How to Comply with GDPR without Killing Your Marketing Efforts
New Infographic from SmartClick Shows Program-by-Program, What Specifically You Need to Do to Comply with the EU’s new General Data Protection Regulation, without Over-Complying.
Are you ready for GDPR? We’re just weeks away from the May 25, 2018 deadline for marketers to comply with the EU’s new General Data Protection Regulation (a.k.a. GDPR). Even if you’re a marketer outside the EU, you’re still bound by these strict new regulations, at least for your EU-based consumers.
Why? Because if you ignore compliance, you could be fined up to €20 million or 4% of your brand’s global annual turnover, whichever is higher.
Most of the news and posts on GDPR we’ve seen surround the regulation itself, not what specifically to do to comply. This has left agencies and marketers shrugging their shoulders about what to do.
The actual regulations contained in the GDPR are relatively straightforward and are collected at https://www.eugdpr.org/the-regulation.html. However, there’s nothing there to help with the tactical implementation, i.e. what does a brand actually need to do to comply?
SmartClick has realized that every client we work with is in a different place. A few brands are already complying with most or all of the regulation. Some brands are already complying with some aspects of the regulation and just need to tweak a few things to comply. Most brands, however, are not in any position to comply. Some don’t even care—and that could be costly.
Here are some examples:
- A brand may have been opting purchasers in to email lists at checkout for years with a pre-checked box, or with no consent at all, and is now stuck with an email database of past customers that is non-compliant, because users did not actively opt in and the brand never told them what it would do with their data.
- Another brand may have been tagging website visitors for retargeting or lookalike audiences without disclosing anywhere on the site, not even in the privacy policy, that simply by visiting the website the user will receive marketing messages in the form of ad buys aimed at past website visitors.
- A brand may be so penned in by their legal team, that they’ve been forced to take an ultra-conservative approach and use language and mechanisms that kill conversion rates.
- Another brand may be complying universally with GDPR, not just for EU consumers, but for ALL website visitors. Or they may have made the call to purge entire databases because there might be a few EU consumers therein.
Over-compliance could end up being worse than non-compliance, because it could stunt your brand’s marketing efforts outside the EU for years to come.
By following our recommendations, you’ll implement controls that comply with the GDPR only for EU consumers, without compromising your marketing efforts outside of the EU. You’ll put in sane controls and mechanisms to comply without killing your conversion rates even with EU consumers.
Click here to download SmartClick’s new Infographic: A Tactical Guide to Ensure GDPR Compliance in Your Online Marketing Efforts:
Practical Examples
Here are some practical examples of how we recommend you implement GDPR compliance:
Disclosure and Consent
We recommend serving a disclosure and consent mechanism, but only to users browsing from the EU. This might be a slide-in graphic like the image below that discloses that, by visiting the site, the user is providing data that you’ll use in marketing, but finishes with the relatively innocuous “…provide a better online experience.” Also include a link to your privacy policy. This complies, just barely, without being so obvious or intense-sounding that a consumer would click away.
A relatively benign “allow cookies” button ensures that all but the most cookie-phobic consumers give consent. Once the EU user clicks this button and you have consent, and not before, you can let your tag manager, analytics, retargeting, and other tags fire.
It’s important that this disclosure and consent mechanism doesn’t fire on subsequent visits. That’s overkill that could hurt your EU marketing efforts more than necessary. Set it to fire only once per consumer, and never again once you have consent.
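The gating logic the three paragraphs above describe (EU-only banner, tags held until the button is clicked, decision remembered so the banner does not reappear) is shown below as an added example. It is not code from the original post or from SmartClick; it assumes the server has already done the geo-IP lookup and passes the visitor’s region to the page, and the cookie name, the one-year lifetime and the decline/revoke paths are choices made here, not something the post specifies. The browser side effects (reading and writing document.cookie, rendering the slide-in, injecting the tag scripts) are passed in as callbacks so the decision logic can be exercised on its own.

```javascript
// Added example (not from the original post): a consent gate for marketing
// tags. Assumptions: `env.region` is set server-side from a geo-IP lookup;
// the cookie name and one-year lifetime are choices made for this example.

const CONSENT_COOKIE = "mkt_consent";          // assumed name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;    // one year, in seconds

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    let value;
    try { value = decodeURIComponent(raw); } catch (_) { value = raw; }
    if (name) jar[name] = value;
  }
  return jar;
}

// Returns "granted", "denied", or null when no decision has been recorded.
// Anything else in the cookie (tampered or stale values) counts as no decision.
function readConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === "granted" || value === "denied" ? value : null;
}

// Cookie string for document.cookie. SameSite=Lax and Secure so the consent
// record cannot be planted cross-site or over plain HTTP; no HttpOnly because
// the banner script itself has to read it.
function consentCookie(value, maxAge = CONSENT_MAX_AGE) {
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// The decision made on every page load:
//   "fire"   - non-EU visitor, or an EU visitor who already granted consent
//   "banner" - EU visitor with no recorded decision: show the slide-in, hold tags
//   "hold"   - EU visitor who declined: no banner again, no tags
function decideOnLoad(region, cookieString) {
  if (region !== "EU") return "fire";
  const consent = readConsent(cookieString);
  if (consent === "granted") return "fire";
  if (consent === "denied") return "hold";
  return "banner";
}

// Wire the decision to the page. `env` supplies the browser side effects:
//   env.region     - region string from the server ("EU" or anything else)
//   env.getCookies - () => document.cookie
//   env.setCookie  - (str) => { document.cookie = str; }
//   env.showBanner - (onAllow, onDecline) => render the slide-in
//   env.loadTags   - () => inject tag manager / analytics / retargeting scripts
function createConsentGate(env) {
  let tagsLoaded = false;
  const fireTags = () => {
    if (tagsLoaded) return;            // never inject the tag scripts twice
    tagsLoaded = true;
    env.loadTags();
  };
  const record = (value) => env.setCookie(consentCookie(value));
  const gate = {
    tagsLoaded: () => tagsLoaded,
    grant() { record("granted"); fireTags(); },
    decline() { record("denied"); },
    // Withdrawal must be as easy as giving consent (GDPR Art. 7(3)); link this
    // from the privacy policy. Tags already injected stay until the next load,
    // which is why the record is cleared rather than just flipped.
    revoke() { env.setCookie(consentCookie("", 0)); },
    init() {
      const action = decideOnLoad(env.region, env.getCookies());
      if (action === "fire") fireTags();
      else if (action === "banner") env.showBanner(() => gate.grant(), () => gate.decline());
      return action;
    },
  };
  return gate;
}
```

In a real page, `loadTags` is where the tag manager snippet goes; the point of the structure is that nothing in that function can run until `init()` returns "fire" or the visitor clicks allow, so a retargeting pixel cannot fire on an EU first visit by accident. The region string should come from the server (for example rendered into a data attribute), not from a client-side guess, because the gate trusts it.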
Here’s an example of a site disclosure and consent mechanism shown on the first visit from an EU visitor to SmartClick’s own website:
Email Opt-In
Consumers from the EU need to actively opt in to your email lists, whether they’re a customer or just a prospect. This means you need to disclose, just to EU users, that you’ll be using their data for marketing purposes at the point of sign-up. It needs to be obvious, but it doesn’t need to be overly explicit.
Note that we’re talking about using the consumer’s data for “marketing purposes” here. We don’t disclose here that we’re going to upload their browsing data to Facebook, Instagram, and Google and target them with 30 ads a month post-visit. We’re not going to talk about how we’re going to use their data to profile people whose online behavior looks like theirs with retargeting and lookalike audience ads. We don’t disclose that we’re going to upload their email data to third-party tools to create custom audiences on Facebook, Instagram, and Google for retargeting. Leave all that for your privacy policy, but even there, you probably don’t want to name specific tactics or websites.
The principle is that we don’t want to freak users out… and we don’t have to say all of the above. We simply need to talk about using their data for “marketing purposes” and refer to a privacy policy that does go into more detail about how their data will be used.
Here’s an example shown to EU users on SmartClick’s own website:
Privacy Policy
Including a link to your privacy policy is important in both of the above instances, the disclosure and consent mechanism and the email capture mechanism. It’s important that your privacy policy covers both the use of data for email and the fact that website visitors will receive marketing messages in the form of advertising based on their website browsing behavior and the email address they provide.
Here’s an example of a privacy policy that does a great job of disclosing how data is used, as well as the many ways consumers can opt out: https://www.atlassian.com/legal/privacy-policy-may-25th?utm_source=alert-email&utm_medium=email&utm_campaign=privacy-change-notification_EML-3113#how-we-use-information-we-collect
A Middle Ground for Compliance
Following our philosophy probably won’t win you friends in your legal department, but it will completely comply with GDPR without being so explicit that you kill conversion rates.
We’re confident that this middle ground will ensure your brand complies with the spirit of the GDPR without over-complying.
Need Help? Get in Touch with Us!
We wish you the best as you implement these changes! If you find yourself in over your head with implementation or design for compliance, don’t hesitate to contact SmartClick Advertising or call +1.385.448.4097.