Being a marketer in the GDPR era means you have to rethink your approaches to marketing and balance your goals at the same time. Marketing is an area where GDPR has shown considerable impact — ad retargeting, opt-in forms, and so on.

Remember that GDPR isn’t designed to impede marketing — rather it gives businesses a push to take a more strategic approach. Many feel it has led to better quality data that is more impactful in driving business. In fact, marketers are using this as an opportunity to explore user-centric and engaged marketing efforts than the usual one-size-fits-all approach.

Before we look at practical steps that digital marketers can take for GDPR compliance, let’s brush up on the basics.

GDPR compliance for ecommerce businesses - are your analytics ready?

The basics of GDPR

GDPR is centered around two key principles:

  • Individuals (users of your website, consumers, anyone whose data will be processed) will have rights on their personal data including the ability to review, amend, delete or challenge any data processing.
  • Businesses need to establish a lawful basis for processing personal data. They should respect users’ right to privacy while handling their data, implement security measures to protect the data from breach or misuse.

Consent and the lawful basis for processing

GDPR establishes six legal bases for processing personal data — consent, contract, legal obligation, vital interests, public task, and legitimate interests.

Digital marketers usually process data on the lawful basis of consent because marketing is not typically done to uphold a contract/legal obligation or falls within your legitimate interests.

GDPR defines consent as any freely given, specific, informed, and unambiguous indication of a user’s wishes through a clear affirmative action that signifies agreement to the processing of personal data.

gdpr compliance

GDPR’s impact on digital marketers

Data collection gets leaner

Because data collection under GDPR requires explicit consent and can't be bundled with other terms & conditions, marketers tend to end up with smaller prospect lists and email contacts. But, is this bad news? No! Many marketers have noted that GDPR has helped them adopt a user-centric approach to email marketing and that outreach emails had better reception and conversion because they have more engaged users.

Regulatory authorities are not taking unsolicited email and SMS marketing lightly, however. For instance, Italian telecom company TIM was issued one of the biggest GDPR fines of €27.8 million for their aggressive marketing which skirted GDPR rules, including unsolicited calls and invalid opt-in forms.

Retargeting gets a new spin

GDPR has had a direct impact on retargeting via third-party cookies and restrictions on automated decision-making. Thus, it forces marketers to rethink their methods when collecting behavioural data through cookies, using Google Analytics or location beacons, monitoring internet user activity, and employing cross-device tracking.

Marketers are increasingly looking at first-party data for marketing and personalization, with some noting higher impact as data comes directly from the consumer. Websites are also adopting user-friendly, non-intrusive cookie consent banners as the best compromise between compliance and marketing.

Tip: Using Facebook Ads to acquire customers? Maintain your high-ROI advertising strategies with the new Facebook Conversions API (FB CAPI)

Users have increased access

GDPR gives users the right to access, amend and erase personal data you collect from them. This means users have the right to be forgotten and the right to withdraw their consent — Think something as straightforward as putting an unsubscribe link in your email.

Whether it’s an erasure request or an access request, marketers should have a clear understanding of where and how data is stored. To this end, websites have adopted consent management platforms (CMPs) and customer relationship management (CRM) tools to simplify and automate the management of user requests.

gdpr checklist

The GDPR Checklist for Digital Marketers

Conduct a data audit

Before anything else, you'll need to identify the kind of personal data you are collecting, storing, and processing. Assess the categories of data you collect throughout your website or for lead capture. This includes:

  • Names
  • Emails
  • Phone numbers
  • Social media IDs and profile URLs
  • IP addresses
  • Device IDs
  • Bank account numbers and credit card information
  • Geolocation data

If you collect sensitive personal data relating to race or ethnicity, political opinions, religion, genetic or biometric data, you need to put additional provisions in place such as acquiring parental consent, a Data Protection Impact Assessment (DPIA) or appointing a Data Protection Officer (DPO).

Identify and map all areas in your marketing systems where personal data could exist. These locations might include a website database, CRM database, marketing automation lists, backup files, and data caches.

Tip: Want an expert audit of your data along with custom benchmarks to target based on others in your industry? Get both when you try Littledata free for 30 days.

Limit data collection

After your data audit, figure out which data are important to your business. Delete data that isn't required for the purposes under which you obtained consent. For instance, you may not need someone’s date of birth to send an email newsletter unless it has age-sensitive content.

Similarly, delete any unresponsive or inactive leads.  Cleaning your email list and removing unengaged subscribers is not just helpful for GDPR compliance, but also improves the health of your marketing campaigns.

If you collect data for a limited-time marketing campaign, be sure to stop any further processing once the purpose has expired. Simply put, take a leaner approach to data collection and collect only the necessary information.

