tacking toward 2018 and thinking you’re done. We are seeing nearly daily guidance from national authorities, society, academia, the Article 29 Working Party – it’s a conversation we’re just beginning. It won’t begin and end in Europe – this will eventually affect the policy discussion in the US and globally. Don’t hard code your program to just GDPR compliance – you’re setting yourself up for a lot of pain when the next challenge comes.
GDPR Point of View
Snitcher founder shares it only uses publicly available information and sits on top of Google Analytics API. Servers are hosted in Europe and they say to be compliant.
Tool
Snitcher
And, if you’re in the US—you might be wondering why.
Process aside, here’s what you need to know:
Process
Domain Enriching
Anyone in CRO will be familiar with the concept; “You lose 98% of your website visitors…so convert more”. It’s a line we’ve noted many times, in articles and sales pitches. And honestly—it’s true. For most of our customers, Convert Experiences is just one of the many tools they use to lower that loss and increase conversion rates.
Anyone in CRO will be familiar with the concept; “You lose 98% of your website visitors…so convert more”. It’s a line we’ve noted many times, in articles and sales pitches. And honestly—it’s true. For most of our customers, Convert Experiences is just one of the many tools they use to lower that loss and increase conversion rates.
All it took us to isolate a company that may be interested in our tool, learn about their size, their key decision-making employees, and their site traffic—was a single visit to our website.
All our replies are followed up personally, and interested parties are moved to appointments with the account executives.
During our GDPR inventory, it quickly became clear that our marketing stack had to change. We’re dedicated to complying with the full GDPR—which means the way we generated leads for our products, how we used tools, and our attempts to growth hack—had become problems.
But from what’s publically available: WhoIsVisiting isn’t clear on whether personal data or company data can be correlated with stored IP information.
This is not our only flow in place. These are not the only tools we use. We have to look at every piece of our strategy—outbound, inbound, referral—and follow the same steps as above.
But this was an easy call to make.
Once key company details pop-up in the outbound team’s pipeline, we start to rely on old school manual labor. We dive into the company info we have, and find out who the key contacts are to reach out to.
According to GDPR, the moment they store an IP-address, they need to ask consent from each individual that is not a company.
GDPR Point of View
We outsource to an email team which manually searches information from key contacts in LinkedIn. If they can find the emails—great. Then they add them manually If not the next step is Hunter.io.
Around 3% of our new revenue depended on using tools like Snitcher and WhoIsVisiting— apps let us reverse IP lookups on visitors on our websites. When people visited more than 3 pages, or hung out on our pricing pages—we tagged them for further processing.
Process
Domain Enriching
The EU has GDPR. Asia Pacific and India has APEC. The US is looking to following the EU’s footsteps soon.
Tool
Mattermark (FullContact)
So we’ve admitted it. We’re cutting 3% of new revenue out of our acquisition channel.
We rely on similar software. And to comply with GDPR, we’ll likely cut out 20% of the tools of our marketing stack.
At the CPD2018 conference in January, Keith Enright, Google’s privacy lawyer, declared that GDPR will restart standards globally. They strive to offer the most uniform products possible—which means making GDPR compliance a part of their policy across the globe.
So, our old outbound tricks are out. What now?
We’re not saints. We’re a corporation that needs to grow and make money. Outbound marketing is part of that.
In the past, we used reverse IP lookup services, data enrichment, and cold email outreach. All of these were ways we captured non-converting leads, and convinced them to convert anyway.
If you are A/B testing and are with Convert as your vendor—we’ve got out stuff together on this.
But GDPR changes everything.
Tool
LinkedIn
Independently of that: Jeff and Isaac—our outbound email team—explore LinkedIn and company websites that seem a good fit for our A/B testing and experience tools. I can’t call it any other then “hunting down” the head of analytics, a VP of marketing, or if we’re lucky, the appointed conversion rate optimizer of the company.
We are cutting around 20% of our marketing software to comply to GDPR and ePrivacy Regulations
Process
Email verify and collection
But in Europe things are shifting with GDPR, and the bar is rising to give end-users (or, as they call them, data-subjects) more power over their personal data.
