To those that have been living under a rock for the past year, the GDPR is Europe’s new privacy law that regulates the processing of personal data relating to individuals in the European Union.

It is designed to ensure that people understand what personal data we collect and how we use it – and gives them greater control over that use.

While we are currently working to implement specific GDPR requirements before enforcement begins on May 25, 2018, we’d like to remind our users that we already build privacy into everything we do and will continue to do so under GDPR.

What does GDPR entail?

Depending on who you speak to, you may get answers ranging from mild annoyance at having to comply with yet more regulations, to various expletives and even to “the end of marketing as we know it”.

Whatever the reply, its fair to say that GDPR has many website owners in a state of panic.

There’s been a lot of talk hefty fines awaiting those who fail to comply with the regulations.

And over the past few weeks my inbox has been overflowing with privacy policy updates, requests to (re)consent to the use of my data and a fair share of general GDPR doom and gloom.

In addition to this, our support desk has been inundated with queries about what we’re doing to make Wishloop’s optin forms GDPR compliant.

Judging by the wording of these requests, most people are either:

a) confused about what they actually should be doing in the face of GDPR
b) misinformed about what compliance entails

Having surveyed hundreds of posts on the subject and the regulations themselves, its no wonder why.

The regulations themselves are characteristically vague, no concrete case history is yet available and businesses are generally doing their best to interpret and respond to the regulations in varying different ways.

Wishloop and the GDPR

In this post, we’ll take a closer look at what GDPR actually means for small business entrepreneurs and email marketers.

And you’ll discover ways in which you can make your website and Wishloop campaigns compliant without sacrificing your conversion rates or your visitors’ user experience

Disclaimer: I’m not a lawyer and this post does not contain legal advice.  Always work with your legal advisors to help you make the right decisions in relation to any regulations.

Good News – The EU isn’t After You!

Contrary to what some commentators may have you believe, the EU isn’t armed with an army of lawyers, gladly rubbing their hands together at the prospect of inflicting hundreds of thousands of massive fines upon unsuspecting small businesses as soon as the regulations come into effect.

On this point its a useful reminder to always be mindful of the intentions behind what is written – some of the most incendiary content I’ve reviewed was written by so-called experts who have sprung up overnight to help small businesses through the “nightmare” of EU compliance.

Of course, we live in a world where fake news often has more power to provoke reaction (and drive sales) than reality!

The GDPR is about the processing of people’s private data online and primarily aims to regulate businesses that do a lot of data processing – and especially businesses that make their money from selling or “exploiting” the data they collect about people.

Think: data harvesting giants like Google or Facebook (Facebook’s recent scandal with Cambridge Analytica is a good example of the kind of misuse of data that the GDPR seeks to prevent)

For the average Wishloop customer or small business owner at large, you’re unlikely to do any significant amount of data processing.  If you have a website with some opt-in forms on it, the EU isn’t coming straight for your jugular.

To summarise, as a small business entrepreneur, you are not the GDPR’s main target.

And on the point of “massive fines for non-compliance”, the UK’s Information Commissioner, Elizabeth Denham, has publicly stated that fines will always be a “last resort” action, explaining that “Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense”.

In practice, the expected process for non-compliant websites looks something like this:

1. Your users/visitors take up the issue with you directly.  For example, a user might ask you (the website owner) to see, change or remove their private data.
2. If you can’t comply with that, the user can escalate this to a complaint, which would lead to a multi-step process by an EU data regulation agency, starting with an “information notice”.
3. Only if you are still not compliant after having received various notices and warnings will fines come into play.

In short: there’s no reason to believe you’ll face immediate punishment for a missing link to your privacy policy or a poorly worded optin form.

That said, there’s never been a better time to put your house in order, update your privacy policy and, if applicable, amend you terms of service so they’re bang up to date.

So what action should you take?

Hopefully you’re now a bit less worried about GDPR compliance than you may have been previously.  Take a moment to smile again and breathe a sigh of relief.

However that doesn’t mean you can simply ignore the regulations.

Even as a small business you’re undoubtedly processing data in some ways.

In their interactions with your business, your prospect and customers are sharing data with you and protecting people’s data and their privacy is important.

GDPR and Email Marketing

GDPR isn’t primarily about email marketing (which actually falls under separate Privacy and Eectronic Communications Regulations or PECR).

However GDPR does change the meaning of the concept of consent and user rights which is then expanded upon by PECR.

