One Year In: Three Lessons Marketers Have Learned About the GDPR

The General Data Protection Regulation (GDPR) went into effect one year ago on May 25, 2018, much to the distress of marketers everywhere. For so long, a core business activity of digital marketing was to collect information about users, their interests, and their habits, to extract insight from that data, and then to use that insight to craft messaging back to current and potential customers. But then the GDPR arrived on the scene and seemingly obstructed our most basic work of collecting useful data about our customers. To address the most pressing regulatory obligations, lawyers and IT managers and privacy officers snapped into action to lock everything down. No more customer data harvesting. No more opt-outs or soft opt-ins. No more historic customer data warehousing. No more shareable user data. Restricted access to customer data. Restricted access to analytics data. Restricted user tracking. And the marketing teams just had to deal with the fallout of this lockdown.

Now, one year later, some marketing teams have started to figure out what digital marketing looks like in this new post-GDPR world. Some marketers have even figured out how to flourish in this new environment. In my work with dozens of legal, technology, and marketing departments before and after GDPR enforcement, I’ve started to see patterns in how the most effective marketing teams are not only surviving the GDPR, but are actually using it to market even more effectively and successfully than they ever had before.

In addition to being a full-time developer at Advomatic I’m also a lawyer who is fascinated by GDPR and has advised dozens of organizations as they’ve tried to navigate it. Of all the changes I’ve seen, there are three practices that seem to be common among all the most effective post-GDPR marketing teams. Here are those three ideas:

Embracing privacy rights improves brand loyalty and ROI.

One of the first GDPR implications many of us experienced was the requirement for our users to opt in to all future communication. Just because we have their email addresses doesn’t mean that we can use them however we want. We all knew instinctively that by adding an opt-in box to all forms going forward, the effectiveness of those forms in producing usable, marketable user data would be diminished. Who among us wouldn’t skip that box more often than not – even with brands that we like?

Successful marketers realized, and embraced, that even if the raw number of, for example, email addresses collected was decreasing, the value of those collected emails was far greater. Those customers who opted in were people who specifically wanted to hear from you. The days of “spray and pray” marketing are dwindling. In its place you have customers who are self-identifying as your audience.

But more importantly, not only are these email lists of a better quality, these customers are already more invested in your brand than had these same customers’ data been collected under previous opt-out or non-opt methods.

Studies regularly show that a customer’s loyalty to a website is significantly influenced by the trust that a customer has in the website. This “loyalty” not only includes decisions to follow calls to action (e.g. to purchase, to contact, to fill out a form, etc.) but also includes stronger attachments to brand preferences, increased cost tolerance, and frequency of revisits to a site. Other studies have shown that merely exposing users to the existence of privacy policies and practices results in a significant increase of trust. The fact that there’s now an opt-in checkbox on a form and a link to your privacy policy strengthens your brand in the minds of the user.

So by embracing privacy rights, you will likely get less customer data. But that data will be more valuable data, and from what I’ve seen, ROI often more than makes up for the difference.

Your privacy officer is your secret weapon.

Early on, many marketers got into the bad habit of asking for permission to collect or use particular user data. It’s the job of the privacy officer (or, in most nonprofits, the lawyer or the IT manager in charge of data privacy) to protect data, and the easiest way to do that is to just not collect the data, so often the default answer was no. This created an unhelpful and unnecessary dynamic where marketers and fundraisers were always asking for more data and privacy officers were always giving less data.

Successful marketing, fundraising, and communications teams figured out early on that everyone is on the same side. Everyone is working towards the same organizational goals. Marketing teams support those goals through their marketing efforts. Privacy teams support those goals through their data privacy efforts. But they’re all supporting the same goals.

Some months ago, I had a client call me with a pretty typical problem. A member of the fundraising team had just come back from an event with a stack of business cards of contacts he had made at the event. He wanted the new contacts added to a mailing list. The IT manager said they couldn’t do it because handing over a business card didn’t establish sufficient consent and there wasn’t any disclosure about what the information would be used for. Everyone was mad.

I asked the fundraising team member to explain why he wanted these names. Was there anything special about this group? Was this just about beefing up the mailing list, or was there anything special about these people in this room? It turned out these contacts were very special leads, and throwing them away would have been an unfortunate lost opportunity. Giving the IT manager that information, I asked her if she could imagine any way to convert these “unconsented” contacts into “consented” contacts. We brainstormed and came up with a few ideas, which we then brought back to the fundraising team. Everyone settled on a strategy of the fundraising team member following up with personal thank-you cards which included an invitation to talk further about opportunities. The two teams collaborated on language that satisfied both fundraising and privacy interests. And nobody was mad anymore.

