Growth Hacking Your Way to Heavy Fines? Adjust Your Outbound Strategy for GDPR.

Dennis van der Heijden
February 1, 2018

During our GDPR inventory, it quickly became clear that our marketing stack had to change. We’re dedicated to complying with the full GDPR—which means the way we generated leads for our products, how we used tools, and our attempts to growth hack—had become problems.

Here I’ll share how we used “web snitchers” at Convert, and why we are stepping away from that practice.

Anyone in CRO will be familiar with the concept; “You lose 98% of your website visitors…so convert more”. It’s a line we’ve noted many times, in articles and sales pitches. And honestly—it’s true. For most of our customers, Convert Experiences is just one of the many tools they use to lower that loss and increase conversion rates.

We rely on similar software. And to comply with GDPR, we’ll likely cut out 20% of the tools of our marketing stack.

We are cutting around 20% of our marketing software to comply with GDPR and ePrivacy Regulations

Dennis van der Heijden, CEO of

“Growth Hacking”— Or Sneaky Lead Capture?

In the past, we used reverse IP lookup services, data enrichment, and cold email outreach. All of these were ways we captured non-converting leads, and convinced them to convert anyway.

Around 3% of our new revenue depended on using tools like Snitcher and WhoIsVisiting: apps that let us run reverse IP lookups on visitors to our websites. When people visited more than 3 pages, or hung out on our pricing pages, we tagged them for further processing.

We relied on multiple reverse IP tools in order to limit the error margin. From there, we used an API (like Snitcher). Or, in the case of WhoIsVisiting, we hacked a scraper together.

With these two tools we sent the company domains to a Google Sheet, and visitors went through a second qualifying process.


Next, we enriched these domains with company information. We use (and love) Clearbit and Mattermark (now FullContact) for this part of the process.

With those tools we’d be able to add things like company size, funding, industry, traffic and more… lots more. The wonder of these enrichment tools is that most public company information (and key employee data) is available, allowing us to get a clear profile on the company that visited our website. All this is then collected in a Google Sheet that filters the fitting companies and sends them off to the outbound team.


Process aside, here’s what you need to know:

All it took us to isolate a company that may be interested in our tool, learn about their size, their key decision-making employees, and their site traffic—was a single visit to our website.

Outbound Marketing & GDPR: Tense Relationship

Once key company details pop up in the outbound team’s pipeline, we start to rely on old school manual labor. We dive into the company info we have, and find out who the key contacts are to reach out to.

Independently of that: Jeff and Isaac—our outbound email team—explore LinkedIn and company websites that seem a good fit for our A/B testing and experience tools. I can’t call it anything other than “hunting down” the head of analytics, a VP of marketing, or if we’re lucky, the appointed conversion rate optimizer of the company.

These contacts are again loaded into Google Sheets.

From there, we use tools like—which helps us find the emails of these key contacts. They’re added to our new Google Sheet and then loaded in for email flows. Relevant emails in hand, we then send cold emails to our leads.

All our replies are followed up personally, and interested parties are moved to appointments with the account executives.

Yes, all this DOES affect you.

Pre-GDPR we might flatter ourselves in considering our tactics to be “clever.” They were a growth hack. They were innovative.

But GDPR changes everything.

And, if you’re in the US—you might be wondering why.

But in Europe things are shifting with GDPR, and the bar is rising to give end-users (or, as they call them, data-subjects) more power over their personal data.

One solid sign that the times are changing: Google and Facebook have started altering their product roadmaps. Their plan moving forward is to keep things simple, and just make one, GDPR compliant version of their product, to be implemented worldwide.

Google admitted that it will be impossible to keep multiple product privacy policies alive when data protection terms are changing across the globe.

The EU has GDPR. Asia Pacific and India have APEC. The US is looking to follow in the EU’s footsteps soon.

At the CPD2018 conference in January, Keith Enright, Google’s privacy lawyer, declared that GDPR will restart standards globally. They strive to offer the most uniform products possible—which means making GDPR compliance a part of their policy across the globe.

Here’s what Enright had to say about it on a panel at the IAPP conference in December:

The GDPR is a very ambitious law, but it’s just a starting point. One of the greatest dangers large organizations face is tacking toward 2018 and thinking you’re done. We are seeing nearly daily guidance from national authorities, society, academia, the Article 29 Working Party – it’s a conversation we’re just beginning. It won’t begin and end in Europe – this will eventually affect the policy discussion in the US and globally. Don’t hard code your program to just GDPR compliance – you’re setting yourself up for a lot of pain when the next challenge comes.

A Growth Hacking Tool Breakdown: Here’s Where they Stand in the Wake of GDPR


Snitcher

Uses IP for company lookup

GDPR Point of View
Snitcher’s founder says it only uses publicly available information and sits on top of the Google Analytics API. Servers are hosted in Europe and they say they are compliant.

