Issue #25

GDPR consent examples: How to make sure you are compliant


When new regulations are passed, entire industries are faced with the challenge of shifting their marketing strategies to comply with new laws.

One regulation that has changed the way content marketers build their email lists is learning how to be GDPR compliant.

The General Data Protection Regulation, or GDPR, was approved and adopted by the European Union (EU) in April 2016, although GDPR didn’t come into full force until May 2018. GDPR was a response to lingering conversations about how to ensure EU residents are able to control their personal data.

With 67% of EU residents expressing concern about not having complete control over the information they provide online, GDPR has become a standard for how to ethically and responsibly build a business in the digital age.

The Vice President of the Digital Single Market said,

The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information. We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage.

Connect with your audience

Share what you love to connect with your followers and grow your business with a free ConvertKit account.

Create a free ConvertKit account

How to be GDPR compliant

You may remember companies going into a bit of a frenzy before GDPR was enforced in May 2018, but most content creators will find the process of learning how to be GDPR compliant easy as they get started with email marketing.

Who does GDPR apply to?

While GDPR’s origin is in the EU, it also applies to organizations outside of the EU if they “offer goods or services to EU data subjects.” It also applies to any company that processes and holds the personal data of data subjects who live in the EU.

Unless you run a hyper-localized business outside of the EU, chances are you will have subscribers from the EU on your email list. As the number of online, location-independent businesses continues to climb, it’s important to keep GDPR top-of-mind when you create your email opt-in forms.

When is a GDPR checkbox needed?

If the email signup copy on your form is focused on getting people to explicitly join your email list, you may not need a checkbox because the consent is already implied.

This can also be true if you add language at the bottom of your form that states what new subscribers will receive when signing up. In this case, you could use a double opt-in to gain consent and ensure the subscriber wants to be added to your email list.

It is important to note that GDPR doesn’t require double opt-in, but since GDPR requires proof of consent, double opt-in email address confirmations are one way to prove consent.

If you are using an email opt-in form that has multiple goals, you may want to take it a step further and include a checkbox to gain explicit consent. This way, you can ensure that you gain consent for each call-to-action within one form.

For example, you could create a landing page for a freebie that includes an opt-in form with an additional checkbox that gives your visitor the chance to express whether they’d like to sign up for your email list in addition to receiving the freebie. This is because you need to provide a way for subscribers based in the EU to get access to the lead magnet freebie without joining your email list.

It is similar to ecommerce shops asking if you want to receive their marketing emails when you purchase a product. You should be allowed to buy the product without receiving other promotions from the company. Through the GDPR regulation, the same is true for adding subscribers to your email list.

Pro tip:

This can be a great way to cut down on the number of cold subscribers that are only sitting on your email list. You want to attract email subscribers who are active and want to engage with your emails. Otherwise, you could be paying for people who aren’t intending to buy from you.

Email service provider responsibilities with GDPR compliance

If figuring out how to be GDPR compliant feels like an uphill battle, at ConvertKit we’re here to help you set up an easy-to-maintain system that allows you to collect consent from your EU subscribers.

As your email service provider, it is our responsibility to answer common GDPR questions and prepare you by sharing best practices. Here are a few of the ways we help our customers learn how to be GDPR compliant.

Privacy shield certified

This simply means that ConvertKit complies with the EU-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union (“EU”), European Economic Area (“EEA”), and Switzerland to the United States. You can learn more about the Privacy Shield Certification here.

Access to data processing agreement

A Data Processing Agreement (DPA) is an expressed agreement between the data controller and data processor. It ensures that the data processor (ConvertKit) is complying with relevant requirements under the GDPR on behalf of the data controller (you as the content creator) when handling your subscribers’ data.

ConvertKit offers a DPA to content creators who are processing personal data on behalf of EU/EEA and Swiss individuals. You can request our Data Processing Agreement by filling out this form.

Right to be forgotten

If a subscriber from the EU asks you to delete their data from your records, you must do so because email subscribers have a “right to be forgotten” under GDPR. That means as a business owner, you need to be able to delete their data easily and promptly.

When you delete their data from your records, you will need to contact us to request that we do the same on your behalf by filling out this form.

This process needs to be completed by you as the email content creator since we are simply the data processor. We will refer any subscribers back to you who come directly to ConvertKit to remove their data. Through the “right to be forgotten” form, you will include their name as well as their email address.

GDPR audit concierge team

The biggest concern with GDPR is knowing that you have collected proof that EU subscribers have given you consent for your emails.

This proof is something you’ll need to have if you are audited. In the event that you are audited, our Audit Concierge team can assist you in gathering the proof of consent you need to show the auditor you complied with best practices.

Best practices on how to comply with GDPR

Let’s cover some best practices for when you begin to optimize your email marketing strategy with GDPR in mind. We’ll go beyond the basics with a few strategies for collecting EU subscriber consent that will help you responsibly nurture your email subscribers.

Store proof of consent

If you are ever audited, having your proof of consent at the ready will help you demonstrate compliance to the GDPR supervisory authority. By law, you are required to have this proof of consent stored for subscribers from the EU.

One way to prove consent is by creating a double opt-in confirmation for EU subscribers. We like to use Tags through our Link Triggers functionality in order to store this information. When someone confirms they want to join your email list, then it will tag them inside ConvertKit to show they have expressed explicit consent.

We recommend using these two tags as a GDPR consent example:

  • GDPR: Email Consent
  • GDPR: Advertising Consent
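The tag approach above records that consent happened; an auditor will also want to see when it happened, from which form, and what wording was agreed to. The following is an added example (not ConvertKit’s code or its Tags/Link Triggers feature) of a small consent ledger that covers three points from this article at once: it stores proof of consent per purpose, completes a double opt-in confirmation, and honours a “right to be forgotten” request. It assumes an in-memory dict in place of a real database, and the two consent wordings, the form id and the IP addresses are constructed sample values. Consent is recorded only for a checkbox whose value actually arrived as "on", so a hidden or pre-checked box gains nothing on the server side.

```python
import hashlib
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed consent wording for the two recommended tags. The exact text shown
# next to each (unchecked) checkbox is hashed into the record so an auditor can
# see which wording the subscriber agreed to.
CONSENT_TEXTS = {
    "GDPR: Email Consent": "Yes, send me the newsletter by email.",
    "GDPR: Advertising Consent": "Yes, send me occasional offers for products I may like.",
}


def consent_text_hash(purpose: str) -> str:
    """SHA-256 fingerprint of the consent wording for one purpose."""
    return hashlib.sha256(CONSENT_TEXTS[purpose].encode("utf-8")).hexdigest()


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    email: str
    purpose: str                        # which tag / purpose was consented to
    consent_text_sha256: str            # fingerprint of the wording shown at signup
    form_id: str                        # which opt-in form collected it
    source_ip: str                      # IP at signup (personal data itself; keep retention short)
    requested_at: str                   # ISO 8601 UTC, when the form was submitted
    confirmed_at: Optional[str] = None  # set when the double opt-in link is clicked


class ConsentLedger:
    """In-memory stand-in (assumption) for the table that would hold proof of consent."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}
        self._pending: Dict[str, str] = {}  # sha256(token) -> email

    def record_signup(self, form: Dict[str, str], form_id: str, source_ip: str) -> Optional[str]:
        """Process a submitted opt-in form.

        Only purposes whose checkbox value arrived as "on" are recorded; an absent
        or other value means no consent. Returns the single-use double opt-in
        token to email back, or None when nothing was consented to.
        """
        email = form.get("email", "").strip().lower()
        granted = [p for p in CONSENT_TEXTS if form.get(p) == "on"]
        if not email or not granted:
            return None
        now = _utc_now()
        for purpose in granted:
            self._records.setdefault(email, []).append(ConsentRecord(
                email=email, purpose=purpose,
                consent_text_sha256=consent_text_hash(purpose),
                form_id=form_id, source_ip=source_ip, requested_at=now,
            ))
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token so a leaked table cannot be used to confirm anyone.
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = email
        return token

    def confirm(self, token: str) -> bool:
        """Double opt-in: the subscriber clicked the confirmation link. Single use."""
        email = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if email is None:
            return False
        now = _utc_now()
        for rec in self._records.get(email, []):
            if rec.confirmed_at is None:
                rec.confirmed_at = now
        return True

    def confirmed_purposes(self, email: str) -> List[str]:
        """Purposes you may act on: only confirmed records count."""
        return [r.purpose for r in self._records.get(email.lower(), []) if r.confirmed_at]

    def proof_of_consent(self, email: str) -> List[dict]:
        """What you would hand an auditor for one subscriber."""
        return [asdict(r) for r in self._records.get(email.lower(), [])]

    def erase(self, email: str) -> int:
        """Right to be forgotten: drop every record and pending token for the address."""
        email = email.lower()
        removed = len(self._records.pop(email, []))
        for digest in [d for d, e in self._pending.items() if e == email]:
            del self._pending[digest]
        return removed


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed submission: the email-consent box ticked, advertising left unticked.
    token = ledger.record_signup(
        {"email": "Alice@Example.org", "GDPR: Email Consent": "on"}, "form-home", "203.0.113.5")
    print("confirmed before click:", ledger.confirmed_purposes("alice@example.org"))
    ledger.confirm(token)
    print("confirmed after click:", ledger.confirmed_purposes("alice@example.org"))
    print("proof:", ledger.proof_of_consent("alice@example.org"))
    print("erased records:", ledger.erase("alice@example.org"))
```

The unconfirmed record is kept until the link is clicked so you can show the auditor both halves of the double opt-in; `confirmed_purposes` is the only thing a sending pipeline should consult, and `erase` is what the “right to be forgotten” form in the section above would trigger on your side.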

Get consent from existing subscribers

Now you are compliant for any incoming new subscribers! But what about subscribers that are already on your email list? If you haven’t been using a double opt-in confirmation and don’t have checkboxes on your current forms, you may want to gain explicit consent from subscribers who are currently on your list.

An easy way to do this is to create a segment in your email list that includes only the email addresses that are connected to IP addresses in the EU, EEA, or Switzerland.

How to set up a segment in ConvertKit

Once you create this segment, you can send a GDPR consent page that allows your subscribers to express their explicit consent to continue receiving emails from you.

You can include a Link Trigger so anyone who clicks on the GDPR consent page will automatically be tagged as having consented to your emails. We recommend taking it a step further by also asking subscribers to express consent by checking boxes inside the GDPR consent page just to be sure.

Here is a sample GDPR compliance email template you could send existing subscribers:

Hi there,

You may have heard about the new EU data protection law called GDPR which regulates how personal data is processed. Under GDPR, I must have your explicit consent when sending newsletter and marketing emails.

If you’ve been enjoying my content and are excited to see my emails continue to pop up in your inbox, just click the link below and check the two boxes on the next page:

{{ gdpr_consent_url }}

If my emails aren’t the perfect fit, just click unsubscribe below and you won’t receive any additional emails from me.

Thank you so much for reading, and have a great day!

If you still have subscribers who haven’t clicked on the link to your GDPR consent page (which you can find by having the Tag in place with your Link Trigger), you can then send an additional follow up email.

Create a process that is clear and easy for your subscribers

Being GDPR compliant doesn’t mean you need to ask your subscribers to jump through hoops. Instead, you can use unchecked boxes on your email opt-in forms and double opt-in confirmation emails to gain consent.

It’s good to learn more about GDPR so if your subscribers reach out with any questions, you are able to point them in the right direction. Being a trusted resource about GDPR will help you build even more trust with your audience. Try to be as upfront and clear about the process of confirming their email address as possible.

Let your subscriber know what their data is being used for

One of the biggest reasons why GDPR was passed in the EU was because people felt like they didn’t know how businesses would use their personal data.

Would they use it for financial gain? Would it negatively affect their safety and privacy?

People are cautious and careful when sharing their personal data, and rightfully so. To make sure you foster relationships and trust with your subscribers, make sure they wouldn’t be surprised to find how their data is being used. You can do this by being honest about how you use their data in your Privacy Policy, which can be created with your legal team.

Have a privacy policy in place

A Privacy Policy is a legal document that details the different ways a business, website, or other entity collects, uses, discloses, and manages a person’s data. You can look at our Privacy Policy as an example, but we recommend working with your legal team to ensure your document is compliant with current laws.

Once you have your Privacy Policy created, you can include it at the footer of your website so users can easily find your legal document. You could also choose to include it in your email opt-in form like the example below.

Understand the data you can’t store in ConvertKit

While ConvertKit processes personal data under the GDPR, it doesn’t process sensitive personal data. There’s a large difference between the two categories of data collection.

Personal data refers to contact data, financial information, and IT information such as an IP address.

Sensitive personal data, however, could include:

  • Racial or ethnic origin
  • Political opinions
  • Genetic data
  • Biometric data
  • Religious or philosophical beliefs
  • Data concerning health or a natural person’s sex life and/or sexual orientation
  • Trade union membership

Most content creators don’t have any reason to store this information, so this rule shouldn’t affect your business. Just know that you are not allowed to store this type of information in ConvertKit.

Make sure your checkboxes are not pre-checked

While it may seem like a great way to gain more subscribers, it’s important to not have your checkboxes pre-checked. If they are pre-checked, your subscriber may not see the checkbox or understand what they are agreeing to when they click the submit button on your email opt-in form.

Instead, you can add checkboxes to your forms that give your subscribers the opportunity to express their consent in you sending them marketing emails. Under GDPR, it isn’t consent unless it is explicit and given with intentionality. Keep this in mind as you craft your email signup forms.

Homework: How to be GDPR compliant in your work

Your homework for the next week is to create a new email opt-in form with checkboxes to start collecting consent.

If you already have email signup forms created, you can include a checkbox inside the form that already exists.

Don’t forget to create a Tag inside ConvertKit with a Link Trigger that will allow you to store this consent.

To learn how to be GDPR compliant and get your email signup forms ready, you can watch our GDPR workshop with founder Nathan Barry for more information. There are several sections in the workshop you can choose to skip over, but we recommend starting on steps six and eight to complete this challenge.

Head to our Knowledgebase to learn more about our GDPR practices and principles

Ready to get GDPR compliant in your email marketing?

If you're curious about using ConvertKit for your email marketing, today is your day! Click the button below to try ConvertKit for FREE for the next 14 days. You can set up landing pages, email automations, and everything you need to comply with GDPR regulations.


Kayla Hollatz

Kayla Hollatz is a copywriter and content creator for creative entrepreneurs who want their words to connect and convert. Few things make her happier than ghostwriting for clients in her studio, aka her four-season porch with a lake view. She can frequently be found fighting Minnesota winters with a mug of hot chocolate in hand.
