The Smart Way to Make Your Opt-In Forms & Email Marketing GDPR Compliant

The new European data protection regulations (GDPR) are right around the corner and many website owners are in a panic. There’s been a lot of talk about rules, regulations and hefty fines that await those that don’t comply.

Most “how to GDPR” content seems to suggest that you have to add multiple checkboxes, prompts and extra steps all over your website.

In this post, we’ll take a look at what GDPR actually means for small business entrepreneurs and email marketers. And you’ll discover ways in which you can make your website compliant without sacrificing your visitors’ user experience or your conversion rates.

Disclaimer: I’m not a lawyer and this post does not contain legal advice. Always work with your legal counsel to determine the right decisions to make about regulations.


First, let's start with some good news:

The EU Isn’t Coming For You

Before we get into further details, let’s get some perspective on these regulations in general. As a small business entrepreneur, you should be aware that you are not the GDPR’s main “target”. GDPR is about the processing of people’s private data online. GDPR primarily aims to regulate businesses that do a lot of data processing - and especially businesses that make their money from selling or “exploiting” the data they collect about people.

Think: data harvesting giants like Facebook or Google.

The average entrepreneur and website owner does very little data harvesting or processing. If you have a website with some opt-in forms on it, the EU isn’t coming straight for your jugular.


Will You Be Hit With Huge Fines?

Many marketers fear massive fines if they don’t get everything on their website 100% compliant by May 25.

According to Elizabeth Denham, the UK’s Information Commissioner, that’s just “scaremongering”. She further states that “Issuing fines has always been and will continue to be, a last resort.”

If your site is not compliant, fines are not the first thing that happens. There's no squad of EU goons waiting to kick down your door.

The expected process for non-compliant websites looks like this: the first step would be for your users/visitors to take up the issue with you directly.

For example, a user might ask you (the website owner) to see, change or remove their private data. If you can’t comply with that, the user can escalate this to a complaint, which would lead to a multi-step process by an EU data regulation agency, starting with an “information notice”.

Only if you are still not compliant after having received various notices and warnings will fines come into play.

In short: there’s no reason to believe you’ll face immediate punishment for a missing disclaimer link or a poorly worded checkbox label on your site.

We Still Need to Clear These Obstacles

I hope you now see that these regulations are less threatening than you may have thought. Let's take a second to breathe a sigh of relief.

Of course, that doesn't mean we can just ignore the regulations. Even as small business owners with very little data processing, we still have to make sure we’re compliant.

Strangely, I’ve seen that many writers feel obliged to “reframe” GDPR when they write about it and make a statement like: “why GDPR is actually a good thing for marketers!” Apparently, these regulations will help us get higher quality leads or they’ll weed out the bad marketers or something.

What’s conveniently omitted is that GDPR doesn’t do anything for your lead quality that you couldn’t have done before.

Protecting people’s privacy is a laudable and, in my opinion, important goal. But let’s not pretend that these regulations make things better for small businesses. They represent extra hoops you must jump through as well as additional time (and possibly money) you have to spend.

What’s worse: if you follow a lot of common advice about GDPR and email marketing, it can harm your conversion rates and your bottom line, all without adding anything of value to your visitors.

Here at Thrive Themes, we have a strong focus on conversions, so it’s particularly this last problem I want to help you with. We’ll take a look at how you can make your opt-in forms and email marketing GDPR compliant without hurting your conversion rates.


How GDPR Affects Email Marketing

GDPR isn’t primarily about email marketing. It’s about how people’s personal data is handled and email marketing contains such data (e.g. someone’s email address). The main rights given to EU citizens under the regulation are as follows:

  1. The “tell me what’s going to happen” right: the citizen has the right to be told what will happen with personal data before it is submitted and the data shall only be used if explicit consent is given.
  2. The “show me my data” right: the citizen has the right to know what data is being collected about them, why it’s being collected and how it’s being used.
  3. The “I want to change that” right: the citizen has the right to have data modified or updated.
  4. The “forget about me” right: the citizen has the right to have their private data removed completely.

For email marketing, this translates to:

  • Tell visitors what you will do with their email address before they sign up.
  • Give visitors a view of the data you’ve collected about them (probably only their name and email address).
  • Give visitors a way to modify their data (e.g. get the emails sent to a different address) and unsubscribe.
  • Remove all data you have about a visitor completely, if they request it.

The Checkbox Myth

How do you make your opt-in forms GDPR compliant?

I get the impression that 9 out of 10 marketers would answer: “by adding checkboxes!”

I don’t know where this idea came from, but GDPR doesn’t mean adding checkboxes. You need the subscriber’s explicit consent to send them emails, but a checkbox is not the only way (and definitely not the best way) to get this consent.

Let’s look at an example of a typical opt-in form, pre-GDPR:

Opt-in form example with an offer for a free PDF

If someone signs up through this form and you then start sending them emails, that’s not GDPR compliant.

Why not?

Because there was no indication in this form that you’d be sending emails (and visitors can’t consent to something you haven’t told them about). The entire form is about getting a PDF. The visitor who signs up agrees to receiving a PDF, but nothing else.

Here’s how most “how to GDPR” articles seem to suggest improving this form:

Opt-in form with too many checkboxes. GDPR compliant, but not user friendly.

Okay, I’m exaggerating. But I’m exaggerating to make a point: adding checkboxes to this form makes it worse.

No one wants to read fine print. Just like we all “read and agree to” the terms and conditions of every software and app we use, people may or may not check these boxes, but they won’t actually read your terms or even pay close attention to what the label of each checkbox implies.

Adding checkboxes makes the opt-in form worse for the user (it makes for a poor user experience) and it will likely lower your conversion rates. This is still true if we take a more conservative approach like this:

Opt-in form with an added checkbox that reads "I agree to receiving the weekly newsletter"

Even the one checkbox is not a positive addition to the form, in terms of user experience.

Plus, there's an extra twist: under GDPR, you are not allowed to disadvantage anyone because they don’t provide consent. That means in a form like this one, you can’t make the checkbox required.

If someone signs up but doesn’t check the box, you have to still give them access to your PDF, but you can’t send them any emails.

For the business owner, there are 2 main problems with this:

  1. The checkbox label might as well read “please also spam my inbox with annoying promotional messages”. Nobody wants another “newsletter” and even if your newsletter is neither spammy nor annoying, visitors won’t know that before they sign up.
  2. You have to set up a potentially complicated system that ensures that people who sign up but don’t check the box receive your free PDF, but aren’t added to your mailing list. Those who do check the box need to get the PDF and be added to the mailing list.

Note: you can set up a 2-track system to separate consenting from non-consenting signups using the Thrive Leads plugin and the Asset Delivery feature. You can learn exactly how it's done in this tutorial.

