14th Mar 2018 – GDPR and Your Marketing Funnel Part 1: Attract
So if you buy something from me, and we have a relationship—just maybe, I have more of a right to email you, than I do someone who snagged a PDF.
Here, it again comes down to what your audience would “reasonably” expect.
…and it breaks almost alllllll of the new rules.
A WARNING THOUGH: if you’re going to rely on a binary choice, each option has to be of equal prominence. No giant “yes” buttons, with teeny tiny “no” buttons.

Your cold emails:

I know there are a million and one ways you work to attract a potential lead. Your tripwires, your exit popups, your fancy fancy dance moves.
So if you’re like most marketers—trying desperately to elbow your way into your audience’s goldfish-like internet attention spans—you’re probably throwing some paid traffic their way.
….never reconsider the dance moves).
So here’s the deal.
But here’s where the trouble comes along.

  • “I would like to receive updates from Company A and trusted third parties.”

When they work, they work.

  • I would like to receive email updates from COMPANY A
  • I would like to receive email updates from YOUR COMPANY NAME.

In summary: Cold emails are pretty complicated. And, they’re frowned upon at best. If you haven’t already, diversifying your lead-gen strategy is probably a good idea.
Anyone who checked the second box, you can still contact.
Here are the solutions I’ve come up with so far.
Or this option…
But before we go any further…
The cookie wall is dead.
Your general social media ads, or your Google Search and Display network ads—they rely on Google or Facebook data to function. Data that you didn’t collect. Data that it’s up to Google or Facebook or LinkedIn or whomever to solicit consent for.
As it stands now legally, some EU countries are “opt-in” countries. Some are “opt-out.”
Only time and tests will tell.
If you think back to our list of “what counts as personal data,” you might remember these little buggers popping up:
~*~*VOCAB TIME*~*~
My copywriting brain short-circuits when I think about what asking for email list sign ups, separately from my lead magnet, will do for my email list conversion rate.
But let’s be honest. They probably didn’t set up their consent-ask like that. And if they did, they probably didn’t get too many folks willing to part with their email addresses.
No longer counts.
Like so:

Your paid ads:

Now in the attract phase, if you’re shooting for a totally cold audience—this should leave your processes pretty untouched.
Personally, they drive me absolutely mad.
Take me to Part 2: GDPR and Lead Nurturing >>>> 

Now let’s get consent to contact ‘em.
(And the ePrivacy Directive is looking to be replaced by a new law, the ePrivacy Regulations, within the year—by earliest projections).
If you want to use a cookie, you have to explain which ones, specifically, you want to use. You should give your audience an idea of what you’ll use them for. And then you need to get them to click “yes”—before you start tracking.

Cookies, which track users across sites, or across sessions, are considered personal data under GDPR.
So alright then. Let’s say you aren’t willing to take any gambles on bundling.
If I bought a 90 days of your 0 a month software, for a stupid low price of of —I’d probably expect you’d follow up. I’d assume, come month three, you’d want to see if I’m ready to commit.
It (tragically) says so right here.
(Jump to Part 2 – GDPR & Lead Nurturing)
The big thing to pay attention to here is how you ask for consent.
(PS. If you’re going to go the legitimate interests route, at any point, we recommend you read the full write-up we have on the process, here).
Or this option…
The long answer isn’t quite outlined in GDPR, so experts are defaulting to info from Article 29 of the old Data Protection Directive.

  • Audience engagement with your page or video.
  • Facebook data on user interests, or behaviors.
  • Regional and demographic data.

But they’re everywhere, because they work.
3. Personal, direct, highly-targeted outreach.
But one of the few things that seems to give people the go ahead with LI, has to do with the data for customers.
“How separate do separate purposes have to be?”
Here’s a breakdown…
At this point, I’d give incentives a try.
Meaning, if you sign up to receive a PDF, you might not expect to receive weekly emails.

  • Unique identifiers like Device IDs, UserID, TransactionID, CookieID

Being an opt-out country means, in some cases, you may just need to allow them to easily unsubscribe.
Data processor: If a data controller uses a tool to collect or sort that data for them—that’s a data processor.
2. Contacts from third parties are probably a no. Now, in order to pass on personal data to a third party, you need active, affirmative consent. Plus, you need to name which third parties, specifically, will be receiving the data.
Enter: the legitimate interests condition.
If, by chance, though, your partners had a consent form that looks like this…
1. Generic, bought lists are a big no. They’re already illegal most places, and GDPR puts a definite nail in this coffin.
But I’ll admit, it’s some thin ice. Whether or not to walk it…I’ll leave that up to you.

