{"id":1235,"date":"2018-05-23T11:30:39","date_gmt":"2018-05-23T11:30:39","guid":{"rendered":"http:\/\/wishloop.com\/blog\/?p=1235"},"modified":"2021-09-01T09:48:00","modified_gmt":"2021-09-01T09:48:00","slug":"wishloop-and-gdpr","status":"publish","type":"post","link":"https:\/\/wishloop.com\/blog\/wishloop-and-gdpr\/","title":{"rendered":"Wishloop and the GDPR"},"content":{"rendered":"\n

To those that have been living under a rock for the past year, the GDPR<\/a> is Europe\u2019s new privacy law that regulates the processing of personal data relating to individuals in the European Union.<\/p>\n\n\n\n

It is designed to ensure that people understand what personal data we collect and how we use it \u2013 and gives them greater control over that use.<\/p>\n\n\n\n

While we are currently working to implement specific GDPR requirements before enforcement begins on May 25, 2018, we’d like to remind our users that we already build privacy into everything we do and will continue to do so under GDPR.<\/p>\n\n\n\n

<\/div>\n\n\n\n

What does GDPR entail?<\/h2>\n\n\n\n

Depending on who you speak to, you may get answers ranging from mild annoyance at having to comply with yet more regulations, to various expletives and even to “the end of marketing as we know it”.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

Whatever the reply, its fair to say that GDPR has many website owners in a state of panic.<\/p>\n\n\n\n

There\u2019s been a lot of talk hefty fines awaiting those who fail to comply with the regulations.<\/p>\n\n\n\n

And over the past few weeks my inbox has been overflowing with privacy policy updates, requests to (re)consent to the use of my data and a fair share of general GDPR doom and gloom.<\/p>\n\n\n\n

In addition to this, our support desk has been inundated with queries about what we’re doing to make Wishloop’s optin forms GDPR compliant.<\/p>\n\n\n\n

Judging by the wording of these requests, most people are either:<\/p>\n\n\n\n

a) confused about what they actually should be doing in the face of GDPR
b) misinformed about what compliance entails<\/p>\n\n\n\n

Having surveyed hundreds of posts on the subject and the regulations themselves, its no wonder why.<\/p>\n\n\n\n

The regulations themselves are characteristically vague, no concrete case history is yet available and businesses are generally doing their best to interpret and respond to the regulations in varying different ways.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Wishloop and the GDPR<\/h2>\n\n\n\n

In this post, we\u2019ll take a closer look at what GDPR actually means for small business entrepreneurs and email marketers.<\/p>\n\n\n\n

And you\u2019ll discover ways in which you can make your website and Wishloop campaigns compliant without sacrificing your conversion rates or your visitors\u2019 user experience<\/strong><\/p>\n\n\n\n

Disclaimer: I\u2019m not a lawyer and this post does not contain legal advice.  Always work with your legal advisors to help you make the right decisions in relation to any regulations.<\/em><\/em><\/p>\n\n\n\n

<\/div>\n\n\n\n

Good News – The EU isn\u2019t After You!<\/h2>\n\n\n\n

Contrary to what some commentators may have you believe, the EU isn’t armed with an army of lawyers, gladly rubbing their hands together at the prospect of inflicting hundreds of thousands of massive fines upon unsuspecting small businesses as soon as the regulations come into effect.<\/p>\n\n\n\n

On this point its a useful reminder to always be mindful of the intentions behind what is written – some of the most incendiary content I’ve reviewed was written by so-called experts who have sprung up overnight to help small businesses through the “nightmare” of EU compliance.<\/em><\/p>\n\n\n\n

Of course, we live in a world where fake news often has more power to provoke reaction (and drive sales) than reality!<\/em><\/p>\n\n\n\n

The GDPR is about the processing of people\u2019s private data online and primarily aims to regulate businesses that do a lot of data processing – and especially businesses that make their money from selling or \u201cexploiting\u201d the data they collect about people.<\/p>\n\n\n\n

Think: data harvesting giants like Google or Facebook (Facebook’s recent scandal with Cambridge Analytica is a good example of the kind of misuse of data that the GDPR seeks to prevent)<\/p>\n\n\n\n

For the average Wishloop customer or small business owner at large, you’re unlikely to do any significant amount of data processing.  If you have a website with some opt-in forms on it, the EU isn\u2019t coming straight for your jugular.<\/p>\n\n\n\n

To summarise, as a small business entrepreneur, you are not the GDPR\u2019s main target.<\/strong><\/p>\n\n\n\n

And on the point of “massive fines for non-compliance”, the UK’s Information Commissioner, Elizabeth Denham, has publicly stated that fines will always be a “last resort<\/a>” action, explaining that “Predictions of massive fines under the GDPR that simply scale up penalties we\u2019ve issued under the Data Protection Act are nonsense”.<\/p>\n\n\n\n

In practice, the expected process for non-compliant websites looks something like this:<\/p>\n\n\n\n

  1. Your users\/visitors take up the issue with you directly.  For example, a user might ask you (the website owner) to see, change or remove their private data.<\/li>
  2. If you can\u2019t comply with that, the user can escalate this to a complaint, which would lead to a multi-step process by an EU data regulation agency, starting with an \u201cinformation notice\u201d.<\/li>
  3. Only if you are still not compliant after having received various notices and warnings will fines come into play.<\/li><\/ol>\n\n\n\n

    In short: there\u2019s no reason to believe you\u2019ll face immediate punishment for a missing link to your privacy policy or a poorly worded optin form.<\/p>\n\n\n\n

    That said, there’s never been a better time to put your house in order, update your privacy policy and, if applicable, amend you terms of service so they’re bang up to date.<\/p>\n\n\n\n

    <\/div>\n\n\n\n

    So what action should you take?<\/h2>\n\n\n\n

    Hopefully you’re now a bit less worried about GDPR compliance than you may have been previously.  Take a moment to smile again and breathe a sigh of relief.<\/p>\n\n\n\n

    \"\"<\/figure><\/div>\n\n\n\n
    <\/div>\n\n\n\n

    However that doesn’t mean you can simply ignore the regulations.<\/p>\n\n\n\n

    Even as a small business you’re undoubtedly processing data in some ways.<\/p>\n\n\n\n

    In their interactions with your business, your prospect and customers are sharing data with you and protecting people’s data and their privacy is important.<\/p>\n\n\n\n

    <\/div>\n\n\n\n

    GDPR and Email Marketing<\/h2>\n\n\n\n

    GDPR isn\u2019t primarily about email marketing (which actually falls under separate Privacy and Eectronic Communications Regulations or PECR<\/a>).<\/p>\n\n\n\n

    However GDPR does change the meaning of the concept of consent and user rights which is then expanded upon by PECR.<\/p>\n\n\n\n

    It\u2019s about how people\u2019s personal data is handled and email marketing contains such data (e.g. someone\u2019s email address).<\/p>\n\n\n\n

    The main rights given to EU citizens under the regulation are as follows:<\/p>\n\n\n\n

    1. The \u201ctell me what\u2019s going to happen\u201d right:<\/strong> Tell people what you will do with their email address before<\/em> they sign up.<\/li>
    2. The \u201cshow me my data\u201d right:<\/strong> Give people a view of the data you\u2019ve collected about them (probably only their name and email address).<\/li>
    3. The \u201cI want to change that\u201d right:<\/strong> Give people a way to modify their data (e.g. get the emails sent to a different address) and unsubscribe.<\/li>
    4. The \u201cforget about me\u201d right:<\/strong> Allow people to completely remove all data you have about them, if they request it.<\/li><\/ol>\n\n\n\n

      As we’ll see below, for Wishloop customers we’re involved only with item 1 above.  This is principally about making it possible for you to acquire the full consent from your subscribers and informing your visitors what will happen with personal data before it is submitted.  Only by providing full disclosure of what kind of emails someone will receive if they opt into your form, can they give the proper consent for it.<\/p>\n\n\n\n

      Unfortunately, in terms of its relation to email marketing, most \u201chow to be GDPR compliant\u201d content seems to suggest that you have to add multiple checkboxes, disclaimers and extra steps all over your website.<\/p>\n\n\n\n

      \"\"<\/figure><\/div>\n\n\n\n
      <\/div>\n\n\n\n

      Thankfully, while this is one way of addressing GDPR, its not the only way<\/strong>, and seldom is it the way that’s likely to impact least on your all important conversion rates.<\/p>\n\n\n\n

      <\/div>\n\n\n\n

      The Checkbox Myth<\/h2>\n\n\n\n

      So how do you make your opt-in forms GDPR compliant?<\/p>\n\n\n\n

      Well judging by the support tickets we’ve received and much of the literature online I think 90% of marketers would answer: \u201cby adding checkboxes!\u201d<\/em><\/p>\n\n\n\n

      I don\u2019t know where this idea came from, but GDPR doesn\u2019t mean adding checkboxes.<\/strong><\/p>\n\n\n\n

      Yes, you need the subscriber\u2019s explicit consent to send them emails, but a checkbox is not the only way (and definitely not the best way) to get this consent.<\/p>\n\n\n\n

      Think about it, nobody likes to read small print, and that’s what your typical checkbox amounts to.<\/p>\n\n\n\n

      \"\"
      Yuck!<\/figcaption><\/figure>\n\n\n\n
      <\/div>\n\n\n\n

      As you know, at Wishloop we’ve put a lot of emphasis on conversion optimisation.<\/p>\n\n\n\n

      We’ve made it easy for you to split test email signup forms so the last thing we (and you) want is to have to throw those high converting signup forms out of the window by covering them in checkboxes and disclaimers.<\/p>\n\n\n\n

      That’s bad for you, bad for the customer and even bad for the EU (where they take a share of your profits in the form of value added tax).<\/p>\n\n\n\n

      <\/div>\n\n\n\n

      What other options are there then?<\/h2>\n\n\n\n

      There are two approaches you can use to make your opt-in forms GDPR compliant without adding checkboxes or extra hoops for your visitors to jump through:<\/p>\n\n\n\n

      1. Change the copy in your opt-in forms<\/li>
      2. Change from single to double optin<\/li><\/ol>\n\n\n\n
        <\/div>\n\n\n\n

        Fix 1: Change the Copy<\/h3>\n\n\n\n

        Let\u2019s look at an example of a typical opt-in form, pre-GDPR:<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n
        <\/div>\n\n\n\n

        If someone signs up through this form and you then start sending them emails, that\u2019s not GDPR compliant.<\/strong><\/p>\n\n\n\n

        Why not?<\/p>\n\n\n\n

        Because there was no indication in this form that you\u2019d be sending emails<\/strong> (and visitors can\u2019t consent to something you haven\u2019t told them about).<\/p>\n\n\n\n

        The entire form is about getting a 30% discount for today only.  The visitor who signs up agrees to receiving a discount, but nothing else.<\/p>\n\n\n\n

        Here\u2019s what the form could look like, with modified copy:<\/p>\n\n\n\n

        \"\"<\/figure>\n\n\n\n
        <\/div>\n\n\n\n

        Here\u2019s exactly what we changed, to make this form GDPR compliant:<\/p>\n\n\n\n