How to Fix Your Opt-In Forms & Ditch the Checkbox

There are two approaches you can use to make your opt-in forms GDPR compliant without adding checkboxes or extra hoops for your visitors to jump through:

  1. Change the copy in your opt-in forms.
  2. Change the nature of your opt-in offer.

Fix 1: Change the Copy

Here’s what the form could look like, with modified copy:

Opt-in form with "Subscribe to get..." in the title

Here’s exactly what we changed, to make this form GDPR compliant:

  • We add “Subscribe to get…” to the title and mention the newsletter in the text. This way, it’s clear that the user is consenting to a newsletter by signing up.
  • We are still providing an opt-in offer (or lead magnet) in the form of our free report. However, instead of the free report and the newsletter being totally separate, the “main action” on the form is signing up for the newsletter and getting the PDF is a bonus provided to newsletter subscribers.
  • We’ve added a link to our terms in the disclaimer part of the form.

That’s it. This form now acts as explicit consent to receive a newsletter and we’re good to go. No checkboxes needed.

What if you have a form or landing page with a killer headline that you’ve tested and optimized to perfection and you don’t want to mess it up? Here’s another version of the form, with nothing changed in the title:

Opt-in form example with newsletter mentioned in the copy

The key point here is that the offer is framed in such a way that there is no separation between the free PDF and the newsletter. The form clearly states what is to be expected.

Fix 2: Change the Offer

One way in which the GDPR might actually do some good for consumers is that it makes old-school, high pressure sales style email marketing much more difficult.

What I advocate is a way to make your entire email marketing process not only GDPR compliant, but better and more effective in general. I call this approach "Newsletter-as-a-Service".

Newsletter as a Service (NaaS)

To explain how NaaS works, let's do a quick thought experiment. Think of the difference between TV ads and product placement.

TV ads: you’re watching a movie for entertainment (which is what you want) and you get interrupted by ads (which is what you put up with, if you have to). You see ads for a fancy looking watch and maybe, if you see them often enough, you’ll buy the advertised watch at some point. But you probably won’t and you’d rather cut the ads out of the movie.

Product placement: you’re watching a James Bond movie for entertainment and James Bond happens to be wearing a really stylish watch.


The watch comes with a bunch of gadgets, so it’s shown in close-ups several times and it becomes part of the plot. You end up buying the watch because James Bond is cool as a cucumber and you want to be like him. What’s more, it never feels like an ad and it wouldn’t even occur to you to cut the watch out of the movie.

Newsletter-as-a-Service is taking this concept to the next level.

Here’s a video with an example of what I mean:

“Newsletter-as-a-Service” is the new, more effective way to do email marketing. And it happens to be GDPR friendly as well...


Old vs. New Email Marketing

Let's contrast NaaS against the old way of email marketing, which is not only unpleasant for your subscribers, but also much more at odds with GDPR.

Here’s the kind of thing I mean:

The Old and Spammy Way

  1. You have a lead gen offer or you sell something.
  2. When people sign up or purchase, you send them affiliate offers non-stop until they unsubscribe.

If you’ve bought some rubbish products on Internet marketing forums, you’ve been on the receiving end of this marketing style.

Few marketers stoop so low as to follow this old, "hard sell" approach. But if we look at the more common approach these days it's not great, either:

The Slightly Less Spammy Way

  1. You have a lead magnet (opt-in offer) to get people onto your mailing list.
  2. When people sign up, they get your lead magnet and they also start getting emails from you (these may or may not be related to the thing they signed up for).
  3. Some emails are educational and useful, some are purely promotional.

This approach stems from an attitude that sees subscribers only as potential profit sources. You send useful, informative content to your subscribers only to “keep them warm” for the promotional stuff.

There is a better way to do email marketing and it also happens to be GDPR compliant:

The New Way

  1. Your emails are never purely promotional or unrelated to the original offer that got people onto your mailing list.
  2. Your emails, which are educational and useful, link to interesting content and contain secondary promotions or soft promotions (more about this below).
  3. All of the content you send to subscribers is your “newsletter service”.

Your subscribers sign up for and subsequently receive this useful and valuable Newsletter-as-a-Service mix of content.

NaaS Example: Thrive Themes

For an example of a Newsletter-as-a-Service, look no further than Thrive Themes. Most commonly, when you get an email from us, it’s to announce a new blog post or a new Thrive University course.

Right off the bat, that means the email itself is not promotional in nature.

Our blog posts are almost always based around helping entrepreneurs and website owners solve a problem or improve their conversions. Promotions of our products and features are incidental to this educational service provided in our content.

For example:

You get the idea. None of these posts are straight-up “buy this product” promotions. Even if you don’t use any of our tools, you can learn a lot and seriously upgrade your marketing by following the Thrive Themes blog.

And because this is our approach, there is no clear separation between “content” and “promotion”. When you are subscribed to the Thrive Themes mailing list, you get a constant stream of emails that all have one and the same purpose: to help you build a better website.

This is what it means to offer a Newsletter-as-a-Service.

The GDPR Grey Areas

Maybe you're wondering: is the Newsletter-as-a-Service concept 100% compliant with GDPR? Am I 100% on the safe side, following this advice instead of adding many checkboxes to every form?

The answer is: no one knows for sure. Depending on which lawyer you ask, you'll get different answers about anything that still constitutes a gray area. And right now, there's a lot of gray area.

One source I am going by is this consent guidance document by the ICO, which gives the following example:

"If joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal."

The example isn't perfect for the use described in this post, but it shows that incentives for subscriptions are still a viable option for marketers.

When is a Checkbox the Right Choice?

As we've seen, you have 2 options for making your opt-in forms GDPR compliant. You can:

  1. Add a checkbox to get consent for anything not mentioned in the form’s copy.
  2. Change the copy of your form.

Neither of these is “the right” choice to make. You have these options at your disposal and you can choose whichever one suits your needs best.

My Newsletter-as-a-Service approach is more than just a quick fix for some opt-in forms. It’s an entire marketing approach. I believe it is a superior approach for most businesses and I recommend it, but it’s not something you can just implement overnight.

Newsletter-as-a-Service makes your email marketing as a whole more GDPR friendly, but you still need to clearly communicate your offer. So, implementing NaaS doesn't save you from changing your form copy or adding checkboxes.

When it comes to choosing between changing your form’s copy or adding a checkbox, I believe changing the copy is generally the better choice. However, we have added a feature for adding a checkbox to opt-in forms in Thrive Leads, so the choice remains yours.

What Else Do You Need, to Make Your Email Marketing GDPR Compliant?

There are several more regulations that are relevant for email marketing, but you are almost certainly already compliant with those.

Unsubscribe & Modify Links

First, you need to make sure that every email you send contains an unsubscribe link and you should also have a “modify my subscription” type link, where your subscribers can update their data.

This kind of thing:

This is hardly a new practice for email marketers.

Privacy Policy or Terms

Second, your privacy policy and/or terms should be easy to find for anyone looking at an opt-in form. On landing pages, it’s already common practice to add a link to such pages in the footer. As an additional step, you can add a link inside your opt-in forms (although it’s debatable whether the link needs to be in the form itself, if it’s already on the page that the form shows on).

Proof of Opt-In

You also need to be able to provide a proof of opt-in or a proof of consent. Basically, if a subscriber claims you started sending them emails out of the blue, you need to be able to prove otherwise.

Your email marketing service may provide such a proof log or, if you use Thrive Leads, you'll find email addresses associated with specific opt-in forms in your reporting dashboard.

