The Smart Way to Make Your Opt-In Forms & Email Marketing GDPR Compliant

Shane Melaugh

Updated on September 19, 2023

The new European data protection regulations (GDPR) are right around the corner and many website owners are in a panic. There’s been a lot of talk about rules, regulations and hefty fines that await those that don’t comply.

Most “how to GDPR” content seems to suggest that you have to add multiple checkboxes, prompts and extra steps all over your website.

In this post, we’ll take a look at what GDPR actually means for small business entrepreneurs and email marketers. And you’ll discover ways in which you can make your website compliant without sacrificing your visitors’ user experience or your conversion rates.

Disclaimer: I’m not a lawyer and this post does not contain legal advice. Always work with your legal counsel to determine the right decisions to make about regulations.


First, let's start with some good news:

The EU Isn’t Coming For You

Before we get into further details, let’s get some perspective on these regulations in general. As a small business entrepreneur, you should be aware that you are not the GDPR’s main “target”. GDPR is about the processing of people’s private data online. GDPR primarily aims to regulate businesses that do a lot of data processing - and especially businesses that make their money from selling or “exploiting” the data they collect about people.

Think: data harvesting giants like Facebook or Google.

The average entrepreneur and website owner does very little data harvesting or processing. If you have a website with some opt-in forms on it, the EU isn’t coming straight for your jugular.


Will You Be Hit With Huge Fines?

Many marketers fear massive fines if they don’t get everything on their website 100% compliant by May 25.

According to Elizabeth Denham, the UK’s Information Commissioner, that’s just “scaremongering”. She further states that “Issuing fines has always been and will continue to be, a last resort.”

If your site is not compliant, fines are not the first thing that happens. There's no squad of EU goons waiting to kick down your door.

The expected process for non-compliant websites looks like this: the first step would be for your users/visitors to take up the issue with you directly.

For example, a user might ask you (the website owner) to see, change or remove their private data. If you can’t comply with that, the user can escalate this to a complaint, which would lead to a multi-step process by an EU data regulation agency, starting with an “information notice”.

Only if you are still not compliant after having received various notices and warnings will fines come into play.

In short: there’s no reason to believe you’ll face immediate punishment for a missing disclaimer link or a poorly worded checkbox label on your site.

We Still Need to Clear These Obstacles

I hope you now see that these regulations are less threatening than you may have thought. Let's take a second to breathe a sigh of relief.

Of course, that doesn't mean we can just ignore the regulations. Even as small business owners with very little data processing, we still have to make sure we’re compliant.

Strangely, I’ve seen that many writers feel obliged to “reframe” GDPR when they write about it and make a statement like: “why GDPR is actually a good thing for marketers!” Apparently, these regulations will help us get higher quality leads or they’ll weed out the bad marketers or something.

What’s conveniently omitted is that GDPR doesn’t do anything for your lead quality that you couldn’t have done before.

Protecting people’s privacy is a laudable, and in my opinion important goal. But let’s not pretend like these regulations make things better for small businesses. They represent extra hoops you must jump through as well as additional time (and possibly money) you have to spend.

What’s worse: if you follow a lot of common advice about GDPR and email marketing, it can harm your conversion rates and your bottom line, all without adding anything of value to your visitors.

Here at Thrive Themes, we have a strong focus on conversions, so it’s particularly this last problem I want to help you with. We’ll take a look at how you can make your opt-in forms and email marketing GDPR compliant without hurting your conversion rates.


How GDPR Affects Email Marketing

GDPR isn’t primarily about email marketing. It’s about how people’s personal data is handled and email marketing contains such data (e.g. someone’s email address). The main rights given to EU citizens under the regulation are as follows:

  1. The “tell me what’s going to happen” right: the citizen has the right to be told what will happen with personal data before it is submitted and the data shall only be used if explicit consent is given.
  2. The “show me my data” right: the citizen has the right to know what data is being collected about them, why it’s being collected and how it’s being used.
  3. The “I want to change that” right: the citizen has the right to have data modified or updated.
  4. The “forget about me” right: the citizen has the right to have their private data removed completely.

For email marketing, this translates to:

  • Tell visitors what you will do with their email address before they sign up.
  • Give visitors a view of the data you’ve collected about them (probably only their name and email address).
  • Give visitors a way to modify their data (e.g. get the emails sent to a different address) and unsubscribe.
  • Remove all data you have about a visitor completely, if they request it.

The Checkbox Myth

How do you make your opt-in forms GDPR compliant?

I get the impression that 9 out of 10 marketers would answer: “by adding checkboxes!”

I don’t know where this idea came from, but GDPR doesn’t mean adding checkboxes. You need the subscriber’s explicit consent to send them emails, but a checkbox is not the only way (and definitely not the best way) to get this consent.

Let’s look at an example of a typical opt-in form, pre-GDPR:

Opt-in form example with an offer for a free PDF

If someone signs up through this form and you then start sending them emails, that’s not GDPR compliant.

Why not?

Because there was no indication in this form that you’d be sending emails (and visitors can’t consent to something you haven’t told them about). The entire form is about getting a PDF. The visitor who signs up agrees to receiving a PDF, but nothing else.

Here’s how most “how to GDPR” articles seem to suggest improving this form:

Opt-in form with too many checkboxes. GDPR compliant, but not user friendly.

Okay, I’m exaggerating. But I’m exaggerating to make a point: adding checkboxes to this form makes it worse.

No one wants to read fine print. Just like we all “read and agree to” the terms and conditions of every software and app we use, people may or may not check these boxes, but they won’t actually read your terms or even pay close attention to what the label of each checkbox implies.

Adding checkboxes makes the opt-in form worse for the user (a poor user experience) and it will likely lower your conversion rates. This is still true if we take a more conservative approach like this:

Opt-in form with an added checkbox that reads "I agree to receiving the weekly newsletter"

Even the one checkbox is not a positive addition to the form, in terms of user experience.

Plus, there's an extra twist: under GDPR, you are not allowed to disadvantage anyone because they don’t provide consent. That means in a form like this one, you can’t make the checkbox required.

If someone signs up but doesn’t check the box, you have to still give them access to your PDF, but you can’t send them any emails.

For the business owner, there are 2 main problems with this:

  1. The checkbox label might as well read “please also spam my inbox with annoying promotional messages”. Nobody wants another “newsletter” and even if your newsletter is neither spammy nor annoying, visitors won’t know that before they sign up.
  2. You have to set up a potentially complicated system that ensures that people who sign up but don’t check the box receive your free PDF, but aren’t added to your mailing list. Those who do check the box need to get the PDF and be added to the mailing list.

Note: you can set up a 2-track system to separate consenting from non-consenting signups using the Thrive Leads plugin and the Asset Delivery feature. You can learn exactly how it's done in this tutorial.

How to Fix Your Opt-In Forms & Ditch the Checkbox

There are two approaches you can use to make your opt-in forms GDPR compliant without adding checkboxes or extra hoops for your visitors to jump through:

  1. Change the copy in your opt-in forms.
  2. Change the nature of your opt-in offer.

Fix 1: Change the Copy

Here’s what the form could look like, with modified copy:

Opt-in form with "Subscribe to get..." in the title

Here’s exactly what we changed, to make this form GDPR compliant:

  • We added “Subscribe to get…” to the title and mentioned the newsletter in the text. This way, it’s clear that the user is consenting to a newsletter by signing up.
  • We are still providing an opt-in offer (or lead magnet) in the form of our free report. However, instead of the free report and the newsletter being totally separate, the “main action” on the form is signing up for the newsletter and getting the PDF is a bonus provided to newsletter subscribers.
  • We’ve added a link to our terms in the disclaimer part of the form.

That’s it. This form now acts as explicit consent to receive a newsletter and we’re good to go. No checkboxes needed.

What if you have a form or landing page with a killer headline that you’ve tested and optimized to perfection and you don’t want to mess it up? Here’s another version of the form, with nothing changed in the title:

Opt-in form example with newsletter mentioned in the copy

The key point here is that the offer is framed in such a way that there is no separation between the free PDF and the newsletter. The form clearly states what is to be expected.

Fix 2: Change the Offer

One way in which the GDPR might actually do some good for consumers is that it makes old-school, high pressure sales style email marketing much more difficult.

What I advocate is a way to make your entire email marketing process not only GDPR compliant, but better and more effective in general. I call this approach "Newsletter-as-a-Service".

Newsletter as a Service (NaaS)

To explain how NaaS works, let's do a quick thought experiment. Think of the difference between TV ads and product placement.

TV ads: you’re watching a movie for entertainment (which is what you want) and you get interrupted by ads (which is what you put up with, if you have to). You see ads for a fancy looking watch and maybe, if you see them often enough, you’ll buy the advertised watch at some point. But you probably won’t and you’d rather cut the ads out of the movie.

Product placement: you’re watching a James Bond movie for entertainment and James Bond happens to be wearing a really stylish watch.

Daniel Craig looking dapper (and wearing a stylish watch)

The watch comes with a bunch of gadgets, so it’s shown in close-ups several times and it becomes part of the plot. You end up buying the watch because James Bond is cool as a cucumber and you want to be like him. What’s more, it never feels like an ad and it wouldn’t even occur to you to cut the watch out of the movie.

