GDPR – the last minute fix

Tweak your email marketing without the drama, scare tactics & hoops you've been avoiding.

Just in case you've been living in a cave, a new set of privacy laws has put global knickers in a knot.

Instead of just following the standard commandments of 'thou shalt not spam' and 'thou shalt build thine own list (and not buy dirty ones on eBay)' (you're on board with those, right?)...

Businesses around the world are having to step up and shout their love of privacy from the rooftops.

We respect your data!

Inboxes are a safe space!

And so on.

All of it true already, especially if you're marketing The Funnelry way and creating subscriber experiences.

GDPR stands for General Data Protection Regulation and it's a set of regulations (duh) affecting any business that has web visitors, clients/customers or subscribers in the EU or UK, wherever the business itself is based.

(Technically, Brexit means the UK is covered by its own near-identical copy, the UK GDPR, but that's a boring distinction - so they can wear their GDPR hat and like it.)

So if you have zero chance of attracting a single web visitor or subscriber located in the EU/UK, you can go now.  Yes, you'll be slinking out the back all alone, stopping at the door, looking guilty and uncertain... annnnnd sitting back down. Good choice, because all the other countries around the world are scaling up their own data protection laws at this very moment. May as well get it sorted now.


1. Rename it to Privacy Notice.
The name itself isn't dictated by the regulation (the ICO uses 'privacy notice', which is why it's become the standard), but the content is: you have to tell people what you collect and why, in plain language, at the point you collect it. Calling it a 'privacy policy' and burying it in a footer doesn't cut it.

2. Scrub most of it.
Your privacy notice needs to be understandable by a child (reading age 10 or so). so legalese is out. So is all the blah blah blah that means nothing. The free generators are hanging back until they get paid a chunk, so you'll have to write it yourself. If you don't want to pay for a template - which is really just section headings with examples - go take a look at someone's you think is pretty good and use it as a guide. 

3. Get honest
Don't get hung up on this bit. Nobody is going to drag you into court because your privacy notice sounds too fancy/too simple, they just want you to lead with honesty and clarity. Your privacy notice will be an evolving communication, so use a version note at the top <-more about this soon.

According to IT Governance (and expanded by my no-fuss self), you'll need to cover off:

  • Who is collecting the data?
  • What data is being collected & what will you do with it?
  • What is the legal basis for processing the data? (usually: they consented during opt-in, they're an existing client/customer, or you have a legitimate interest - more on that below)
  • Will the data be shared with any third parties?
  • How long will the data be stored for? Where (eg, your secure office, email provider etc)?
  • What rights does the data subject have and how can they enforce them? (opt out = unsubscribe, be forgotten = deleted, see data = be weird, but it's a real right called a subject access request, so be ready to export what you hold on them)
  • How can the subscriber raise a complaint?

So yep, just answer those questions honestly and you'll be good.


You have 2 options here. Pick one.
If you're with Mailchimp, you've probably noticed their compliant form is the most unappealing thing since home-made toilet paper. This is unfortunate, but if you're on WordPress you can install lots of 3rd party form creators that are super pretty and let you do this. I use Thrive Leads (aff link).

First option

See that snazzy tickbox on the form? 

See that privacy notice under the button and how it includes the link?

This is best practice. In the online marketing niche, it's expected that you'll send newsletters AND sales emails, so yes you can bundle them. If you've heard that 'bundling is bad', this isn't what they mean.

Did you know you can get consent without sounding super boring? True story! Add some flavour, zing and appeal to your tickbox text and you'll get more people ticking it.
But you can't pre-tick it for them. A pre-ticked box (or silence, or just scrolling past) doesn't count as consent under GDPR; the tick has to be their own clear action.

Keep your privacy statement pretty dull though. Blah.

Second option

See that expanded statement underneath the button?

It's clear, it's at the point of sign up, and it clearly says heads up, stop here if you don't agree.

This one is getting close to the whole bundling is bad scenario, since I'm declining to share my products for free.  Shock! The price is consent. We're businesses using this to grow our reach and build up leads, we do not have to donate our opt-in goodies with no right to follow up.

Since we're being up front with that price, it passes the GDPR test. This is exactly where the 'freely given' rule bites, though (the regulation says consent can't be a hidden condition of getting something), so the statement has to be unmissable. You could even make it bigger, or put it above the button to really bring attention to it.


Some email providers make you use a thing we call 'double opt-in' or 'double confirmation'. It's that fun-blocking email they send to new subscribers that says "are you sure you meant to sign up for this list? She's pretty dodgy you know..."

Okay, it doesn't say that last bit. It just feels that way sometimes.

If you are set up to send double confirmations, or you want that extra piece of consent, customize your email so people WANT to click it. Take a look at the language on the example below. No legalese or long-winded text nobody reads. 
Just a simple yes/no option.
(And for those playing along with the persuasion game, offering that extra NO option forces a choice. If you only offer a yes choice, you're more likely to get ignored.)


You know how when people sign up to your list they go into certain segments, get tags added, duplicate to another list, trigger another email, etc... 

Whatever your preferred method of tracking and maintaining your subscribers (I'm a tag girl), mark all new additions with your Privacy Notice version.

As in, 'GDPR OK V1'

That's the tag I use in ActiveCampaign (aff link). It's automated, so I don't have to pay attention to it. But next time I update my privacy notice, I'll update that tag too, so new people from that point forward get the V2 tag.

Why? This is part of your proof of consent....(more soon)


1. Go retro
GDPR has instructed us to climb into our time machine and make sure we have consent for everyone in the UK/EU who is already on our list.

Er ok...

Working within the confines of reality (dammit) that means you need to send an email (or 10) asking these subscribers - including any you're unsure of country - if they'd like to keep getting newsletters & sales emails from you. 

(Your email provider records this geodata for you, don't panic if you haven't been asking for country at signup! It's guessed from the IP address at opt-in or open time, so it's approximate - treat 'unknown' and anything borderline as EU/UK.)

Unfortunately, your subscribers are sick to death of hearing about GDPR, so they're ignoring these emails.  You'll have to unsubscribe anyone who doesn't re-up before May 25. EXCEPT...

You have this thing called 'legitimate interest'.

It's not a loophole, it's one of the lawful bases GDPR itself lists (Article 6(1)(f)), alongside consent and contract. Any subscriber you can show has a genuine, ongoing relationship with you gets to stay without reconsent - as long as you've weighed their interests against yours and they can still object (which, for email, means the unsubscribe link always works).

And since the regulation leaves 'legitimate' for you to justify, let's define it as 'skin in the game'

  • They've bought something from you (products, downloads, services)
  • You've done a call with them
  • You've coached them in challenges
  • They've opened most of your emails, clicked most of your links and are basically stalking you (this is the thinnest of the four - engagement alone is a weaker argument than a purchase or a call, so write it up carefully)

You get the idea. There's a (usually reciprocal) legitimate interest.

Legitimate interest is flexible, but it isn't whatever you say it is. The ICO's three-part test is the yardstick: what's the purpose, is the processing necessary for it, and does your interest outweigh theirs. So you need to:

a) argue it (write the three answers down, the ICO calls this a legitimate interests assessment)
b) prove what you're arguing (purchase records, call notes, challenge sign-ups)

Remember how you tagged people as GDPR V1 OK? You'll want to run a search for these people and tag them with GDPR_LEG_INT (legitimate interest)

2. Put on a show

For those subscribers you DO need to reconfirm, a simple email won't do diddly. They're not going to click it. But if you put on a show and make it worth their while, you're in!

That means a value-bomb newsletter with no other link than 'to make sure you keep getting <whatever it is you just bombed them with> from me, click here'

The ones who click it get tagged GDPR_RE-CONF.

The ones who don't open get it re-sent with a different subject line - at least once.

The ones who opened it but didn't click? Hop to it and send them another value bomb!

(Or be super smart and sell them something small, real quick. Hello legitimate interest!)

3. Show your privates

At some point you'll need to say hey look at my new privacy notice. They don't have to click it though, so send a normal person email full of normal people words and not GDPR threats or definitions (zzzzzzzzz), with a shout out to your new privacy notice at the bottom. Link it for the nosy. Then get on with business.

4.  Unsub the rejects

On the 26th May, any EU/UK sub who hasn't shown you some clicky love gets unsubscribed. Their loss. They clearly weren't engaging with you, buying your stuff, hiring you or interested in you anyway. Let it go, let it go! (And since you no longer have a basis to hold their data, delete the records too rather than leaving them sitting in an 'unsubscribed' segment forever - unsubscribing only stops the sending.)
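To make the tagging from earlier and the May 26 cut-off rule auditable rather than a thing you eyeball in a segment, here is the same logic written out as a small script. This is an added example, not the author's ActiveCampaign automation and not any provider's API: the tag names are the ones used in this post, while the subscriber records, IP addresses, timestamps and the trimmed set of in-scope country codes are constructed sample data.

```python
"""Tag-based GDPR audit for an email list.

Added example (not the author's setup). Tag names come from the post;
subscribers, IPs, timestamps and the IN_SCOPE country set are constructed
sample data, not real records.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set

TAG_CONSENT_PREFIX = "GDPR OK V"   # "GDPR OK V1" = consented to notice version 1
TAG_LEG_INT = "GDPR_LEG_INT"       # documented legitimate interest (LIA on file)
TAG_RECONF = "GDPR_RE-CONF"        # clicked the re-confirmation link

# Hypothetical, trimmed list of in-scope ISO country codes. A real deployment
# would hold all EU/EEA member codes plus GB.
IN_SCOPE = {"GB", "IE", "DE", "FR", "NL", "ES", "IT"}


@dataclass
class ConsentEvent:
    form_id: str          # which opt-in form (matches the screenshot in your doc)
    notice_version: int   # privacy notice version shown on that form
    ip: str               # IP is personal data too: keep only as long as needed
    at: datetime


@dataclass
class Subscriber:
    email: str
    country: Optional[str]                 # None = provider could not geolocate
    tags: Set[str] = field(default_factory=set)
    consent_trail: List[ConsentEvent] = field(default_factory=list)


def record_consent(sub: Subscriber, form_id: str, notice_version: int,
                   ip: str, at: Optional[datetime] = None) -> None:
    """Append a consent event and the matching notice-version tag."""
    at = at or datetime.now(timezone.utc)
    sub.consent_trail.append(ConsentEvent(form_id, notice_version, ip, at))
    sub.tags.add(f"{TAG_CONSENT_PREFIX}{notice_version}")


def lawful_basis(sub: Subscriber) -> Optional[str]:
    """Return the basis this subscriber stays on the list under, or None."""
    if TAG_RECONF in sub.tags:
        return "consent (re-confirmed)"
    for tag in sorted(sub.tags):
        if tag.startswith(TAG_CONSENT_PREFIX):
            return f"consent ({tag})"
    if TAG_LEG_INT in sub.tags:
        return "legitimate interest"
    return None


def in_scope(sub: Subscriber) -> bool:
    """Unknown country counts as in scope: err towards asking, as the post says."""
    return sub.country is None or sub.country in IN_SCOPE


def unsubscribe_candidates(subs: List[Subscriber]) -> List[str]:
    """In-scope subscribers with no recorded basis: these get unsubscribed."""
    return [s.email for s in subs if in_scope(s) and lawful_basis(s) is None]


def sample_list() -> List[Subscriber]:
    """Constructed sample data covering each branch of the rule."""
    alice = Subscriber("alice@example.com", "GB")
    record_consent(alice, "homepage-optin", 1, "203.0.113.7")
    bob = Subscriber("bob@example.com", "DE", tags={TAG_LEG_INT})   # bought a product
    carol = Subscriber("carol@example.com", None)                    # unknown country, never re-upped
    dave = Subscriber("dave@example.com", "US")                      # out of scope, no tags
    erin = Subscriber("erin@example.com", "FR", tags={TAG_RECONF})   # clicked the value-bomb link
    return [alice, bob, carol, dave, erin]


if __name__ == "__main__":
    subs = sample_list()
    for s in subs:
        print(f"{s.email:20} scope={in_scope(s)!s:5} basis={lawful_basis(s)}")
    print("unsubscribe:", unsubscribe_candidates(subs))
```

Run it and only carol comes out as an unsubscribe: no country on file, no consent tag, no legitimate-interest tag. Dave has nothing on file either but is out of scope, so the rule leaves him alone. The point of keeping the version number in the consent tag is that when you publish notice V2, existing tags still tell you exactly which wording each person agreed to.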


Since consent underlies the entire dealy-o, and we're all about consent these days (remember, nobody wants tea while they're unconscious)...

We need to have a record of consent. Your email provider has most of this covered with the digital trail of 'came in via x form at x time from x IP address' etc. That stuff is standard.

And you've gone in to make sure the privacy notice version they just agreed to is added to that consent trail (eg the tag GDPR OK V1), or that you've tagged them as covered by legitimate interest instead.

Now you have to record what the heck that all means.

  1. Open up a blank doc
  2. Screenshot your opt-in form & paste it in
  3. Add a note underneath saying what version of the privacy notice this refers to.

    Because you'll likely update your privacy notice more often than the form, you can just come back and add version numbers underneath.
  4. Keep a record of your privacy notices, in all versions. Paste them in this doc or make a new one just for notices.
  5. Write a new heading called Legitimate Interest
  6. Write, as if you were talking, what you're counting as legitimate interest and why.

    eg, "Subscribers who've bought my set of 'essential scripts' are covered under legitimate interest as this was a voluntary paid purchase, making them ongoing customers with an interest in more scripts, funnel help and other offers that help them reach their email marketing goals."

    Rinse & repeat for each argument you're making. Yes, you can re-use your explanation where appropriate & simply swap in each reason.
  7. You could even make an argument that anyone who has downloaded one of your free opt-ins is covered under legitimate interest, but I'll leave that up to your persuasive abilities. 

Save these tracking docs in the cloud (somewhere access-controlled, not a public share link), so even if your computer crashes you can still whip them out and go "Ha! See? Covered!" if the privacy police ever come knocking (99.999999% unlikely).

And there you have it! 
GDPR isn't all that scary and you were already doing all the right things. Running through a few extra tweaks now means you can also tick the compliance box and get back to building and serving your list.