The GDPR and What it Means for Email Marketing


Disclaimer: We’re not lawyers, and the information in this article is intended to be for educational purposes only. Therefore, it should not be taken as legal advice. We encourage you to seek legal counsel on how you should prepare for the GDPR!


“Google has updated its Terms and Conditions.”

“Facebook has updated its Terms and Conditions.”

“Shopify has updated its Terms and Conditions.”

Seen enough of these lately? Yeah, we can relate.

Don’t be surprised to find similar words flooding your inbox from now until May 25, 2018, the date Europe’s comprehensive data privacy law, the GDPR, goes into effect.

Ecommerce merchants take note: this piece of legislation almost certainly affects you!

The GDPR applies to any business that processes personal data of people in the European Union (yes, an email address is personal data).

For e-commerce merchants this is particularly important because it means you’ll need to take action as soon as possible to clean up your email list before the May 25 deadline. It also means you will have to change the way you collect leads from Europe.

Yes… GDPR is a pretty big deal.

Before you start panicking, keep in mind this law will probably start affecting big players first, and there are many grey areas that are yet to be defined. 

Still feeling a bit overwhelmed? Well, the good news is that we’re here to help! 

But first, a little background. What is the GDPR?

The General Data Protection Regulation (or the GDPR as it’s known) requires businesses that process personal data of any person in the European Union to comply with strict new data rules.

The GDPR is quite a hefty document, and has many layers to it. But in short, it regulates the processing of personal data.

But what does that actually mean to you?

Without getting too deep into the legalese here, “processing” means doing anything with data - collecting, storing, deleting or using it... plus everything else in between. “Personal” data is any information that can identify a person, directly or indirectly: name, email address, physical address, and also online identifiers such as an IP address.

If a business fails to adhere to these new standards, it can be hit with a hefty fine: up to €20,000,000 or 4% of annual global turnover, whichever is greater.

We encourage you to read through the document yourself (or seek legal counsel) to gain a thorough understanding of what it entails.

How does the GDPR affect email marketing?

Any business that has a mailing list needs to pay close attention to the GDPR’s definition of consent.

The GDPR requires consent to be specific, informed and unambiguous. It also needs to be freely given.

Let’s break this down:

  • Specific: This means you have to explicitly ask visitors if they want to be on your list. You can no longer offer a visitor 10% off, and then add their email to a newsletter list.

  • Informed: You have to specifically explain what they will receive by handing over their data to you. Visitors have to understand what offers they’ll be getting.

  • Unambiguous: There can't be any question of whether a visitor intended to give consent. You can’t include a check box that defaults to being checked as “yes.”

  • Freely given: You cannot refuse someone an offer if they don't subscribe to your list or force them into anything. In other words, if subscribing to a newsletter is required to download an ebook, consent isn’t freely given.

To ensure you’ve got consent before the May 25 deadline, you’ll need to take a few steps.

Step One: Clean Your Current List

Yes, consent applies to your existing list!

This means merchants need to start taking action now. If you can’t show that a subscriber gave consent that meets the GDPR standard, you need to obtain that consent before the May 25 deadline.

Any EU person who hasn’t given consent by May 24 should be removed from your marketing list.

The biggest challenge marketers face is getting consent from their current subscribers. To keep as many emails on your list as possible, you should separate non-EU emails from the rest, unless you are in the EU yourself (in which case this applies to all emails on your list).

If your business is outside the EU, your non-EU subscribers don’t fall under the GDPR, so you can continue to market to them as usual. :)

For all others, you’ll need their permission to continue sending them marketing emails after May 24.

Not sure how to do this? Read on, we are about to show you how. Then, we'll outline a strategy to re-engage the emails that do require permission.

Start with Segmentation!

You should segment your current list into two categories:

  1. Subscribers who are in the EU
  2. Subscribers who you can’t identify

The good news is many email providers have rolled out functionality to make this easier.

For example, Klaviyo has made this a very smooth process! All you need to do is log in to your account and open Klaviyo’s GDPR page. It has a handy link that will automatically create a segment of your EU subscribers:

[Screenshot: GDPR Klaviyo segment]

However, it’s also very important to segment emails you can't identify. Since you don't know if these emails came from the EU or not, it's best to assume that they did. 

Here’s how you can find and segment emails you can’t identify in Klaviyo:

[Screenshot: segmenting unidentified profiles in Klaviyo]

Remember, if everyone on your list knowingly consented to being added to your newsletter (Ex. “Sign up for my newsletter!”) and you have a record of that consent, you are already compliant for those subscribers and won’t need to re-ask for permission.
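As an added example (not part of the original article, and not Klaviyo’s tooling), here is how the segmentation described above can be run over an exported list in Python. It buckets subscribers into three groups (out of scope, already consented, needs re-permission), treats an unknown location as EU, puts every subscriber in scope when the business itself is in the EU, and only counts a separate explicit opt-in as consent, so an email captured purely for a discount lands in the re-permission bucket. The country list is the 28 EU member states as of May 2018; the consent record fields, form ids and sample subscribers are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# ISO 3166-1 alpha-2 codes of the 28 EU member states as of May 2018
# (the UK was still a member). Extend the set if you also treat the
# EEA states as in scope.
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
})

# The date the GDPR became enforceable.
GDPR_DEADLINE = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of consent for one subscriber: how and when it was given."""
    source: str            # id of the form/page the consent came from (constructed ids below)
    explicit_opt_in: bool  # True only if the subscriber actively chose to join the list
    recorded_at: datetime  # when the choice was recorded (timezone-aware)


@dataclass(frozen=True)
class Subscriber:
    email: str
    country: Optional[str]                  # alpha-2 code, or None when location is unknown
    consent: Optional[ConsentRecord] = None


def has_gdpr_grade_consent(sub: Subscriber) -> bool:
    """A discount-for-email capture is not consent to marketing; only a separate,
    explicit opt-in with a record of how and when it was given counts."""
    return sub.consent is not None and sub.consent.explicit_opt_in


def in_scope(sub: Subscriber, business_in_eu: bool) -> bool:
    """An EU-based business has every subscriber in scope. Otherwise a subscriber is
    in scope when located in the EU, or when we cannot tell where they are."""
    if business_in_eu or sub.country is None:
        return True
    return sub.country.upper() in EU_COUNTRIES


def segment(subscribers: List[Subscriber], business_in_eu: bool = False) -> Dict[str, List[str]]:
    """Bucket a list into the three groups the article describes."""
    buckets: Dict[str, List[str]] = {
        "out_of_scope": [],        # non-EU subscribers of a non-EU business: market as usual
        "already_consented": [],   # documented explicit opt-in: no re-permission needed
        "needs_repermission": [],  # EU or unknown location without documented consent
    }
    for sub in subscribers:
        if not in_scope(sub, business_in_eu):
            buckets["out_of_scope"].append(sub.email)
        elif has_gdpr_grade_consent(sub):
            buckets["already_consented"].append(sub.email)
        else:
            buckets["needs_repermission"].append(sub.email)
    return buckets


def to_delete(subscribers: List[Subscriber], now: datetime, business_in_eu: bool = False) -> List[str]:
    """Before the deadline nobody is deleted (the re-permission campaign is still running).
    From the deadline on, in-scope subscribers with no documented consent are removed."""
    if now < GDPR_DEADLINE:
        return []
    return segment(subscribers, business_in_eu)["needs_repermission"]


# Constructed sample export (not real subscribers).
SAMPLE_LIST = [
    Subscriber("anna@example.de", "DE",
               ConsentRecord("newsletter_footer_form_v2", True,
                             datetime(2018, 3, 1, 9, 30, tzinfo=timezone.utc))),
    Subscriber("bob@example.com", "US"),
    Subscriber("carla@example.fr", "FR",
               ConsentRecord("popup_10_percent_off", False,   # email captured for a discount only
                             datetime(2018, 2, 10, 14, 5, tzinfo=timezone.utc))),
    Subscriber("dan@example.net", None),                      # no location data at all
]

if __name__ == "__main__":
    for name, emails in segment(SAMPLE_LIST).items():
        print(f"{name}: {emails}")
    print("delete on 2018-05-26:",
          to_delete(SAMPLE_LIST, datetime(2018, 5, 26, tzinfo=timezone.utc)))
```

Run it on the sample and Bob (US, non-EU business) is out of scope, Anna (documented explicit opt-in) needs nothing, while Carla (discount capture) and Dan (unknown location) go into the re-permission campaign and are the ones removed once the deadline has passed. Pass `business_in_eu=True` and Bob joins the re-permission bucket as well.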

How can I get their permission?

To preserve your email list, you should strongly consider sending a re-engagement campaign. The purpose of the campaign is to persuade subscribers to sign up for your general mailing list.

Here are a few tips so this campaign can be successful:

  • Send as much value as you possibly can
    If you already send pretty valuable newsletter emails, step it up a notch and send your most engaging content. If you haven't been sending much, you'll need to think of a reason for subscribers to stay connected with you.

    Think of your audience, what they need, and how to best engage them.
  • Have an enticing subject line
    You want the highest possible open-rate for this email, so crafting an intriguing subject line is vital! You’ll also want clever copy that engages subscribers and keeps them reading.
  • Be specific
    Remind your subscribers about the benefits your emails offer. Be direct, and tell them what they stand to gain by signing up for your general mailing list.
  • Include an easy call-to-action
    You need to include a link that provides an easy route for subscribers to click so they can opt-in. This might be a link that takes them to a "Thank You" landing page so you can tag their profile.

    In Klaviyo, you can send these profiles to a sign up page that would add them to a GDPR list once they re-enter their email to opt-in.
  • Consider adding a re-permission CTA in your regular emails
    Other than creating a re-permission campaign, you should consider adding a prominent CTA to your regular promotional emails. This increases the chances they will open the email and see the opt-in request.

Step Two: Edit your Lead Captures and/or Welcome Flow

Yes, you’ll need to change how you capture leads!

As we’ve outlined above, the days of capturing emails with a juicy offer and adding those emails to your general mailing list are over (for EU visitors at least!).

You’ll need consent, but keep this rule in mind:

Consent requires a positive opt-in, so don’t use pre-checked boxes.

The GDPR states that consent has to be their choice. This means that if you’ve got a juicy lead magnet, you can’t simply inform visitors that they’ll be placed on your general mailing list and treat that as consent. They need to actively choose to be on that list.

You need to add a second opt-in box somewhere in the funnel. But keep in mind that you can’t default a choice to yes - so pre-checked boxes are not allowed.

Another note: you have to give them the freebie even if they don’t want to be on your mailing list.

This doesn’t mean you have to resort to the “Sign up for my Newsletter!” strategy. You can still use lead magnets, but you’ll need to get creative. You have a few options in relation to this: you can either edit your lead capture, edit your Welcome Flow, or do both! 

Edit your Lead Capture (if you're offering a juicy lead magnet)

For non-EU stores, we recommend editing your lead capture only if you have the option of showing the new version to EU visitors alone. Otherwise you risk decreasing the opt-in rates for all traffic:

  • When you ask for an email, also ask if they want to be added to your newsletter list
    Require visitors to choose between “Yes” or “No” (you can do this as a compulsory opt-in radio button or dropdown menu). You can’t pre-check, but you can require an answer.

  • Add a page after they've entered their email, asking if they want to be added to a newsletter.
    This page should fit between the opt-in page and the Thank You page. It's the ideal option, as it doesn’t interfere with the visitor giving you their email the first time around. Visitors are still feeling warm and fuzzy about your offer, so it’s a good time to ask permission.

    This intermediate page also gives you a chance to sell them on the benefits of your list.

Edit your Welcome Flow

At a minimum, you should edit your Welcome Sequence (for EU and unknown profiles!). Here are some ways you can edit their experience:

  • Ask for their permission in the delivery email 
    Once you send over your lead magnet, include a CTA within the email itself that prompts EU profiles to sign up to a general mailing list (in Klaviyo you can build this section to only show to EU or unknown location profiles).

    The CTA can link to a new opt-in page so readers can re-enter their email. Or, the CTA can be a button that sends re-subscribers to a Thank You page with custom code that tags their profile as having given consent.

  • After delivering your offer email, send another one only to subscribers located in the EU (or whose location is unknown)
    Be crafty with this second email! You’ll need to sell the benefits of your list. Let them know what you’ve sent them in the past, and what type of juicy offers and valuable content they’ll get in the future - if they let you!

  • Communicate in the lead magnet itself
    Consider adding a small paragraph to the end of your lead magnet that sells your general mailing list. Be sure to include a clickable link here that directs them to an opt-in page.

Alright, so now that we’ve gone over the most time-sensitive components of the GDPR, there are a few other things you should keep in mind:

  • You must tell your customers how to withdraw consent
    If you operate in the US or Canada, this one is already a requirement through the CAN-SPAM and CASL laws. Businesses need to provide an opt-out option in every promotional email they send.

    One way to do this is to add an unsubscribe link to the footer of each email (which you should already be doing).

    [Screenshot: unsubscribe link in an email footer]

  • Keep all evidence of consent
    The GDPR also requires you to be able to demonstrate that consent was given - who gave it, how and when. This is important. Keep records of your signup forms, how you collect data and any processing activities.

    One way to do this is to take screenshots, save underlying code, and create descriptions on how you collect data. All of this will ensure you’ve got evidence to prove that you have consent from your subscribers.

  • Consent needs to be separate from Terms and Conditions
    Email consent needs to be separate. This means you can’t bundle consent with Terms and Conditions, a Privacy Policy or any other service.

  • Ensure you have a compliant and up-to-date Privacy Policy
    You need to communicate your Privacy Policy at every point you collect data (a link to a standalone policy page is fine).

    The policy should include: your contact information, the visitor’s rights under the GDPR, the type of information you are collecting, and the purpose and lawful basis for collecting it (Ex. Google Analytics is used to improve performance of the website).

    You also need to explain what you are going to do with that data, and who has access to it.

    Shopify has a free Privacy Policy tool that can create a template for your business, which claims to be GDPR compliant.

What have Shopify and Klaviyo done to remain compliant?

Businesses that act as “data processors” for your customer data, like Shopify and Klaviyo (you, the merchant, are the data controller), have already taken the necessary steps to ensure they are GDPR compliant. This includes:

  • Appointing a Data Protection Officer

  • Adding a Data Processing Addendum to their Terms of Service (which is why you’re receiving all those emails from companies updating their Terms of Service!)

  • Implementing a detailed procedure to deal with subject access requests, deletion requests, and government access requests.

  • Providing GDPR-focused training to key teams and personnel.

… and a whole bunch of other changes too!

Phew! Feeling exhausted yet? Maybe we can help!

We know it can be a bit of a headache to ensure you are GDPR compliant, but it really needs to be taken seriously. If you’ve still got questions, feel free to reach out to see if we can help you.

The key takeaway here is that the customer is in control. As a business, it’s your responsibility to ensure your customer’s data is protected. You need to communicate to your customers in ways that are both relevant and valuable.

They need to want to hear from you, and it’s your job to let them know why!