Newsletter-as-a-Service is taking this concept to the next level.

Here’s a video with an example of what I mean:


Old vs. New Email Marketing

Let's contrast NaaS against the old way of email marketing, which is not only unpleasant for your subscribers, but also much more at odds with GDPR.

Here’s the kind of thing I mean:

The Old and Spammy Way

  1. You have a lead gen offer or you sell something.
  2. When people sign up or purchase, you send them affiliate offers non-stop until they unsubscribe.

If you’ve bought some rubbish products on Internet marketing forums, you’ve been on the receiving end of this marketing style.

Few marketers stoop so low as to follow this old, "hard sell" approach. But if we look at the more common approach these days it's not great, either:

The Slightly Less Spammy Way

  1. You have a lead magnet (opt-in offer) to get people onto your mailing list.
  2. When people sign up, they get your lead magnet and they also start getting emails from you (these may or may not be related to the thing they signed up for).
  3. Some emails are educational and useful, some are purely promotional.

This approach stems from an attitude that sees subscribers only as potential profit sources. You send useful, informative content to your subscribers only to “keep them warm” for the promotional stuff.

There is a better way to do email marketing and it also happens to be GDPR compliant:

The New Way

  1. Your emails are never purely promotional or unrelated to the original offer that got people onto your mailing list.
  2. Your emails, which are educational and useful, link to interesting content and contain secondary promotions or soft promotions (more about this below).
  3. All of the content you send to subscribers is your “newsletter service”.

Your subscribers sign up for and subsequently receive this useful and valuable Newsletter-as-a-Service mix of content.

NaaS Example: Thrive Themes

For an example of a Newsletter-as-a-Service, look no further than Thrive Themes. Most commonly, when you get an email from us, it’s to announce a new blog post or a new Thrive University course.

Right off the bat, that means the email itself is not promotional in nature.

Our blog posts are almost always based around helping entrepreneurs and website owners solve a problem or improve their conversions. Promotions of our products and features are incidental to this educational service provided in our content.

For example:

You get the idea. None of these posts are straight-up “buy this product” promotions. Even if you don’t use any of our tools, you can learn a lot and seriously upgrade your marketing by following the Thrive Themes blog.

And because this is our approach, there is no clear separation between “content” and “promotion”. When you are subscribed to the Thrive Themes mailing list, you get a constant stream of emails that all have one and the same purpose: to help you build a better website.

This is what it means to offer a Newsletter-as-a-Service.

The GDPR Grey Areas

Maybe you're wondering: is the Newsletter-as-a-Service concept 100% compliant with GDPR? Am I 100% on the safe side, following this advice instead of adding many checkboxes to every form?

The answer is: no one knows for sure. Depending on which lawyer you ask, you'll get different answers about anything that still constitutes a gray area. And right now, there's a lot of gray area.

One source I am going by is this consent guidance document by the ICO, which gives the following example:

"If joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal."

The example isn't perfect for the use described in this post, but it shows that incentives for subscriptions are still a viable option for marketers.

When is a Checkbox the Right Choice?

As we've seen, you have 2 options for making your opt-in forms GDPR compliant. You can:

  1. Add a checkbox to get consent for anything not mentioned in the form’s copy.
  2. Change the copy of your form.

Neither of these is “the right” choice to make. You have these options at your disposal and you can choose whichever one suits your needs best.

My Newsletter-as-a-Service approach is more than just a quick fix for some opt-in forms. It’s an entire marketing approach. I believe it is a superior approach for most businesses and I recommend it, but it’s not something you can just implement overnight.

Newsletter-as-a-Service makes your email marketing as a whole more GDPR friendly, but you still need to clearly communicate your offer. So, implementing NaaS doesn't save you from changing your form copy or adding checkboxes.

When it comes to choosing between changing your form’s copy or adding a checkbox, I believe changing the copy is generally the better choice. However, we have added a feature for adding a checkbox to opt-in forms in Thrive Leads, so the choice remains yours.

What Else Do You Need, to Make Your Email Marketing GDPR Compliant?

There are several more regulations that are relevant for email marketing, but you are almost certainly already compliant with those.

Unsubscribe & Modify Links

First, you need to make sure that every email you send contains an unsubscribe link and you should also have a “modify my subscription” type link, where your subscribers can update their data.

This kind of thing:

This is hardly a new practice for email marketers.

Privacy Policy or Terms

Second, your privacy policy and/or terms should be easy to find for anyone looking at an opt-in form. On landing pages, it’s already common practice to add a link to such pages in the footer. As an additional step, you can add a link inside your opt-in forms (although it’s debatable whether the link needs to be in the form itself, if it’s already on the page that the form shows on).

Proof of Opt-In

You also need to be able to provide a proof of opt-in or a proof of consent. Basically, if a subscriber claims you started sending them emails out of the blue, you need to be able to prove otherwise.

Your email marketing service may provide such a proof log or, if you use Thrive Leads, you'll find email addresses associated with specific opt-in forms in your reporting dashboard.

Your Action Steps

Now that you know what tools you have at your disposal to make your email marketing GDPR compliant, here’s what to do next:

  1. Take an index of all the opt-in forms and lead generation landing pages on your website.
  2. For each opt-in offer you have, decide which of the 2 approaches is best. Will you add a checkbox to the forms or change the copy? And to what extent will you change the offer itself?
  3. Update your opt-in forms and lead generation landing pages to reframe your offer and make sure visitors can clearly anticipate what’s going to happen after they sign up.
  4. Make sure that your terms & conditions or privacy policy are easy to find from any page that contains an opt-in form.
  5. Make sure your emails all contain an unsubscribe link and a “modify my subscription” link.
  6. Get all this over with, so you can go back to focusing on more important parts of your business.

Finally, consider to what degree you can and want to implement a Newsletter-as-a-Service approach in your email marketing.

If this is something you’d like to get more guidance from us about, let us know in the comments below!


by Shane Melaugh  May 18, 2018



Leave a Comment

  • Hi Shane! Great article, thanks a lot for bringing some sanity to this crazy GDPR rush. I’m just reframing all my opt-ins offers.

  • Shane, thank you for all the work you’ve put into the article. As always – very helpful content.

  • All of those that send decent emails will continue to do so. And those that just send sales pitches disguised as value will whine how GDPR killed their business. I’ve always said that every email sent by a business is a marketing email. Some are better than others. The better ones you don’t think of as marketing and the worst? They’re seen as spam. It’s time that business owners stopped acting like spammers and take back their business relationships.

    • That’s really well said, Sarah!

      And you’re exactly right: every email is a marketing email. Every interaction is a marketing interaction. Everything the business does is for the business – and if it’s a good business, that means it serves the customer, the audience, the fans. A “marketing” email doesn’t mean “we’ll spam you and try to squeeze every cent from your pockets”. It means “we’re fulfilling the business’ mission of making a positive difference in the world”.

      That may sound idealistic, but for me, unless there is such an idealistic purpose to what a business does, I can’t be bothered.

      • I agree with you wholeheartedly. Bringing integrity and heart to your business is a sound philosophy.

      • That’s why I like buying your stuff, Shane. I feel you care about your customers, there’s a vision behind all of this.

  • Great overview Shane, thanks! One question: a lot of businesses are sending emails to their entire list asking to either confirm your subscription or to unsubscribe. I don’t find this in the list of to-do’s, so I assume this is not mandatory? Or are they only sending these emails because they have never asked your consent to email you (and thus fail to comply with GDPR)? Thanks!

    • Hi Bert,
      I’m from Germany, in the middle of the GDPR, yeah! We need to have the so called double opt-in for our newsletter subscribers. When the people on your list already have opted in via double opt-in then you don’t need to ask the entire list. When you don’t have the double opt-in then you need to collect a “new and GDPR-compliant confirmation”, e.g. via asking for explicit confirmation in an email broadcast. This is the status quo here in Germany.

      • @Birgit

        I believe it’s not the double opt-in that is mandatory but the consent and you need to be able to prove it. The double opt-in just happens to be the easiest way to have proof of their consent.

      • In Heather Burns’ webinar, she actually said double opt-in is not proof of consent, it’s just a way to avoid me from using your email address and signing you up for 20 newsletters.

        But it’s not enough to make your list GDPR approved.
        *head still spinning* ugh.

      • Here in the Netherlands everyone’s going on and on about ‘them cursed checkboxes’ as the only way to go for getting GDPR-compliant confirmation.

        In information I’ve received from ActiveCampaign and WPBeginner (amongst others), double-optin is named as one of the TWO options you can use.

        Talking about different interpretations …

        To stop my head spinning, I’ve chosen the more practical interpretation: double-optin (which I have been using from day one).

        I’m also reframing my freebie as ‘an information package’: where my follow up emails and the subscription to my newsletter used to be a bonus, they are now an integral part of the package that people can sign up for.

        The future will tell if I was right or … a bit less right. 😉

      • Thanks for your comment!

        If I can offer my take on this: double opt-in is a form of explicit consent, but consent for what? If neither your opt-in form nor the confirmation email say anything about receiving emails from you, then you can still be in a situation where the subscriber has given consent to receiving your freebie, but not to receiving any further emails.

