Marketing Strategies to Thrive in a GDPR World

Level 6 - Champion Alumni

This post is part 2 of a 5-part series on GDPR readiness. In this previous post, I compared GDPR preparedness to a football game and the importance of both a solid offense and defense to win the game. To tackle the processing requirements of GDPR compliance, your defensive strategy involves operational adjustments and a well-documented game plan. Now, it’s time to turn our focus to the offense and strategies to help your marketing practices thrive in a GDPR world.

Many Marketo clients are asking questions about using marketing automation and lead scoring features given GDPR’s strict permission-based requirements to collect and store personal data. My answer is marketing operations and GDPR can coexist, with adjustments to our current methods. I believe GDPR will force us to improve our core marketing skills, and our GDPR playbook should include leveraging the benefits of our offering and easing customer anxiety associated with data collection.

Consent for Data Collection

Scenario: You are offering a free white paper or informational guide and you are collecting the customer’s name, email address, and phone number as a prerequisite to downloading. Behind the scenes, you are appending additional data to the record, including income and location as well as tracking online browsing behavior to score the lead.

Challenge: Under GDPR, brands must now have an individual’s consent before they may track and store personal data. Opt-out or implied consent forms do not comply with GDPR; further, you must also declare how you will use the data and for how long, including whether you are appending information or scoring based on it. Therefore, the challenge is being GDPR compliant without introducing too much friction or anxiety with your form.

GDPR adjustment: Strengthen your landing page value proposition and incentive to increase customer motivation. Also add an unchecked opt-in checkbox to the bottom of your data collection form, including a link to your privacy policy. (Note: privacy policies must now be much more robust in detailing data usage.)

To implement: On a recent internet search, I found one suggestion to use this copy in your data collection form:

“We’re collecting your name, phone number and email address so that we may follow-up with you further on this topic and provide additional assistance. We may also match profiling data from a third party with your registration information, to learn more about you and measure your product interests. Please check our privacy policy (insert link here) for details on how your information will be protected and managed.” (followed by a checkbox providing consent to collect this information)

This solution appears to be GDPR compliant and covers your bases, but it is lengthy and may “weigh down” your form, and it may also unnecessarily open the door to customer anxiety. According to The Chartered Institute of Marketing (September 2016), 57% of Europeans do not trust brands to use their data responsibly. Highlighting their concern will only increase apprehension. Thus, adding this verbiage to your form could reduce your conversion rate.

Contrary to a common misconception, GDPR doesn’t mandate declaring everything on your form. You can state how you will use data (including information to be appended and lead scoring practices) in your privacy policy. Just don’t forget, or it will cost you big!

A sample of a GDPR-compliant privacy policy regarding the opt-in checkbox on a form reads like this:

“The information set out in this form is registered in an electronic database for the purpose of [commercial prospection, HR…]. This information is intended to be communicated to [internal service of the company, commercial partners…] and retained for [the relationship, xxx months…]. In accordance with the applicable regulation, your rights to access and update your data, withdraw your consent or lodge a complaint where applicable can be exercised by following this link [contact of the service, person or authority in charge…].”

Just keep in mind a couple of things with your opt-in checkbox:

  • The opt-in checkbox cannot be a required field. Consent is an independent action from the marketing form action. In other words, if the form in question promotes a white paper, the user can download the white paper without opting in to further communication.

  • Consent language should make it clear that the checkbox is not needed to submit the form (e.g., “Want MORE on this topic?”) and should definitely link to your privacy policy. To step up your game, add a little note at the bottom of the form reminding them they can download your white paper without it.

Moving legal language to your privacy policy would enable you to use shorter, simpler, GDPR-compliant copy on your form:

<Unchecked checkbox> “I’d like to receive more information on this topic, and understand and agree to the privacy policy. <insert link here>”

Short, sweet, to the point…on with the conversion. And the next example.

Cookie Tracking

Scenario: You are using reverse IP lookup and cookies (AKA Munchkin Code) on your site to identify repeat visitors and customize the user’s experience.

GDPR challenge: You must have consent to track visitor behavior. “By using this site, you agree to cookies” messages implying approval upon closure do not meet GDPR compliance. This is a departure from Do Not Track legislation.

GDPR adjustment: Use a banner across the top of your website notifying first-time users of cookie usage, capturing user consent. Then work with your developer to load Munchkin code with the proper settings.

To implement:

Read the full post and view examples of these solutions on the Perkuto Blog.
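The consent-before-tracking rule from the Cookie Tracking section, sketched as an added example (not code from the original post, Perkuto or Marketo). The storage key, function names and the `loadTracker` callback are assumptions; in a browser the callback would inject the tracking script, and `storage` would be `window.localStorage`.

```javascript
// Added example: consent gate for a tracking script (names are hypothetical).
const CONSENT_KEY = 'tracking_consent'; // hypothetical storage key

// Turn a banner interaction into a consent record. Only an explicit "accept"
// grants consent; closing the banner or simply browsing on records nothing.
function recordBannerAction(action, now = new Date()) {
  if (action === 'accept') return { granted: true, at: now.toISOString() };
  if (action === 'decline') return { granted: false, at: now.toISOString() };
  return null; // 'dismiss', 'scroll', etc.: no decision, keep asking
}

// Decide what the page does for a stored record (or the lack of one).
function decide(record) {
  const valid = record && typeof record === 'object' &&
    typeof record.granted === 'boolean';
  if (!valid) return 'show-banner'; // first visit or unreadable record
  return record.granted ? 'load-tracker' : 'no-tracking';
}

// storage: anything with getItem/setItem (window.localStorage in a browser).
// loadTracker: callback that injects the vendor script; called at most once.
function createConsentGate(storage, loadTracker) {
  let loaded = false;
  const read = () => {
    try {
      return JSON.parse(storage.getItem(CONSENT_KEY));
    } catch {
      return null; // corrupt value counts as "no decision yet"
    }
  };
  const apply = () => {
    const decision = decide(read());
    if (decision === 'load-tracker' && !loaded) {
      loaded = true;
      loadTracker();
    }
    return decision;
  };
  return {
    onPageLoad: apply,
    onBannerAction(action) {
      const record = recordBannerAction(action);
      if (record) storage.setItem(CONSENT_KEY, JSON.stringify(record));
      return apply();
    },
  };
}
```

The stored timestamp gives you a record of when the visitor made the choice, which is useful when consent has to be demonstrated later.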


Yes!  Very helpful indeed!   So the gist is they need to be removed if they don't consent.  Good to know how to handle this scenario.  Wheels are spinning in my head with all the new assets, database fields, and workflows needed to comply.  Let the games begin! 

Thanks for highlighting Dan! Yes I very much so meant explicit.



Level 10 - Champion Alumni

I came across this article today (What the GDPR means for Panasonic's B2B marketing - Digiday ) and was very surprised to see this statement:

B2B marketers do not have to ask everyone on their databases for permission to use their data under the regulation in the same way their business-to-consumer counterparts might have to. This is a good example of where consent is not required under the GDPR. An electronics firm like Panasonic sending marketing materials to its corporate customers about related products can reasonably rely on “legitimate interests” as the legal basis for processing corporate customer data. As long as those corporate customers who ask for an opt-out option receive one, Panasonic’s email and telephone promotions will be within the law.

Panasonic is one of Marketo's largest and most well-known global B2B customers.  They - including Stephen Yeo (European Marketing Director for Enterprise Business) - always have a prominent presence at Marketo Summit.  It will be interesting if Stephen addresses GDPR at this year's Summit.


Does the unsub link equate to no consent? Does no consent mandate that you must delete data? Does yes to consent mean you can send communications and save their data?

Scenario: User comes to web site; downloads white paper; says no to consent. Is this user now unsubscribed from all mailings? Do we have to delete their data? I guess I am struggling with how to use the unsub and no consent - do they serve the same functionality? Thank you in advance for any insight or guidance.

Level 6 - Champion Alumni

Mark McGourty​ Data consent should be tracked separately from email consent. Someone could unsubscribe from communication, but still have data consent to fulfill a request, subscription, contract, etc. Withdrawal of data consent would dictate erasure, not necessarily an unsubscribe.

In a white paper scenario, let's assume a new user comes to your site. On your form, you should have an unchecked and non-required checkbox inviting them to opt-in to marketing communications and acknowledging the privacy policy, which should be linked right on the form. Let's assume they do not check the checkbox, but submit the form. I think it is reasonable under GDPR to send them the confirmation email with the white paper download link and with an invitation to opt-in also in the email. If the user does not respond within, say, 3 days with an opt-in, you should delete their data. During this time frame, they should not receive any marketing communication other than the white paper download.

I hope this provides clarification!

+1 on this. 2 consents are to be given, at least in theory. But the practicality of having 2 checkboxes on a form and expecting that people filling it out will understand the difference between the 2 is, to say the least and IMHO, questionable.

And also, +1 on the fact that the Opt-in does not impact operational emails, that are fully covered by the legitimate interest clause.


Level 6 - Champion Alumni

Our legal team has advised that if we obtain opt-in consent for email with acknowledgement of a privacy policy detailing data use, etc, at the time of opt-in, that the consent would also constitute data consent, and there would not be need for 2 checkboxes. I agree that two check boxes is confusing, and you can't very well save the person's data and send them email they've opted into without some level of data consent.

Hi again Michelle,

This is also the conclusion that was given by most of the DPOs from our customers.


Level 10 - Champion Alumni

Totally agree on not having 2 checkboxes. But think about what this is going to do with our ability to report accurately (and there's really nothing that we can do about it - I don't even think the ePrivacy Regulation is going to save us). Let's say 20% of the people opt in while submitting a form to download content. If we delete the other 80% (which includes program members), none of our reporting will be meaningful - at least not in the current/traditional sense (e.g., reports like xx% of those that responded, opted-in; or program success resulted in xx%). Hopefully marketers recognize this and significantly dial-down their measurable KPIs. Essentially, this will drive a new era of reporting, in that the reporting/dashboard numbers will instead represent a very engaged audience with our brands.