Your Action Steps

Now that you know what tools you have at your disposal to make your email marketing GDPR compliant, here’s what to do next:

  1. Take an index of all the opt-in forms and lead generation landing pages on your website.
  2. For each opt-in offer you have, decide which of the 2 approaches is best. Will you add a checkbox to the forms or change the copy? And to what extent will you change the offer itself?
  3. Update your opt-in forms and lead generation landing pages to reframe your offer and make sure visitors can clearly anticipate what’s going to happen after they sign up.
  4. Make sure that your terms & conditions or privacy policy are easy to find from any page that contains an opt-in form.
  5. Make sure your emails all contain an unsubscribe link and a “modify my subscription” link.
  6. Get all this over with, so you can go back to focusing on more important parts of your business.

Finally, consider to what degree you can and want to implement a Newsletter-as-a-Service approach in your email marketing.

If this is something you’d like to get more guidance from us about, let us know in the comments below!


Author: Shane Melaugh

Shane Melaugh is a co-founder of Thrive Themes. When he isn't plotting new ways to create awesome WordPress themes & plugins, he likes to geek out about camera equipment and medieval swords. He also writes about productivity here.

  • Fran Canete says:

    Hi Shane! Great article, thanks a lot for bringing some sanity to this crazy GDPR rush. I’m just reframing all my opt-in offers.

  • Arne Brockmann says:

    Shane, thank you for all the work you’ve put into the article. As always –very helpful content.

  • Sarah Arrow says:

    All of those that send decent emails will continue to do so. And those that just send sales pitches disguised as value will whine how GDPR killed their business. I’ve always said that every email sent by a business is a marketing email. Some are better than others. The better ones you don’t think of as marketing and the worst? They’re seen as spam. It’s time that business owners stopped acting like spammers and take back their business relationships.

    • Shane Melaugh says:

      That’s really well said, Sarah!

      And you’re exactly right: every email is a marketing email. Every interaction is a marketing interaction. Everything the business does is for the business – and if it’s a good business, that means it serves the customer, the audience, the fans. A “marketing” email doesn’t mean “we’ll spam you and try to squeeze every cent from your pockets”. It means “we’re fulfilling the business’ mission of making a positive difference in the world”.

      That may sound idealistic, but for me, unless there is such an idealistic purpose to what a business does, I can’t be bothered.

      • Danielle E says:

        I agree with you whole heartedly. Bringing integrity and heart to your business is a sound philosophy.

      • Peter H says:

        That’s why I like buying your stuff, Shane. I feel you care about your customers, there’s a vision behind all of this.

      • Chris says:

        Word! Who said that business and idealism must be two different things?

  • Bert says:

    Great overview Shane, thanks! One question: a lot of businesses are sending emails to their entire list asking to either confirm your subscription or to unsubscribe. I don’t find this in the list of to-do’s, so I assume this is not mandatory? Or are they only sending these emails because they have never asked your consent to email you (and thus fail to comply with GDPR)? Thanks!

    • Birgit says:

      Hi Bert,
      I’m from Germany, in the middle of the GDPR, yeah! We need to have the so called double opt-in for our newsletter subscribers. When the people on your list already have opted in via double opt-in then you don’t need to ask the entire list. When you don’t have the double opt-in then you need to collect a “new and GDPR-compliant confirmation”, e.g. via asking for explicit confirmation in an email broadcast. This is the status quo here in Germany.

      • @Birgit

        I believe it’s not the double opt-in that is mandatory but the consent and you need to be able to prove it. The double opt-in just happens to be the easiest way to have proof of their consent.

      • Elsewine R says:

        In Heather Burns’ webinar, she actually said double opt-in is not proof of consent, it’s just a way to avoid me from using your email address and signing you up for 20 newsletters.

        But it’s not enough to make your list gdpr approved.
        *head still spinning* ugh.

      • Renée D says:

        Here in the Netherlands everyone’s going on and on about ‘them cursed checkboxes’ as the only way to go for getting GDPR-compliant confirmation.

        In information I’ve received from ActiveCampaign and WPBeginner (amongst others), double-optin is named as one of the TWO options you can use.

        Talking about different interpretations …

        To stop my head spinning, I’ve chosen the more practical interpretation: double-optin (which I have been using from day one).

        I’m also reframing my freebie as ‘an information package’: where my follow up emails and the subscription to my newsletter used to be a bonus, they are now an integral part of the package that people can sign up for.

        The future will tell if I was right or … a bit less right. 😉

      • Shane Melaugh says:

        Thanks for your comment!

        If I can offer my take on this: double opt-in is a form of explicit consent, but consent for what? If neither your opt-in form nor the confirmation email say anything about receiving emails from you, then you can still be in a situation where the subscriber has given consent to receiving your freebie, but not to receiving any further emails.

        So, in my opinion (as a non-lawyer, from whom you should not take any legal advice), it’s still a matter of choosing the right words – in your opt-in form and/or in your confirmation email.

    • Mary says:

      It’s because you will not be allowed to keep on your list people who have not given consent. So, after GDPR, you’d need to delete all people whose consent you don’t have.

    • Davide says:

      I have the same exact question. I would love to get an answer by you Shane on this. Thank you!

    • Shane Melaugh says:

      Thanks for your question, Bert!

      This depends on whether you have proof of consent for your current email contacts or not. This article explains it well.

    • Ovidiu says:

      Hi Bert!

      I agree with Birgit and Mary.

      On one of my websites I didn’t use a double opt-in and I wouldn’t be able to prove the users did subscribe to the list.

      So I’ve started sending emails re this, telling them what this means and trying to keep them on the list by asking for their consent.

      Thing is, not everybody will open the email or click the link, so I’m sending 3 emails targeting the ones that didn’t open or click.

      The problem is, by the 25th I’ll have to have everybody’s consent.

      Whoever is not opening the emails or clicking the link, I’ll have to delete them.

      I know I’ll lose some of them, but I’d rather comply with this GDPR thing than get in trouble in the future.

      Just my 2 cents…

  • Elsewine R says:

    Thank you for this clear and broad explanation!

    One note: I followed a webinar from a UK legal lady, who said it’s not allowed to only offer the freebie/lead/opt-in to those that enter your list.

    In other words, if you offer something for free, people need to be able to get that without subscribing. Imo, with the non-checkbox approach above, that is not possible?

    • Daniel says:

      “Avoid making consent a precondition of a service.” > GDPR

      You can’t force people to signup for the newsletter in order to get the lead magnet.

      I’m sorry but this blog post is a disservice to your readers in which they think they can just reword the copy to avoid adding checkboxes.

      • Ian Brodie says:

        You are making a huge assumption there that sending someone a free PDF is what the legislators meant by a “service” when they wrote those rules. I highly doubt that’s the case. Like much of GDPR I think it’s highly likely that this was written for the case when someone makes a purchase and the vendor tries to get them to take unrelated marketing emails as part of the purchase, either with pre-filled checkboxes, confusing language, or simply not giving them the option.

        The chances of this sentence being meant to be applied to lead magnets is pretty small. Lead magnets are more likely to come under bundling/granularity and the use of incentives. Shane’s solution covers this fine.

      • Bobby Klinck says:

        Ian – The GDPR says that “utmost account” shall be taken of whether you require someone to consent as a condition of entering into a contract or getting a service. And elsewhere, the GDPR makes clear that contracts include FREE contracts.

      • Ian Brodie says:

        And in that case you’re making the assumption that sending someone a free report is a contract. A contract is a legally binding agreement between two parties that involves rights and duties on both sides. There is no legally binding agreement and no duties implied by sending someone a free report. Ergo, it’s not a contract (or a service) so this rule doesn’t apply.

        Look, here’s a more important point that I think is where some people are being absolutely crazy…

        When any new legislation is created it will not cover every eventuality, some of the wording will be open to interpretation, and some of it will be contradictory. That’s only natural as the people writing the legislation are human. The quirks will get clarified and ironed out as the legislation is implemented.

        So right now, there are areas like this where the legislation is open to interpretation. We cannot know for sure what they exactly meant or whether they really considered the details at all.

        So as business owners we have a choice. We can choose to take the most extreme interpretation that’s the most detrimental to our businesses and implement that. Or we can choose to take other reasonable interpretations that aren’t so detrimental and implement those, knowing that if we’re wrong the worst that can happen is that we will be asked to make a correction (fines are almost never levied, and when they are it’s in the most extreme cases and after warnings have been ignored).

        For me, I think it’s absolutely crazy to take the interpretation of GDPR that is the worst possible for you and try to implement that. Why on earth would you want to inflict damage on your business when you don’t know that this is what was actually intended and there are other perfectly reasonable interpretations that are better for you? And if the worst case really is what they intended you can implement it later when it’s made clear with no ramifications.

      • Piotr Majewski says:

        From GDPR art 3: “2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or”

      • You’re right, Ian.

        We have to look at the *intent* of GDPR, rather than blindly make the web even more messy (cookie-disclosure…) in an attempt to follow some regulations targeting much bigger fish, employing tactics we ALL know are dubious and wrong.

        Of course it’s not ok to add new users (who sign up to your app or website) to a list, where you start a long autoresponder-sequence that goes on and on, with 3-4 emails per week. OF COURSE that’s not ok. Yet, that’s how many businesses operate. I personally loathe signing up for anything nowadays, ’cause I’m 95% sure I’ll be added to their “newsletter” which’ll spam me 3+ emails per week. NOT ok. And THAT is an example of what GDPR is targeting.

        It’s also targeting data harvesters of various kinds, as this post correctly states.

        Furthermore, if WE can’t make sense of the rules: neither can the regulators. We’re talking bureaucracy here! Trust me: I’m a European, so I’m used to EU’s constant rules and regulations. Many of them are well-intended, and some of them actually do make things better for all of us – but common to them all, is that they’re cryptic and hard to follow, because they’ve been created in a bureaucratic vacuum – and with way too much process back and forth.


      • Elsewine R says:

        Yeah… I know it says that in the rules, yet someone responded on a post to me “if I’m a restaurant and want to give out a free meal to someone in exchange for an email address, they cannot force me to give the meal free just like that.”

        It’s not totally the same of course; but it got me thinking how weird this rule is!!

        I’m all for better use of data, and being clear that by getting the free lead magnet you will be subscribed to a newsletter (that you can unsubscribe from at any time, and stating what else you will be doing with that data/how you store it), yet if you don’t want to be on the list, you’re free to dismiss the freebie.

        But how can they FORCE you to give it for free to those not subscribing to your list?

      • Daniel says:

        I have to invest time creating content for my ebook and give it to a designer to create the cover and the interior layout.

        My ebook will be more expensive than a free meal at a restaurant.

        The user should have the right to get your free meal and not sign up for your newsletter, the same way he has the right to my lead magnet without subscribing to my list.

        By the way Bobby (Robert Klinck) is a lawyer and he was on Amy Portfield’s podcast discussing GDPR.

      • RonaLynn says:

        Love this example. My approach is this.
        Following Shane’s excellent example of the Newsletter is a service.

        I provide a service to my subscribers ONLY (obviously).

        I’d love to provide these services which include free tips, lessons, and practices to new subscribers. So I welcome new subscribers who can receive the same benefits.

        I will continue to send content and opportunities to my subscribers because they have indicated that is what they want as part of my tribe.

        I do NOT feel obligated to give something away to people who do not agree to my terms of service (disclosure about what information I track). People can opt out anytime they want.

        What more do people want? Surely this is covering all the bases.

      • Lisa says:

        This was my thinking entirely…

      • Jonah J says:

        “Avoid making consent a precondition of a service.” –

        This sentence may be directed towards and in connection with the widespread activities of the banks and other financial organisations in the UK that brought about the PPI scam, which in many cases did indeed force consent as a precondition of a service.

        Which in the scheme of things is nowhere near the same as offering a free PDF or Ecourse that is helpful, relevant, has no hidden agenda, isn’t hidden inside small print…… in exchange for an email address.

        “You can’t force people to signup for the newsletter in order to get the lead magnet”.

        Not sure where it says any of that in GDPR documents but nobody is being forced to do anything and most people are quite willing to provide their email address for something that is potentially helpful and relevant to what they want, need or are searching for……particularly if they are on a website of interest in the first place!

        A bigger issue is those that use fake email addresses to get that PDF or Ecourse. Is that not fraud?

    • Jason A says:

      Unless she can refer to a specific regulation, she’s probably interpreting something incorrectly. Some random lady on a webinar shouldn’t scare you off. That’s just nonsense. In fact, I’d probably question anything said in that webinar if I heard it. How’d you get on the webinar… an email optin form I presume. Unless she’s only sharing the webinar with people who filled out the form, she’s breaking her own stated “rule”. *** Bottom line, when people make claims, it’s up to you to verify.

      • Bobby Klinck says:

        Jason… I’m a lawyer who has looked at the GDPR a ton. There is a provision that says this:

        “When assessing whether consent is freely given, UTMOST ACCOUNT shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

        Taking that out of legalese… you can’t say “you have to consent to be on my list” to get something from me. Giving someone a lead magnet is a “contract” under the GDPR. In the territorial scope section, it makes clear that a contract includes a free contract.

      • Hi Bobby,

        Thanks for your quote – it’s very hard to find the original text if you’re not a lawyer. 😉

        But now I have a follow up question, based on what I found on the site of the Authoriteit Persoonsgegevens (the organisation that is supposed to uphold/enforce the GDPR (AVG) in the Netherlands).

        There is a section about a provision concerning DM (Direct Marketing). It says that you can – without prior consent – send emails to your customers.
        (Of course only for similar products or services and with the possibility to sign out or edit/adjust the personal data.)

        When I pointed that out in an online discussion, the ‘comeback’ was, that with a free PDF no money changes hands. The receiver is therefore not a customer.

        BUT: if giving a leadmagnet is seen as a contract, then the applicant who has entered into that contract is a customer. So the personal data, collected to be able to send the leadmagnet to your brand new customer, can – without further/additional consent – be used for DM-purposes. At least, that is my conclusion.

        So my question is: what am I missing? Since everyone keeps insisting that we are obliged to send a free leadmagnet without being able to ask for a compensation in the form of an email address.

        I really would like to read your stand on this. 🙂

      • MJ says:

        You’re making the assumption that all lead magnets are a one time thing.

        What if that ‘lead magnet’ happens to be an ongoing series of tips? Or weekly motivational posts? Or weekly recipe guides? How does the law suggest we deliver such a ‘lead magnet’ without getting the subscriber’s consent to be added to our list?

        This isn’t a one size fits all scenario.

      • Adam N says:

        Excellent, since you’re a lawyer that has read the entire GDPR document I’m sure you came across Recital 23 and Recital 47.
        “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. And according to the GDPR you may not need explicit consent if it falls under legitimate interest. So even the official GDPR documents contradict each other. I think the purpose of this post is to set a baseline to work forward from, not a be-all-end-all solution. However… to each their own.

      • Shane Melaugh says:

        The “legitimate interest” thing muddies the waters quite a bit. I keep repeating this, but I think this is mostly a case of waiting for court rulings. The legitimate interest could cover a lot of what non-scammy email marketers have always been doing, but a court could also rule against that. We’ll have to see.

      • Bobby, I am located in the UK and have worked with lawyers for years covering many topics including business contracts.

        Under the Laws Of England And Wales I understand a contract requires consideration to pass both ways. If I understand your comment correctly I imagine in a FREE contract the consideration only passes one way; I give a potential client a free subscription to a NaaS that has a value both to me and presumably to him but he provides nothing in return. I do not receive any consideration.

        How can it be a valid contract within the law of contract? Surely it simply remains a free gift and I must never expect any response that I might consider to have a value.

        I accept the laws in various countries can often be different from one place to another but, as a non-lawyer, I wonder how the Laws Of England And Wales fit into the GDPR situation. Do the Laws Of England And Wales have no validity in situations where GDPR operates? If so then how will the courts in England determine contractual disputes but where consideration has not been provided?

      • Elsewine R says:

        Thank you Jason.
        She’s not a random lady, she’s a lawyer and she actually made the most sense to me so far in clarity and what to and not to do.
        There was no sale or upsell in the webinar and they have a checkbox separate for the newsletter.

      • Jonah J says:

        Lots of scaremongery and misinterpretation of GDPR.

        GDPR does not enforce what some are stating here at all.

        Some are simply projecting an opinion that has no relevance to reality and is completely absurd, even today in Oct 2018 after 5 months of GDPR being active.

        Reminds me very much of the doomsday clocks of 1999. Did your computer explode or suddenly stop working?

        It’s quite simple really. The opt-in process must be clear, unambiguous and relevant to what is being offered and you must control the data you store securely and remove it when required. It’s simple.

        Nobody is entitled to get something even for free as long as the exchange complies with GDPR……and that does not mean that we now need to start giving away free lead magnets without taking email addresses in exchange.

        Context is key.

        If by offering a free lead magnet of related services of legitimate interest (i.e. blogging educational material/Sequential Training Modules/Associated ecourses/supporting PDF/supporting cheats sheets etc) in exchange for an email address and that process forms part of the legitimate interest for a business and the transaction clearly states what the user will receive in exchange, (through double opt-in/confirmation page/click the link in your email if you agree etc) then I have absolutely no obligation to offer that service or product without requiring an email address.

        That will not change.

        I have done everything I am supposed to be doing as a genuine marketer ………….regardless of what GDPR states I should be doing, I do it anyway.…..and some.

        We can prove a clear intent by the user because they are on my website. Nobody forced them onto my website.

        We can prove a clear intent by the user because they opted in wilfully. Nobody tricked or forced them to opt in.

        We can prove a clear intent because we have a double opt in process to confirm that they are who they say they are, that they are happy that they are about to receive what they asked for and that they are happy to proceed.

        Only a buffoon or bot would still be around at this point!

        We can prove a clear intent because they show further willingness by opening emails and actively consuming the content, clicking links, starting the course and completing modules, which their member account clearly shows.

        Those are not the actions of a hard done by user who has been scammed into blindly opting in.

        To make doubly-doubly-doubly sure – they have an unsubscribe button clearly positioned and visible on every email that they receive and they can opt out at any time whatsoever. Yet here they are 75% through a course that they opted into and using those additional supporting documents (bundled) to help them through.

        In addition, we send regular emails that actively encourage them to unsubscribe if they are inactive.

        If they don’t respond and remain inactive……they are unsubscribed manually.

        We don’t want a list of inactive course collectors on our list that cost us additional fees from our email service provider and will gladly get rid of the tyre kickers and beggars, which is why we use an email service provider that allows for manual unsubscribes because we all get those people who will complain to GDPR once they have forgotten that they actually opted in wilfully 6 months ago and opened 10 days’ worth of emails before moving onto the next shiny object!

        All of this is recorded automatically as per business and as per the technology that is already built in to the ethical software and products that most of us use anyway……….regardless of what GDPR rules want, it’s happening naturally anyway.

        GDPR is not looking for people like me.

        GDPR is not looking at my opt-in forms because they don’t blindly opt people in for the sake of building a huge but non-responsive list that I then spam with anything I can make money from.

        GDPR is not looking for me because I’m not scraping data or selling those email addresses on.

        It’s looking for those who do the opposite and it will start with the big boys first. The ones that illegally pass your data to 3rd party data organisations. The ones that have the huge data breaches. The ones that don’t pay their fair share of taxes. You know who I’m talking about.

        Lawyers will be lawyers and if that lawyer just happens to be adept at marketing and quick enough to get a webinar about GDPR up and running before anyone else has the chance to even read through the GDPR and understand it before it took effect then they are also adept at seeing an opportunity to jump on and make some money………..which again takes me way back to those doomsday clocks of new years eve 1999!

      • Mike and Linn says:

        Thanks. Your comment has clarified for me what is simple but been turned into something unnecessarily complicated and confusing.

    • Obyard says:

      I probably saw the same webinar :).

      But does it refer more to that “old” way, where the main action is a lead magnet (PDF or something like that), and on top of that you get the newsletter (now with that check box)?

      With this “new” way, the main action is signing up for the newsletter; PDF is a bonus provided to newsletter subscribers.

      So if you have it as a bonus to newsletter subscriber, does it change things to what was said in the webinar….?

      • Elsewine R says:

        That is what I wondered. But then you cannot go out and say “I have a PDF with 7 video tips, click here to download” but you can only promote your newsletter list.

        And then say, “and if you sign up for it, you’ll also get my PDF with 7 video tips”.
        That’s a whole different way of bringing it out and about and I don’t think many people go actively for the NL.

    • Martin says:

      Yes it is possible. I’ll explain what I do. I very much agree with Shane’s NAAS approach, and I like his suggestion to switch the emphasis – subscribe to the newsletter and I’ll also send you the pdf (although I’m not entirely sure this passes the granularity criterion in GDPR). However, in some situations the freebie is very much the priority and you can’t really switch it round without there being a disconnect between what the visitor wants and what you’re proposing to give her. For example, visitors to my website may come to download a specific pdf. They might be interested to subscribe for updates etc, but first and foremost they need the pdf to solve their immediate problem.

      I approach it like this: they get the full optin form and explanation that they will get the pdf, and be subscribed to my readers’ group, which they can submit. However, at the bottom, under the submit button, I also have a sentence like this in smaller text:

      “If you don’t want to join my reader’s group, or get all my additional resources, that’s fine I understand. I can send you the publication you need if you email me.” and I link to my contact form. Alternatively I could just link to a page from which they download the pdf directly if I thought I would get too many manual requests.

      So visitors get the choice but without resorting to the checkbox.

      I also think people are getting tied up in knots thinking they have to be able to email the freebie even if the visitor doesn’t subscribe – which is complicated to set up unless you use Thrive Leads (or set up a Gravity Form as an optin). But as I hope this shows, there are other ways of making the freebie available to non subscribers.

    • George says:

      I think this might only apply if you offer only one free thing. But if you offer a series of free things, like a newsletter or video series, then people would necessarily have to give you their email so that you can deliver it.

      • Elsewine R says:

        Still, when they sign-up for a video series, I cannot add them to my ‘main’ newsletter list and send them info about another topic/offer/free thing.

      • Jonah J says:

        Yes You Can………simply ensure that the opt-in content copy that they read before subscribing refers to that info about another topic/offer/free thing that you intend on offering.

    • Martin R says:

      So much great stuff in this blog post as we come to expect from Thrive.

      Sounds like we are in the same group run by that GDPR lawyer, as I also picked up the same issue.

    • Sam says:

      You are completely correct! The UK’s Information Commissioner’s Office have confirmed this to me personally on several occasions. The information in this article is not correct and misleading.

      • Shane Melaugh says:

        Not all lawyers will provide the same answers. Everything I’ve written about in this post is the result of multiple meetings with 2 legal advisers. I didn’t just make this stuff up.

      • tim t says:

        I had a 1 to 1 with a consultant who has many years’ experience of data privacy and she confirms that many are getting it wrong and that Shane’s take is the correct one. She works closely with the ICO and knows what she is talking about.
        At the end of the day you can ask 3 experts in any field and get 3 varying answers.
        As business owners we have to take a decision one way or the other – I’m with Shane’s way.

    • Mary says:

      In the no-checkbox approach what you’re actually offering is the newsletter, not the freebie. You’re only giving the PDF as a gift to those who optin for your newsletter, not the other way around.

      What still bugs me a bit is (if I understand GDPR correctly) there are some informations that need to be disclosed upfront, things we’ll need to explicitly get consent for. One is the sending of emails (content and promotional). But there’s also the use of data for eg. retargeting, and also when the data is going to be stored outside the EU (which will be the case depending on the autoresponder service we use). I believe this all needs to be written near the optin form, and it gives a very ugly result 🙁 But it’s still a thing of the offer’s copy and reframing, which is totally manageable if we keep the NaaS concept.

      Thanks a lot Shane for this. I’m proud and excited to be a TT customer, and I can say that NaaS is very much like what I actually do!

      • Hi, Mary.

        From what I understand, you can have these details and any other disclaimers in your “Privacy” page or “TOS” page and have a link to that page near to the opt-in form.


      • Mary says:

        Thanks Barru. I’m sure a lot of stuff needs to be updated and clear in the TOS/Privacy, and the link to it needs to be near the optin form. I read somewhere that some information tho needs to be stated upfront, not in a second layer (behind a link). The receiving a newsletter is part of those, and I’m pretty sure the storing data overseas is too. I need to verify this asap.

    • Chrissy says:

      I am also wondering this! Thanks for asking.

    • Jennifer Schindler says:

      Want to know more about this too!

    • Danielle E says:

      If I’m understanding both you and Shane correctly, I think he addressed that with the way he worded the sign up… that you’re asking them to sign up to your newsletter and you’re giving them the freebie as a bonus.

      Shane, correct me if I’m wrong about this.

      • Shane Melaugh says:

        That’s the idea, yes. The form is for signing up to the newsletter and the freebie is one of the things they receive as part of this “newsletter service”. If your freebie is a PDF, you can take it further and deliver the content itself via email and offer a downloadable version of it as a convenience, like a print version of your newsletter emails.

      • Danielle E says:

        Thank you, Shane. It seems to me that there’s a whole lot of unnecessary hoop-la about all this when people can simply unsubscribe from your list after they get their freebie or if they decide they don’t like being on your list. It seems like all this GDPR stuff is more geared toward people who sell or share your email or phone number or your personal info, and if you’re just using your list for direct contact with people who like being on your list (a.k.a. they haven’t unsubscribed), then you’re simply maintaining relationships with your fans or customers.

      • Shane Melaugh says:

        This is my interpretation as well, yes. If you don’t do anything that is against your audience’s interests and you maintain a good relationship with your fans, I doubt you’ll get in trouble.

        It could still happen, but I believe that people who buy and sell contacts, use fake unsubscribe links in emails and have an attitude of “get their money, no matter what” are the intended targets of such regulation first.

    • Hi Elsewine, if I understood Shane correctly, he says that it’s all about framing – if you offer to “Subscribe to our Newsletter and Get a Bonus PDF” then effectively they are encouraged to subscribe to the newsletter, and PDF is just a bonus.

      • Shane Melaugh says:

        Yes. I have been told by our advisers that framing something like a PDF as a bonus to the “real” offer (your newsletter) is likely an example of legitimate use.

      • Elsewine R says:

        Thank you Greg!
        I understand this and at the same time think it will be hard to approach people by ‘subscribe to our newsletter’.
        Even when it’s full of value and well written.

        I have ‘salespages’ for my freebies, describing background etc and tweaking that into the subscription takes out a lot of the dynamic imho.

        Yet I think it can be a valid approach, be it a difficult one.

      • Chris says:

        I guess you mentally should change your approach here. Skip the concept of newsletter completely. Start thinking of personally talking to your fans. Ban the word ‘newsletter’ fully from your vocabulary.

        Nobody wants to receive newsletters nowadays. We all want valuable information. If you are able to give such to your clients, you will be more than welcome in their inbox.

        To position yourself as a very welcome visitor on someone’s desk, you should forget about sales and start thinking about delivery.

        Shane and Hanne are perfect in that. I would never ever unsubscribe from the emails they send me. Why? Because I get so much value from reading their stuff. In fact, I do open their emails before any other.

        Experts don’t sell. They don’t send newsletters. They keep in contact with their audience. And they are welcome.

        That’s the position you wanna get in the life of your clients.

      • MJ says:

        Exactly! People don’t want ‘newsletters’, they want content that helps them.

        We should be looking at this as wanting to build a relationship with our audiences, not just send them newsletters. Send them something they actually want/need.

        The reason I’m still on Shane’s list is because of the value of his content. He does it extremely well. I’ve never felt sold to. I recommend not just his products, but his content to my friends.

        This is the standard of marketing I aspire to.

      • Lisa says:


    • Stefan says:

      Right, it’s simply not legal any more to bribe someone in your email list with something that can be simply downloaded … but putting the free infos in a short email series would be fine … because for that, you need the email address :)

      • Shane Melaugh says:

        Yes, sending a series of emails and advertising that from the start is one way to reframe your offer.

      • Elsewine R says:

        Though I think you still cannot send more than that specific series, like your regular newsletter, I presume?

