Have you been wondering what GDPR is, how it affects you, and how to get your website ready for GDPR?
Bookmark this page as I’ll be updating it as more information becomes available.
Please help me spread the word and share this blog post!
Yeah, until a few days ago, I was like, “GDPR whaaaat? I’m in the US, why do I need to know about this?”
So I’ve done a ton of research and in this blog post, I’m going to share with you:
- Resources to help you understand & implement the new European privacy law GDPR, or General Data Protection Regulation
- How GDPR will affect your website and email list
- What I’m doing to get my website and email list ready for GDPR so that you have a path you can follow
- A checklist you can download to start implementing the steps on your own website & email list
Before I share this information with you – although I worked in the marketing department at a law firm for four years – I am not a lawyer.
Nothing in this article should be taken as legal advice. I make no guarantees or warranties that by following the steps I outline in here to get your website and email list ready for GDPR that you will be GDPR compliant, and I advise that you consult with your own attorney to ensure you are GDPR compliant.
Are we good? Okay, continue reading.
Three key pieces of GDPR compliance
As I started to research GDPR, here are three key things I discovered that honestly started to freak me out a little bit:
- One – if I have any customers or subscribers in the EU, I’m required to follow GDPR rules.
- Two – the fines for non-compliance are ginormous – 20,000,000 Euros or 4% of global annual revenue – whichever is LARGER!
- Three – if I didn’t get the proper consent from the EU people on my email list under the GDPR rules, I have to ask them to resubscribe before May 25.
So I started to panic a little bit, and then thankfully one of our BFFs, Helen, shared the most simple, comprehensive resource I’ve come across on the subject. Thank you, Helen!
Suzanne Dibble is an EU-based lawyer who is providing down-to-earth, clear guidance on GDPR for online entrepreneurs like us.
Thank. Goodness.
I spent about 5 hours on Saturday watching Suzanne’s free GDPR webinars and researching her Facebook group to get a solid understanding of what GDPR is and the specific steps I need to take to become compliant.
Fortunately, Suzanne’s take on GDPR is nothing like the doom and gloom of the headlines I found in my research.
In fact, she’s seeing it as an opportunity to build trust and a more engaged audience! Yes!! She’s totally speaking my language – and I’ll share those strategies with you a bit later.
I highly recommend that you watch Suzanne’s interview with Chris Ducker to get a better understanding of GDPR and how it can affect your business!
GDPR Resources
- Suzanne Dibble's GDPR Mythbuster Webinar
- Suzanne Dibble's Interview with Chris Ducker
- GDPR Pack*
- GDPR Facebook Group
- Karen Skidmore's List Love Re-engagement Campaign Templates
- Amy Porterfield GDPR for Entrepreneurs – What You Need to Know Podcast Episode
- How to Get Your Website Ready for GDPR Checklist – Shannon Mattern
- GDPR Privacy Policy Generator (use at your own risk)
GDPR – The Big Picture
Here’s what I learned from Suzanne about GDPR:
It’s true that if I have any customers or subscribers in the EU, I’m required to follow GDPR rules.
According to Suzanne, yes, even though I’m outside of the EU, I’m still subject to the laws and penalties if I market to people based in the EU.
However, there is no “GDPR Police” that are going to come knocking on my door on May 26th if I’m not fully GDPR-compliant.
The way I can get in trouble for not being GDPR compliant is if someone complains to the EU’s Information Commissioner’s Office (ICO) about me.
It’s also true that the fines for non-compliance are ginormous, but that doesn’t mean I’ll be fined a bajillion dollars if I’m not in compliance by May 26th.
If someone did file a complaint about me, Suzanne says the law is all about proportionality.
As a solopreneur, I’m likely not going to get hammered the way say, Facebook might for non-compliance, and if I’m taking steps to become compliant – which I am – then I’m probably good.
And it’s also true that if I didn’t get the proper consent from the EU people on my email list under the GDPR rules, I have to ask them to resubscribe before May 25.
First, I have to be able to tell who is from the EU on my list and who isn’t. For those who are in the EU or whose location can’t be determined, I have to ask them to resubscribe before May 25.
And if I don’t get consent, I will either remove them from my email list or, if my risk tolerance is high, I can keep doing business as usual, hope I don’t get reported and if I do, hope to use a grey area of the law to not get fined.
This GDPR rule made me really nervous because my list is the lifeblood of my business… but let’s be totally honest:
I may have 5,000 subscribers on my email list, but only 15-20% are opening my emails.
Let’s think about this logically for a minute: if you don’t care about what I’m sending you and if you’re not opening, reading, or engaging, how likely is it that you’ll ever become a customer?
Not likely, right? So why am I so worried about keeping you on my email list? Is it because I like to tell people I have 5,000 subscribers? Who cares? I want to serve people that want to be served, it’s not about the size of my email list.
In fact, Michael Stelzner said this exact same thing at Social Media Marketing World – it’s no longer about the size of an audience, it’s about how engaged they are. Small but mighty.
So here you have a choice. You can isolate just your EU subscribers and get fresh consent from them – and if you’re using MailChimp or ConvertKit like I recommend, it is pretty easy to find your EU subscribers (and those whose location is unknown).
You may also want to consider just cleaning up your entire email list, and, personally, before May 25th, I am going to do a re-engagement campaign to get fresh consent from my entire list, with the expectation that I’ll retain only about 20-25% of my subscribers.
I want this business to grow. I want a highly engaged community no matter the size. And I want to comply with the law and not find myself in a situation that could have easily been avoided had I given it the proper attention.
When it comes to getting fresh consent, Suzanne does NOT suggest emailing your list and saying “Hey, because of GDPR I need you to re-subscribe.”
I’m going to share with you later in this blog post some exact steps you can take to get fresh, GDPR-compliant consent in a way that helps you retain your email subscribers.
But first, I want to share with you the big picture of how GDPR will impact your website and email marketing so that you understand why we’re making these changes.
GDPR: Getting Your Website Ready
GDPR is definitely going to change how we set up our websites and email lists so that we can follow GDPR’s rules. Here’s how:
At the center of GDPR is the Privacy Notice.
If you’ve taken my Free 5-Day Website Challenge, in Day 5 I show you how to generate a privacy policy for your website using a free tool. However, as of May 25, 2018, that privacy policy will no longer be sufficient under GDPR.
I did find a free tool that will walk you through generating a GDPR policy; however, I cannot vouch for its accuracy. I paid for a policy template created by a lawyer in the EU and didn't take the chance of generating a free policy.
Under GDPR, you’re required to disclose what personal information (or “sensitive information” – there is a difference under GDPR – check out Suzanne’s webinar here) you’re collecting and exactly how you’re using it to your visitors before you collect it.
You’re required to disclose cookies, which is any tracking you’re doing, like the Facebook Pixel and Google Analytics.
Those disclosures need to be made in clear, normal words that anyone would understand, not legalese.
Everyone’s privacy notice will be different based on many factors: your business, how you collect email addresses, how you use your email list, if you’re having people log into your website, etc.
If you simply copied my Privacy Policy or generated your own free one, that won’t be GDPR compliant on May 26th. And if you try to copy mine after I have a GDPR compliant one, it won’t be accurate because mine will be unique to my specific business.
Fortunately, Suzanne created a set of tools and templates called the “GDPR Pack” which I purchased and am working through to create my GDPR-compliant privacy notice as the first step in GDPR compliance.
You can get Suzanne’s GDPR Pack here.
I’m going to mention it a few more times in this article because there are other resources in there we need to help us with GDPR compliance.
And, like I teach my students, when I find a resource THIS GOOD, I immediately research it to see if it has an affiliate program – so yes, I am a proud affiliate of the GDPR pack and I do earn a small commission when you purchase that helps me continue to create free content to help you navigate GDPR on your website! So if you make a purchase, thanks in advance for using my link!
The next step is making your Privacy Notice super obvious to subscribers.
Once you have your unique Privacy Notice in place, you must give your subscribers the chance to read it before they opt in to your email list.
According to Suzanne, they don’t have to agree to your privacy notice, you just need to make it available.
It’s not sufficient anymore to have it simply available in the footer of the website.
You gotta put a link to the Privacy Notice in front of their face and ask them to read it before opting in to your email list.
Then, you have to get consent to email people.
We can't just put everyone on our newsletter list anymore if they've opted in for something else – like your freebie.
So, here’s the deal with the consent checkboxes:
My email opt-in form gets you signed up for the Free 5-Day Website Challenge.
On that form, I don’t ask you if you want to also get my weekly newsletter, which I send to you whether you want it or not every Wednesday, and I also don’t ask you if you want to receive information about other special offers, like when I’m launching my signature program, Websites That Make Money.
I just send you whatever I want to send you, whether you want it or not, and I never disclosed to you that I was going to do that when you signed up for the Challenge.
I just assumed that if you don’t want to continue to get stuff from me, that you’ll simply just not read my emails or unsubscribe, which I’m totally fine with.
But under GDPR, the ball is in my court to ask you what you’re willing to agree to receive from me first, and then I need to be a good friend and abide by your wishes.
To do that, I’ll be adding checkboxes to my opt-in forms as well as linking to my privacy notice.
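Here is an added example (not code from the original post) of how the opt-in form and consent record described above can be modelled: the freebie is the only thing a submission asks for, every other mailing needs its own box ticked by the visitor, no box is pre-ticked, the privacy notice is linked, and each send is checked against what was actually agreed to. The purpose names, field names, notice URL and version are assumptions made up for illustration.

```javascript
// Added example, not code from the original post. Purpose names, field
// names and the privacy notice version are assumptions for illustration.

// What the form delivers (the thing people asked for) versus the optional
// mailings that each need their own, separately ticked consent.
const REQUESTED_ITEM = "challenge"; // Free 5-Day Website Challenge emails
const OPTIONAL_PURPOSES = ["newsletter", "offers"]; // weekly newsletter, launches/special offers

// The form as it should be rendered: no pre-ticked boxes, privacy notice linked.
function formSpec(privacyNoticeUrl, privacyNoticeVersion) {
  return {
    privacyNoticeUrl,
    privacyNoticeVersion,
    checkboxes: OPTIONAL_PURPOSES.map((purpose) => ({ purpose, checked: false })),
  };
}

// Reject a form that would record consent nobody gave (a pre-ticked box)
// or that never put the privacy notice in front of the visitor.
function specErrors(spec) {
  const errors = [];
  if (!spec.privacyNoticeUrl || !spec.privacyNoticeVersion) errors.push("privacy notice link missing");
  for (const box of spec.checkboxes) {
    if (box.checked) errors.push(`"${box.purpose}" is pre-ticked`);
  }
  return errors;
}

// Turn a submission into the consent record kept with the subscriber.
// `submission.ticked` lists the purposes the visitor ticked themselves.
function buildConsentRecord(spec, submission, now = new Date()) {
  const problems = specErrors(spec);
  if (problems.length) throw new Error("form is not consent-safe: " + problems.join("; "));
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(submission.email)) throw new Error("invalid email address");
  const ticked = submission.ticked.filter((p) => OPTIONAL_PURPOSES.includes(p));
  return {
    email: submission.email,
    purposes: [REQUESTED_ITEM, ...ticked], // nothing beyond what was asked for or ticked
    privacyNoticeVersion: spec.privacyNoticeVersion, // which notice they were shown
    consentedAt: now.toISOString(), // when consent was given
    source: "5-day-challenge-optin",
  };
}

// Check before every send: only mail what this subscriber agreed to receive.
function maySend(record, purpose) {
  return record.purposes.includes(purpose);
}
```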
Suzanne shared in her interview with Chris Ducker that using Double Opt-in is not required. Double opt-in is where you get an initial email asking you to confirm your subscription and then you get a second email delivering whatever you signed up for. You may want to consider it as an extra layer of consent if you collect sensitive personal information like race, gender, religious, or political information. I currently don’t use double opt-in.
Also, Suzanne says in her interview with Chris Ducker that you don’t have to get consent to send every single type of email, like if someone buys something from you and you’re sending a confirmation email. There are other scenarios in which you’re allowed to collect data without asking for consent, and I highly recommend you watch Chris Ducker’s interview with Suzanne and watch her GDPR webinar here that dives deep into this topic.
Finally, people have a right to know what data you have on them and the right to be forgotten (ask you to completely delete their data), and you have to comply.
With your email list, that’s pretty easy.
The email service providers I’ve recommended in the Free 5-Day Website Challenge (Mailchimp & ConvertKit), have created tools and guides to help you comply with GDPR, which I’ve linked to in my free “How to Get Your Website Ready for GDPR” Checklist.
If you’re using another provider, you can Google how you’ll be able to comply with GDPR using that tool.
With your website, there are a few more steps to take.
You probably don’t realize how much data your website might actually be collecting on people. These are all the ways people interact with your website:
- Leaving comments on blog posts
- Filling out your contact form
- Registering as a user on your website (to access your online course, for example)
- Tracking from Google Analytics, Facebook Pixels, and other tracking pixels (cookies)
- WordFence or other security plugins which track IP addresses
- Other plugins that collect personal information
So GDPR says you have to not only delete people when they want to be deleted, you also have to be able to give them all the data you have on them that’s being tracked if they request it.
With that, first, it’s important to know all the ways WordPress and your plugins could be tracking people with cookies and using their data, and second, you need a tool that can help you disclose that information to your visitors, let them access a copy of their data, and help you remove their data.
There are several GDPR plugins that have been released that claim to do this, and the global WordPress organization is currently working on its own set of GDPR tools to help with this piece of the law.
I’m still in the process of testing the plugins I’ve found to find the best one to meet these requirements, and I’ll be updating this blog post with my recommendation.
GDPR: Getting Fresh Consent From Your Email List with a Re-Engagement Campaign
Like I mentioned above, Suzanne (and I) don’t recommend simply sending an email asking people to resubscribe.
Suzanne suggests running a re-engagement campaign, and she brought in email list expert Karen Skidmore into her Facebook group to explain how to run a re-engagement campaign to your list to get fresh consent.
I highly, highly recommend that you request to join Suzanne’s GDPR Facebook group, watch the interview with Karen Skidmore, and then click here to download Karen’s free report, “List Love – 5 Re-Engagement Campaigns That Will Put The Love Back Into Your List.”
Then pick one of the campaigns she recommends and plan to complete it before May 25th.
At the end of the campaign, send out your final email containing your new privacy policy and asking for fresh consent. You can get an email template for obtaining fresh consent when you buy Suzanne’s GDPR Pack here.
Again, there will be no “GDPR Police” waiting to get you on May 26th if you choose not to do this, but I’m choosing to do this, and here’s why:
Suzanne sees this as an opportunity to build trust and engagement with your list, and I totally agree.
That’s what my online business is all about, and if a re-engagement campaign results in me removing thousands of subscribers from my email list, then I just made room for the next thousand people that I’m going to serve and more.
Final Thoughts
GDPR isn’t scary and there’s no need to panic. I do believe it’s important to invest in a GDPR compliant privacy policy, and Suzanne’s GDPR Pack contains that and more.
Here are screenshots of everything that’s included in the GDPR pack. If you’re serious about building your business the right way, I highly recommend purchasing this GDPR Pack.
I also think it's important to take it seriously and set aside some time to implement these changes on your website in the next 2 weeks.
If you purchase through my link, email me at shannon@wp-bff.com and let me know – I’ll start an exclusive Facebook group just to help my community implement GDPR on their websites!
What's inside the GDPR pack: