gdpr for marketing

GDPR For Marketing: What You Need To Know For Compliance

Last updated on September 2, 2021|Published on December 16, 2020

Data sharing has become so prevalent in the digital world. Data is undoubtedly a valuable asset that is now ‘the oil of the 21st century’. That is why the digital economy is booming. However, the implementation of the General Data Protection Regulation (GDPR) has brought a wave in the digital world. The impact of the  GDPR on digital marketing is enormous. 

Read more about what constitutes the GDPR here.

It brought changes to the way data is governed, and the way advertising is carried out. Targeted advertising based on users’ profiles is not allowed without their consent. The concept of contextual advertising has gained ground since the introduction of privacy laws like the GDPR. The contextual advertising is based on the content that the user is looking at in real-time, such as blog posts, social media feeds, YouTube videos, and news websites. 

We will look at some tips for achieving GDPR compliance for marketing.

GDPR guide for digital marketing

Let us look at some crucial points for making your marketing activities GDPR compliant.

Audit your database

Most of the concerns regarding the GDPR compliance of your website can be tackled by auditing the database. 

Checking your website’s database and how you have handled (collection, use, storage, and transfer) their personal data can help determine the areas you need to focus on to make your system GDPR compliant. Marketing requires user data such as name, email address, phone number, mailing address, and payment information. All these constitute personal data since they can identify a living person. 

Assessing the type of personal data (sensitive or of children) can help you determine the appropriate safety measures to take. 

It can also let you know if your processing is on a lawful basis and follows the GDPR principles as given below:

Establish opt-in and opt-out systems

Opt-in and opt-out are two of the most important areas for digital marketing. Consent under GDPR has been widely discussed ever since the implementation of the regulation. You cannot use user data without their consent. Not only that, the consent has to be valid.

 Valid consent must be:

  • Freely given: do not force users into consenting to use their data. It also means you cannot keep non-negotiable terms and conditions for user consent.
  • Specific: do not confuse users with jargon and bundled requests for consent related to different processes. One consent request for one purpose and be specific. 
  • Informed: do not keep your users in the dark. Let them know everything necessary before requesting consent that would help them make an informed choice. They should understand why you need their consent, what happens when they consent, and most importantly, that they can deny consent. 
  • Unambiguous: Do not trick users into consenting. User silence or inactivity does not mean consent. The same is true for pre-ticked checkboxes. Avoid them at all costs. You must obtain consent via affirmative and explicit action. Say no to implied consent and “soft opt-ins.”

Another element of valid consent that you must keep in mind is that the withdrawal of consent must be made as easy as giving it. No confusion there as well. Get an easily accessible system for withdrawing consent at any time.

Also, you must be able to demonstrate proof of consent obtained, if required.

Various ways to actively opt-in are:

  • signing consent statements on a paper form;
  • ticking opt-in boxes;
  • clicking opt-in buttons or links;
  • selecting from yes/no options;
  • choosing technical settings or preference dashboard settings;
  • responding to emails requesting consent.

Your opt-in and opt-out systems, such as forms and cookie notices (more on that later), must incorporate all these elements to be GDPR compliant.

Is it in your legitimate interest?

Just like consent, legitimate interest has been quite a topic of discussion. Under the GDPR, your data processing must meet one of the lawful bases of the processing. And like consent, legitimate interest is one of them. 

Recital 47 of the GDPR says:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Directive marketing, if not always, may be considered as a legitimate interest. 

For marketing to be a legitimate purpose, it must comply with all applicable legal and ethical standards. To identify if your processing can be treated as a legitimate interest, ICO suggests conducting a Legitimate Interest Assessment (LIA).

LIA has three parts:

  • The purpose test: you have to determine if the purpose of the data processing can be treated as a legitimate interest.
  • The necessity test: whether the processing is necessary for the purpose. 
  • The balancing test: whether the rights and freedom of users outweigh the identified legitimate interest. 

Under legitimate interest (identified and verified per LIA), digital marketers can “Emails/text messages to individuals – obtained using ‘soft opt-in.’” However, you must provide an appropriate opt-out system as well.

Take cookie compliance seriously

Cookies are a significant part of web technology. Websites commonly use them to remember user preferences or identify users when they visit the next time. These are called first-party cookies.

The issue with cookies under the GDPR is when they track users’ personal data for targeted advertising or analytics purposes. Such cookies are called third-party cookies. Marketers have to use analytics and advertisements for their work. So you have to be aware of cookie compliance.

The use of cookies can be made GDPR compliant by obtaining user consent before loading them. User consent, as mentioned earlier, can be sought by various methods. The commonly used method is by displaying a GDPR-compliant cookie consent banner on the website.

cookie banner - gdpr for marketing

With CookieYes, you can install a fully customizable cookie banner on your website. It will automatically block third-party cookie scripts before getting user consent and logs all the consents received. 

CookieYes dashboard - gdpr for marketing

Assess third-party services

If you use third-party services for your marketing purposes, then you must identify how they collect data through the website and use it. 

You must review and confirm if their policies align with the GDPR standards. You must particularly know where they store the data (or their point of access) and if it has appropriate safety measures to keep the data safe.

Add/update the privacy policies

One of the major GDPR requirements is being transparent. The website’s privacy policies must explain how you (and the third parties) collect, use, handle, and protect the users’ personal data. You must also provide your contact information. All this information must be written in a lucid and concise style. 

You must regularly review and update it and inform the users if there is any change.

Creating a privacy policy is now easy with CookieYes Privacy Policy Generator. Generate the privacy policy quickly and free of cost! 

CookieYes privacy policy generator - gdpr for marketing

Refine email marketing

Email marketing is one of the most affected areas since the GDPR. You can longer send mass marketing emails unless you have user consent (or, as discussed earlier, if you have a legal basis to do so). 

You must provide double opt-in for subscribing to email newsletters. Double opt-in is a method to confirm users’ consent by sending an email with a confirmation link after they sign up to receive email services. It would also help if you include an unsubscription link with every marketing email. 

email subscription - gdpr for marketing

Implement user rights

Your marketing procedures must cover all the user rights under the GDPR. These rights ensure the protection of the users’ rights and freedom and give them more control over their data.

data subjects rights

You must ensure that you have an appropriate channel for users to request and exercise their rights. Response to these rights must be easy to understand and on time. In case you want to refuse to comply with the requests, there must be a legitimate and valid reason for it. 

Conduct risk assessments, secure data, and prepare for data breach

Conducting a risk assessment before processing is an ideal way to ensure security and protection. It will help in identifying the possible risks to data and taking appropriate security measures. 

You can secure the website and its content in several ways, especially by adopting privacy by design approach. Keep privacy in mind while designing the system and implement safety measures at the inception of the processing. You can use techniques like SSL encryption, data backup (with proper permission and compliance), and limited login.

With proper security planning in place, you can prevent data breaches. You must have a system to handle them and notify the authority and affected users on time

Document everything

Document your processing methods and every step you took for scouring your website. It will help you as proof of your compliance with the GDPR. You can also review them if such a need arises in the future. 

Wrapping up

The GDPR is an essential step towards making data sharing and online marketing safer and better. There are many examples of organizations making their framework GDPR compliant to keep their customers’ data safe.

You must strive to be compliant with the regulation and also prepare your team to follow it. It is not worth being on the wrong side of the law, which will attract negative attention. 

Disclaimer:  This article is for information purposes only. It does not intend to be a substitute for legal advice. Therefore, if you require any legal assistance, you should seek the services of an attorney.

Start a 14-day free trial

Trials start with all our features enabled. Cancel anytime. No credit card required.