This struggle could have been avoided at so many points. If team members are going to be out in the field collecting data, the people who regulate privacy can draft the right documentation and language so that you’re not stuck with unusable contact info. If data is going to regularly arrive as unconsented data, there could be systems in place to scrub the data. But more fundamentally, if both the fundraising/marketing team and the privacy team approached all their discussions from a place of collaboration toward common goals, they could have designed a great solution from the start.

When marketers or fundraisers see themselves as victims of unreasonable restrictions, and privacy officers see themselves as gatekeepers of all data, it’s hard to get to the necessary place of collaboration towards the larger organizational goals. You’re on the same team. And you, as a communicator, can be in the driver’s seat in establishing that collaborative dynamic. Privacy officers often work reactively. They wait until someone asks “Can we do this thing?” and they say yes or no. But a good privacy officer can help you get to yes if you invite them to do so.

Upon returning from the event, the fundraising team member could have approached the IT manager saying something like “I got these great contacts. I’m not sure if or how I can use this data, but these are really great leads and I’d love to find a way to take the next step with these contacts. Can you help me figure out a way to do so that comports with our privacy policy?” Every data privacy officer I know would welcome this invitation, and would work hard to meet the mutual goals of everyone involved.

It’s not about the GDPR.

While the GDPR was the impetus for a number of organizations to reevaluate their data privacy practices, the most successful organizations aren’t focusing on GDPR compliance. Instead, they’re focusing on creating a high-quality privacy experience (or “PX” in the developing parlance) for their users. If an organization creates a high-quality PX for their users and customers, they will, as almost a side benefit, be in compliance with the GDPR.

One reason this is important is that the GDPR isn’t the end of data privacy regulations. We’ve already seen a number of significant new pieces of privacy regulation enacted since the GDPR. One is the California Consumer Privacy Act of 2018 (or CCPA), which goes into effect January 1, 2020. And as with the GDPR, you don’t need to be a California business to be under CCPA jurisdiction. Another new regulation is Strong Customer Authentication (SCA), which goes into effect later this year. And there’s an “ePrivacy Regulation” pending in the EU, which some are calling “GDPRv2”.

Chasing these regulations to always be at the minimum level of compliance is guaranteed to be a maddening experience for everyone involved. Instead, if you take the broader view that data privacy, itself, is important, and you focus on the fundamentals of creating a high-quality privacy experience, all that will be needed is an occasional tune-up or tweak based on whatever new regulations come out.

So how does one create a high-quality PX for users? Well, that’s a topic for another article, but here are a few things that a marketing team can keep in mind to stay “future-focused” for privacy concerns:

  • Respect your donors, clients, activists, and other users above everything else. If you wouldn’t be proud to show each of them exactly what information you have collected about them, how you use that information, who sees that information, and how you share that information, there’s room for improvement.
  • Be transparent about what you’re doing. The practices you put in place to respect your users and protect their privacy should be shouted from the rooftop. Your users want to know what you’re doing, and they will reward you for your transparency.
  • Give users agency over their data. That means allowing them to choose whether they give you their info or not, but it also means allowing users to change, delete, and access their data once you have it. Users don’t suddenly lose interest in their privacy once you have their data, so if you want to continue to show respect for them, you need to respect their continuing data privacy interests.
  • And finally, take personal responsibility for your users’ privacy. Your organization may have privacy officers and lawyers and IT managers who all are paid to think about data privacy, but you might be the most consistent direct contact with your users and customers in the organization. In some cases, your messages might be the only contact a customer ever has with your organization. That might mean that you have to be the face of data privacy, you have to be the voice of an organization that can be trusted.

We’re only one year into the GDPR, and at the beginning of what might be a sustained wave of data privacy initiatives and regulations. But one year is enough to see some early trends of what’s working and what’s not. There are many, many factors that go into building a successful data privacy practice, and every organization has its own peculiarities that require individualized attention. But over and over again, I’ve seen these three ideas at the core of the most successful marketing teams working in the post-GDPR world:

  1. Embrace privacy rights;
  2. Build strong relationships with your privacy officers; and
  3. Take the long view by focusing on good PX.

  1. Carlos Flavián, Miguel Guinalíu (2006), “Consumer trust, perceived security and privacy policy: Three basic elements of loyalty to a web site”, Industrial Management & Data Systems, Vol. 106, Issue 5, pp. 601-620.
  2. Kuang-Wen Wu, Shaio Yan Huang, et al. (2012), “The effect of online privacy policy on consumer privacy concern and trust”, Computers in Human Behavior, Vol. 28, Issue 3, pp. 889-897.