Now I know this isn’t a thrilling idea. We all know our odds are better if we head straight to the human person. But maybe, if your offer is good enough, and your pitch is persuasive—you just might get the go ahead to be passed from a generic info@, to the team.

Data controller: The entity that asks for, collects, and uses personal data. When you process, store, or decide the usage of personal data—you’re the controller.
We tackled the subject pretty comprehensively here. But to break down to the basics…
If you’re targeting an audience based on traffic you’ve collected—then you become the data controller. And you need to make sure that your data subjects have consented.

At this point, what GDPR says, actually comes second to what the ePrivacy Directive says.

But if you’re not already using binary opt-ins: it’s worth the time and tests.
Ahhh tripwires.

  • Any Facebook Custom Audience. If it comes from your custom pixel (aka if it’s sourcing your web traffic, or is a Lookalike Audience), or if it’s generated based on your uploaded list (manually, or from a third party).
  • Any personalized Google Audience. So, remarketing, affinity audiences, custom affinity audiences, in-market audiences, Floodlight cross-device tracking, Customer Match data, and demographic targeting.

Being an opt-in country means: you need to get a clear opt-in to email folks from that country whom you don’t know.
Even if they commented on a post of yours on Linkedin, and accepted your connection request, and posted a status update screaming “I WANT TO BUY A PROJECT JUST LIKE YOURS”—you’ll have to find out which country they’re from. And you’ll have to know what specific rules that country has, before you send out that first introduction message.

Your lead magnet:

“How granular do we have to design our opt-ins?”
If your ad-targeting strategy relies on pixel data, it’s likely going to require explicit user consent.
…should be okay. Facebook should only allow you to access their collected data on this front, if a user has consented to receive ads.
…and you were one of those “third parties”—those emails are no longer good. They’re now in violation of GDPR. And even if those standards were fine then, GDPR says to ditch those contacts now.
4. Generic Business Addresses are mostly fine. You can reach out to info@company.com….or sales@, or marketing@ without worry. As long as you can’t tie that address to a specific human person with other data, you should be okay.
You’re going to create a separate opt-in for email subscription access.
Answer: the data controller.

As a customer, I might expect a few emails walking me through how the software works. I might expect to get a content piece thrown my way, explaining some best practices. I might even expect to hear from a support person—who’s checking in to help out with onboarding.

Because let’s face it. They’re here for the download. If you can’t properly email-gate it anymore, why on earth would they sign up to be on your list?

  1. Soft opt-ins no longer work. “By doing ____ you agree to ____” is a bad news formula under GDPR. Folks need to actively agree to give their data up, with a “clear, affirmative action” (Article 4).
  2. And if you’re going to use someone’s data for separate purposes—you need to ask them permission separately. Lumping these two asks together is called bundling, which is restricted under GDPR. So: if you’re going to take someone’s data to send them a PDF—that’s different than using it to send updates on “information about your services.” You need two different consent agreements for that (Article 7). Here’s an example done right:
So all your consent rules from above still apply for a pop up.
  1. GDPR requires something called “privacy by design.” A big part of this is data minimization—which basically means “If you don’t need to collect data, don’t.” This opt-in is collecting a lot of information that isn’t necessary for a user’s goal (aka: to get a PDF). The best practice here is: if you’re collecting data from someone, and it isn’t obvious as to why, tell them (Article 5). Or don’t collect it. Facebook does this particularly well with this popup…
Here’s the line they’re talking about:


  • If you’re going to reach out over phone, or mail, as well as email, users need to be able to consent to these different types of communications separately.
  • If your “I consent” box is pre-checked on your forms, that doesn’t count as “active, affirmative” consent.
  • If you make users check a box to refrain from subscribing, that’s also against the rules. Don’t put a checkbox next to a statement like: “Don’t email me about products and offers.” That’s opt-out, not opt-in, language you’ve got there.

Which is more of a hassle now, because….
[I consent to receive emails with content from *COMPANY* (including, a free bonus chapter!)]
And to save you from the absolute horror of reading even more legislation: the absolute angels at PageFair summarize the rules with this basic test…

Set expectations:

They also give you some new privileges when it comes to GDPR.
So this is a pretty standard looking opt-in from the crazy smart marketers over at Unbounce.
Well…it’s predictable. It’s transparent. It sure sounds pretty specific.
But every opt-out country has its own crazy set of hyper-specific rules to follow. Some, for example, require your first email contain your company’s physical address. Some want a link to your privacy policy. Some have vastly different rules for B2C and B2B.