        So, in my opinion (as a non-lawyer, from whom you should not take any legal advice), it’s still a matter of choosing the right words – in your opt-in form and/or in your confirmation email.

    • It’s because you will not be allowed to keep on your list people who have not given consent. So, after GDPR, you’d need to delete all people whose consent you don’t have.

    • Thanks for your question, Bert!

      This depends on whether you have proof of consent for your current email contacts or not. This article explains it well.

    • Hi Bert!

      I agree with Birgit and Mary.

      On one of my websites I didn’t use a double opt-in and I wouldn’t be able to prove the users did subscribe to the list.

      So I’ve started sending emails re this, telling them what this means and trying to keep them on the list by asking for their consent.

      Thing is, not everybody will open the email or click the link, so I’m sending 3 emails targeting the ones that didn’t open or click.

      The problem is, by the 25th I’ll have to have everybody’s consent.

      Whoever has not opened the emails or clicked the link, I’ll have to delete them.

      I know I’ll lose some of them, but I’d rather comply with this GDPR thing than get in trouble in the future.

      Just my 2 cents…

  • Thank you for this clear and broad explanation!

    One note: I followed a webinar from a UK legal lady, who said it’s not allowed to only offer the freebie/lead/opt-in to those that enter your list.

    In other words, if you offer something for free, people need to be able to get that without subscribing. Imo, with the non-checkbox approach above, that is not possible?

    • “Avoid making consent a precondition of a service.” > GDPR

      You can’t force people to sign up for the newsletter in order to get the lead magnet.

      I’m sorry but this blog post is a disservice to your readers in which they think they can just reword the copy to avoid adding checkboxes.

      • You are making a huge assumption there that sending someone a free PDF is what the legislators meant by a “service” when they wrote those rules. I highly doubt that’s the case. Like much of GDPR I think it’s highly likely that this was written for the case when someone makes a purchase and the vendor tries to get them to take unrelated marketing emails as part of the purchase, either with pre-filled checkboxes, confusing language, or simply not giving them the option.

        The chances of this sentence being meant to be applied to lead magnets is pretty small. Lead magnets are more likely to come under bundling/granularity and the use of incentives. Shane’s solution covers this fine.

      • Ian – The GDPR says that “utmost account” shall be taken of whether you require someone to consent as a condition of entering into a contract or getting a service. And elsewhere, the GDPR makes clear that contracts include FREE contracts.

      • And in that case you’re making the assumption that sending someone a free report is a contract. A contract is a legally binding agreement between two parties that involves rights and duties on both sides. There is no legally binding agreement and no duties implied by sending someone a free report. Ergo, it’s not a contract (or a service) so this rule doesn’t apply.

        Look, here’s a more important point that I think is where some people are being absolutely crazy…

        When any new legislation is created it will not cover every eventuality, some of the wording will be open to interpretation, and some of it will be contradictory. That’s only natural as the people writing the legislation are human. The quirks will get clarified and ironed out as the legislation is implemented.

        So right now, there are areas like this where the legislation is open to interpretation. We cannot know for sure what they exactly meant or whether they really considered the details at all.

        So as business owners we have a choice. We can choose to take the most extreme interpretation that’s the most detrimental to our businesses and implement that. Or we can choose to take other reasonable interpretations that aren’t so detrimental and implement those, knowing that if we’re wrong the worst that can happen is that we will be asked to make a correction (fines are almost never levied, and when they are it’s in the most extreme cases and after warnings have been ignored).

        For me, I think it’s absolutely crazy to take the interpretation of GDPR that is the worst possible for you and try to implement that. Why on earth would you want to inflict damage on your business when you don’t know that this is what was actually intended and there are other perfectly reasonable interpretations that are better for you? And if the worst case really is what they intended you can implement it later when it’s made clear with no ramifications.

      • From GDPR art 3: “2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or”

      • You’re right, Ian.

        We have to look at the *intent* of GDPR, rather than blindly make the web even more messy (cookie-disclosure…) in an attempt to follow some regulations targeting much bigger fish, employing tactics we ALL know are dubious and wrong.

        Of course it’s not ok to add new users (who sign up to your app or website) to a list, where you start a long autoresponder-sequence that goes on and on, with 3-4 emails per week. OF COURSE that’s not ok. Yet, that’s how many businesses operate. I personally loathe signing up for anything nowadays, ’cause I’m 95% sure I’ll be added to their “newsletter” which’ll spam me 3+ emails per week. NOT ok. And THAT is an example of what GDPR is targeting.

        It’s also targeting data harvesters of various kinds, as this post correctly states.

        Furthermore, if WE can’t make sense of the rules: neither can the regulators. We’re talking bureaucracy here! Trust me: I’m a European, so I’m used to EU’s constant rules and regulations. Many of them are well-intended, and some of them actually do make things better for all of us – but common to them all, is that they’re cryptic and hard to follow, because they’ve been created in a bureaucratic vacuum – and with way too much process back and forth.


      • Yeah… I know it says that in the rules, yet someone responded on a post to me “if I’m a restaurant and want to give out a free meal to someone in exchange for an email address, they cannot force me to give the meal free just like that.”

        It’s not totally the same of course; but it got me thinking how weird this rule is!!

        I’m all for better use of data, and being clear that by getting the free lead magnet you will be subscribed to a newsletter (that you can unsubscribe from at any time, and stating what else you will be doing with that data/how you store it), yet if you don’t want to be on the list, you’re free to dismiss the freebie.

        But how can they FORCE you to give it for free to those not subscribing to your list?

      • I have to invest time creating content for my ebook and give it to a designer to create the cover and the interior layout.

        My ebook will be more expensive than a free meal at a restaurant.

        The user should have the right to get your free meal and not sign up for your newsletter, the same way he has the right to my lead magnet without subscribing to my list.

        By the way Bobby (Robert Klinck) is a lawyer and he was on Amy Porterfield’s podcast discussing GDPR.

      • Love this example. My approach is this.
        Following Shane’s excellent example of the Newsletter as a service.

        I provide a service to my subscribers ONLY (obviously).

        I’d love to provide these services which include free tips, lessons, and practices to new subscribers. So I welcome new subscribers who can receive the same benefits.

        I will continue to send content and opportunities to my subscribers because they have indicated that is what they want as part of my tribe.

        I do NOT feel obligated to give something away to people who do not agree to my terms of service (disclosure about what information I track). People can opt out anytime they want.

        What more do people want? Surely this is covering all the bases.

      • “Avoid making consent a precondition of a service.” –

        This sentence may be directed towards and in connection with the widespread activities of the banks and other financial organisations in the UK that brought about the PPI scam, which in many cases did indeed force consent as a precondition of a service.

        Which in the scheme of things is nowhere near the same as offering a free PDF or Ecourse that is helpful, relevant, has no hidden agenda, isn’t hidden inside small print…… in exchange for an email address.

        “You can’t force people to signup for the newsletter in order to get the lead magnet”.

        Not sure where it says any of that in GDPR documents but nobody is being forced to do anything and most people are quite willing to provide their email address for something that is potentially helpful and relevant to what they want, need or are searching for……particularly if they are on a website of interest in the first place!

        A bigger issue is those that use fake email addresses to get that PDF or Ecourse. Is that not fraud?

    • Unless she can refer to a specific regulation, she’s probably interpreting something incorrectly. Some random lady on a webinar shouldn’t scare you off. That’s just nonsense. In fact, I’d probably question anything said in that webinar if I heard it. How’d you get on the webinar… an email optin form I presume. Unless she’s only sharing the webinar with people who filled out the form, she’s breaking her own stated “rule”. *** Bottom line, when people make claims, it’s up to you to verify.

      • Jason… I’m a lawyer who has looked at the GDPR a ton. There is a provision that says this:

        “When assessing whether consent is freely given, UTMOST ACCOUNT shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

        Taking that out of legalese… you can’t say “you have to consent to be on my list” to get something from me. Giving someone a lead magnet is a “contract” under the GDPR. In the territorial scope section, it makes clear that a contract includes a free contract.

      • Hi Bobby,

        Thanks for your quote – it’s very hard to find the original text if you’re not a lawyer. 😉

        But now I have a follow-up question, based on what I found on the site of the Autoriteit Persoonsgegevens (the organisation that is supposed to uphold/enforce the GDPR (AVG) in the Netherlands).

        There is a section about a provision concerning DM (Direct Marketing). It says that you can – without prior consent – send emails to your customers.
        (Of course only for similar products or services and with the possibility to sign out or edit/adjust the personal data.)

        When I pointed that out in an online discussion, the ‘comeback’ was, that with a free PDF no money changes hands. The receiver is therefore not a customer.

        BUT: if giving a lead magnet is seen as a contract, then the applicant who has entered into that contract is a customer. So the personal data, collected to be able to send the lead magnet to your brand new customer, can – without further/additional consent – be used for DM purposes. At least, that is my conclusion.

        So my question is: what am I missing? Since everyone keeps insisting that we are obliged to send a free lead magnet without being able to ask for a compensation in the form of an email address.

        I really would like to read your stand on this. 🙂

      • You’re making the assumption that all lead magnets are a one time thing.

        What if that ‘lead magnet’ happens to be an ongoing series of tips? Or weekly motivational posts? Or weekly recipe guides? How does the law suggest we deliver such a ‘lead magnet’ without getting the subscribers consent to be added to our list?

