Remember when “Y2K” was quickly approaching and everyone went crazy adapting their code so that the 2-digit year ‘00’ didn’t take us back to 1900?
Well, everyone in the tech and marketing community is going crazy again–this time it’s about the General Data Protection Regulation (GDPR).
All of the systems we’ve built to hold personal data (i.e. pretty much all of them) will need to be updated to comply with the new European legislation.
It doesn’t matter if your company isn’t based in Europe, if you’re not from Europe, or if you’ve never been to Europe.
The legislation covers any technology that serves EU citizens, and given that most websites are available globally, that pretty much means all of them–including yours–which is why your inbox is inundated with GDPR emails.
What does this mean for the future of growth hacking?
To be honest, I’m not sure, but I will say that if you’re a “black-hat” growth hacker that scrapes email addresses and other personal information, you should be afraid–very afraid.
Alex Delivet, head growth hacker at Mailjet, believes that “with the arrival of GDPR, these kinds of bad practices will be officially illegal and the best growth hackers will realize there are a lot of GDPR-compliant tactics we can try” instead.
Even the growth hacking tools you use may become illegal. For instance, the CEO of Convert.co wrote about the likely possibility of losing 3 percent of new revenue from their acquisition channel by removing 20 percent of the tools in their marketing stack, mainly used for reverse IP lookup services, data enrichment, and cold email outreach.
As a growth marketer, when I initially heard the news about GDPR, I was shocked and uncertain about what the future holds–I’m sure you can relate.
Shock is the first stage of “GDPR grief”, and I quickly cycled through the other six:
Now, we aren’t experts in GDPR or lawyers qualified to give legal advice, but we thought by sharing what we learned we could help our fellow growth hackers get to a good place with their GDPR compliance journey.
In this blog post, I’ll do my best to answer some of your frequently asked questions, like:
Let’s jump right in!
The General Data Protection Regulation (GDPR) is legislation adopted by the European Union in April 2016 that has to be implemented in all member states. National law may differ a little from the regulation itself because it has to fit each member state’s legal system. We’re not lawyers at Ladder, so we’ll let the lawyers get deeper into that.
On May 25, 2018, all the citizens of the European Economic Area will have the right to have their personal data protected.
And the punishment for not complying is severe: fines of up to 20 million euros or 4 percent of the company’s annual global turnover – whichever is greater.
In the world of digital marketing and advertising, GDPR is revolutionary. Marketers eat data for breakfast, lunch and dinner–some, like me, even dream about it! But your data-driven marketing strategy is going to have to go through some critical changes if you want to avoid those hefty fines.
To be GDPR compliant:
For marketers and advertisers, “using” personal data can take many forms, which generally include gathering, compiling, sharing, storing and deleting data, and using data for targeting.
If you’re tracking users’ web and browsing activity, that information “may be used to create profiles of the natural persons and identify them”, which is forbidden by Recital 30 of the GDPR.
The IT Governance Blog does a great job of breaking down how to be compliant with GDPR if you’re a company using cookies. Here are four things to keep in mind:
Moreover, any pixel that gathers behavioral data also falls under these consent terms. The Facebook Pixel, Google Analytics Tag, Live Chat, and more all require consent from the user in order to be used. This means that unless the users agree to it, things like the Facebook Pixel or Google Analytics script cannot be fired.
And even after getting valid consent, sites must give people the option to change their mind. Sites will need to provide an opt-out option.
If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
The good news is that Google Analytics allows you to turn on data anonymization, which should allow you to track users on your website without permission, but only if there’s absolutely no personally identifiable information (including IP addresses) involved.
To be GDPR compliant, you need to be cautious and transparent about how you collect personal information. Here’s a short GDPR checklist to help you learn how to acquire personal data the right way.
Also, check out HubSpot’s comprehensive GDPR Checklist to help you determine if you’re GDPR ready.
Moreover, if you have an opt-in form, then you need to have a separate checkbox for each type of processing you do and the wording needs to be clear and transparent. You can’t group anything together.
Examples of bad consent phrasing:
Examples of good consent phrasing:
Note: It is forbidden to implement checkboxes that are ticked by default; users have to make the decision by checking them themselves.
Also note that you’ll need to ask for separate consent in order to be allowed to use their personal data for email marketing purposes, for Facebook targeting, and for sharing it with third parties.
This means that if you plan to use your users’ data for Facebook ads and also upload it to a CRM (third-party tool), then you need two separate checkboxes.
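To make the two rules above concrete (tracking tags such as the Facebook Pixel or Google Analytics fire only after the user opts in, and every purpose gets its own unticked checkbox that can be unticked again later), here is a small consent store in JavaScript. This is an added example, not code from the original post; the purpose names, tag labels and consent-text version are constructed for the illustration, while `anonymizeIp` is the analytics.js setting that the data-anonymization paragraph refers to.

```javascript
// Added example: per-purpose consent gate for marketing tags.
// Purpose keys, labels and the consent-text version are constructed here.
const PURPOSES = Object.freeze({
  analytics: "Google Analytics tag",
  facebook_ads: "Facebook Pixel / custom audiences",
  crm_sharing: "Sharing with CRM (third party)",
});
const CONSENT_TEXT_VERSION = "2018-05-v1"; // which wording the user actually saw

function createConsentStore(now = () => new Date().toISOString()) {
  // Every purpose starts as "not given": nothing is ticked by default.
  const records = {};
  for (const purpose of Object.keys(PURPOSES)) {
    records[purpose] = { given: false, at: null, version: null };
  }
  function assertKnown(purpose) {
    if (!(purpose in records)) throw new Error(`unknown purpose: ${purpose}`);
  }
  return {
    // Called only from the user's own unchecked -> checked action, one purpose at a time.
    grant(purpose) {
      assertKnown(purpose);
      records[purpose] = { given: true, at: now(), version: CONSENT_TEXT_VERSION };
    },
    // Opt-out stays available after consent was given (the settings menu must reopen).
    revoke(purpose) {
      assertKnown(purpose);
      records[purpose] = { given: false, at: now(), version: CONSENT_TEXT_VERSION };
    },
    has(purpose) {
      assertKnown(purpose);
      return records[purpose].given;
    },
    // Auditable record of what was consented to, when, and under which wording.
    exportRecords() {
      return JSON.parse(JSON.stringify(records));
    },
  };
}

// Decide which tags may fire on this page view. A tag without consent is simply
// never loaded; Google Analytics additionally gets IP anonymisation switched on.
function tagsToFire(store) {
  const tags = [];
  if (store.has("analytics")) tags.push({ tag: "ga", settings: { anonymizeIp: true } });
  if (store.has("facebook_ads")) tags.push({ tag: "fbq", settings: {} });
  return tags;
}
```

In a browser, the entries returned by `tagsToFire` are the only snippets you would inject into the page; everything else stays unloaded until the user changes the corresponding checkbox.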
Luckily, just because you don’t have the record of opt-in doesn’t mean you don’t have a lawful basis to process a contact record. To address this, the GDPR legislation outlines what they call “lawful basis of processing”, which states that you’ll need to have a legal reason for using someone’s personal data. Let’s see the different ways this can apply to your imaginary user named Laura:
HubSpot’s product roadmap for GDPR does an excellent job of clarifying the information above.
However, for contacts you have no lawful basis to process, you must get consent in order to send them marketing emails.
We recommend launching a one-time email campaign that asks any contacts who haven’t yet opted in to your marketing emails to confirm their subscription. Only the contacts that confirm their subscription status are then kept on your list. Those who don’t confirm will have to be opted out of your marketing emails.
As a result, you will be left with a highly engaged list of contacts that have proven they want to continue receiving emails from you.
Pro Tip: You should incentivize them to opt-in by offering something special in return. We have recently seen companies offering a number of industry reports if a user opts in, but you should figure out what resonates most with your users.
GDPR rules now give EU citizens the right to have their data deleted and no longer processed if the data is no longer necessary for the purpose for which it was gathered.
‘The Right to Be Forgotten’ means that EU citizens can access the data you have gathered about them AND that they can also demand it deleted – which you must respect and fulfill within a reasonably short amount of time (about 5-10 business days).
However, you only need to delete (“forget”) the data if it’s no longer necessary to fulfill the contract it was gathered for. For instance, an eCommerce shop needs an address in order to send the purchased goods, so the subject cannot have their data forgotten until the contract stating that “the goods purchased are to be delivered” has been completed.
For businesses – well, this strongly depends on the size of the company.
If your company is storing and/or planning to store any kind of personal data of even one EU citizen, you must take action to comply with GDPR.
If your business is US-based, you may still receive website visitors from the EU, which means that if you are using website analytics, a newsletter subscription form or a lead capture form, you must take steps to comply with GDPR for your EU website traffic.
All it takes is one EU citizen who is conscious of his rights and notices that you are not compliant.
The UK is implementing a new Data Protection Bill which largely includes the provisions of the GDPR. This Bill is designed to bring the UK’s data protection laws in line with the GDPR. Stay tuned!
Companies around the globe must be compliant if they store, process or use any EU citizen data.
The GDPR requires you to report a breach to the authorities within 72 hours of discovering it and to admit that it happened. You should also be able to determine how many records were leaked, explain how you are going to make sure such a breach does not happen again, and inform any users whose data may have been leaked about the incident.
What is considered a security breach under GDPR?
A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data. For example, those who’ve signed up to the Ladder newsletter are under the control of Ladder and we are the Data Controller.
A Data Processor is the entity which processes personal data on behalf of the controller. For example, when working with a client’s newsletter list, Ladder is then processing the data that this client is controlling. In this scenario Ladder is the Data Processor and the client is the Data Controller.
Whenever you are holding users’ personal data (like an email list) and upload it to Facebook to create a custom audience – then you are the Data Controller and Facebook is the Data Processor. You actually need to get your users’ permission in order to use their data in this way.
On the other hand, when you create a Facebook lookalike audience – then Facebook is the Data Controller and you are the Data Processor simply because the personal data that is used to create the lookalike audience is inside Facebook’s servers and it was not obtained by you.
At Ladder, we take GDPR compliance and business growth very seriously. As such, we’ve attended training sessions, had our lawyers review our terms of service and privacy documents, and we’ve read a LOT about the issue to try and figure out our obligations.
We’re also conducting a company-wide team training on the matter.
Here are our own action items for GDPR compliance as a growth marketing agency:
And for the companies we’re working with to grow and scale their businesses, we’ve sent updates to each with details on the steps we’re taking, how GDPR will affect their marketing experiments, and the options at hand to ensure compliance while maintaining optimal performance.
Sign up to our newsletter to stay up to date with all the latest movements in the field.