Examining the Impact of GDPR One Year In

Ready For More Act-On?

Complimentary guided product tours, talk to our experts, learn how we can help you.


On May 25, 2018, the highly anticipated European General Data Protection Regulation (GDPR) took effect. Now that digital marketers have had ample time to adjust to this new legislation, we’re going to take a closer look at how GDPR is impacting consumers and businesses alike — as well as how and why to implement several best practices for GDPR compliance.

Is GDPR Working?

What Is GDPR and Why Was It Created?

The European General Data Protection Regulation legislation was passed to create greater, more uniform data privacy protection for all residents of the European Union. The law stipulates harsh penalties for non-compliance for any business marketing to and collecting behavioral data of individuals in the EU. Fines for non-compliance can be as high as 4% of global revenue, so companies are highly incentivized to follow GDPR regulations.

To summarize, the goals of GDPR include:

  • Providing citizens greater insight into how their data is collected and more control over how their data is used.
  • Clarifying and simplifying the legal expectations for businesses of all sizes.
  • Consolidating disjointed regional data privacy regulations into one cohesive and codified set.
  • Improving regulatory compliance of all digital transactions — both visible and hidden from consumers.

To achieve these goals, GDPR requires different protocols for businesses to gain and maintain consent throughout their marketing activities and channels.

Gaining User Consent

GDPR has significantly narrowed the concept of user consent and now requires users to take “clear affirmative action” before a company can begin marketing to them. This consent must be “freely given, specific, informed, and unambiguous.” For instance, pre-checked consent boxes on submission forms are no longer allowed, as they require no real action on the user’s part and don’t necessarily imply they’ve given consent to receive marketing material.

Further, GDPR stipulates that businesses must receive a “double opt-in” from their users before they can market to them, which means providing consent on at least two separate instances. For example, you should create forms with clear, unchecked consent boxes and then also send a confirmation email where the user can confirm their consent by clicking on a link. GDPR also requires all organizations to provide proof of consent for each of their contacts, and failing to do so could lead to severe penalties and fines.

Lastly, consumers can leverage GDPR to submit a “subject access request” that allows them to access the personal data that each organization has on them, why that organization has the information, and how they’re using it. Nearly half of the 18,000 data protection-related complaints that the Information Commissioner’s Office (ICO) received in 2016 were related to mishandled subject access requests (1). This personal information is extremely important to users, and GDPR is attempting to make it easier for them to collect.

Providing Clear and Simple Opportunities to Opt Out

GDPR is also committed to making it easier for users to opt-out of receiving communications from businesses. Like CASL in Canada and CAN-SPAM in the United States, organizations are now required to make it easy for users to update their preferences, withdraw their consent, or be removed from a company’s database.

By “easy,” we mean:

  • Users shouldn’t have to visit more than one page to opt-out
  • Users shouldn’t have to log in to opt-out
  • Users should only be required to provide their email address to opt-out
  • Users should not be charged a fee to opt-out

Again, failing to follow these statutes could lead to severe punishment.

GDPR and Privacy Policies

One of the principal goals of GDPR is to encourage transparency, which means companies are now required to disclose how they’re using their subscribers’ and website visitors’ information — and they must do so in a way that is clear and simple. According to one infamous study, it would take roughly 76 workdays to read all the privacy policies we encounter in a year (2), so the goal is to reduce that number drastically.

Under GDPR, each organization’s privacy policy must be easily accessible, concise, transparent, intelligible, and free of charge to access. It must be written in clear language that is easy to understand, so you should also clearly define any ambiguous or confusing terminology you’ll be using and avoid legalese wherever possible. Further, each online form must also include a clear link to the company’s privacy policy.

Lastly, if the organization will be collecting data from third-party sources, they are required to provide additional information about the data and its source.

Using Act-On to Manage Constent for the GDPR

Is GDPR Working?

Initially, business leaders and experts from different fields were extremely excited about GDPR. Speaking with Verdict of the potential impact of GDPR, Giles Pratt (IP and technology partner at Freshfields) said:

“The EU regulators have introduced a pioneering piece of legislation that looks likely to set the bar for data privacy standards around the world, and offers opportunities for closer working practices among international privacy professionals in business and the regulators they engage with.”

Yet while the road to GDPR compliance is slowly being paved with good intentions, early returns suggest many companies still have a long journey ahead of them on their path to compliance. Since the legislation took effect in May of 2018, there have been more than 200,000 reports of minor and major GDPR breaches in over 30 countries according to a report published by the European Data Protection Board — which consists of numerous regulators from across the region. In all, roughly $56 million in fines have been doled out by various watchdog groups, but $50 million of that came from a single fine for Google (3).