        This isn’t a one size fits all scenario.

      • Excellent, since you’re a lawyer that has read the entire GDPR document I’m sure you came across Recital 23 and Recital 47.
        “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. And according to the GDPR you may not need explicit consent if it falls under legitimate interest. So even the official GDPR documents contradict each other. I think the purpose of this post is to set a baseline to work forward from, not a be-all-end-all solution. However… to each their own.

      • The “legitimate interest” thing muddies the waters quite a bit. I keep repeating this, but I think this is mostly a case of waiting for court rulings. The legitimate interest could cover a lot of what non-scammy email marketers have always been doing, but a court could also rule against that. We’ll have to see.

      • Bobby, I am located in the UK and have worked with lawyers for years covering many topics including business contracts.

        Under the Laws Of England And Wales I understand a contract requires consideration to pass both ways. If I understand your comment correctly I imagine in a FREE contract the consideration only passes one way; I give a potential client a free subscription to a NaaS that has a value both to me and presumably to him but he provides nothing in return. I do not receive any consideration.

        How can it be a valid contract within the law of contract? Surely it simply remains a free gift and I must never expect any response that I might consider to have a value.

        I accept the laws in various countries can often be different from one place to another but, as a non-lawyer, I wonder how the Laws Of England And Wales fit into the GDPR situation. Do the Laws Of England And Wales have no validity in situations where GDPR operates? If so then how will the courts in England determine contractual disputes but where consideration has not been provided?

      • Thank you Jason.
        She’s not a random lady, she’s a lawyer and she actually made the most sense to me so far in clarity and what to and not to do.
        There was no sale or upsell in the webinar and they have a checkbox separate for the newsletter.

      • Lots of scaremongery and misinterpretation of GDPR.

        GDPR does not enforce what some are stating here at all.

        Some are simply projecting an opinion that has no relevance to reality and is completely absurd, even today in Oct 2018 after 5 months of GDPR being active.

        Reminds me very much of the doomsday clocks of 1999. Did your computer explode or suddenly stop working?

        It’s quite simple really. The opt-in process must be clear, unambiguous and relevant to what is being offered and you must control the data you store securely and remove it when required. It’s simple.

        Nobody is entitled to get something even for free as long as the exchange complies with GDPR……and that does not mean that we now need to start giving away free lead magnets without taking email addresses in exchange.

        Context is key.

        If by offering a free lead magnet of related services of legitimate interest (i.e. blogging educational material/Sequential Training Modules/Associated ecourses/supporting PDF/supporting cheats sheets etc) in exchange for an email address and that process forms part of the legitimate interest for a business and the transaction clearly states what the user will receive in exchange, (through double opt-in/confirmation page/click the link in your email if you agree etc) then I have absolutely no obligation to offer that service or product without requiring an email address.

        That will not change.

        I have done everything I am supposed to be doing as a genuine marketer ………….regardless of what GDPR states I should be doing, I do it anyway.…..and some.

        We can prove a clear intent by the user because they are on my website. Nobody forced them onto my website.

        We can prove a clear intent by the user because they opted in wilfully. Nobody tricked or forced them to opt in.

        We can prove a clear intent because we have a double opt in process to confirm that they are who they say they are, that they are happy that they are about to receive what they asked for and that they are happy to proceed.

        Only a buffoon or bot would still be around at this point!

        We can prove a clear intent because they show further willingness by opening emails and actively consuming the content, clicking links, starting the course and completing modules, which their member account clearly shows.

        Those are not the actions of a hard done by user who has been scammed into blindly opting in.

        To make doubly-doubly-doubly sure – they have an unsubscribe button clearly positioned and visible on every email that they receive and they can opt out at any time whatsoever. Yet here they are 75% through a course that they opted into and using those additional supporting documents (bundled) to help them through.

        In addition, we send regular emails that actively encourage them to unsubscribe if they are inactive.

        If they don’t respond and remain inactive……they are unsubscribed manually.

        We don’t want a list of inactive course collectors on our list that cost us additional fees from our email service provider and will gladly get rid of the tyre kickers and beggars, which is why we use an email service provider that allows for manual unsubscribes because we all get those people who will complain to GDPR once they have forgotten that they actually opted in wilfully 6 months ago and opened 10 days’ worth of emails before moving onto the next shiny object!

        All of this is recorded automatically as per business and as per the technology that is already built in to the ethical software and products that most of us use anyway……….regardless of what GDPR rules want, it’s happening naturally anyway.

        GDPR is not looking for people like me.

        GDPR is not looking at my opt-in forms because they don’t blindly opt people in for the sake of building a huge but non-responsive list that I then spam with anything I can make money from.

        GDPR is not looking for me because I’m not scraping data or selling those email addresses on.

        It’s looking for those who do the opposite and it will start with the big boys first. The ones that illegally pass your data to 3rd party data organisations. The ones that have the huge data breaches. The ones that don’t pay their fair share of taxes. You know who I’m talking about.

        Lawyers will be lawyers and if that lawyer just happens to be adept at marketing and quick enough to get a webinar about GDPR up and running before anyone else has the chance to even read through the GDPR and understand it before it took effect then they are also adept at seeing an opportunity to jump on and make some money………..which again takes me way back to those doomsday clocks of New Year’s Eve 1999!

      • Thanks. Your comment has clarified for me what is simple but been turned into something unnecessarily complicated and confusing.

    • I probably saw the same webinar :).

      But does it refer more to that “old” way, where the main action is a lead magnet (PDF or something like that), and on top of that you get the newsletter (now with that check box)?

      With this “new” way, the main action is signing up for the newsletter; PDF is a bonus provided to newsletter subscribers.

      So if you have it as a bonus to newsletter subscriber, does it change things to what was said in the webinar….?

      • That is what I wondered. But then you cannot go out and say “I have a PDF with 7 video tips, click here to download” but you can only promote your newsletter list.

        And then say, “and if you sign up for it, you’ll also get my PDF with 7 video tips”.
        That’s a whole different way of bringing it out and about and I don’t think many people go actively for the NL.

    • Yes it is possible. I’ll explain what I do. I very much agree with Shane’s NAAS approach, and I like his suggestion to switch the emphasis – subscribe to the newsletter and I’ll also send you the pdf (although I’m not entirely sure this passes the granularity criterion in GDPR). However, in some situations the freebie is very much the priority and you can’t really switch it round without there being a disconnect between what the visitor wants and what you’re proposing to give her. For example, visitors to my website may come to download a specific pdf. They might be interested to subscribe for updates etc, but first and foremost they need the pdf to solve their immediate problem.

      I approach it like this: they get the full optin form and explanation that they will get the pdf, and be subscribed to my readers’ group, which they can submit. However, at the bottom, under the submit button, I also have a sentence like this in smaller text:

      “If you don’t want to join my reader’s group, or get all my additional resources, that’s fine I understand. I can send you the publication you need if you email me.” and I link to my contact form. Alternatively I could just link to a page from which they download the pdf directly if I thought I would get too many manual requests.

      So visitors get the choice but without resorting to the checkbox.

      I also think people are getting tied up in knots thinking they have to be able to email the freebie even if the visitor doesn’t subscribe – which is complicated to set up unless you use Thrive Leads (or set up a Gravity Form as an optin). But as I hope this shows, there are other ways of making the freebie available to non subscribers.

    • I think this might only apply if you offer only one free thing. But if you offer a series of free things, like a newsletter or video series, then people would necessarily have to give you their email so that you can deliver it.

      • Still, when they sign-up for a video series, I cannot add them to my ‘main’ newsletter list and send them info about another topic/offer/free thing.

      • Yes You Can………simply ensure that the opt-in content copy that they read before subscribing refers to that info about another topic/offer/free thing that you intend on offering.

    • So much great stuff in this blog post as we come to expect from Thrive.

      Sounds like we are in the same group run by that GDPR lawyer, as I also picked up the same issue.

    • You are completely correct! The UK’s Information Commissioner’s Office have confirmed this to me personally on several occasions. The information in this article is not correct and misleading.

      • Not all lawyers will provide the same answers. Everything I’ve written about in this post is the result of multiple meetings with 2 legal advisers. I didn’t just make this stuff up.

      • I had a 1-to-1 with a consultant who has many years’ experience of data privacy and she confirms that many are getting it wrong and that Shane’s take is the correct one. She works closely with the ICO and knows what she is talking about.
        At the end of the day you can ask 3 experts in any field and get 3 varying answers.
        As business owners we have to take a decision one way or the other – I’m with Shane’s way.

    • In the no-checkbox approach what you’re actually offering is the newsletter, not the freebie. You’re only giving the PDF as a gift to those who optin for your newsletter, not the other way around.

      What still bugs me a bit is (if I understand GDPR correctly) there is some information that needs to be disclosed upfront, things we’ll need to explicitly get consent for. One is the sending of emails (content and promotional). But there’s also the use of data for e.g. retargeting, and also when the data is going to be stored outside the EU (which will be the case depending on the autoresponder service we use). I believe this all needs to be written near the optin form, and it gives a very ugly result 🙁 But it’s still a thing of the offer’s copy and reframing, which is totally manageable if we keep the NaaS concept.