      • Loralee says:

        I agree with you Elsewine. For an email course/series, I’m planning to include a few subtle invitations to join my newsletter (and probably my Facebook group). But if they’re not interested, the final course email would be the last time they hear from me.

    • Scott says:

      The freebie is a bonus you get for signing up for the newsletter service. You only sign up if you want the newsletter service and then as a “bonus” you get the freebie.

      And you can’t get the newsletter service without signing up, obviously.

    • Shane Melaugh says:

      Thank you for your comment!

      This is where framing your offer makes all the difference. You can’t force people to consent to receiving emails by withholding your PDF from them. The problem there is that you have your offer (the PDF) and you’re using it to “trap” people onto your mailing list. But if your offer is “an informative, useful newsletter including online courses and downloadable material” then people either sign up for this newsletter, or they don’t. There’s no deception or baiting, there.

      The purpose of the regulation is to stop misleading visitors or omitting information about what data will be collected and how it will be used.

      • Lorenzo D says:

        Thanks for the post Shane, it’s actually the clearest and soundest piece I’ve read on this matter.

        I think you are technically right, though this leaves with a problem that it is much more difficult to advertise a newsletter service than a more self-contained freebie. Think of the classic Facebook ad offering a pdf with a specific solution to a specific problem. According to the strict interpretation of the GDPR this commenter suggested, that’s now illegal, unless you really offer it with no-strings attached, which makes it damn near useless.

        One of the first lessons I learned in email marketing is that NOBODY wants to “SUBSCRIBE” to another “newsletter”, no matter how you spin it.

        Besides, if the law was really meant to prevent us “baiting” people with a freebie and then send them our emails as we did before, well, the approach you suggest (which I think is sound, based on the information I have) could well be interpreted as going against the spirit of the law. I.e., what you call “reframing”, they can call “illegitimate bypassing”, “avoidance”, “sophistry”, and so on. I mean, if they’re out to get you.

        BUT. I think the commenter is referring to Suzanne Dibble’s videos, and as I recall, the freebie issue was actually discussed in one specific video, and doing it the way you suggest was actually deemed acceptable.

        The problem – as usual with these sorts of regulations – is that the law is complex and full of grey areas. I guess the best we can do is do our best right now, then wait and see how the regulators actually behave.

        The big fish too.

        This is how Digital Marketer is handling it for example: they offer the classic short course with the usual form (no checkbox in sight), then they add a few lines of fine print at the bottom:

        “IMPORTANT: As an added bonus for registering for this class, you will also receive free access to the DigitalMarketer bi-weekly newsletter which contains bonus content, exclusive offers, event information and helpful tips. View DigitalMarketer’s Privacy Policy for more details and info.”

        Which is exactly what you are NOT supposed to do if you interpret the regulation in the strictest way possible, absolute granularity.

        Here’s the form:

        It should be said that satisfying each and every requirement of the law in the strictest sense is technically impossible for a small business, and even if they could, they would mess the user experience to the point that having a freebie and a form would be useless anyway. It’s a joke. I mean, if I live in Europe and use ActiveCampaign as an email service, do I have to specify ON THE FORM that their data will be processed in the US? Come on, that’s ridiculous, your form will look like the stack of papers you have to sign before heart surgery.

        It’s a law written by people that don’t understand how the internet works (at least for small businesses) and one that if applied literally, would basically break it (the internet). We’ll just have to wait and see.

      • Shane Melaugh says:

        Yes, if you take the most conservative interpretation of the regulations and try to stick to every aspect of it, it’s wildly impractical. Especially for small businesses.

        And what’s worse, it makes for a poor user experience. I mean, if you really wanted to be on the safe side, you’d have to force visitors to read through your privacy policy before they do anything. Maybe show it as an overlay on your site and only allow them to dismiss it when they’ve scrolled to the bottom.

        And then add potentially dozens of checkboxes to get separate consent for every possible use of their data that can be interpreted as “separate”. And of course, this would go along with a system that can deal with your site tracking, cookies, email marketing and so on, finely differentiated based on which of the checkboxes were ticked by each individual user.

        Now, imagine if every single website implemented this and you’d always have 10,000 words of legalese and a dozen checkboxes between you and the next website you want to visit. Highly compliant, but hardly what anyone wants from the Internet.

        This is why I’m advocating a more “common sense” approach to all of this.

        As always, we’ll have to see for actual legal cases involving GDPR to play out, before some of these gray areas become clearer.

      • Elsewine R says:

        Thank you Lorenzo,
        I actually referred to the webinar from Heather Burns which she did with Clare Josa.

        I agree with what you said here:
        “One of the first lessons I learned in email marketing is that NOBODY wants to “SUBSCRIBE” to another “newsletter”, no matter how you spin it.

        Besides, if the law was really meant to prevent us “baiting” people with a freebie and then send them our emails as we did before, well, the approach you suggest (which I think is sound, based on the information I have) could well be interpreted as going against the spirit of the law. I.e., what you call “reframing”, they can call “illegitimate bypassing”, “avoidance”, “sophistry”, and so on. I mean, if they’re out to get you.”

        –> and by no means do I think this advice in the article was off, I am just trying to wrap my head around the best way of approaching this and indeed the reframing as you say above might not be accepted.

        Then again, when you state they will receive a newsletter and you have an unsubscribe link at every mail at the bottom, I cannot see why they would make such a big deal out of it.

        Trying to avoid setting up a whole new workflow which I’ll have to re-do in a few weeks when it turns out that’s not acceptable.
        That’s all.

      • Danielle E says:

        Yes, I agree. I think GDPR is about weeding out smarmy marketers, not stopping honest businesses from growing their customer and fan base.

      • Shawn says:

        Hey Shane, great post. Quick question… I was informed that you do not need your terms or privacy on the optin form that it just needs to be on the same page as the optin (i.e. footer of a website as an example). What is your understanding?

      • Shane Melaugh says:

        I don’t know for sure. It’s one of those things where I’ve gotten a lot of question dodging on this. It’s a safer bet to put it in the form itself.

      • James says:

        Your privacy notice is required by law to be clear and conspicuous. The footer of your website is not clear and conspicuous and is a poor place to link to it. Shane is right, put it in the form itself.

    • Ariel says:

      Good point

    • Danielle E says:

      Somebody in one of the other comments suggested this article. It seems to me that the 1st paragraph alone talks about legitimate situations where someone is joining the mailing list of a legitimate business and the plan is that you are using your list simply to communicate with them about your business and not sharing or selling their personal data.

      For example, I purchased a product online once and I had to give my phone number “in case it was needed by the delivery company.” If I didn’t give my phone number I couldn’t get the product. After that purchase I started getting a million and one robo calls from telemarketers.

      Stuff like this is what GDPR is targeting, legitimately connecting with people who are free to unsubscribe at any time.

      Here’s the link to the GDPR page.

    • Bhavesh N says:

      If you go with the “fix your offer” approach, this takes care of that. With this approach, what you are offering is not a PDF download but the whole series of content that comes as emails that also includes the PDF download. But you would have to be careful not to offer that same PDF as a free standalone download elsewhere.

    • Dalila Jusic-LaBerge says:

      The enforcement officials probably don’t know themselves what to do at this point. This issue is still new and they will take the time to figure out how strict they want to be. I think they are targeting businesses such as Google and FB.

