
How to Navigate Customer Consent Under the GDPR


With the General Data Protection Regulation (GDPR) applicable date looming ahead, growth marketers are weighed down by more questions every day. Am I gaining the right consent? Is an opt-out enough? How will it affect analytics and web tracking?

The GDPR will have its biggest impact on growth marketers. And there is no doubt that the uncertainty surrounding the regulation has caused an array of emotion and confusion.

At Activate, we encouraged growth marketers to “Keep Calm and Comply.” By identifying ways in which marketers obtain Personal Data, an effective GDPR strategy can be built. It’s simpler than you may think!

Personal Data is a necessary means for building a truly relevant, omni-channel experience. To begin, growth marketers should identify what types of identifiable data are obtained from customers and prospects. Personal Data can include name, email, user ID, photo, gender, location, IP address, or an online identifier, such as a cookie.

Secondly, growth marketers will need to establish a legal basis for processing Personal Data through email, SMS, and other messaging channels. The GDPR ensures that the collection of Personal Data is fair, transparent, and not excessive, through a more restrictive basis for processing Personal Data.

Article 6 of the GDPR provides six lawful grounds for the processing of Personal Data. Two of these six legal grounds form the foundation of an effective growth marketing strategy under the GDPR: Legitimate Interests and Consent.  

Legitimate Interests: Protecting Customers’ Fundamental Rights

As stated in Article 6.1 of the GDPR, the legitimate interests ground applies only to the extent that the processing of Personal Data is necessary for the purposes of the organization’s interests. A legitimate interest can exist where an individual is a client or has contracted for services.

For example, when an individual makes a fast food purchase online, they are required to provide their delivery address as a client of the fast food merchant. The fast food merchant has an interest in fulfilling the delivery, so the use of their Personal Data is a legitimate interest.

Although the above example may be considered a legitimate interest, it does not allow the merchant to use the individual’s Personal Data for any purpose outside of the food delivery purchase.

For instance, the merchant cannot use the individual’s delivery address in the future to send promotional coupons for fast food purchases—without the explicit consent of the customer.

Important to consider: the fundamental rights and interests of the individual can override the organization’s legitimate interest, such as where an individual does not reasonably expect further processing of their Personal Data. Ultimately, legitimate interests are a balance of the organization’s objectives and the individual’s fundamental rights.

To better understand your organization’s legitimate interests, work with your legal and compliance teams to assess your business objectives.

Consent: Don’t Pass “GO” Without It

Where data processing is based on consent, your organization must be able to demonstrate that informed consent was given by the individual whose Personal Data is processed. As discussed in Article 4 of the GDPR, consent must be freely given, informed, and unambiguous.

For example, an online retailer can offer customers the opportunity to opt in to specific promotional email subscriptions through an unchecked toggle during the order process.

It is important, therefore, to ensure that an individual’s consent to the processing of their Personal Data is not buried in standard terms and conditions and that it is instead set out separately from other provisions.

The GDPR makes it clear that withdrawal may occur at any time, and individuals should be made aware of this right before consent is given. Your organization will need to ensure that it is as easy to withdraw consent as it is to give it.

The right of withdrawal is considered a necessary aspect of consent, and if the right to withdraw does not meet the GDPR’s requirements, then consent will not have been validly obtained.

At Activate, we identified two central growth strategies that will be most affected by the processing of Personal Data under the GDPR: 1) Web Tracking and Analytics and 2) Message Personalization.

1. Web Tracking and Analytics

Under Recital 30 of the GDPR, online identifiers such as IP address and cookies are considered Personal Data. So what does this mean for the growth marketer?

Any online identifiers collected or processed through web tracking or analytics can be considered Personal Data, and collecting or processing them will require consent.

Growth marketers will need to re-evaluate their web tracking and analytics strategy, as notifications of Personal Data processing can no longer be buried in the terms of services or privacy policy. Marketers should focus not on whether they will ask for consent, but how they will ask for consent.

Under the GDPR, simply providing a notification stating that “by using this site, you accept cookies” is insufficient. Instead, growth marketing teams should create an untoggled consent box through which consent can be freely given and freely withdrawn, that is not a precondition to using the services, and that describes the purpose of each type of processing of Personal Data that occurs.

2. Message Personalization

There’s no doubt that personalization is key to building an effective omni-channel marketing campaign, as it drives user engagement and provides consistent value to the customer and prospect. The GDPR changes the way in which growth marketers personalize marketing messages by requiring consent to use an individual’s Personal Data.

At Activate, we discussed two ways to implement standard user options for gaining consent: a subscription center and privacy by design.

Subscription Center

Creating a subscription center gives customers and prospects the ability to unsubscribe from, or selectively opt in to, marketing campaigns and to choose the content they would like to receive.

Execution should involve creating a landing page for subscription options and an operational smart campaign to manage those subscriptions.

Additionally, modify each email and content landing page to include clear unsubscribe or opt-out language, so that an individual can remove themselves from email communications through the subscription center.

A subscription center will not only provide clear consent but, as a growth marketing best practice, also increase segmentation and communication accuracy, creating a more personalized experience for the customer or prospect. Iterable’s own subscription center is coming soon, so stay tuned!

Privacy by Design

Implementing privacy by design will not only build customer and prospect trust, but also ensure that privacy and consent are part of your organization’s growth marketing strategy.

To start, dynamic lists, also known as “smart lists,” should be created to run opt-in marketing campaigns and manage user preferences under GDPR governance. Dynamic lists automatically segment customers in your CRM, like Iterable, to exclude individuals from marketing campaigns.

Dynamic lists can be used to filter out contacts who have unsubscribed, requested to be suspended, have an invalid email address, or have requested to be blacklisted.

Additionally, your organization should add a consent field on every information request form, so individuals can opt in for a single instance or a set period of time, or opt out entirely of your organization’s marketing campaigns.

While not required by GDPR, double opt-in consent campaigns provide an added layer of security for organizations looking to ensure compliance.

Double opt-in campaigns are also recommended for some countries like Germany, where double opt-ins are not explicitly required by law but are generally regarded as a marketing best practice.

Keep Calm and Comply With the GDPR

For the growth marketer, complying with the GDPR may seem overwhelming. However, by identifying what types of Personal Data are being processed and how, an effective GDPR-ready growth strategy can be built. We’ve created a customizable worksheet to begin the process.

The GDPR encourages growth marketers to integrate regulation requirements into the fabric of their daily operations, to ensure privacy by design, transparency, and trust, on a continuous basis.

It is important to remember: the GDPR does not prevent organizations from communicating with their customers; rather, it improves data quality by diving deeper into what prospects and customers value.

For questions or concerns regarding the GDPR or to learn about how Iterable is preparing for the GDPR applicable date, please reach out to us at compliance@deviterable.wpengine.com. We’d be happy to help!

Sarah Gounder

Sarah Gounder is Compliance Manager at Iterable, bringing a JD and a strong marketing background to the team. Prior to attending law school in the Bay Area, she spent five years as a marketer for CBS Radio, ending her tenure as Director.