      Thanks a lot Shane for this. I’m proud and excited to be a TT customer, and I can say that NaaS is very much like what I actually do!

      • Hi, Mary.

        From what I understand, you can have these details and any other disclaimers in your “Privacy” page or “TOS” page and have a link to that page near to the opt-in form.


      • Thanks Barru. I’m sure a lot of stuff needs to be updated and clear in the TOS/Privacy, and the link to it needs to be near the optin form. I read somewhere that some information tho needs to be stated upfront, not in a second layer (behind a link). The receiving a newsletter is part of those, and I’m pretty sure the storing data overseas is too. I need to verify this asap.

    • If I’m understanding both you and Shane correctly, I think he addressed that with the way he worded the sign up… that you’re asking them to sign up to your newsletter and you’re giving them the freebie as a bonus.

      Shane, correct me if I’m wrong about this.

      • That’s the idea, yes. The form is for signing up to the newsletter and the freebie is one of the things they receive as part of this “newsletter service”. If your freebie is a PDF, you can take it further and deliver the content itself via email and offer a downloadable version of it as a convenience, like a print version of your newsletter emails.

      • Thank you, Shane. It seems to me that there’s a whole lot of unnecessary hoop-la about all this when people can simply unsubscribe from your list after they get their freebie or if they decide they don’t like being on your list. It seems like all this GDPR stuff is more geared toward people who sell or share your email or phone number or your personal info, and if you’re just using your list for direct contact with people who like being on your list (a.k.a. they haven’t unsubscribed), then you’re simply maintaining relationships with your fans or customers.

      • This is my interpretation as well, yes. If you don’t do anything that is against your audience’s interests and you maintain a good relationship with your fans, I doubt you’ll get in trouble.

        It could still happen, but I believe that people who buy and sell contacts, use fake unsubscribe links in emails and have an attitude of “get their money, no matter what” are the intended targets of such regulation first.

    • Hi Elsewine, if I understood Shane correctly, he says that it’s all about framing – if you offer to “Subscribe to our Newsletter and Get a Bonus PDF” then effectively they are encouraged to subscribe to the newsletter, and PDF is just a bonus.

      • Yes. I have been told by our advisers that framing something like a PDF as a bonus to the “real” offer (your newsletter) is likely an example of legitimate use.

      • Thank you Greg!
        I understand this and at the same time think it will be hard to approach people by ‘subscribe to our newsletter’.
        Even when it’s full of value and well written.

        I have ‘salespages’ for my freebies, describing background etc and tweaking that into the subscription takes out a lot of the dynamic imho.

        Yet I think it can be a valid approach, be it a difficult one.

      • I guess you mentally should change your approach here. Skip the concept of newsletter completely. Start thinking of personally talking to your fans. Ban the word ‘newsletter’ fully from your vocabulary.

        Nobody wants to receive newsletters nowadays. We all want valuable information. If you are able to give such to your clients, you will be more than welcome in their inbox.

        To position yourself as a very welcome visitor on someone’s desk, you should forget about sales and start thinking about delivery.

        Shane and Hanne are perfect in that. I would never ever unsubscribe from the emails they send me. Why? Because I get so much value from reading their stuff. In fact, I do open their emails before any other.

        Experts don’t sell. They don’t send newsletters. They keep in contact with their audience. And they are welcome.

        That’s the position you wanna get in the life of your clients.

      • Exactly! People don’t want ‘newsletters’, they want content that helps them.

        We should be looking at this as wanting to build a relationship with our audiences, not just send them newsletters. Send them something they actually want/need.

        The reason I’m still on Shane’s list is because of the value of his content. He does it extremely well. I’ve never felt sold to. I recommend not just his products, but his content to my friends.

        This is the standard of marketing I aspire to.

    • Right, it’s simply not legal any more to bribe someone into your email list with something that can be simply downloaded … but putting the free info in a short email series would be fine … because for that, you need the email address :)

      • Yes, sending a series of emails and advertising that from the start is one way to reframe your offer.

      • Though I think you still cannot send more than that specific series, like your regular newsletter, I presume?

      • I agree with you Elsewine. For an email course/series, I’m planning to include a few subtle invitations to join my newsletter (and probably my Facebook group). But if they’re not interested, the final course email would be the last time they hear from me.

    • The freebie is a bonus you get for signing up for the newsletter service. You only sign up if you want the newsletter service and then as a “bonus” you get the freebie.

      And you can’t get the newsletter service without signing up, obviously.

    • Thank you for your comment!

      This is where framing your offer makes all the difference. You can’t force people to consent to receiving emails by withholding your PDF from them. The problem there is that you have your offer (the PDF) and you’re using it to “trap” people onto your mailing list. But if your offer is “an informative, useful newsletter including online courses and downloadable material” then people either sign up for this newsletter, or they don’t. There’s no deception or baiting, there.

      The purpose of the regulation is to stop misleading visitors or omitting information about what data will be collected and how it will be used.

      • Thanks for the post Shane, it’s actually the clearest and soundest piece I’ve read on this matter.

        I think you are technically right, though this leaves us with a problem: it is much more difficult to advertise a newsletter service than a more self-contained freebie. Think of the classic Facebook ad offering a pdf with a specific solution to a specific problem. According to the strict interpretation of the GDPR this commenter suggested, that’s now illegal, unless you really offer it with no strings attached, which makes it damn near useless.

        One of the first lessons I learned in email marketing is that NOBODY wants to “SUBSCRIBE” to another “newsletter”, no matter how you spin it.

        Besides, if the law was really meant to prevent us “baiting” people with a freebie and then send them our emails as we did before, well, the approach you suggest (which I think is sound, based on the information I have) could well be interpreted as going against the spirit of the law. I.e., what you call “reframing”, they can call “illegitimate bypassing”, “avoidance”, “sophistry”, and so on. I mean, if they’re out to get you.

        BUT. I think the commenter is referring to Suzanne Dibble’s videos, and as I recall, the freebie issue was actually discussed in one specific video, and doing it the way you suggest was actually deemed acceptable.

        The problem – as usual with these sorts of regulations – is that the law is complex and full of grey areas. I guess the best we can do is do our best right now, then wait and see how the regulators actually behave.

        The big fish too.

        This is how Digital Marketer is handling it for example: they offer the classic short course with the usual form (no checkbox in sight), then they add a few lines of fine print at the bottom:

        “IMPORTANT: As an added bonus for registering for this class, you will also receive free access to the DigitalMarketer bi-weekly newsletter which contains bonus content, exclusive offers, event information and helpful tips. View DigitalMarketer’s Privacy Policy for more details and info.”

        Which is exactly what you are NOT supposed to do if you interpret the regulation in the strictest way possible, absolute granularity.

        Here’s the form:

        It should be said that satisfying each and every requirement of the law in the strictest sense is technically impossible for a small business, and even if they could, they would mess the user experience to the point that having a freebie and a form would be useless anyway. It’s a joke. I mean, if I live in Europe and use ActiveCampaign as an email service, do I have to specify ON THE FORM that their data will be processed in the US? Come on, that’s ridiculous, your form will look like the stack of papers you have to sign before heart surgery.

        It’s a law written by people that don’t understand how the internet works (at least for small businesses) and one that if applied literally, would basically break it (the internet). We’ll just have to wait and see.

      • Yes, if you take the most conservative interpretation of the regulations and try to stick to every aspect of it, it’s wildly impractical. Especially for small businesses.

        And what’s worse, it makes for a poor user experience. I mean, if you really wanted to be on the safe side, you’d have to force visitors to read through your privacy policy before they do anything. Maybe show it as an overlay on your site and only allow them to dismiss it when they’ve scrolled to the bottom.

        And then add potentially dozens of checkboxes to get separate consent for every possible use of their data that can be interpreted as “separate”. And of course, this would go along with a system that can deal with your site tracking, cookies, email marketing and so on, finely differentiated based on which of the checkboxes were ticked by each individual user.

        Now, imagine if every single website implemented this and you’d always have 10,000 words of legalese and a dozen checkboxes between you and the next website you want to visit. Highly compliant, but hardly what anyone wants from the Internet.

        This is why I’m advocating a more “common sense” approach to all of this.

        As always, we’ll have to see for actual legal cases involving GDPR to play out, before some of these gray areas become clearer.

      • Thank you Lorenzo,
        I actually referred to the webinar from Heather Burns which she did with Clare Josa.

        I agree with what you said here:
        “One of the first lessons I learned in email marketing is that NOBODY wants to “SUBSCRIBE” to another “newsletter”, no matter how you spin it.

        Besides, if the law was really meant to prevent us “baiting” people with a freebie and then send them our emails as we did before, well, the approach you suggest (which I think is sound, based on the information I have) could well be interpreted as going against the spirit of the law. I.e., what you call “reframing”, they can call “illegitimate bypassing”, “avoidance”, “sophistry”, and so on. I mean, if they’re out to get you.”

        –> and by no means do I think this advice in the article was off, I am just trying to wrap my head around the best way of approaching this and indeed the reframing as you say above might not be accepted.

        Then again, when you state they will receive a newsletter and you have an unsubscribe link at every mail at the bottom, I cannot see why they would make such a big deal out of it.

        Trying to avoid setting up a whole new workflow which I’ll have to re-do in a few weeks when it turns out that’s not acceptable.
        That’s all.

