GDPR and Your Marketing Funnel Part 2: Lead Nurturing
So we’ve more or less done the hard part. We’ve gotten proper consent to contact. Someone is safely, legally in our funnel.
But wait…let’s back up for a second.
Did anything we talked about in Part 1 make you go “oh crap…we super have not been doing that”?
If so…if some of the contacts you have in the pipeline right now ended up there without “GDPR-proper” consent…
It looks like a re-permissioning campaign might be in order.
Re-permissioning Campaign Basics
This is the only thing about GDPR which genuinely pushes me to a tantrum.
It applies to all your data. Even the data that you collected before, when the rules were different, and you were doing nothing wrong.
So, if you had a pre-checked box in the past. Or lumped in email list subscriptions with webinar access—you’ve got a few options: ask for consent again nicely, or start gutting.
We wrote a full article on how to do the “ask again nicely” part here.
But I’ll go through a few tactics I particularly like:
1. First, evaluate.
Before you panic, make sure you actually need to re-permission these folks. Maybe your form language is all about “get the ebook”—and that’s a problem. But your double-opt in language saves you with a solid “confirm your email list sign up.”
Either way, now’s the time to look at all your email drips. Find their entry points. And if you did get proper consent—make sure you screenshot and note that for your records.
2. Start with what you have.
I know, I know. Having one goal, one CTA, per email is your best bet for conversions.
But if you’re throwing your users a piece of content they might find useful, or a discount they’ll be grateful for—now is the time to remind them of what a good thing they have going.
I’d throw a PS to the end of your best emails now. Something along the lines of:
PS: Want to keep hearing about discounts like this? We’re updating our data processing policies to be more transparent. Opt back in here to keep receiving emails. No opt-in, no more exclusive deals, coupons, and tips.
If they like what you have to offer, they might be more willing to stick around.
So this is where you have to calculate: how many of the people on this drip tend to convert to sales? Sales worth how much?
And how much cheaper would it be to keep someone on your list, than to get someone new on board?
Does your list convert at such a rate that an extra discount for re-opting in might be worthwhile? What about a content piece, specifically tailored to them? A perk, a membership, a closed off group, an audit, a course—but only if they re-opt-in now?
Getting folks who love you now, or loved you once, to say “I love you” again—has to be cheaper, and more time efficient than wooing a digital stranger.
So if your lists usually bring in repeat business, or jump on board to upsells, or convert at a relatively high rate—it might be time to woo ‘em once more.
4. Treat a re-permissioning email like a sales email.
Because every email is a sales email.
This time you’re selling them on confirming, again, that they want to hear from you.
The point here is to follow your copywriting best practices. A/B test your subject lines. Test different email lengths. Lead with a solid hook. Argue the benefits of sticking around. Automate based on their behavior if you have the capacity.
You’re a marketer. You know what works.
“Sign back up because GDPR is making us ask you to”—is not compelling.
“We noticed you’ve downloaded ___ and ___ from us. We’d love to keep sending you content like this, that we know you’ll find useful. But we need you to reconfirm, as we’re updating our privacy policies”—is compelling.
If your contacts are valuable to you, put the effort in to make them feel that way.
The Right to Erasure: Unsubscribes + Requests for Data Withdrawal
Now opt-out laws for marketing emails are nothing new. But GDPR makes it universal, official, and enforceable.
Just as easily as someone can give consent under GDPR, they can take it away. You have to make this easy on them—and in all honesty, why wouldn’t you want to?
For reference, here’s what GDPR says on personal data, and the whole “deleting it forever” thing:
“Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data” (GDPR Key Changes).
It has to go.
All of it.
And let’s face it—all this is for the best.
No one wants an email list that gets you reported, time and time again, as spam.
No one wants to work to engage an audience that was never qualified in the first place.
But…all that aside, we’ve worked hard for consent to contact now.
So the challenge posed for marketers now is: you have to make it painless for a user to withdraw that consent—but also, make them not want to.
Dealing with Unsubscribes
(Or, in GDPR-speak, “ceasing further dissemination of data.”)
Now there aren’t hard and fast rules here about what is, and what isn’t compliant. But Article 7 still applies: it has to be as easy to withdraw consent as to give it.
The good people over at Econsultancy came up with an awesome quick test to determine whether or not your unsubscribe process is GDPR compliant.
“Step 1. Sign up to your company’s email newsletter via a link on your website. How easy is it?
Step 2. Sign yourself up to receive email marketing using the opt-in at registration or checkout. How easy was that?
Step 3. Wait for the emails to land in your in-box. Find the unsubscribe option and opt-out. Count the clicks involved.
Step 4. Compare with your competitors.
Step 5. Now user test with a real customer (just in case you’re not being objective).”
Now before even running a test, I’m sure you can come up with a few ways most brands might be failing it.
Among my least favorite is this:
The long, cutesy, “break up” inspired copy.
First of all: ugh—come on. This is overdone, and almost never on brand for anyone. You have banks and luxury sunglasses and SaaS companies that all of a sudden want to tell jokes. Your audience is about to say goodbye forever—and instead of reminding them of why they should value hearing from you, you do this?
Second of all: I’m sure your opt-in process didn’t involve the selection of email frequency, or types of content. And it likely didn’t require you to scroll through all of that just to get to a “sign me up” button.
Why does your opt-out do that before the “unsubscribe me”?
Now, I’m not saying your opt-out process has to be totally, “one click and you’re done.” Another way you can pass this test is not by weakening your opt-outs, but by strengthening your opt-ins.
While GDPR doesn’t require you to have a double-opt in, it’s been a data-transparency best practice for a while.
And presumably, if your sign up process looks like this:
- Submit form.
- Open email, click link to confirm sign up.
Your unsubscribe can also be:
- Click unsubscribe.
- Check email, click to confirm unsubscribe.
That leaves you a bit more copy-space to convince people to stick around.
Data Erasure: Some logistics
But just because someone’s off your list, doesn’t mean their data is “erased.”
A few more things to keep in mind:
1. Third Parties. As you should already know—under GDPR, you have to get explicit permission to share contact info with third parties. You’re also expected to take action if your contact wants their data erased.
Now, the expectations of the law aren’t that you get that contact info deleted at all costs. No one wants you to hack into the email client of that one guy who did that one webinar and delete email@example.com’s email address.
Here’s what our level-headed friends at the ICO have to say:
“If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the erasure of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.
The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies or replication of the personal data in question.”
So to have your bases covered—make sure you have a record of where a subject’s data went. Then reach out to any third parties involved (and keep a record of that, too).
2. Delete it everywhere—within 30 days. You’re required to respond to Subject Access Requests (SARs) within a month of them being issued, according to GDPR’s Article 12. So make sure when you get a “delete me” email—you get on it.
This is a little particular, but know, too: deleting personal data means deleting it anywhere you’re storing it. If an email exists in Mailchimp, and in your metrics spreadsheets, and in the Google Sheet generated from your form fill out, and in your Facebook custom audience—it has to be deleted in all of those places.
To sum it up:
- GDPR applies to all your data. Even the data you collected legally, pre-GDPR. If you collected it in such a way that isn’t up to GDPR standards, consider a repermissioning campaign.
- It needs to be as easy for people to opt-out of your marketing campaigns, as to opt-into them. Double check both of your processes here.
- If a data-subject says they want their info deleted, you’ve got 30 days to do it. Have a process in place.