You’ve probably heard about it by now — that thing that has every online entrepreneur around the globe scrambling to overhaul their current email management systems, privacy policies, and lead gathering strategies. What am I talking about?
I’m talking about the GDPR.
In case you haven’t heard about it yet, GDPR stands for General Data Protection Regulation, and what some people don’t realize is that it’s not actually new. The GDPR was created on April 14, 2016. (Yes, it’s been around that long!)
So what is all the fuss about now if the GDPR isn’t actually new?
Well, up until this point, online entrepreneurs didn’t really have to do anything to become GDPR compliant because the GDPR wasn’t enforceable.
But as of May 25, 2018, it will be.
What is the GDPR?
To break it down into layman’s terms, the GDPR governs how you collect, store, and use data gathered from anyone living within the European Union. Now, before you click away and think, “Well, I don’t live in the EU, so this doesn’t apply to me,” think again.
If you have anyone on your email list that resides in the European Union or you collect any data (via cookies, opt-in forms, order forms, etc.) from anyone that resides in the EU, you are 100% affected by this new law.
The GDPR was created as a way to protect the rights of European Union residents with regard to how their data is gathered, stored, and used.
This new law affects any online business (yes, even blogs) that collects, stores, and uses data gathered from anyone residing in the EU. So if someone who lives in France opts into your email list, you need to make sure you’re GDPR compliant.
And because pretty much all websites use cookies to some extent, you are definitely affected.
Getting GDPR Compliant
Getting GDPR compliant can be, let’s say, a bit complicated. So I’m going to break down a few of the key points of focus for us bloggers to hopefully make this a bit easier for you. Here goes:
Your Email List
Explicit Permission
According to the GDPR, you need something that’s called “explicit consent” before you send any mass emailings out to subscribers on your list (more specifically, to anyone on your list residing in the EU). The kicker is that a simple opt-in form is not considered enough to constitute explicit consent.
Yikes.
What this means is that putting up a simple opt-in form with a freebie on your site does not automatically give you the right to add the people who fill it out to your email list. So what does give you the right to email them?
You’ll need to add a checkbox on your opt-in form that says something like, “Yes! Please add me to your email list so I can receive exclusive updates, promotions, and offers only available to subscribers!”
Wait, there’s more.
You’ll need to make sure this checkbox follows two very specific rules:
- The checkbox cannot be checked by default. You need to make sure the checkbox is unchecked by default so subscribers can manually check it themselves.
- The checkbox, when checked, needs to add a tag to your subscriber within your email service provider that signifies that they have given you consent to send them marketing emails, including email newsletters. This will help you identify who on your email list has given you permission to email them, and who hasn’t.
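As an added illustration (not code from the original post or from any email service provider), here is how an opt-in handler can enforce both rules: the markup never pre-checks the box, an absent or unchecked box never counts as consent, and only subscribers who ticked it get the consent tag. The field name `marketing_consent`, the tag name `gdpr-marketing-consent` and the record shape are assumptions.

```javascript
// Added example, not from the original post. Assumes a form that posts
// "email" and an optional "marketing_consent" checkbox; the ESP tag name
// and the shape of the stored record are assumptions for illustration.
const CONSENT_TAG = "gdpr-marketing-consent";
const CONSENT_WORDING =
  "Yes! Please add me to your email list so I can receive exclusive " +
  "updates, promotions, and offers only available to subscribers!";

// Rule 1: the markup must not carry the `checked` attribute, so the box
// starts unchecked and the visitor has to tick it themselves.
function optInCheckboxHtml() {
  return (
    '<label><input type="checkbox" name="marketing_consent" value="on"> ' +
    CONSENT_WORDING + "</label>"
  );
}

// Rule 2: turn a submitted form into a subscriber record for the ESP.
// Browsers omit an unchecked checkbox from the submission entirely, so
// anything other than an explicit "on" is treated as no consent.
function buildSubscriber(form, now = new Date()) {
  const email = String(form.email || "").trim().toLowerCase();
  if (!email.includes("@")) {
    throw new Error("email is required");
  }
  const consented = form.marketing_consent === "on";
  return {
    email,
    // The freebie is delivered whatever the marketing choice was.
    deliverFreebie: true,
    // Only tagged subscribers may be sent newsletters and promotions.
    tags: consented ? [CONSENT_TAG] : [],
    // Keep a record of what they agreed to and when, so consent can be
    // demonstrated later rather than merely assumed.
    consent: consented
      ? { wording: CONSENT_WORDING, givenAt: now.toISOString() }
      : null,
  };
}

// Filters a list down to the subscribers you may send marketing email to.
function marketingAudience(subscribers) {
  return subscribers.filter((s) => s.tags.includes(CONSENT_TAG));
}

// Constructed sample submissions: one ticked the box, one did not.
const sample = [
  buildSubscriber({ email: "Anna@example.org", marketing_consent: "on" }),
  buildSubscriber({ email: "ben@example.org" }),
];
```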
Right to Be Forgotten
Within the GDPR is something called the Right to Be Forgotten. This article within the GDPR basically gives the subscriber the right to say, “I don’t want to be on your list anymore, and I want you to remove all of my data from your systems.”
What this means is that you are required to do two things:
- Make sure they know where/how they can request to be erased from your system.
- Erase all of their data as soon as you receive their request.
Right to Access
Another important article within the GDPR is the Right to Access, which gives the subscriber the right to receive a copy of all of the data you have that’s owned by them. So if someone emails in and says, “I’d like to see all of my data that’s housed in your systems,” you need to be able to provide that to them.
What this means is that you’ll need to do two things:
- Make sure they know where/how they can request to get access to the data that you keep in your system.
- Make sure you send it to them promptly.
Your Privacy Policy
Under the GDPR, there are a couple of things you may need to address when it comes to your current privacy policy (yes, you need a privacy policy!):
- You need to have specific information within your privacy policy that explains the visitors’ rights under the GDPR.
- You need to make sure to link to your privacy policy within close proximity to opt-in forms and other points of entry, like order forms. (Basically, wherever you gather data from people.)
Here’s an example of what a GDPR compliant opt-in form may look like:
Want More Help Getting Compliant?
These are a few of the ways you can start getting your site and email GDPR compliant before the May 25th deadline. I am not a GDPR expert, nor is this post to be interpreted as legal advice. If you would like some legal advice from a GDPR trained attorney, I highly recommend Bobby Klinck’s FREE GDPR training.
Bobby is a highly esteemed attorney who specializes in online entrepreneurship (especially blogging) and the laws surrounding it. He is offering his GDPR training for FREE for anyone who wants to sign up.
His training videos take a very complicated law and break it down into understandable, bite-sized pieces so you can focus more on implementing the important changes you need to get compliant, and less on trying to understand legalese.
Need help with your privacy policy and other important disclosures? Bobby also offers a super affordable package to help you create your 3 most important disclosures for your website: your privacy policy, your terms of use, and your disclaimer. We purchased this from him and it saved us hours of time and effort!
His Website Forms package even includes helpful videos so you know exactly what’s in your disclosures, why they’re there, and how they protect you and your visitors!
Getting GDPR compliant may feel tedious and complicated, but with the right guidance, you’ll be able to get your site and your list compliant in no time!
Diane says
Thank you so much for this helpful information, Crystal. I just signed up for the webinar you suggested.
Crystal Paine says
You’re so welcome! A big thank you to Katie on my team who has spent hours researching this for us and making changes so that we are compliant.
Dave says
There’s been a lot of talk on this subject, and I might add that, from what I’ve read, becoming GDPR compliant by the deadline will not be enforced. And, from what I understand, the legal community isn’t even set up to handle complaints.
Of course marketers are already pushing WordPress plugins addressing the issue, using the deadline to drive sales by instilling fear of legal intervention. There is still time to get compliant beyond the deadline, giving the online community more time to learn about GDPR and its potential impact.
I’m updating my privacy policy but who actually reads them? My site went live earlier this week and I’m still trying to wrap my head around this subject. My biggest hangup is having subscribers jump through additional requirements to grab a freebie when I’m only targeting U.S. residents.
I’m all for freedom of information and being able to control your own personal identity. Website owners should consider setting expectations first, rather than having potential customers jump through hoops.
I enjoyed the article by the way, looking forward to future posts…
Katie Chase says
Hi, Dave!
Thank you so much for stopping by to visit YBM! I’m glad to hear you enjoyed the post!
There are definitely a lot of varying opinions with regard to GDPR enforcement, especially since even GDPR-trained attorneys conflict in their interpretation of the regulation!
My personal opinion is that because the GDPR is so vague and broad in some areas, it’s impossible for anyone to become 100% GDPR compliant (by anyone’s standard) by May 25th.
Therefore, I think what it boils down to is the degree of compliance each individual blogger is willing to shoot for.
For me, I tend to err on the side of caution, especially when €20 million is on the line. 😉
Regarding privacy policies, don’t forget that it’s there not only to inform readers, but also to protect you as a blogger. And with things like the GDPR popping up, why not protect yourself and your business wherever you can?
Thanks again for stopping by! Hope to see you around here again. 🙂
– Katie
YBM Admin
Rebecca @ Unexpectedly Domestic says
Thank you so much for writing this post, Crystal! I’ve really been struggling to decipher all the GDPR information and figure out how to apply it properly. How does it work with the people we already have on our list? Do we have to get their permission to continue emailing them, since they never clicked the express consent box? Thanks again for providing this info so neatly packaged! It’s extremely helpful.
Katie Chase says
Hi, Rebecca!
This is a GREAT question! According to Bobby Klinck, who is the attorney mentioned in the post, we are technically not supposed to email anyone on our list that resides in the EU who hasn’t provided explicit consent by May 25th.
But this may also depend on your current CRM system. For example, we use Feedblitz to run our RSS feed at MoneySavingMom.com. They have confirmed that due to the way they currently run subscriptions, all of our current subscribers are compliant. So all we need to do is make sure our incoming subscribers are compliant.
For our main CRM, I used PlusThis to find all of our EU subscribers and we removed them from our system. Of the thousands and thousands of subscribers we have, there were only 36 EU subscribers. So my recommendation would be to first, if possible, find how many EU subscribers are on your list. Then decide if it’s worth it to seek their explicit consent over simply removing them from your list.
Remember, the GDPR only applies to subscribers residing within the EU. So in all likelihood, the vast majority of your list isn’t even affected by the regulation at all if your target reader is based anywhere other than within the EU. 🙂
I hope this helps!
-Katie
YBM Admin
Rebecca @ Unexpectedly Domestic says
Thank you, Katie! Your response was very helpful indeed!
Tracy says
So for us “small” bloggers who just rely on Google Feedburner’s free email/rss subscription service and don’t have a background in code and knowledge of where all this data would be at…what do we do if someone says they want to see all of “their data” assuming all we’d have is comments they’ve left or their email subscription request?
Katie Chase says
GREAT question, Tracy!
As a blogger, it’s important to make sure the systems you use for your site are all compliant. I recommend that you contact Feedburner or Google Support regarding their GDPR compliance. If they’re not compliant or do not give subscribers a way to get their information, then it may be good to switch. I do know that a lot of people have moved away from Feedburner because it looks like Google has plans to dissolve it entirely. Here’s an article by WPBeginner.com that addresses this and some other alternative feed providers you can look into if you need other options: http://www.wpbeginner.com/opinion/stop-using-feedburner-move-to-feedburner-alternatives/
In the meantime, you can contact Google Support here: https://www.google.com/contact/
I hope this helps!
-Katie
YBM Admin
Jeanine says
What if none of our subscribers are from the EU? I have very few subscribers, all of them local because I’m a local blogger (in Maryland).
Katie Chase says
Hi, Jeanine!
The GDPR only applies to site visitors and subscribers based in the EU. So it doesn’t sound like you need to do anything to be compliant with your current email list. However, you do need to make sure that incoming EU subscribers have their rights met by becoming GDPR compliant for anyone who may enter your list from the EU.
– Katie
YBM Admin
Laura at Fantastically Four says
Thanks SO much for this, Crystal! I keep referring to your tips here to make sure I’m GDPR compliant. I was overwhelmed but this makes it so much clearer. 🙂
Crystal Paine says
Thanks so much for your kind encouragement! I’m grateful that this was helpful to you!
Dawn says
Looking at the example contact form, does this mean you could send opt-in freebies to people when they provide a name and email without them actually opting in to your main email list, or is the user required to check that box in order to get the freebie?
Crystal Paine says
That’s right. They can opt-in to get the freebie *without* opting into your list.
Katie Chase says
Crystal is correct. GDPR separates opting in for a freebie from opting in for marketing emails. So when a subscriber signs up for a freebie, they should not be automatically opted into marketing emails.
If they check the box to receive emails from you, you can then send marketing emails to them.
If they do not check the box to receive email marketing from you, you can only send them the freebie. Nothing more.
You cannot require them to check the box in order to give them the freebie under the GDPR.
I hope this clarifies things a bit! 🙂
-Katie
YBM Admin
Dawn says
Thanks for clarifying! That really changes things as far as how bloggers use freebies to gain email subscribers. It sounds like we will have to work even harder to market the email list as being the true value to readers rather than just the freebie.
Katie Chase says
It really does, Dawn. And depending on your ESP, you may not have to worry about changing things up too much. I personally use ConvertKit for my own sites, and they’ve made it SUPER easy to segment lists as soon as someone comes into your funnel.
They also automatically seek consent from anyone they detect as being in the EU, which eliminates the need for the checkbox on your opt-in.
This makes it super easy to prevent anyone from getting on your newsletter segment if they live within the EU and haven’t yet given you consent. It also prevents losing valuable leads in the US by making them jump through the GDPR hoops, which don’t apply to them.
If your CRM does NOT allow you to easily segment, another option would be to add a dropdown option to your opt-in form where people are required to share their country with you. I’ve checked with Bobby Klinck and this is an acceptable substitute for the checkbox. Then, anyone who opts in from a country within the EU can be automatically added to a consent funnel while everyone else can simply get their freebie and be added to the list.
Necessity is the mother of invention, so it’s time to get creative. 🙂
-Katie
YBM Admin
Diane says
I watched the first two of the three Bobby Klinck webinars you posted, and they have been extremely helpful. Thank you!
Crystal Paine says
Oh yay! I’m SO glad!