      • Yes, I agree. I think GDPR is about weeding out smarmy marketers, not stopping honest businesses from growing their customer and fan base.

      • Hey Shane, great post. Quick question… I was informed that you do not need your terms or privacy on the optin form that it just needs to be on the same page as the optin (i.e. footer of a website as an example). What is your understanding?

      • I don’t know for sure. It’s one of those things where I’ve gotten a lot of question dodging on this. It’s a safer bet to put it in the form itself.

      • Your privacy notice is required by law to be clear and conspicuous. The footer of your website is not clear and conspicuous and is a poor place to link to it. Shane is right, put it in the form itself.

    • Somebody in one of the other comments suggested this article. It seems to me that the 1st paragraph alone talks about legitimate situations where someone is joining the mailing list of a legitimate business and the plan is that you are using your list simply to communicate with them about your business and not sharing or selling their personal data.

      For example, I purchased a product online once and I had to give my phone number “in case it was needed by the delivery company.” If I didn’t give my phone number I couldn’t get the product. After that purchase I started getting a million and one robo calls from telemarketers.

      Stuff like this is what GDPR is targeting, legitimately connecting with people who are free to unsubscribe at any time.

      Here’s the link to the GDPR page.

    • If you go with the “fix your offer” approach, this takes care of that. With this approach, what you are offering is not a PDF download but the whole series of content that comes as emails that also includes the PDF download. But you would have to be careful not to offer that same PDF as a free standalone download elsewhere.

    • The enforcement officials probably don’t know themselves what to do at this point. This issue is still new and they will take the time to figure out how strict they want to be. I think they are targeting businesses such as Google and FB.

      Law is often up to interpretation. If it was so cut and dry, we wouldn’t need lawyers, judges, and jury.

      In the end, we all need to do what makes sense to us. We need to be comfortable with how much gray area we walk on.

  • Once again, I can always count on Thrive Themes to provide me with useful, actionable content. I have learned so much from being a Thrive Themes member over the last year. You are right about everyone giving check-box advice. I’ll be interested to see just how prevalent the use of check-boxes becomes. It will be interesting. Something else to test I suppose.

  • Thank you. This is probably THE MOST HELPFUL (yes, yelling) thing I’ve read on GDPR. Gah! If I never hear those words again, I’ll be happy.

    • Thank you, Lisa.

      I’m very much with you. If I never hear about GDPR again, it’s too soon…

  • Oh yes, I’d love to hear more about the Newsletter-as-a-Service approach! 🙂 You could maybe compare it to the Seinfeld emails approach, they’re probably not so different.

  • Yes please Shane, I would definitely be most grateful to learn more about the Newsletter-as-a-Service idea with guidelines and tips to make this effective for both my clients and for GDPR reasons.

    • Thanks for your comment, Alice!

      It’s difficult for me to write about this because I’m not a lawyer and as you can see from the comments here, everything’s one big, muddy gray zone. But if I can do so in a good way, I’ll create some more content about this approach.

  • Thanks so much Shane, I love the NAAS ‘Newsletter as a Service’ piece. I’m not very consistent sending newsletter emails anyway, but this advice has totally changed my perspective.

  • I don’t think your advice regarding changing the copy on sign up forms is GDPR compliant. You cannot bundle offers. The message on the first example “Subscribe to Get the Awesome Guide!” is bundling the getting of the Awesome Guide with signing up for a subscription. It is clearly not free because it depends on signing up for the newsletter. It is exactly the same with the second example. The Headline is “Free PDF for You: Get the Awesome Guide!” That would be fair enough if that was all the page visitor was getting but the text below the headline is conditional: “Subscribe to our newsletter to receive regular updates…… and get instant access the free PDF”. Again, that is bundling because getting access to the “free” PDF is conditional on signing up for the newsletter. There actually DOES have to be separation between the PDF and the newsletter. The form does state what is to be expected but there is no opportunity to take the PDF without signing up for the newsletter. It also denies the claim that the PDF is free if it can only be had by signing up for the newsletter.

    • Then just offer the newsletter as the freebie, but frame it in a way that will entice your audience to want it. I.e. Don’t call it a newsletter…. Weekly tips on blah, blah.

      NaaS your list. Simples. Unless you’re not providing valuable content to your list in the first place. Might be a bit tricky then.

    • So what if we stop saying it is “FREE” then?

      For example, the alternative link to get the PDF separately from newsletter will lead to a shopping cart page with price tag 9.99 or something.

      Then if you subscribe to newsletter – that is just an alternative method of payment for the said PDF.

      What do you think?

      • I think that every attempt to bundle the giving away of a “free” item with the consent required for the use of the recipient’s email address in order to send the recipient a newsletter is really an attempt to get around the rules.

        It is an exploitative mindset that is not in the spirit of the legislation which is about protecting people from their own naivety or even stupidity. It is all very well to rely on the old saying “Buyer beware” but most people have no idea what is really going on in the deeply analytic, data-fuelled, psycho-tactical world of online tracking, segmentation and profiling. This is the underbelly of online advertising, marketing and selling. Some of it crashes through any reasonable ethical barrier.

        We console ourselves with the idea that we are helping people. I think it’s time to get over such conceit and ask people first. This is what this legislation is about.

        I stop unwanted mail coming into the mailbox on my gate with a sign saying NO. This legislation goes a step further because the sender has to get an explicit and active YES. That makes sense because the cost of sending emails is so low that the incentive to abuse privacy is very high.

        Change is always hard to accept but privacy is being invaded on a gargantuan scale, identities are being stolen and kids are being served up stuff that no one in their wildest nightmare would have dreamed up 50 years ago. It will settle down in time and some aspects of the legislation will no doubt alter to business and social realities.

        The legislation may seem draconian. In some ways it is but the point of it is surely to change our mindsets to thinking hard about the consequences of invading personal privacy or losing someone’s personal data to a hacker or, more likely, to careless procedure.

        There has been a lot of emphasis on the financial consequences to business – the costs of becoming compliant and the size of the fines. Not much is being said about the consequences to people of when their privacy is invaded.

        There is also the extraordinary degree of complacency that many younger people have in regard to their own privacy on social media. As though such a thing could not matter in this brave new world and that the concept of privacy no longer exists or has any real meaning for human beings.

    • I fail to see why most can’t see the GDPR for what it is, an EU catastrophe in the making. This could very well kill off a large portion of EU based businesses of all sizes depending on how the final rulings come down.

      Another thing of note; the EU cannot penalize any company or person outside their borders for anything. When the rubber hits the road they do not have the power to write and/or enforce binding global regulations.

      Even the United Nations, although they seem to think otherwise, does not wield such power.

      I intend to carry on business as usual and simply state any citizen of any EU country can choose to do or not do business with me as they see fit.

      If the US government passes a law requiring me to conform to this regulation then I will worry about it.

      • I doubt this will kill off a large portion of business in the EU because it will be a level playing field for all businesses in the EU but not, perhaps, a level playing field against businesses outside the EU if they choose not to co-operate. The largest businesses around the world which are outside the EU are co-operating for now.

        You are right in thinking that the power to enforce has yet to be tested. However, since the end of the Second World War, Nation States have on the whole moved towards co-operation and agreeing to abide by rules covering trade and human rights. These agreements have surely had a role in expanding human endeavour and preventing outright aggression.

        Just because technology has enabled business to track, profile and use every kind of psychological tactic to get a customer through the funnel to a sale, does not mean that it is right or ethical to do so. A line has been drawn in the sand. No doubt it will be modified over time and with testing.

        I think it really boils down to asking whether the economy should be for the benefit of people or whether people are there merely to serve the economy.

  • Hey Shane! 🙂
    Thanks for all the effort you put into that article! Love the “fries with that” 😉

    Will there be mandatory checkboxes in thrive leads anyway?

    Because my lawyer strongly advised me to start with these.
    Not only for accepting the newsletter but also for having agreed to the privacy policy.

    Thanks and greetings!

  • Hi Shane – very good common sense and similar to the approach I’ve adopted. The “you need a checkbox” is a major misreading of GDPR. As is saying that double optin solves it.

    The point that people are picking up on is the requirement for granularity. Consent for different processing purposes shouldn’t be bundled together. You can mess this up if you consider your lead magnet to be “a free report I send them” and your emails to be “marketing I email them”. Those sound like two different purposes. But done right, a lead magnet is “valuable information and a small promotion of my services I send them via email” and your regular emails are “valuable information and the occasional promotion of my services I send them via email”, ie they’re really the same purpose and so no need for separate consent.

    There’s also a case to be made that legitimate interest applies to people signing up for a lead magnet to send them related emails. And also that a lead magnet is similar to the “discount coupon” example of an allowable incentive cited in the GDPR guidance.

    Just a minor point, in the small print below the optin form you really should say who they’re giving their data to (the name of your business) and that they can unsubscribe at any time. Also mention any 3rd parties you give the data to (most likely no one so that bit not needed for most of us).

    • Great points, Ian. It’s all in whether the lead magnet and newsletter are perceived (or pitched) as a “bundle”. Those who argue that no matter how we spin it, it’s a bundle and requires separate consent will then surely have to add a check box to consent to receive every single “regular email” since that alone is one giant bundle.

