Privacy Please: How the GDPR Can Elevate Marketing

by Nabilah Irshad

While data may not be the new oil, it certainly wields power in virtually every facet of society, from business and technology to government and infrastructure. In the age of cyberattacks and data breaches, personal information is under the microscope more than ever.

The past few years have brought us the breach of 110 million Target customers’ data; the hacking of 3 billion Yahoo accounts; the exposure of 53 million Home Depot customers; the leaking of 5 million debit cards used at Lord & Taylor and Saks Fifth Avenue; Equifax’s massive cyberattack that compromised 145 million people’s sensitive information; Uber’s data breach and subsequent cover-up; and, most recently, Cambridge Analytica allegedly harvesting user data from Facebook – just to name a few.

The 2017 State of Consumer Privacy and Trust report from Gigya found that 68 percent of consumers are concerned about how brands handle their data. Given the above examples, it’s no wonder. According to Jason Rose, Senior VP of Marketing at Gigya, “[t]here is looming disconnect for brands if they don’t respond more aggressively to consumer demand for privacy and protection of their data. Brands that put consumers in control of their privacy and deploy platforms that strengthen consumer data security will ultimately gain consumer trust. These brands will overcome the personalization-privacy disconnect and deliver on the full promise of their online strategies.” Therefore, marketers walk a fine line of capturing relevant data from their consumers while also ensuring they’re not alienating or eroding customer trust in the process.

The European Union has traditionally been more conservative with privacy and personal data than the United States. Now the EU is rolling out a set of digital privacy rules to provide greater protection, and they will have far-reaching effects on marketers and consumers in the EU, stateside, and worldwide.

What is the GDPR?

The General Data Protection Regulation (“GDPR”) covers the personal data of all residents in EU member states. Under the GDPR, companies must now build default privacy mechanisms into their websites, securely store data, and erase personal information after specified periods of time.

Every company touching personal data of EU residents must comply with the new privacy directives – whether or not a company is physically based in the EU. Penalties for non-compliance are massive: up to 4 percent of a company’s annual global turnover, or 20 million euros, whichever is greater. The deadline for compliance is May 25, 2018. Suffice it to say, the EU is taking personal data very seriously. The U.S. will soon follow with revised legislation.

What do I, as a marketer, need to know about the GDPR?

The GDPR can be daunting, but there are many resources available that help break it down for you – and you should always consult with your internal legal and compliance teams. Here’s our take on this new body of law and what it means for marketers:

The definition of “personal data”

“Personal data,” or “personal information,” are the terms the EU most commonly uses. The GDPR very broadly defines personal data as any information relating to a person, including names, email addresses, social media posts, IP addresses, and cookies because they can be traced to a person and combined with other data to identify a specific person. 

In the U.S., most marketers are familiar with “PII” or “personally identifiable information.” PII in the U.S. is a narrower range of data than personal information in the EU. PII covers information about an individual, including names and email addresses, but excludes IP addresses and cookies since they cannot be used to identify a specific person on their own. 

Essentially, all PII is personal information, but not all personal information is PII.

The “Cookie Law”

You may have seen new pop-ups on websites asking you to consent to cookies. This is a directive of the ePrivacy Regulation, which is an accompanying set of laws that the EU is still finalizing and approving; implementation will likely be at the end of 2018. The ePrivacy Regulation focuses very specifically on electronic communications, and it’s commonly called the “Cookie Law” because it governs the pop-up you often see on websites requiring users to opt in to the use of cookies. 

The Cookie Law will inevitably impact advertisers and marketers that engage in behavioral targeting and re-targeting, including those that drop ads within editorial content hubs. This makes organic content marketing even more important as traditional targeting tactics will be somewhat burdened by the new regulations. 

Data breach notification

Under the GDPR, Uber, Equifax, Yahoo, and other companies won’t be able to get away with silence or cover-ups after discovering a data breach. The GDPR mandates that companies must disclose data breaches within 72 hours of the breach. 

Email consent requirement

The GDPR heavily scrutinizes email marketing. Under the new regulations, user consent must be “freely given, specific, informed, and unambiguous.” Use this as an opportunity to streamline your communications with prospects, customers, and your larger audience.


The regulations clarify that consent must be shown with a “statement or by clear affirmative action.” In practice, this means that marketers can no longer get by with opt-outs, assumptions of consent, pre-checked boxes, and the like. Consumers themselves must check the boxes that opt them into email lists. To prove compliance, companies must then document and store all consents received – who consented, when they consented, and how they consented. 

Freely given

Consent must be truly optional so that individuals can explicitly choose whether to receive marketing communications.

As part of your lead generation efforts, you may prompt people to enter their email addresses in order to receive premium gated content, such as whitepapers or industry reports. This is an opportunity to build your newsletter list, but in order for the consent to be “freely given,” subscribing must be optional.

The email marketing company Litmus has considered this; here’s an example of how it does it: 

[Image: Litmus GDPR opt-in example]


Consents must be separate for each data collection activity, and cannot be bundled with any terms and conditions. Whenever possible, provide granular options to consent to different items.

[Image: Insights GDPR opt-in form]

By entering their name, company, and email address, people can sign up for the Insights newsletter. However, they have to opt in to a separate consent to receive other NewsCred promo emails.


Individuals should be aware of who is collecting their information, the purpose of collection, and exactly what they are consenting to. Build trust with your audience by articulating exactly how you’ll be handling their data in reader-friendly terms, rather than dense legalese.

Right to withdraw consent

You must also provide clear options for people to unsubscribe from marketing communications and make it easy for them to do so. A one-step process to opt out is ideal, versus requiring people to visit multiple pages. An easy and clear opt-out method reduces the likelihood of individuals flagging your brand’s emails as spam. 

Retroactive applicability

Moreover, the GDPR applies to all EU email subscribers – those who sign up after May 25th, as well as existing subscribers. Thus, companies must retroactively ensure that email consents received thus far are in compliance with GDPR requirements. Otherwise, they’ll have to run a refresh/re-permission campaign to gain those consents properly, or else remove certain subscribers from their lists altogether. This may be the time for spring cleaning and ensuring the hygiene of your existing data.

The right to be forgotten

Data erasure and individuals’ right to revoke consent is key under the GDPR. Individuals have the ability to request that companies permanently delete any of their personal information. This right to be forgotten takes it a step further and prohibits indefinite storage of personal data, so companies must delete such data when the business purpose for collecting it has expired. 
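As an added illustration, not part of the original article and not NewsCred’s own systems, of the record-keeping that the consent, withdrawal, and erasure sections above call for: a minimal consent ledger that stores one record per person and purpose (who, when, how, and the exact wording agreed to), refuses a form whose boxes are pre-checked or bundled with terms and conditions, treats an unchecked box as simply no consent, supports one-step withdrawal, and erases everything for a person on request. The form shape, field names, and sample submissions are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


class ConsentError(ValueError):
    """Raised when a submitted form cannot count as valid consent."""


@dataclass
class ConsentRecord:
    purpose: str                      # what was consented to (one purpose per record)
    given_at: datetime                # when it was given
    source: str                       # how: the form or campaign that captured it
    wording: str                      # the exact statement the person ticked
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


def check_form(form: Dict[str, dict]) -> List[str]:
    """Return the reasons a form cannot be accepted as consent (empty list = OK).
    Assumed form shape: purpose -> {"checked", "default_checked",
    "bundled_with_terms", "wording"}."""
    problems = []
    for purpose, box in form.items():
        if box.get("default_checked"):
            problems.append(f"{purpose}: pre-checked box is not a clear affirmative action")
        if box.get("bundled_with_terms"):
            problems.append(f"{purpose}: consent may not be bundled with terms and conditions")
    return problems


class ConsentLedger:
    """Per-email log of consents; state changes append a record or stamp a withdrawal."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_form_submission(self, email: str, form: Dict[str, dict],
                               source: str, now: Optional[datetime] = None) -> set:
        problems = check_form(form)
        if problems:                      # reject the whole form, store nothing
            raise ConsentError("; ".join(problems))
        now = now or datetime.now(timezone.utc)
        for purpose, box in form.items():
            if box.get("checked"):        # unchecked box: no consent, no record, no error
                self._records.setdefault(email, []).append(
                    ConsentRecord(purpose, now, source, box["wording"]))
        return self.active_purposes(email)

    def active_purposes(self, email: str) -> set:
        return {r.purpose for r in self._records.get(email, []) if r.active}

    def may_send(self, email: str, purpose: str) -> bool:
        """The check a sending system runs before every message."""
        return purpose in self.active_purposes(email)

    def withdraw(self, email: str, purpose: str, now: Optional[datetime] = None) -> bool:
        """One-step opt-out; keeps the record so the withdrawal itself is evidenced."""
        now = now or datetime.now(timezone.utc)
        changed = False
        for r in self._records.get(email, []):
            if r.purpose == purpose and r.active:
                r.withdrawn_at = now
                changed = True
        return changed

    def erase(self, email: str) -> int:
        """Right-to-be-forgotten request: drop every record for the person."""
        return len(self._records.pop(email, []))

    def audit_trail(self, email: str) -> List[dict]:
        return [{"purpose": r.purpose, "given_at": r.given_at.isoformat(),
                 "source": r.source, "wording": r.wording,
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records.get(email, [])]


# Constructed sample submissions (hypothetical purposes and wording).
GOOD_FORM = {
    "newsletter": {"checked": True, "default_checked": False, "bundled_with_terms": False,
                   "wording": "Send me the weekly newsletter"},
    "promo": {"checked": False, "default_checked": False, "bundled_with_terms": False,
              "wording": "Send me product announcements"},
}
PRECHECKED_FORM = {
    "promo": {"checked": True, "default_checked": True, "bundled_with_terms": False,
              "wording": "Send me product announcements"},
}

if __name__ == "__main__":
    ledger = ConsentLedger()
    print(ledger.record_form_submission("reader@example.com", GOOD_FORM, "newsletter-signup"))
    print(check_form(PRECHECKED_FORM))
```

The separate `check_form` step is deliberate: a form with any invalid box is rejected as a whole rather than partially recorded, so the ledger never holds a consent it could not defend.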

Narrow scope and legitimate business purpose

Collect only what you need and nothing more. The GDPR requires that companies limit data collection to legitimate business purposes. Refine your data collection to ensure that you’re only processing information that’s necessary and relevant. 

Defining your business purpose at the outset becomes key here: How broad is your scope? For example, if one of your customer contracts has terminated and your business purpose for tracking website analytics was to service the customer, you may be required to delete the data. However, if your business purpose for tracking website analytics included assessing overall performance metrics for a particular industry, you may be able to retain the data (unless an individual requests that you delete it).

This is an area that needs further guidance, but the EU advises that the legitimate business purpose must be balanced against individuals’ rights and freedoms. Given that the GDPR is brand new and there’s been limited application or context, we have little precedent to analyze and draw conclusions from. The coming months will be telling and provide more specific parameters for businesses.

Data security

You may need to consider encrypting customer data in your CRM and other tools. A major element of the GDPR is “privacy by design” and “privacy by default,” which mean that companies must incorporate data security from the initial design stages of every product, service, and process, and ensure such security throughout the lifecycle of the data processing. Whether it’s encryption, anonymization, pseudonymization, or other methods, your legal and IT teams will likely determine what types of data security measures are relevant for your business.

How is NewsCred implementing the GDPR?

As the leading content marketing company, NewsCred’s Legal and Privacy team is actively working to train our employees and implement GDPR requirements before the May 25, 2018 compliance deadline. Specifically, we’re taking the following steps for GDPR compliance in 2018:

  • Updating our Privacy Policy
  • Requiring cookie opt-ins for and customer sites hosted by NewsCred
  • Obtaining active consents and email sign-ups for our Insights newsletter and marketing emails, plus providing clear unsubscribe options
  • Disclosing the collection of personal data and associated business purposes to all relevant parties 
  • Storing personal data on secure servers and safeguarding personal data via encryption
  • Ensuring applicable vendors adhere to GDPR via Data Protection Agreements
  • Implementing processes to permanently erase personal data after consents are revoked or relevant business purposes expire
  • Maintaining GDPR compliance with regular risk assessments and ongoing data security measures

Marketing opportunities with the GDPR

The GDPR significantly impacts marketers, especially when it comes to email marketing and marketing automation. Although implementing the new requirements will be a heavy lift, the GDPR is actually a great opportunity for companies to be more thoughtful about their marketing efforts and build trust with their customers.

By ensuring active consent, customers have to actually opt in to receive your emails. This means that what you offer has to be relevant and appealing enough to your audience that it entices them to check that box. Draw your audience into your content hub and drive them to subscribe to receive your newsletters right in their inboxes.

One way to make your offering more transparent is to highlight sample content that they will receive. If you’re going to throw an opt-in lightbox on a viewer’s screen, take the split-second attention opportunity to tease your content alongside the request.

[Image: Insights GDPR opt-in form]

The top of this opt-in form gives people an idea of what newsletter content they’ll receive.

Another audience-building strategy is to ask consumers what specific types of content they’re interested in receiving. This not only allows you to learn more about your different customer bases, but also to create email campaigns tailored to each.

[Image: Gradifi newsletter opt-in form]

Gradifi, a student loan repayment solution, asks people to share their interests when signing up for its newsletter.

When you think of the GDPR, think quality over quantity. Such targeted strategies are in line with our mission at NewsCred. We believe that by engaging customers with content, we’re building stronger relationships because we’re providing value. Rather than serving intrusive ads, we’re offering inspiring, informative, and helpful content to influence purchasing decisions.

The goal of the GDPR is to protect individuals’ privacy, but the new rules also offer an interesting challenge to marketers: How can you make your brand so appealing to your audience that they opt in to spend time with you? Then, how do you nurture those customers and provide them the right content so that they continue to engage with your brand?  

To our customers and loyal readers: We’re committed to helping you create healthy marketing practices and build trust with your audience. It’s a new challenge we as content marketers are eager to tackle with you.


Nabilah Irshad is NewsCred’s VP of Legal and Business Affairs.

This article does not constitute legal advice. Please consult your legal and compliance teams for privacy and data advice applicable to your business.