Marketing Strategies to Thrive in a GDPR World

Level 9 - Champion Alumni

This post is part 2 of a 5-part series on GDPR readiness. In this previous post, I compared GDPR preparedness to a football game and the importance of both a solid offense and defense to win the game. To tackle the processing requirements of GDPR compliance, your defensive strategy involves operational adjustments and a well-documented game plan. Now, it’s time to turn our focus to the offense and strategies to help your marketing practices thrive in a GDPR world.

Many Marketo clients are asking questions about using marketing automation and lead scoring features given GDPR’s strict permission-based requirements to collect and store personal data. My answer is marketing operations and GDPR can coexist, with adjustments to our current methods. I believe GDPR will force us to improve our core marketing skills, and our GDPR playbook should include leveraging the benefits of our offering and easing customer anxiety associated with data collection.

Consent for Data Collection

Scenario: You are offering a free white paper or informational guide and you are collecting the customer’s name, email address, and phone number as a prerequisite to downloading. Behind the scenes, you are appending additional data to the record, including income and location as well as tracking online browsing behavior to score the lead.

Challenge: Under GDPR, brands must now have an individual’s consent before they may track and store personal data. Opt-out or implied consent forms do not comply with GDPR; further, you must also declare how you will use the data and for how long, including if you are appending information or scoring based on it. Therefore, the challenge is being GDPR compliant without introducing too much friction or anxiety with your form.

GDPR adjustment: Strengthen your landing page value proposition and incentive to increase customer motivation. Also add an unchecked opt-in checkbox to the bottom of your data collection form, including a link to your privacy policy. (Note: privacy policies must now be much more robust in detailing data usage.)

To implement: On a recent internet search, I found one suggestion to use this copy in your data collection form:

“We’re collecting your name, phone number and email address so that we may follow-up with you further on this topic and provide additional assistance. We may also match profiling data from a third party with your registration information, to learn more about you and measure your product interests. Please check our privacy policy (insert link here) for details on how your information will be protected and managed.” (followed by a checkbox providing consent to collect this information)

This solution appears to be GDPR compliant and covers your bases…but it is lengthy and may “weigh down” your form, and we may have also unnecessarily opened the door on customer anxiety. According to The Chartered Institute of Marketing (September 2016), 57% of Europeans do not trust brands to use their data responsibly. Highlighting their concern will only increase apprehension. Thus, adding this verbiage to your form could reduce your conversion rate.

Contrary to a common misconception, GDPR doesn’t mandate declaring everything on your form. You can state how you will use data (including information to be appended and lead scoring practices) in your privacy policy—just don’t forget (or it will cost you big!).

A sample of a GDPR-compliant privacy policy regarding the opt-in checkbox on a form reads like this:

“The information set out in this form is registered in an electronic database for the purpose of [commercial prospection, HR…]. This information is intended to be communicated to [internal service of the company, commercial partners…] and retained for [the relationship, xxx months…]. In accordance with the applicable regulation, your rights to access and update your data, withdraw your consent or lodge complaint where applicable can be exercised by following this link [contact of the service, person or authority in charge…].”

Just keep in mind a couple of things with your opt-in checkbox:

  • The opt-in checkbox cannot be a required field. Consent is an independent action from the marketing form action. In other words, if the form in question promotes a white paper, the user can download the white paper without opting in to further communication.

  • Consent language should make it clear that the checkbox is not needed to submit the form (i.e., “Want MORE on this topic?”) and should definitely link to your privacy policy. To step up your game, add a little note at the bottom of the form reminding them they can download your white paper without it.

Moving legal language to your privacy policy would enable you to use shorter, simpler, GDPR compliant copy on your form:

<Unchecked checkbox> “I’d like to receive more information on this topic, and understand and agree to the privacy policy. <insert link here>”

Short, sweet, to the point…on with the conversion. And the next example.

Cookie Tracking

Scenario: You are using reverse IP lookup and cookies (AKA Munchkin Code) on your site to identify repeat visitors and customize the user’s experience.

GDPR challenge: You must have consent to track visitor behavior. “By using this site, you agree to cookies” messages implying approval upon closure do not meet GDPR compliance. This is a departure from Do Not Track legislation.

GDPR adjustment: Use a banner across the top of your website notifying first-time users of cookie usage, capturing user consent. Then work with your developer to load Munchkin code with the proper settings.

To implement:

Read the full post and view examples of these solutions on the Perkuto Blog.
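
The consent-before-tracking rule from the Cookie Tracking section above, as an added example that is not part of the original post and is not Marketo's code: tracking stays off by default, only an explicit "accept" enables it, and closing the banner stores nothing. The cookie name, action names, cookie lifetime and the `loadTracker` callback are assumptions made for illustration.

```javascript
// Added example: default-deny consent gate for a tracking script.
// Cookie name, action names and loadTracker are hypothetical.
const CONSENT_COOKIE = 'tracking_consent';
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // assumed lifetime; set per your policy

// Parse a document.cookie / Cookie header string into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Translate a banner interaction into the cookie to set, or null for none.
function consentCookie(action) {
  const value = action === 'accept' ? 'granted'
    : action === 'decline' ? 'denied'
    : null; // 'close', 'scroll', 'navigate': not an affirmative choice
  if (value === null) return null;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// True only when the visitor has explicitly opted in.
function trackingAllowed(cookieString) {
  return parseCookies(cookieString).get(CONSENT_COOKIE) === 'granted';
}

// The banner is shown until the visitor makes an explicit choice either way.
function bannerNeeded(cookieString) {
  const v = parseCookies(cookieString).get(CONSENT_COOKIE);
  return v !== 'granted' && v !== 'denied';
}

// Call on every page view; loadTracker would inject the tracking script.
function applyConsent(cookieString, loadTracker) {
  if (!trackingAllowed(cookieString)) return false;
  loadTracker();
  return true;
}
```

In a browser, pass `document.cookie` as `cookieString` and assign the result of `consentCookie(action)` to `document.cookie` when it is not null.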

Level 10 - Champion Alumni

Another great post, Michelle!  Everything you mentioned here is pretty consistent with our findings and advice/guidance provided by our own legal team.  I don't think there's any way to sugarcoat this - GDPR is going to limit our ability to market and track engagement as we have been historically doing.  It's going to take time to grow a GDPR-compliant database - regardless of how you word the consent statements in providing benefits back to the end-user.  And the fact that users are now going to be inundated with so many different variations of notifications/banners asking for consent - it's really going to negatively affect the overall user/visitor experience and there's really no way around that.

You provided a good example for obtaining cookie consent on a website.  What about email tracking consent (to those that have opted-in to email, of course) in tools like Marketo - where they may never come in contact with your website?

Level 9 - Champion Alumni

Thanks Dan Stevens. I agree with you. There's no way around these compliance requests, so hopefully this helps make it less onerous. With regard to email tracking consent, this should be outlined as data use in the privacy policy at opt in for users going forward. In the meantime, if marketers don’t have explicit consent from EU names in their database, or if their privacy policy is going to need major updates, now is a great time to launch a whitelisting campaign to update records and get that required permission. (Be sure to update those privacy policies first!) As we all know, no marketing campaign has a 100% response rate, so now is the time to act to be able to send several messages.

Level 10 - Champion Alumni

Just be careful on executing any "opt-in" focused campaigns leading up to May.  Depending on the size of the audience and the nature of the message (highly relevant/segmented is advisable), there's a level of risk in these types of campaigns: ICO fines Flybe, Honda for breaking data rules. They were, um, trying to comply with GDPR • The Regi...

Not applicable

Great post! Thank you so much for posting on this - it's super helpful since so much of this is still unclear.

One question on this - if they click the checkbox giving consent, does there also need to be a secondary email that they have to click on to double-ensure the consent? We've gotten this guidance but wanted to get others' thoughts on it as well!


Level 9 - Champion Alumni

Dan Stevens​ Am I allowed to laugh at that? I suppose I should have clarified that this should be in conjunction with a database audit and clean up effort... Determine which records are viable and engaged, and opt-in requests should be targeted to that contingent.

Level 9 - Champion Alumni

Kayla Miller​ Currently only Germany requires double opt-in. You could do that as a best practice beyond Germany, but you are not required to do so.

Level 3

Thanks for this post Michelle, definitely coming back here to reference this information!   One area we're focusing on is the implementation of a global forms strategy that always requires the country field so we can better attune privacy/data usage policy disclaimers based on Country and applying the greatest standard of compliance to all forms.    We battle with marketing managers who don't want extra fields, but in light of GDPR, this is our new reality.   

A big takeaway from your post is that consent is not a required field yet they can still download the whitepaper.  Question about where that leaves a lead who has not checked the box yet downloaded the form? I gather that the lead is in the database now as they've downloaded the whitepaper upon form fill, but we still can't send them marketing emails until they've implicitly opted in.  Is there a way to get people to opt-in rather than wait and see for this scenario?   Can you send an auto-response with the download and another CTA to opt-in?  Oh boy, this can be a bit maddening when trying to strategize on how to implement new practices!

Level 10 - Champion Alumni

“but we still can't send them marketing emails until they've implicitly opted in”

I think you mean "explicitly" opted in.  And yes, if they haven't opted in to receive email, all bets are off.  Keep in mind, this is just one type of consent.  Like the focus of this post, you also have "cookie consent" and consent to process/collect the data.

BTW, next to email address, "Country of residence" (we used to just name the field "country", but since GDPR applies to EU residence, we are in the process of modifying this field name across all forms) is the most important field on our forms.  As a global company, this helps determine whether or not we must comply with GDPR for each lead in our DB.  Even that's a tricky one.  For example, what if someone who is tagged with a non-EU country and then moves to an EU country?

Level 9 - Champion Alumni

Hi Trinity Levenson​, thanks for reading. There are two key points related to your question:

1) You cannot "bribe" someone to opt-in by bundling consent with the white paper. So they have to be allowed to opt-in independently of downloading a form.

2) However, GDPR is not limited to email legislation. Opt-in Consent is ALSO required just to retain the individual personal data (including name and business email). Generally when people opt-in to receive emails, they are also opting into this retention of data as spelled out in the privacy policy. However, if they do not opt-in, but download the white paper, you can send them an email with the white paper and an offer to opt in (again must be an affirmative action on their part acknowledging that they have read the privacy policy). If they do not opt-in, you can't "wait and see"; you need to remove them from your database. Maddening, indeed! This is another good reason to include country on your forms - if you don't, you'll have leads that are missing country and you won't know if you can keep them in your database or not.

I hope this helps!

Level 10 - Champion Alumni

You know what's really maddening?  Our eventual inability to run accurate analytics/reporting on our marketing activities.  Especially when we'll need to disable Munchkin/email tracking for the majority of your EU leads; and when we can no longer store key engagement/user data in Marketo without consent.