I am not a lawyer. I’m offering advice here for the convenience of my clients and readers because this may affect you, but I do not and can not pretend to have a full and in-depth knowledge of this law or exactly how it will pertain to your particular website. Everything below is offered freely and is true to the best of my ability but it is up to you and your lawyer to ensure you are compliant.

Last month your inbox exploded with “we’re updating our privacy policy” and “do you still want to hear from us” emails, right? Maybe the spam in your inbox has abated a bit? You’ve heard the term GDPR thrown around but you’re like “wat?”

I myself was so overwhelmed last month by the amount of work I needed to do to get myself and my clients ready for GDPR that this post is only getting written now in JUNE, weeks after the GDPR compliance deadline.

I’ve only got myself to blame here; this law was passed two years ago, but since I do not stay hip to European privacy law – what a fool – it did catch me by surprise.

So what the heck is it? It’s the General Data Protection Regulation (GDPR) and the point of it is to better protect EU citizen’s information and inboxes from spammers by promoting a higher standard for “consent” (we’ll get more into that soon). And before you close this tab and think “I don’t live in the EU so I don’t need to do anything,” stop and keep reading cause you do, in fact, need to do something.

“Or else.”

What’s going to happen if you do nothing? If you are not in compliance? Well, theoretically a €20 million fine or 4% of your total worldwide annual turnover, whichever is higher. Scary stuff. That said, do I think that the first thing the GDPR police are going to do is come after your small business? I do not. This law is likely to be more targeted to huge companies like Google, Facebook, and Apple. And if you don’t live in the EU, the worst the regulators could probably do would be to forbid EU citizens to do business with you until you are compliant.

But you might want to be compliant anyway.

I think we’re looking at a change that will catch on. It might take a while, but I could see Canada, Australia, and eventually the US passing similar laws. The idea is better user experience on the Internet, and while it’s a pain in the butt right now, ultimately GDPR will probably make us all a little happier browsing.

Consider all the newsletters you delete from your inbox that you never signed up for. Consider those tiny, pre-checked “Signup for our newsletter” boxes you only notice right after you’ve already hit the “submit” button on a form. Consider all the “unsubscribe” links you’ve followed only to get another email from that sender days later.

GDPR and laws similar to it should reduce these annoyances. And because I think we’ll be seeing more of this, I recommend making your whole site and list-building funnel compliant for everyone instead of trying to segment the funnel by location to only target EU people.

So what do you need to do?

Update your Privacy Policy.

As stated in the disclaimer at the top of this post, I am not a lawyer (covering my bases here, just in case you think that, in fact, I might be a secret lawyer), and this is not really my area of expertise. If you already have a privacy policy, reach out to whoever did your policy before and tell them it needs to be GDPR compliant. My excellent and amazing client Sam Vander Wielen is a lawyer specializing in advising bloggers and online entrepreneurs and she has a privacy policy template you can buy here, or you can try this free template.

If you don’t have a privacy policy, you’ll need one! Once you have the wording from the links below or your own lawyer, just create a new page on your site and paste in the text. You’ll then need to get a link to the page into your footer and below your opt-in forms, so if you need help with that, reach out to me or your developer!

Your list-building techniques may need to change.

Let’s talk about consent. According to GDPR, consent means “offering individuals genuine choice and control” which essentially boils down to:

• Use positive consent (no pre-checked boxes or method of consent by default).
• Be really specific and granular about what people are signing up for.
• Only use information in the methods they’ve agreed to as outlined by your privacy policy.
• Avoid making consent a precondition of a service.

The points above were pulled, simplified and re-written from page 3 of this excellent resource on GDPR.

That last point is tricky: “Avoid making consent a precondition of a service.” A lot of people interpreting this law are taking this as a ban on lead magnets or “freebies” (that free download you offer to get people to sign up for your list). I’m not sure that’s what it means but here’s the thing: we don’t really know. The law is new, the wording is vague, and we just don’t know how it will be enforced.

So if you want to be safe, here are a few list strategies you might try. Different list software companies have made this easier (ConvertKit) or harder (Mailchimp) but the specific mechanism would be the same regardless.

The first option is to not have a freebie at all. This makes things easy because they are explicitly just signing up for your newsletter. I recommend making the verbiage on the signup specific like “When you sign up for this list you will receive my latest blogposts along with exclusive deals on my affiliate products and information about my upcoming events” (vary according to what you actually send out in your list). It just needs to be explicit (to people in the EU) what they will be getting in your newsletter whether that is marketing or special offers or blogposts or what have you.

If you want to offer a freebie, your opt-in process needs to be edited for at least anyone in the EU, but more likely, for everyone. Here are some options:

Use a checkbox. Not a pre-checked one, mind you. You can see an example of this in my own opt-in which, as of writing, is accessible along the right side of my site when you click a little tab that says “Like Free Stuff?” The opt-in text is offering my freebie, then below where they put in their email, I added a small box “Check here to subscribe to receive my latest blogposts (monthly) and exclusive updates and offers!” If and only if they check this box, are they added to a segment in my Mailchimp list called “Newsletter” and only that segment receives my latest blogposts in their inbox.

So far, most of the people who signed up for the freebie checked the box for my newsletter!

Put your freebie in the “confirm email” message. Make sure double-confirmation is turned on so that when someone fills out the opt-in form, they receive an email to confirm their address. Edit the text of that message to put the freebie in that email, then some text along the lines of “Like this freebie? Click the button below to be added to my main list and receive my latest blogposts and promotions!”

Don’t change the funnel but do be extremely specific in your wording. I find it difficult to believe that text along the lines of “Sign up for my weekly blogpost newsletter and, as a thank you, receive my free guide to XYZ” is not clear enough to constitute explicit consent, and I also fail to see why your content must be offered for free to people who are giving you nothing in return (their permission to email). So I believe that lead magnets will still be fine as long as you let people know they are also being added to your main list. What you do not want to do is only mention the freebie in your opt-in text and fail to mention they are also being subscribed to your blogposts/promotions/events newsletter.

Clean your list.

You’ve got two options, and technically you were supposed to do this before May 25th but hey, we’re all trying here.

Option A) Figure out who on your list is in the EU and either delete them from your list or send out a targeted email to make sure they WANT to be on your list and then have them reconfirm. How you do this is going to vary platform by platform. Some platforms like Mailchimp make it really hard to target everyone in the EU so you might just try for everyone outside of the US, depending on where you live and where most of your subscribers are from.

Option B) Send out a reconfirmation to your entire list. Delete everyone who doesn’t reconfirm. This is easier and more recommended since every list needs a good cleanse every once in a while anyway and do you really want to be sending out emails to people who don’t read them anyway?

If you need help with reconfiguring your funnel or creating a reconfirmation campaign, feel free to reach out to me here. I hope this has been informative and helpful!