      And what if down the track, I have a “newsletter” with an additional PDF attached? (Eg a cheat sheet) Is this now another separate item, requiring reconsent? The lawyers are overruling common sense.

      Of course, if email addresses have been purchased elsewhere, no consent granted etc, then GDPR ‘may’ help reduce some inbox clutter, but somehow I think most of those spammers will ignore it, as they have CAN-SPAM and the rest. Just take a look at any Gmail spam box.

    • Thanks for your comment, Ian.

      There’s definitely an issue with semantics as it regards to the “bundling” of consent. The main problem I see with this is that bundling or not is in the eye of the beholder.

      If you send out a series of emails that are all the same kind of email (in your eyes) individual subscribers can still interpret them as separate. As in: I consented to the emails I’m interested in, not to the ones I’m less interested in. I consented to the first half of this email because I agree with it, but not the second half because I disagree with it.

      Even with the NaaS approach, any email you send can be interpreted as a marketing/promotional email. If I send an email with a link to a blog post, that blog post is not far removed from some place where you can buy one of our products. So the email can be interpreted as nothing but a stepping stone to get people to buy stuff. The way I see it, any way you want to “unbundle” the kinds of emails I talk about in NaaS is arbitrary. A court might rule one way or another, but in reality it’s going to be arbitrary.

  • Thank you! Unrelated to GDPR – I’ve moved my Newsletter to NAAS recently not knowing what it was. My business had grown as a result more than sending the “snake oily” emails. I just send 3 “picks” each week. And this article will be one of those picks next week!

  • Thank you for taking the time to write this post Shane, I was super worried about GDPR, but now I feel a great relief! Thank you again!!

  • What about comments on our blogs? Subscribers have to type in an email before leaving a comment. What about Privacy Policy and Cookies Policy? Do we need to change something in them or they should be fine as they are?

    • I would be very interested to hear Shane’s take on this question, especially as it pertains to ThriveComments: Does ThriveComments have the ability to extract all of someone’s contributions to a given site? I imagine this might become an issue some day.

  • Excellent article on the topic. Appreciate the no-nonsense approach and actionable advice. I will be sure to share it with my audience, as we have been discussing this exact issue the last few days. Thanks!

  • Fantastic article, Shane! Thanks. I’ve been wondering a lot about GDPR and now I know what to do. I also like your NaaS idea. I think it’s in line with what we all should be doing anyway… be helpful, first and foremost, and then subtly introduce your offers as part of being helpful. Love it!

  • The voice of reason in a sea of fluff and nonsense – thanks Shane for this clear and insightful perspective.

    I particularly like the reframing of the offer or slight rewording of the form copy to easily become compliant.

  • This is the first sane comment I have heard in this GDPR madness. Everyone is threatening gloom and doom with 20 million Euro fines. It reminds me of Y2K. Your approach makes perfect sense. It will help me not suffer from a nervous breakdown on the 25th! 🙂

    • I agree. I think people are making a big fuss about something that’s meant to protect your personal data from being shared or sold to people you didn’t consent to, or being forced to give your info in an unnecessary way.

      For instance, I bought a product online once and I had to give my phone number “in case it was needed by the delivery company.” It was required or I couldn’t purchase the product. After that purchase I started getting a million and one robo calls from telemarketers.

      This is the type of B.S. that GDPR is targeting, not businesses connecting with people who are interested in what that particular business has to offer.

      Besides, they can always unsubscribe at any time.

    • The main intent of the GDPR is to inform people of what data is being captured and how it is being used and give them the opportunity to CONSENT to such use. In other words total transparency, which is not a bad thing.

      I think Shane’s approach clearly demonstrates that there is no intent to deceive so complies with the “spirit” of the GDPR. We can all go around in circles arguing various points but to solve this I think the only way would be for a breach to go through the courts in order to set any precedent.

      I think there is such wide and varied use of personal data that people are going to take some time for this to settle in. The ICO and other European regulators included.

      I have seen 2 TV interviews with different representatives of the ICO (The UK’s Information Commissioner’s Office) and they both stated that the fines will be for repeat offenders, in other words, those businesses who have been advised of wrongdoing but do not take appropriate action to mend their ways.

      The ICO see their main role as advisory, so if they are made aware of any breaches they will first make contact to inform you what you are doing in breach of the rules and NOT hit you with any fines of any size. So let’s all think of our customers, be transparent in our use of their data, seek their permission and relax and see how things pan out.

  • Thank you for this super useful article ! I love that you mention the “spirit of the law” or why it was created in the first place, as an intro to what we can apply as small business owners.
    I believe this is where some of the confusion comes from, because in the US (mainly), they apply the law as it is written black on white…. but GDPR is a European law so the spirit matters in how we comply to it !

    I was already using my Newsletter as a Service (love your video !), with clear accessible T&Cs (already in French law), now I just need to adjust the wording on my optins to make it clear they’ll also receive newsletters. No checkboxes for me ^^
    Thank you so much for the clarification, now I am confident the changes I had planned to make are legit (no matter what American interpretation may seem) 🙂

  • Great content. However, I am wondering how to prove the opt-in process. In my Thrive Leads Report I can only see the name of the forms but there is nothing indicating if the lead was generated by using an opt-in process or not. So what do you suggest?

  • Thanks so much! I really like that not only is Thrive Themes awesome and generally easy to use, you guys (and gals) provide so many fantastic and helpful pieces of content to help us on a consistent basis. All your hard work is very much appreciated! 🙂

  • Great article, Shane! I have the same question as Elsewine R: You stated earlier in the article, “under GDPR, you are not allowed to disadvantage anyone because they don’t provide consent.” …. but then later on in the article the language you suggest for the opt-in, “Subscribe to get the Awesome Guide” which seems to directly violate that rule. ????

    • This part of the law is true, but it has been put there so that companies like Facebook can’t withhold access to Facebook because you refused to let them use certain personal information about yourself.

      I am talking in principles, rather than actual precise real world events.

      The law was never designed to punish bloggers who want to encourage readers to sign up to a newsletter in the way that Shane described.

      Therefore it is not in the public interest to fine small guys like us, who are trying to stay on the correct side of moral, whilst trying to make life easy for our readers/customers etc….

      Also, if you were caught in breach of the GDPR laws, you get the chance to put things right first.

      Nothing bad happens until you are given clear instructions by your local law enforcement people on what is wrong and what you need to do to put it right.

      You get a warning first, and a chance to put things right, and plenty of time to put things right. Only after continually ignoring warnings will any action be taken.

      People do need to relax about this.

  • Great article…. Many thanks for the useful suggestions and information.

    I do have one concern regarding Quizzes. If one uses the Explicit Opt-In checkbox within the Quiz Opt-in Gate, will this be good enough to comply with the new GDPR requirements? It seems there are no other alternatives within the Quiz builder framework currently?

  • Excellent post Shane and a real breath of fresh air re GDPR. It’s been fascinating watching people panic about it and speculate about what needs to be done.
    I will be implementing your advice in my opt-in pages immediately and adopting your NaaS system too. I’d love to hear more on this too.
    Many thanks!

  • Unfortunately ‘Fix No.1’ is inaccurate. You absolutely cannot bundle two consents. I’ve spoken at length to the UK’s ICO about this and they were pretty clear that a user MUST be able to access a download or freebie without having to sign up to a newsletter. It’s very tempting to want to re-interpret the law in our favour, but sadly, the very fact there is no separation in this example is exactly why it’s not GDPR-compliant.

    • Taking the logical side of this issue – no marketer would have any reason to give out freebies to anyone unless there is something in it for them.

      So unless we can figure out a way to do this in a way which benefits the customer AND us, we might as well forget about freebies altogether. Our benefit is to get the email of a customer who showed interest in what we have to offer.

      I think that Shane is onto something with his idea. Personally, I get around this single freebie issue by offering a series of free videos which obviously require their email to deliver them.

    • I think the point is that the newsletter IS the freebie. With a bonus attached. It’s not two consents.

      It’s all about framing the offer in a smarter way, as Shane said.

      Example – sign up to receive weekly tips on how to live a more stress free life. We’ll also send you a cool cheatsheet with 7 things you can do right now to bring calm to your day (rough copy).

      The checklist is the bonus. People are signing up for the free weekly tips. You can’t send the weekly freebie unless you have email consent. Do you agree?

      Heck, you could not even mention the bonus if you’re worried about it looking like two consents and this is too grey hat for you.

      Alternatively, offer the bonus as a stand alone free download, then use that as a tool to get people to sign up to your weekly tips (if you liked this cheatsheet, you’ll love our weekly tips… Insert link to sign up form)

      Really, I’m in the UK and what Shane says makes total sense to me as a business owner.

      With all due respect, this GDPR thing isn’t just a matter of ticking boxes to show you are compliant, it’s about working with the regulations in a way that makes sense to your business and customers. We need to be thinking creatively here.

      The UK ICO doesn’t understand what’s best for your individual business. They don’t understand online marketing, nor do they care whether that shitty opt in form with 3 check boxes is affecting your conversion rate, and therefore affecting your business.

      We, the business owners, have to be the ones that make this work for us, in line with the GDPR.