It’s about how people’s personal data is handled and email marketing contains such data (e.g. someone’s email address).

The main rights given to EU citizens under the regulation are as follows:

1. The “tell me what’s going to happen” right: Tell people what you will do with their email address before they sign up.
2. The “show me my data” right: Give people a view of the data you’ve collected about them (probably only their name and email address).
3. The “I want to change that” right: Give people a way to modify their data (e.g. get the emails sent to a different address) and unsubscribe.
4. The “forget about me” right: Allow people to completely remove all data you have about them, if they request it.

As we’ll see below, for Wishloop customers we’re involved only with item 1 above.  This is principally about making it possible for you to acquire the full consent from your subscribers and informing your visitors what will happen with personal data before it is submitted.  Only by providing full disclosure of what kind of emails someone will receive if they opt into your form, can they give the proper consent for it.

Unfortunately, in terms of its relation to email marketing, most “how to be GDPR compliant” content seems to suggest that you have to add multiple checkboxes, disclaimers and extra steps all over your website.

Thankfully, while this is one way of addressing GDPR, its not the only way, and seldom is it the way that’s likely to impact least on your all important conversion rates.

The Checkbox Myth

So how do you make your opt-in forms GDPR compliant?

Well judging by the support tickets we’ve received and much of the literature online I think 90% of marketers would answer: “by adding checkboxes!”

I don’t know where this idea came from, but GDPR doesn’t mean adding checkboxes.

Yes, you need the subscriber’s explicit consent to send them emails, but a checkbox is not the only way (and definitely not the best way) to get this consent.

Think about it, nobody likes to read small print, and that’s what your typical checkbox amounts to.

As you know, at Wishloop we’ve put a lot of emphasis on conversion optimisation.

We’ve made it easy for you to split test email signup forms so the last thing we (and you) want is to have to throw those high converting signup forms out of the window by covering them in checkboxes and disclaimers.

That’s bad for you, bad for the customer and even bad for the EU (where they take a share of your profits in the form of value added tax).

What other options are there then?

There are two approaches you can use to make your opt-in forms GDPR compliant without adding checkboxes or extra hoops for your visitors to jump through:

1. Change the copy in your opt-in forms
2. Change from single to double optin

Fix 1: Change the Copy

Let’s look at an example of a typical opt-in form, pre-GDPR:

If someone signs up through this form and you then start sending them emails, that’s not GDPR compliant.

Why not?

Because there was no indication in this form that you’d be sending emails (and visitors can’t consent to something you haven’t told them about).

The entire form is about getting a 30% discount for today only.  The visitor who signs up agrees to receiving a discount, but nothing else.

Here’s what the form could look like, with modified copy:

Here’s exactly what we changed, to make this form GDPR compliant:

• We are still providing a 30% discount.  However, instead of the discount and the newsletter being totally separate, the “main action” on the form is signing up for the newsletter and getting the discount is a bonus provided to newsletter subscribers.  This means the user is giving consent to subscribing to a newsletter
• We add “Subscribe to save…” to the button copy.  This way, it’s clear that the user is consenting to a newsletter by signing up.
• We’ve added a link to our privacy policy below the form.

As you’ll see, not a checkbox in sight, yet its still allowing the subscriber to consent to receiving daily emails from you and giving the link to your privacy policy where you should make them aware of how you will treat their data, and how they can view, edit or request to be forgotten.

As you’ll see in a moment we’ve made it really easy to add this extra link to your existing Wishloop forms.

So what does GDPR mean for Wishloop?

We’re reviewing our procedures and investing in our infrastructure to help you take advantage of the changes under GDPR.

Our approach to GDPR breaks into two sections:

1. What we’re doing as a company to make sure that we’re GDPR compliant
2. What we’re doing to ensure that our customers are GDPR compliant when using Wishloop

Lets start with the first point:

What we’re doing as a company to make sure that we’re GDPR compliant

If you’re in the EU you will be able to:

• Ask for a copy of the personal data we’ve collected about you.
• Request that we stop sending you direct marketing messages.
• Ask that we stop using your personal data for certain purposes.
• Ask that we amend or delete your personal data.
• If we ask for consent to process your personal data, you can later withdraw your consent (please note that in some cases this may mean that we are unable to continue providing you with our software service)

To help comply with these new demands we’ve appointed a Data Protection Officer (that’s myself!) to handle any related data and privacy requests.