According to Mathias Moulin, a panel member of the CNIL (the French watchdog group that handed down the fine to Google), the fine was based on a “massive and highly intrusive” breach and was based on several different factors — including the “scale… and the size of the company.” While the fine was merely a drop in the bucket for a company like Google, which boasted $137 billion in revenue in 2018, Moulin suggests that the past year “should be considered a transition year.”

That statement suggests that we can expect there to be stronger monitoring and enforcement of GDPR, which serves as a warning to organizations that have not yet prioritized GDPR compliance in their marketing efforts. It seems fair to give businesses (especially small- to mid-sized businesses) more time to implement better procedures for GDPR compliance before handing out major fines, but that time could be quickly running out as GDPR moves into its second year. Therefore, it’s important that you do your best to become GDPR compliant as soon as possible — for both the health of your business and the confidence and security of your customers.

GDPR Compliance Best Practices

Public perception is that many companies are deliberately making it more difficult for web subscribers to opt-out of their subscriptions, and based on the number of infractions reported above, it’s hard to argue that point. And that’s why GDPR was created in the first place: to increase data privacy and security and allow consumers to browse the internet more freely and with more confidence.

So far, GDPR has yet to achieve that goal, but with the so-called “transition year” behind us, the time for excuses has come to an end. Now, it’s time to learn and follow basic GDPR best practices to enter compliance, improve consumer confidence, and increase your company’s revenue.

Update Legacy Contacts

GDPR allows organizations to communicate with existing users, but only if you have previously received active consent. If, however, your sending lists include users who we automatically opted in, you need to reach out requesting their explicit consent to continue marketing to them.

Review your lists to determine which contacts have actively opted in and which contacts have not. Then, email your list of contacts that still need to actively opt-in asking their permission to continue messaging them. Make sure the language of your email is honest, friendly, and direct with a prominent CTA button inviting them to opt-in. If a subscriber does not respond within 10 days of your email, send a final follow-up email letting them know they’ll be removed from your list if they fail to opt-in. If they still haven’t taken action after five days, you should remove them from your list entirely.

Require Additional Consent Boxes

Previously, when a user would sign up for a trial, download an eBook, or complete any action that gave businesses their contact information, those businesses could continue to follow up with subsequent email campaigns, newsletters, blogs, etc. without receiving additional consent. Today, GDPR disallows companies from doing this without adding an additional opt-in checkbox below the digital form.

For instance, if a user on your site completes a form to view an on-demand webinar but doesn’t complete the checkbox on the form giving you explicit consent to market to them in additional ways, you are prohibited from doing so. Make sure all your forms have clear language requesting explicit consent to provide additional marketing materials, and make sure you’re only sending to users who have checked that box. 

Make It Easy for Users to Opt-Out

Failing to provide clear and simple opt-out options is one of the most common GDPR no-nos. It can also lead to frustrated users, which often results in those individuals filing GDPR complaints.

Your subscribers don’t owe you their loyalty and should reserve “the right to be forgotten” whenever they want. If they don’t want to hear from you anymore (maybe they went with another insurance provider or decided to purchase concert tickets through another vendor), then they should be able to unsubscribe from your list easily.

So you need to make sure all of your communications have a prominent “unsubscribe” link in the footer that recipients can click to be removed from your list permanently or until they decide to re-opt in.

Further, you should offer your users the option to manage their subscription. Create a “Manage Your Subscriptions” link in your footer or offer the option as a link within the copy of your emails, confirmation pages, and other digital marketing communications. This link should lead to a separate page that gives the user multiple options about which types of communications they want to receive — such as newsletters, blogs, special deals, or event invites.

Act-On Software Assists Businesses to Comply with GDPR

At Act-On, our marketing automation software is designed to help marketers from companies of all shapes and sizes improve their email deliverability, protect their customers’ data, and generate more revenue through an all-in-one omnichannel platform. Our world-class Professional Services team is here to assist our clients to take additional compliance measures and align their strategy with our software.

If you’re interested in learning more about how you can solve your GDPR concerns with Act-On’s powerful marketing automation platform, please download our free eBook below or contact us directly to speak with an experienced sales professional.

Using Act-On to Manage Constent for the GDPR

Go Beyond the Lead

Watch this 2-minute video to see Act-On in action

Learn how our growth marketing platform can transform your marketing.