And some of them you might want to reconsider, come the GDPR-instate date.
But what if you consent to something like this…
A few other things to watch out for on your consent forms:
(But not the dance moves…
As you can imagine, when pixels require consent—you’ll have fewer users to target. PageFair has some great original research on the topic, saying that, as it stands: only about 21% of your current page visitors would actively opt-into tracking.
(You can read more on their efforts to comply with GDPR here).
Is that bundling then?
It depends.


You are probably used to these.
In the attract, cold traffic, phase—these ads probably don’t have to change.
What this means for you:
So now if you’re asking, “BUT HOW DO I GET THEM ON MY EMAIL LIST THEN?”—you are preaching to the choir.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. –Recital 47
But if you’re planning to retarget a web visitor, or create a profile based on your current audience’s data—then you have to get consent.
Which means, you’ve got a pretty good case for not jumping through so many of those on-fire consent hoops.

Your pop-ups, overlays, and blog post CTAs:

So for example, creating audiences on Facebook that are targeted based on…
Introducing the binary opt in!
Turns out—soliciting consent is not the only lawful way to process personal data.
In short: if you’re going to contact people from EU countries, even with a good reason, you’ve got a few more hoops to jump through.

Warning: This is just an example of a binary opt-in. Not all binary opt-ins are created equal. This one is not GDPR compliant.

But I wanted to take a second to spotlight here something that makes GDPR happy, and that might boost your conversion rates.
So we’ll be blunt: it’s not pretty. Cold emails are pretty dangerous territory under GDPR. In fact, there are already mountains of legislation concerning these throughout Europe.
Now before you get excited: what counts as a “legitimate interest” is strict. Relying on this condition to process data is very tricky.
So basically it has to be specific, transparent, and predictable. You have to know what you’re signing up for—and sign up anyway.
Still—likely a problem.

[I consent to receive emails with content from COMPANY] [I won’t need any more information on TOPIC – Don’t email me again]

For example, if your lead magnet is an ebook, and you want people to opt-in NOT to just download that, but to agree to receiving further content.

[Send me an SMS with personalized, soon-to-expire promotions!] [Don’t message me; I’m okay with missing deals]

Begging the question: whose job is it going to be to get that consent?

[Personalize away! – I accept the use of cookies] [My style is generic; I prefer generic recommendations.]

If your landing page does its job, and your audience already trusts you enough to part with that email address—maybe that bonus content might win you over a bit more contact permission.

What more can you do to get people to check that box?

It could work.
[I agree to receive emails with promotions and content, like LEAD MAGNET NAME, from COMPANY NAME]
Pretty much all the data you’re going to rely on for paid advertising, is going to use personal data.

Your tripwire:

Or this option, from the folks at Sainsbury’s:
So if in the past, a partner has had a consent form that looks like this….
Similarly I wouldn’t worry about Google Search and Display ads, which aren’t personalized, but are instead based on keywords or direct placement selection.
That means it’s going to require consent.
Those tiny, irresistible, “too good to be true,” low-ticket offers, that turn prospects into buyers.
If a purpose is sufficiently specific and clear, individuals will know what to expect: the way data are processed will be predictable.’ The objective is to prevent ‘unanticipated use of personal data by the controller or by third parties and in loss of data subject control [of these personal data]
This site provides recommendations customized to suit your style. For that, we use cookies:
(If you’re interested, Copyhackers has a great case study on “why”)

You got someone to your page. Legally!

And who on earth is that?
So here are the ad types you need to get consent to run:
We’ll start by breaking down what not to do:
Pretty much all of them still give a “no,” to reaching out to anyone you don’t have a pretty good explanation for reaching out to.
The point here is, maybe you’ll have a better chance of persuading someone when you give them this option:
So as you walk me, your now customer, through your nurture campaign—and as you go to pitch a bigger purchase my way, you’ve got a pretty good case that legitimate interest applies.

To sum it up:

  • Cold Emails are “no” at worst, and “danger” at best. Approach with caution, and start diversifying your lead-acquisition streams now.
  • Set yourself up to properly ask for consent, if you’re going to use a Google remarketing campaign, or anything that touches the Facebook pixel.
  • Asking consent the right way means making sure it’s: unambiguous, affirmative, specific, freely given, and informed. Do this the right way, at any stage of your funnel.
  • Binary choices are good for GDPR and conversions. Just make sure to display them at equal prominence.
  • If you can get someone to buy, you can justify some follow-up emails with legitimate interest. If you’re not already considering a tripwire, now might be the time.

Google’s well aware of the changes to come, and is approaching GDPR head on.
