GDPR and Your Marketing Funnel Part 1: Attract

Mac Hasley
March 14, 2018

(Jump to Part 2 – GDPR & Lead Nurturing)

I know there are a million and one ways you work to attract a potential lead. Your tripwires, your exit popups, your fancy fancy dance moves.

And some of them you might want to reconsider, come the date GDPR takes effect.

(But not the dance moves…

….never reconsider the dance moves).

Here’s a breakdown…

Your cold emails:

So we’ll be blunt: it’s not pretty. Cold emails are pretty dangerous territory under GDPR. In fact, there are already mountains of legislation concerning these throughout Europe.

We tackled the subject pretty comprehensively here. But to break down to the basics…

1. Generic, bought lists are a big no. They’re already illegal most places, and GDPR puts a definite nail in this coffin.

2. Contacts from third parties are probably a no. Now, in order to pass on personal data to a third party, you need active, affirmative consent. Plus, you need to name which third parties, specifically, will be receiving the data.

So if in the past, a partner has had a consent form that looks like this…

  • “I would like to receive updates from Company A and trusted third parties.”

…and you were one of those “third parties”—those emails are no longer good. They’re now in violation of GDPR. And even if those standards were fine then, GDPR says to ditch those contacts now.

If, by chance, though, your partners had a consent form that looks like this…

  • I would like to receive email updates from COMPANY A
  • I would like to receive email updates from YOUR COMPANY NAME.

Anyone who checked the second box, you can still contact.

But let’s be honest. They probably didn’t set up their consent-ask like that. And if they did, they probably didn’t get too many folks willing to part with their email addresses.

3. Personal, direct, highly-targeted outreach.

Still—likely a problem.

At this point, what GDPR says actually comes second to what the ePrivacy Directive says.

(And the ePrivacy Directive is looking to be replaced by a new law, the ePrivacy Regulations, within the year—by earliest projections).

As it stands now legally, some EU countries are “opt-in” countries. Some are “opt-out.”

Being an opt-in country means: you need to get a clear opt-in before you email folks from that country whom you don’t know.

Being an opt-out country means, in some cases, you may just need to allow them to easily unsubscribe.

But every opt-out country has its own crazy set of hyper-specific rules to follow. Some, for example, require your first email contain your company’s physical address. Some want a link to your privacy policy. Some have vastly different rules for B2C and B2B.

Pretty much all of them still give a “no” to reaching out to anyone you don’t have a pretty good explanation for reaching out to.

In short: if you’re going to contact people from EU countries, even with a good reason, you’ve got a few more hoops to jump through.

Even if they commented on a post of yours on LinkedIn, and accepted your connection request, and posted a status update screaming “I WANT TO BUY A PROJECT JUST LIKE YOURS”—you’ll have to find out which country they’re from. And you’ll have to know what specific rules that country has before you send out that first introduction message.

4. Generic business addresses are mostly fine. You can reach out to …, or sales@, or marketing@ without worry. As long as you can’t tie that address to a specific human person with other data, you should be okay.

Now I know this isn’t a thrilling idea. We all know our odds are better if we head straight to the human person. But maybe, if your offer is good enough, and your pitch is persuasive—you just might get the go ahead to be passed from a generic info@, to the team.

In summary: Cold emails are pretty complicated. And, they’re frowned upon at best. If you haven’t already, diversifying your lead-gen strategy is probably a good idea.

Your paid ads:

So if you’re like most marketers—trying desperately to elbow your way into your audience’s goldfish-like internet attention spans—you’re probably throwing some paid traffic their way.

In the attract (cold traffic) phase, these ads probably don’t have to change.

But before we go any further…

~*~*VOCAB TIME*~*~

Data controller: The entity that asks for, collects, and decides how personal data is used. When you process, store, or decide the use of personal data—you’re the controller.

Data processor: If a data controller uses a tool to collect or sort that data on its behalf—that tool’s provider is a data processor.

So here’s the deal.

Pretty much all the data you’re going to rely on for paid advertising is personal data.

That means it’s going to require consent.

Which raises the question: whose job is it going to be to get that consent?

Answer: the data controller.

And who on earth is that?

It depends.

Your general social media ads, or your Google Search and Display network ads, rely on Google or Facebook data to function. Data that you didn’t collect. Data that Google or Facebook or LinkedIn or whomever is responsible for soliciting consent for.

So for example, creating audiences on Facebook that are targeted based on…

  • Audience engagement with your page or video.
  • Facebook data on user interests, or behaviors.
  • Regional and demographic data.

…should be okay. Facebook should only allow you to access their collected data on this front, if a user has consented to receive ads.

(You can read more on their efforts to comply with GDPR here).

Similarly I wouldn’t worry about Google Search and Display ads, which aren’t personalized, but are instead based on keywords or direct placement selection.

Google’s well aware of the changes to come, and is approaching GDPR head on.

But here’s where the trouble comes along.

If you’re targeting an audience based on traffic you’ve collected—then you become the data controller. And you need to make sure that your data subjects have consented.

If you think back to our list of “what counts as personal data,” you might remember these little buggers popping up:

  • Unique identifiers like Device IDs, UserID, TransactionID, CookieID

Cookies, which track users across sites, or across sessions, are considered personal data under GDPR.

It (tragically) says so right here.

What this means for you:

If your ad-targeting strategy relies on pixel data, it’s likely going to require explicit user consent.

Which is more of a hassle now, because…

The cookie wall is dead.


[Image: Santander’s “this site uses cookies” banner]

No longer counts.

If you want to use a cookie, you have to explain which ones, specifically, you want to use. You should give your audience an idea of what you’ll use them for. And then you need to get them to click “yes”—before you start tracking.

Like so:

[Image: OneTrust privacy preference center, with per-category cookie toggles]

As you can imagine, when pixels require consent, you’ll have fewer users to target. PageFair has some great original research on the topic, saying that, as it stands, only about 21% of your current page visitors would actively opt in to tracking.

So here are the ad types you need to get consent to run:

  • Any Facebook Custom Audience. Whether it comes from your pixel (aka it’s sourcing your web traffic, or is a Lookalike Audience), or it’s generated from your uploaded list (manually, or from a third party).
  • Any personalized Google Audience. So, remarketing, affinity audiences, custom affinity audiences, in-market audiences, Floodlight cross-device tracking, Customer Match data, and demographic targeting.

Now in the attract phase, if you’re shooting for a totally cold audience—this should leave your processes pretty untouched.

But if you’re planning to retarget a web visitor, or create a profile based on your current audience’s data—then you have to get consent.

Your lead magnet:

You got someone to your page. Legally!

Now let’s get consent to contact ‘em.

The big thing to pay attention to here is how you ask for consent.

We’ll start by breaking down what not to do:

[Image: Unbounce “Get the ebook” opt-in for Oli Gardner’s framework]

So this is a pretty standard looking opt-in from the crazy smart marketers over at Unbounce.

…and it breaks almost alllllll of the new rules.

  1. Soft opt-ins no longer work. “By doing ____ you agree to ____” is a bad news formula under GDPR. Folks need to actively agree to give their data up, with a “clear, affirmative action” (Article 4).
  2. And if you’re going to use someone’s data for separate purposes—you need to ask them permission separately. Lumping these two asks together is called bundling, which is restricted under GDPR. So: if you’re going to take someone’s data to send them a PDF—that’s different than using it to send updates on “information about your services.” You need two different consent agreements for that (Article 7). Here’s an example done right:

[Image: SuperOffice CRM opt-in form with separate consent checkboxes]

  3. GDPR requires something called “privacy by design.” A big part of this is data minimization—which basically means “If you don’t need to collect data, don’t.” This opt-in is collecting a lot of information that isn’t necessary for a user’s goal (aka: to get a PDF). The best practice here is: if you’re collecting data from someone, and it isn’t obvious as to why, tell them (Article 5). Or don’t collect it. Facebook does this particularly well with this popup…

[Image: Facebook permission popup explaining why each piece of data is collected]

A few other things to watch out for on your consent forms:

  • If you’re going to reach out over phone, or mail, as well as email, users need to be able to consent to these different types of communications separately.
  • If your “I consent” box is pre-checked on your forms, that doesn’t count as “active, affirmative” consent.
  • If you make users check a box to refrain from subscribing, that’s also against the rules. Don’t put a checkbox next to a statement like: “Don’t email me about products and offers.” That’s opt-out, not opt-in, language you’ve got there.
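The cookie-consent and opt-in rules above (consent before the pixel loads; no pre-checked boxes, no soft opt-ins, no opt-out wording, one purpose per ask) as an added example, not code from the original post. The purpose names, form shape and labels are illustrative assumptions.

```javascript
// Added example, not from the original post: a small consent-form audit and a
// consent gate for trackers. Purpose names, labels and the form shape are
// illustrative assumptions, not any vendor's API.
const PURPOSES = {
  ebook_delivery: 'Email you the PDF you asked for',
  email_content: 'Send you emails with content and promotions from COMPANY',
  sms_promos: 'Send you SMS with soon-to-expire promotions',
  facebook_pixel: 'Load the Facebook pixel to build Custom/Lookalike Audiences',
  google_remarketing: 'Load the Google remarketing tag to retarget you later',
};

// A form is a list of checkboxes as shown to the visitor:
// { id, label, purposes: [...], checked }. Returns the rule violations found.
function auditConsentForm(form) {
  const problems = [];
  for (const box of form) {
    const tag = `"${box.label}"`;
    if (box.checked) {
      problems.push(`${tag}: pre-checked box is not affirmative consent`);
    }
    if (/^by\b/i.test(box.label)) {
      problems.push(`${tag}: soft opt-in ("By doing X you agree...")`);
    }
    if (/\b(don'?t|do not|refrain|unsubscribe|opt[- ]?out)\b/i.test(box.label)) {
      problems.push(`${tag}: opt-out wording; consent must be opt-in`);
    }
    if (box.purposes.length !== 1) {
      problems.push(`${tag}: bundles ${box.purposes.length} purposes; ask separately`);
    }
    for (const p of box.purposes) {
      if (!(p in PURPOSES)) problems.push(`${tag}: unknown purpose ${p}`);
    }
  }
  return problems;
}

// Records, per purpose, what the visitor actually ticked, plus the wording
// they saw and when, so the controller can later show consent was given.
function recordConsent(form, tickedIds, nowIso) {
  const record = {};
  for (const box of form) {
    for (const p of box.purposes) {
      record[p] = { granted: tickedIds.includes(box.id), text: box.label, at: nowIso };
    }
  }
  return record;
}

// Gate a tracker on the record: no entry, or anything other than an explicit
// `true`, means the pixel or tag must not be loaded.
function mayLoad(record, purpose) {
  const c = record[purpose];
  return c !== undefined && c.granted === true;
}
```

Call `mayLoad(record, 'facebook_pixel')` before injecting the pixel script; a visitor who only ticked the PDF box gets the PDF and nothing else.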

So now if you’re asking, “BUT HOW DO I GET THEM ON MY EMAIL LIST THEN?”—you are preaching to the choir.

My copywriting brain short-circuits when I think about what asking for email list sign ups, separately from my lead magnet, will do for my email list conversion rate.

Because let’s face it. They’re here for the download. If you can’t properly email-gate it anymore, why on earth would they sign up to be on your list?

Here are the solutions I’ve come up with so far.

Set expectations:

“How separate do separate purposes have to be?”

“How granular do we have to design our opt-ins?”

The long answer isn’t quite outlined in GDPR, so experts are defaulting to guidance from the Article 29 Working Party, set up under the old Data Protection Directive.

And to save you from the absolute horror of reading even more legislation: the absolute angels at PageFair summarize the rules with this basic test:

“If a purpose is sufficiently specific and clear, individuals will know what to expect: the way data are processed will be predictable.” The objective is to prevent “unanticipated use of personal data by the controller or by third parties and in loss of data subject control [of these personal data].”

So basically it has to be specific, transparent, and predictable. You have to know what you’re signing up for—and sign up anyway.

Meaning, if you sign up to receive a PDF, you might not expect to receive weekly emails.

But what if you consent to something like this…

[I agree to receive emails with promotions and content, like LEAD MAGNET NAME, from COMPANY NAME]

Is that bundling then?

Well…it’s predictable. It’s transparent. It sure sounds pretty specific.

It could work.

But I’ll admit, it’s some thin ice. Whether or not to walk it…I’ll leave that up to you.

So alright then. Let’s say you aren’t willing to take any gambles on bundling.

You’re going to create a separate opt-in for email subscription access.

What more can you do to get people to check that box?

At this point, I’d give incentives a try.

For example, say your lead magnet is an ebook, and you want people to opt in NOT just to download that, but to agree to receiving further content. Try:

[I consent to receive emails with content from *COMPANY* (including, a free bonus chapter!)]

If your landing page does its job, and your audience already trusts you enough to part with that email address—maybe that bonus content will win you a bit more contact permission.

Your pop-ups, overlays, and blog post CTAs:

So all your consent rules from above still apply for a pop up.

But I wanted to take a second to spotlight here something that makes GDPR happy, and that might boost your conversion rates.

Introducing the binary opt-in!

You are probably used to these.

[Image: a typical two-button opt-in popup]

Warning: This is just an example of a binary opt-in. Not all binary opt-ins are created equal. This one is not GDPR compliant.

Personally, they drive me absolutely mad.

But they’re everywhere, because they work.

(If you’re interested, Copyhackers has a great case study on “why”)

They are also active, and have an opportunity to nail the whole “clarity” thing. All of which is good news for GDPR.

The point here is, maybe you’ll have a better chance of persuading someone when you give them this option:

[I consent to receive emails with content from COMPANY][I won’t need any more information on TOPIC – Don’t email me again]

Or this option…

[Send me an SMS with personalized, soon-to-expire promotions!][Don’t message me; I’m okay with missing deals]

Or this option…

This site provides recommendations customized to suit your style. For that, we use cookies:

[Personalize away! – I accept the use of cookies][My style is generic; I prefer generic recommendations.]

Or this option, from the folks at Sainsbury’s:

[Image: Sainsbury’s contact permission form]

Only time and tests will tell.

But if you’re not already using binary opt-ins: it’s worth the time and tests.

A WARNING THOUGH: if you’re going to rely on a binary choice, each option has to be of equal prominence. No giant “yes” buttons, with teeny tiny “no” buttons.

Your tripwire:

Ahhh tripwires.

Those tiny, irresistible, “too good to be true,” low-ticket offers, that turn prospects into buyers.

When they work, they work.

They also give you some new privileges when it comes to GDPR.

Enter: the legitimate interests condition.

Turns out—soliciting consent is not the only lawful way to process personal data.

Now before you get excited: what counts as a “legitimate interest” is strict. Relying on this condition to process data is very tricky.

But one of the few things that seems to give people the go-ahead with LI has to do with data about existing customers.

Here’s the line they’re talking about:

Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. –Recital 47

So if you buy something from me, and we have a relationship—just maybe, I have more of a right to email you, than I do someone who snagged a PDF.

Here, it again comes down to what your audience would “reasonably” expect.

If I bought 90 days of your $100-a-month software for a stupidly low price of $9—I’d probably expect you’d follow up. I’d assume, come month three, you’d want to see if I’m ready to commit.

As a customer, I might expect a few emails walking me through how the software works. I might expect to get a content piece thrown my way, explaining some best practices. I might even expect to hear from a support person—who’s checking in to help out with onboarding.

So as you walk me, your now customer, through your nurture campaign—and as you go to pitch a bigger purchase my way—you’ve got a pretty good case that legitimate interest applies.

Which means, you’ve got a pretty good case for not jumping through so many of those on-fire consent hoops.

(PS. If you’re going to go the legitimate interests route, at any point, we recommend you read the full write-up we have on the process, here).

To sum it up:

  • Cold Emails are “no” at worst, and “danger” at best. Approach with caution, and start diversifying your lead-acquisition streams now.
  • Set yourself up to properly ask for consent, if you’re going to use a Google remarketing campaign, or anything that touches the Facebook pixel.
  • Asking consent the right way means making sure it’s: unambiguous, affirmative, specific, freely given, and informed. Do this the right way, at any stage of your funnel.
  • Binary choices are good for GDPR and conversions. Just make sure to display them at equal prominence.
  • If you can get someone to buy, you can justify some follow-up emails with legitimate interest. If you’re not already considering a tripwire, now might be the time.

Take me to Part 2: GDPR and Lead Nurturing >>>> 

Originally published March 14, 2018 - Updated January 12, 2022
Mac Hasley is a content strategist at Convert, a copywriter across the webz, and an advocate for marketing that is humble and kind.