They use the dataset from your Google Analytics account, and grab the company names from the GA API. So they don’t store the actual IPs. They just enrich the existing GA dataset and offer an API on top of that.


WhoIsVisiting

Uses IP for company lookup

GDPR Point of View
Harleen from WhoIsVisiting had an interesting response to my GDPR request: “With regards to the Whoisvisiting tool itself, we maintain our stance: The Data Protection Act regulates the collection and use of Personal Data. An IP address on its own is not personal data. This is because it is focused on a computer and not the individual using that device.”

This response contradicts our findings. Here’s a court case that supports the European legal precedent that IP is personal data (even before GDPR starts).

WhoIsVisiting’s policy is either limited, or incorrect. Which doesn’t inspire a lot of confidence in the notion that they’re fully aware of GDPR.

On top of that, their offices in the UK and US have no entry in Privacy Shield—making transferability on IP between Brexit UK and US data even more risky.

We still have not heard from marketing manager James Pluck on how their exact data collection and storage process works.

But from what’s publicly available: WhoIsVisiting isn’t clear on whether personal data or company data can be correlated with stored IP information.

According to GDPR, the moment they store an IP-address, they need to ask consent from each individual that is not a company.

That information will be available in the WhoIsVisiting servers and so having it (even temporarily) falls outside of GDPR consent.


Clearbit

Domain Enriching

GDPR Point of View
We used Clearbit to enrich the domains we got from WhoIsVisiting and Snitcher (after deduplication) and Clearbit is pretty well informed on GDPR. They are Privacy Shield certified. Plus, companies and individuals have ongoing access to data since Clearbit’s services allow customers to access and modify personal information collected by Clearbit (via, This helps them address any data subject access requests they may receive for modification and erasure.

Clearbit’s services also allow customers to download data from their account at any time during or at the end of their services agreement. So this is a service we will continue to use as part of our continuous effort to keep data of customers accurate.

Mattermark (FullContact)

Domain Enriching

GDPR Point of View
FullContact, the new owner of Mattermark, is Privacy Shield compliant and emailed us the following details: “FullContact has appointed a Data Protection Officer (Hector Rodriguez, CIPP/E), and we’re staying ahead of upcoming regulations. As you know, GDPR differentiates data ‘Controllers’ from data ‘Processors.’ FullContact’s role is as a data Processor, and we are compliant as such.”

Google Sheets

GDPR Point of View
We signed the latest DPA with Google. And, after we concluded we would not continue using this process as a lead generation method, we deleted the Google Sheet and removed it from trash.


Zapier

GDPR Point of View
Zapier has me worried slightly since they only have Swiss Privacy Shield certification.

Micah Bennett from Zapier wrote me and said “We can’t claim GDPR compliance quite yet, but we’re working on making sure we have everything covered. We’ll spread the word on that front so you can make sure you know you’re covered. We don’t have a public facing page to point you to I’m afraid, but we’ve been working on this for a number of months and definitely understand the gravity of needing to ensure compliance.”


Key contact hunting

GDPR Point of View
We outsource to an email team which manually searches information from key contacts in LinkedIn. If they can find the emails—great. Then they add them manually. If not, the next step is

Another worry, for us specifically, is that our team is located in Vietnam (think cross-border data transfers).

Chapter V (Articles 44 through 49) of the GDPR governs cross-border transfers of personal data.


Email verify and collection

GDPR Point of View
This service can be used to validate emails and collect information on key people in companies (when before, we only had the domain). As of now, there’s a very limited privacy policy and no Privacy Shield registration.


Reply

Our outbound team uses this tool to send outbound emails to prospects.

GDPR Point of View
Reply has Privacy Shield certification, and only this message on their privacy page: “The Reply team is currently working to make sure that, in spring 2018, Reply will be compliant with the GDPR requirements.” The Reply team gives us little more confidence than It seems they really have just woken up to GDPR (since Privacy Shield could have been done before).

So, our old outbound tricks are out. What now?

So we’ve admitted it. We’re cutting 3% of new revenue out of our acquisition channel.

But this was an easy call to make.

We’re not saints. We’re a corporation that needs to grow and make money. Outbound marketing is part of that.

This is not our only flow in place. These are not the only tools we use. We have to look at every piece of our strategy—outbound, inbound, referral—and follow the same steps as above.

We can’t recommend enough that you do the same. Inventory the tools you’re using. Look at where you scrape user data. Ask your vendors where they stand with GDPR compliance.

And in the meantime, here’s some good news.

If you are A/B testing and are with Convert as your vendor—we’ve got our stuff together on this.

Here is our public roadmap on how we as a company are working towards GDPR compliance.

Plus, even our roadmap has a roadmap. We’re changing our software to make compliance for our customers easier. You can find all the info on that here: GDPR compliant A/B testing software.

Originally published February 01, 2018 - Updated December 14, 2021
Dennis van der Heijden, Co-founder & CEO of Convert, passionate community builder and out-of-the-box thinker.