We’ve also made some small adjustments to our Terms of Service and Privacy Policy and added a new Data Protection Goals document.

Finally we’ve completed an exhaustive review of our data processing practices and policies and prepared a Statement of Data Processing Activities.

This document contains a list of all our data processing activities, the data being processed, a clear explanation of why we process this data, the legal basis for the processing activity and the names and addresses of any third party services we use to process the data.

What we’re doing to ensure that our customers are GDPR compliant when using Wishloop

If you’re reading this post then this is the part you’re most likely interested in.

The first thing to note is that, apart from an important distinction mentioned below, we don’t actually store personally identifying information about your customers.

When you collect personal information e.g. name and email address using a Wishloop optin form we don’t store that information for more than a few seconds.

• Where your webforms use the API method of integration we store the user data only temporarily whilst it is safely passed directly to one of our integration partners (e.g. Mailchimp or Active Campaign) over a secure connection.  This typically happens in the time it takes to redirect the user to your thank you page.  As soon as the integration partner responds that they have received the data, it is deleted from our system.
• And where your webform is using a HTML form integration, that information never actually touches our servers, it is passed straight to the integration partner.

When we do collect information it is only to enable the correct display or functionality of your campaigns.

• For example we use different cookies to help determine if a user is a new or a returning visitor or if they have viewed any specific campaign in the last X days.
• We also use cookies to ensure the correct functioning of our evergreen countdown widget or to enable conversion tracking and to ensure your users don’t keep seeing the same form if they have already opted in to it.

As such, the burden of complying with regulations around allowing a user to view or change the data you’ve collected on them or their right to be forgotten (items 2-4 in the list above) doesn’t lie with us, but instead with your autoresponder or similar integration partner.

In short, this makes compliance for us relatively straightforward as we haven’t needed to build too much extra functionality.  (And fortunately most users are familiar with how to clear cookies from their browsers)

So the main area where we do have a responsibility relates only to the area of telling users what’s going to happen after their data is collected, or more generally around acquiring consent.

There is however one exception to this and its a feature of Wishloop that we’re going to simply discontinue.

Lets move on to discuss each change we’re making in turn:

1. Discontinue our internal lead storage function.

We currently provide a little-used function to store your customer’s personal details within Wishloop’s Internal Database.

As GDPR means that providing this feature entails extra layers of compliance on our part (again, I’m referring to items 2-4 listed above), and based on the fact that this feature is barely used by anyone, we have simply taken the decision to discontinue this function.

If you are using the Internal Database storage then you should export your leads from there before the 25th May using the yellow button on the campaigns table:

2. Adding an option to enable GDPR/privacy consent checkboxes

Remember I said above that a checkbox is almost always not the best corrective action you can make to a non-compliant form.

Well… I still hold that this is true.

Nevertheless there are some use cases where a checkbox can be useful, e.g.:

• to allow additional copy to be added to a form without substantively altering its design,
• or where you may want to be able to collect additional permissions without changing the copy.

You could use it like this for example:

Naturally, there will also always be those people who don’t read this post and think that a checkbox is the only way to stay compliant.

We can only do so much to educate people, but the checkbox will be available for you to make use of as you see fit.

It will be easy to add checkboxes to your existing forms (provided you’re using an up to date template), simply open the campaign in the Wishloop builder and edit the form settings as shown in the right settings panel here:

3. Re-agreeing to our Terms of Service and Privacy Policy

When you next log in to Wishloop you will also be asked to accept our updated terms of service and privacy policy.

This step is mandatory to be able to continue using our service and you won’t be able to edit or create any new campaigns without this consent being recorded.

You’ll see the following splash page when you login and only need to click the consent button to access your dashboard.

What you need to do next?

Every business is unique, and your requirements under GDPR may differ from other businesses – including our own obligations.

Heres what we suggest you do next:

1. Login to your Wishloop account and accept our new terms of service and privacy policy
2. Review existing campaigns and adjust the copy or add checkboxes as required.  Alternatively, something as simple as enabling double optin on your forms may be sufficient
3. If you were using our Internal Database lead storage option then export the leads before we remove the option at midnight on the 25th May

Speaking more broadly, there are many resources available to help you determine how the new changes may affect your business.  This includes the official EU GDPR website, and information published by regulators in the individual EU Member States.

I hope you found this information useful and don’t hesitate to get in touch via our support desk if you have any questions.