      • This legislation is not intended to be about what is best for business. It is about the rules which will govern the entry to anyone’s Inbox. Your intentions, your reasons for those intentions must be granular or not bundled and they must be explicit, transparent and stated upfront in words that are clear cut and not misleading to non-legally trained people. It is clearly designed to restrain many of the questionable practices that have been employed to build an email list and then for the owner of that email list to use that list in accordance with the explicitly stated purpose.
        Yes, it very definitely is a thrust at business by the regulators who have a very good idea about the difference between what is good for business and what is good for consumers.
        Read Bobby Klinck’s comment. He gets it.

      • I hear what you’re saying. I’m all for weeding out the good marketers from the bad, and protecting consumers.

        The latter part of my comment was not to rant at GDPR/ICO. I’m beyond happy that I, and many others across the EU will be better able to protect our privacy from unscrupulous forces.

        The point of my comment was to address the freebie/multiple checkbox/bundling scenario.

        Shane’s suggestion makes perfect sense to me, and to anyone who understands the importance of creating a good user experience for their audience.

        If you spend time creating a worthwhile weekly resource, that adds value to your subscribers, saves them time, and helps solve their problems, THAT is the actual freebie. The addition of a supplementary PDF is just a bonus.

        But, as you feel this would be ‘bundling’, what if the opt in freebie consisted of just the free weekly resources?

        Can you speak to that?

      • I think that the inclusion of anything “free” will be seen as a lure or a bait to take people’s minds off the fact that they are signing up to a newsletter. The word “free” is so abused in advertising today. It is simply a psycho-tactic in the same way that the word “discount” is.

        People respond like Pavlov’s dog to these words even though it is very rare to find anything that is genuinely free or discounted. If you have a worthwhile resource that is valuable to your audience, why do you have to bribe them to sign up to your newsletter?

        You probably do it because everyone else is doing it. Surely, part of the reason this legislation is so specific about not bundling a sign up with an inducement is to create a level playing field? You may not be able to offer a free something with your newsletter signup form but neither will anyone else – at least not to customers from the EU.

        Unfortunately it gets complicated in countries like the US or Australia where the majority of our customers are not from the EU and you can continue to use these tactics. My view is that this legislation will become the world standard so we might as well treat it as such.

      • Great MJ

        I really don’t get why people are afraid to give away something for free it’s been pretty standard business promotion practice for many years.
        Unless you are concerned about the quality of your freebie offering that is.

        You can put links to your business website in the freebie and like you say, explain that more great useful tips, advice with occasional offerings are available to anyone who signs up to your newsletter (Put a link to a subscribe form in the freebie).

        Even encourage people to pass on the freebie to their friends and contacts the more the better.

        Sort of like a try before you buy offer although the newsletter will, of course, be free. Why does anyone want to entrap people onto their email list, surely we all want to build a quality list of potential customers?

        That initial freebie should be our vehicle to sell ourselves and our business.

      • Please don’t shoot the messenger. I don’t know why people are getting so emotional to someone who is simply stating what they’ve been told by a government body as if I made the rules!

        It’s irrelevant whether the ICO understands or cares about Marketers. The guidelines clearly say you cannot bundle two consents and this has been confirmed to me by the ICO. I was very careful to ask this very question to more than one adviser and, as frustrating as it might be to have to grasp this concept, they were very, very clear on the matter.

        The visitor MUST be able to access ANY freebie, however imaginatively presented, without being contacted again by the marketer. In this example, this is impossible. The consent is therefore bundled. It’s a ‘permission wall’. You can dress it up however you like, and this is about what I think or believe, it’s just the way it is, so accusing me of being ‘worried’ or things being ‘too grey hat’ is just silly. Reading far too much into a simple statement.

        As much as we’d love to believe that the ‘newsletter as freebie with PDF as bonus’ is a convenient workaround, sadly it doesn’t stand up in their eyes. ‘We the business owners’ just can’t pick and choose what suits us. I mean you can, but that’s totally your call. It’s a bit like affiliate marketers failing to add disclosures today despite years of this being a requirement. People do, all the time, and get away with it, but you know, you go for it. That’s your call, your business.

        It doesn’t mean this doesn’t suck for us all but it doesn’t mean we can re-interpret the law because it doesn’t work for us. Believe me, I hate the dreaded checkbox as I’d already added it and it was already having an effect on my sign-ups, so I would love to believe Shane’s workaround will fly, but I know it’s just wishful thinking. I ended up ditching my freebies and the checkbox altogether for what it’s worth, so there is just one consent – for my newsletter.

        I’m a huge fan of Shane, Thrive and what they do, but that particular piece of info was just not entirely correct and I felt I had to point it out. I knew how much of an effect this was going to have for bloggers and marketers who rely on their lists.

        As Shane points out, lawyers will interpret things differently, particularly lawyers who are hired by marketers who make a living out of email marketing. I didn’t speak to lawyers, I spoke to the ICO who are the mouthpiece of the regulators.

        I figure I will personally just have to work harder to create a good word-of-mouth reputation that my newsletter is worth signing up for. Old school!

        I’ll continue to be an advocate of Thrive.

    • It’s not two consents, that’s where the misunderstanding is.

      Punishing people who want to do things the way that Shane is suggesting is not in the public interest, and isn’t what the GDPR is designed to stop, prevent or punish.

      If people like us start getting fines because we had the audacity to send a top ten list of cupcake recipes in PDF format, then it will be a public relations catastrophe for GDPR, and that is something that the EU wants to avoid right now.

      You can question everything in the most paranoid way if you want, but neither Shane nor anyone else is suggesting ‘gaming’ or cheating the system in any way.

      What Shane has suggested is a moral interpretation of the law that removes friction between the website owner and the user/customer/reader.

      Ultimately it comes down to personality, if you are naturally a bit paranoid and a worrier, then put the check boxes in, if you are relaxed about it and apply a bit of common sense, then the check boxes aren’t necessary.

      • Tony, with respect, you’re not understanding yourself my friend. It’s quite sweet that you believe this is about ‘personality’ and that being ‘relaxed’ is a way to circumvent GDPR regulations. Like others, you’re getting a little too emotional, reading way, way too much into the short paragraph I wrote, and shooting the messenger.

        Again. The user is unable to get to the ‘bonus’ PDF without being required to sign up to a newsletter. It’s a permission wall. The user must be able to access the bonus PDF without having to be forced to hand over data to join a newsletter. It’s annoying, and yes, it’s going to affect how people build newsletter lists, but it’s not paranoia. It’s the law, baby! Give the ICO a call. They’re very helpful.

      • Whoa, whoa whoa Sam, no one is attacking you here. You’re really taking this personally and then deflecting your emotions onto random strangers in a comments box. Sitting wondering what’s up with that (… Well the psychotherapist in me is doing the wondering)

        This is a discussion for grown people with differing points of view, is all. No need to turn this into a personal bashing fest.

        Moving forward, have you seen the latest FB live from Suzanne Dribble? She offers her viewpoint on the opt in offer. Around the 30:40 mark she appears to corroborate what Shane and a few of us are saying.

        Have a watch. Would be interesting to get your view on this.

      • *sigh* I didn’t accuse anyone of ‘attacking’ me. I said ‘don’t shoot the messenger” and for people to stop being so emotional over a point I made about one issue that has been confirmed to me.

        I really can’t keep repeating myself and I think Tony is a big boy and can respond for himself – no need to jump in and put words in my mouth (yet again).

        Suzanne has said varying things over the course of her recent media blitz. I’m only saying what I was categorically told by three different people on the GDPR helpline (that was a LOT of wait time I can tell you)- it was a counterpoint to ONE point in Shane’s otherwise informative post.

        Suzanne herself has just emailed her list (today) with a link to OptimizePress’ recent May 17 blog post (not linking directly out of respect as it’s a competitor but please google away):

        “James Dyson, the founder of Optimizepress wrote a great blog on whether you need to get re-consent and how to put together your opt in forms. HE WROTE IT USING MY MATERIALS and it’s a comprehensive yet simple read.”

        I encourage people to read that post – particularly the bit about Selena Soo’s non-GDPR compliant opt-in form, and the clear stance on the bundling of consents.

        Honestly, that’s all I think I can add on these comments. I’m not concerned too much now personally as I’ve already made the changes I feel I need to make to my opt-ins, which is personal to my business. I’m sure we’ll all find our happy place, opt-in wise, and in a few months clear protocols will emerge and any uncertainties will be removed.

      • Preach!

        This has been a very interesting discussion.

        Guess we’ll see how it all pans out after the 25th. It’s adapt or die. I know which camp I’m in.

    • That’s exactly my point in one of my posts above.

      The user has the right to choose to have the freebie without having to signup for your newsletter.

      I think this is a poor attempt at trying to come up with a solution because the checkbox feature in Thrive Leads is poorly implemented.

      Instead of just one checkbox, you could have two checkboxes, either YES or NO, making them required for the user to choose before moving forward.

  • Great article, thanks.
    Today afternoon I was thinking about newsletter in the same terms 😉
    Now, you confirm to me that was a good idea.

  • An excellent guide with clear and easy instructions. Not those scare monger articles.

    I will go for the optin without the checkbox. I’m already planning to do my email marketing with soft sell and story telling / giving good advice so I assume this will be correctly done also.