Use active opt-in forms

Remember, to collect and store personal data you have to obtain clear and explicit consent. As we’ve seen, consent should be freely given, specific and unambiguous. This means consent should be voluntary i.e. the user must have a real choice.

newsletter signup form

This is an example of a simple, clear opt-in form with a checkbox that asks explicit permission to send marketing emails. In this example, the user must take deliberate and specific action to opt-in or agree to their data to be used for the newsletter list.

Another important aspect of GDPR is to provide users with information on how you collect, use, share, secure and process users’ data, so linking your privacy policy in your forms can achieve that.

Web forms should offer clear details about how the data will be used and give users the choice to opt-in for it, rather than using bundled consent. For instance, if you are using a form to collect emails for providing a service, then you should use a separate opt-in checkbox if you intend to use the email for any other purpose. Also, note that if your web forms are connected to a marketing automation platform it's important that these tools are GDPR compliant.

Use double opt-in for emails

A double opt-in is when a user signs up on a form and they receive an email asking them to confirm their subscription. Once they click on the link in the email and confirm, only then are they added to the email list.

newsletter subscription confirmation

GDPR is all about consent, so it’s critically important that businesses demonstrate proof that users have consented. If you have evidence that a customer has entered details into a signup form and clicked on a link and confirmed their subscription, it’s hard for anyone to dispute that consent was taken. It also makes it easy for users to withdraw consent from subscriptions — something you should clearly show them how to do if desired.

Note that GDPR does not mandate a double opt-in process, but it is considered a best practice and is recommended in countries like Germany and Switzerland. A double opt-in process will also improve the quality of your email list and also reduce unsubscribe rates.

Update privacy policy

Your privacy policies should primarily accomplish the following to be GDPR compliant:

  • Inform users about the personal data you collect, your purpose for collecting, and how you are ensuring that their data is protected
  • Be available in a concise, transparent, and accessible form
  • Be written in clear and plain language
  • Describe the users’ rights and direct users on how to exercise them

Here’s a list of questions that your privacy policy should answer:

  • What data do you collect?
  • How do you use your data?
  • How do you store data?
  • What are users’ rights under GDPR?
  • What type of cookies do you use?
  • How can users manage these cookies?
  • Are there any recent changes to your privacy policy?
  • How to contact you?
  • How to access, modify or delete user data?

You can use a tool like this Free Privacy Policy Generator to generate a privacy policy in minutes.

Revamp cookie consent

GDPR brought cookie consent to the forefront, meaning websites cannot load cookies on users’ devices without first getting their consent. But, cookies are crucial to digital marketers for behavioural targeting and retargeting ads. So, how do we balance both worlds? A simple and effective cookie consent banner is the answer. Multimedia company Axel Springer tested their cookie consent messages noting that users opted in when there was an effective cookie consent notice.

Cookie consent tools like CookieYes can help implement a simple, user-friendly cookie banner. You can customize the banner and tailor it to your website’s design for the best user experience.

Marketers should also ensure they’ve recorded cookie consents in a compliant manner, something a consent database does well. CookieYes is one such tool, as it maintains a consent log with an anonymized IP address, country, consent status, and timestamp of consent.

cookie opt in

You’ll also want to make sure iframes from third-party sites like YouTube don’t place cookies on a user’s device. To avoid this, have your cookie banner auto-block third-party scripts until the user gives consent.

cookieyes dashboard
CookieYes has a single dashboard to manage all your cookie consent requirements.

As users now have the right to be forgotten, cookie consent banners must also support users' right to withdraw cookie consent via a cookie widget on your site.

When you ask for cookie consent, you need to:

  • State the purpose of your cookie use
  • Allow users to accept or decline the use of cookies
  • Provide users with the option to give granular consent
  • Block cookies from loading until users give consent
  • Allow the user to withdraw consent at any time for each purpose
  • Be able to demonstrate that the user has given consent
  • Link cookie policy for detailed information on cookie usage


Since that was a lot of info, here’s a checklist that you can use to implement GDPR compliant marketing.

  • Conduct an audit and review the data you collect and
  • Obtain explicit consent for data collection
  • State the specific purpose for using data
  • Use active opt-in forms on your website
  • Use double opt-in for your mailing list
  • Update your privacy policy
  • Revamp your cookie consent consent

This is a guest post from Kavya, Content Writer at CookieYes. When she’s not typing away at her desk, she loves trawling for Irani cafes and old bookshops.

Subscribe to Littledata news
Stay up to date on Littledata career opportunities and company updates.
We respect your privacy. Your information is safe and will never be shared.