      Law is often up to interpretation. If it was so cut and dry, we wouldn’t need lawyers, judges, and jury.

      In the end, we all need to do what makes sense to us. We need to be comfortable with how much gray area we walk on.

  • Dominique says:

    I agree to read these valuable tips. Thank you!

  • Len R says:

    Once again, I can always count on Thrive Themes to provide me with useful, actionable content. I have learned so much from being a Thrive Themes member over the last year. You are right about everyone giving check-box advice. I’ll be interested to see just how prevalent the use of check-boxes becomes. It will be interesting. Something else to test I suppose.

  • Lisa says:

    Thank you. This is probably THE MOST HELPFUL (yes, yelling) thing I’ve read on GDPR. Gah! If I never hear those words again, I’ll be happy.

    • Shane Melaugh says:

      Thank you, Lisa.

      I’m very much with you. If I never hear about GDPR again, it’s too soon…

  • Peter H says:

    Oh yes, I’d love to hear more about the Newsletter-as-a-Service approach! 🙂 You could maybe compare it to the Seinfeld emails approach, they’re probably not so different.

  • Alex says:

    Great post!
    I really appreciate the whole NaaS idea and I’ll probably move my newsletter in that direction.

  • Yes please Shane, I would definitely be most grateful to learn more about the Newsletter-as-a-Service idea with guidelines and tips to make this effective for both my clients and for GDPR reasons.

    • Shane Melaugh says:

      Thanks for your comment, Alice!

      It’s difficult for me to write about this because I’m not a lawyer and as you can see from the comments here, everything’s one big, muddy gray zone. But if I can do so in a good way, I’ll create some more content about this approach.

  • Latrice F says:

    Thanks so much Shane, I love the NAAS ‘Newsletter as a Service’ piece. I’m not very consistent sending newsletter emails anyway, but this advice has totally changed my perspective.

  • I don’t think your advice regarding changing the copy on sign up forms is GDPR compliant. You cannot bundle offers. The message on the first example “Subscribe to Get the Awesome Guide!” is bundling the getting of the Awesome Guide with signing up for a subscription. It is clearly not free because it depends on signing up for the newsletter. It is exactly the same with the second example. The headline is “Free PDF for You: Get the Awesome Guide!” That would be fair enough if that was all the page visitor was getting but the text below the headline is conditional: “Subscribe to our newsletter to receive regular updates…… and get instant access the free PDF”. Again, that is bundling because getting access to the “free” PDF is conditional on signing up for the newsletter. There actually DOES have to be separation between the PDF and the newsletter. The form does state what is to be expected but there is no opportunity to take the PDF without signing up for the newsletter. It also denies the claim that the PDF is free if it can only be had by signing up for the newsletter.

    • MJ says:

      Then just offer the newsletter as the freebie, but frame it in a way that will entice your audience to want it. I.e. Don’t call it a newsletter…. Weekly tips on blah, blah.

      NaaS your list. Simples. Unless you’re not providing valuable content to your list in the first place. Might be a bit tricky then.

    • Oleksii says:

      So what if we stop saying it is “FREE” then?

      For example, the alternative link to get the PDF separately from newsletter will lead to a shopping cart page with price tag 9.99 or something.

      Then if you subscribe to newsletter – that is just an alternative method of payment for the said PDF.

      What do you think?

      • I think that every attempt to bundle the giving away of a “free” item with the consent required for the use of the recipient’s email address in order to send the recipient a newsletter is really an attempt to get around the rules.

        It is an exploitative mindset that is not in the spirit of the legislation which is about protecting people from their own naivety or even stupidity. It is all very well to rely on the old saying “Buyer beware” but most people have no idea what is really going on in the deeply analytic, data-fuelled, psycho-tactical world of online tracking, segmentation and profiling. This is the underbelly of online advertising, marketing and selling. Some of it crashes through any reasonable ethical barrier.

        We console ourselves with the idea that we are helping people. I think it’s time to get over such conceit and ask people first. This is what this legislation is about.

        I stop unwanted mail coming into the mailbox on my gate with a sign saying NO. This legislation goes a step further because the sender has to get an explicit and active YES. That makes sense because the cost of sending emails is so low that the incentive to abuse privacy is very high.

        Change is always hard to accept but privacy is being invaded on a gargantuan scale, identities are being stolen and kids are being served up stuff that no one in their wildest nightmare would have dreamed up 50 years ago. It will settle down in time and some aspects of the legislation will no doubt alter to business and social realities.

        The legislation may seem draconian. In some ways it is but the point of it is surely to change our mindsets to thinking hard about the consequences of invading personal privacy or losing someone’s personal data to a hacker or, more likely, to careless procedure.

        There has been a lot of emphasis on the financial consequences to business – the costs of becoming compliant and the size of the fines. Not much is being said about the consequences to people of when their privacy is invaded.

        There is also the extraordinary degree of complacency that many younger people have in regard to their own privacy on social media. As though such a thing could not matter in this brave new world and that the concept of privacy no longer exists or has any real meaning for human beings.

    • Bill says:

      I fail to see why most can’t see the GDPR for what it is, an EU catastrophe in the making. This could very well kill off a large portion of EU based businesses of all sizes depending on how the final rulings come down.

      Another thing of note: the EU cannot penalize any company or person outside their borders for anything. When the rubber hits the road they do not have the power to write and/or enforce binding global regulations.

      Even the United Nations, although they seem to think otherwise, does not wield such power.

      I intend to carry on business as usual and simply state any citizen of any EU country can choose to do or not do business with me as they see fit.

      If the US government passes a law requiring me to conform to this regulation then I will worry about it.

      • Nick Marshall says:

        I doubt this will kill off a large portion of business in the EU because it will be a level playing field for all businesses in the EU but not, perhaps, a level playing field against businesses outside the EU if they choose not to co-operate. The largest businesses around the world which are outside the EU are co-operating for now.

        You are right in thinking that the power to enforce has yet to be tested. However, since the end of the Second World War, Nation States have on the whole moved towards co-operation and agreeing to abide by rules covering trade and human rights. These agreements have surely had a role in expanding human endeavour and preventing outright aggression.

        Just because technology has enabled business to track, profile and use every kind of psychological tactic to get a customer through the funnel to a sale, does not mean that it is right or ethical to do so. A line has been drawn in the sand. No doubt it will be modified over time and with testing.

        I think it really boils down to asking whether the economy should be for the benefit of people or whether people are there merely to serve the economy.

  • John D says:

    Incredible Article Shane – thank you again for your awesome software and advice!

  • Andre L says:

    Hey Shane! 🙂
    Thanks for all the effort you put into that article! Love the “fries with that” 😉

    Will there be mandatory checkboxes in thrive leads anyway?

    Because my lawyer strongly advised me to start with these.
    Not only for accepting the newsletter but also for having agreed to the privacy policy.

    Thanks and greetings!

  • Ian Brodie says:

    Hi Shane – very good common sense and similar to the approach I’ve adopted. The “you need a checkbox” is a major misreading of GDPR. As is saying that double optin solves it.

    The point that people are picking up on is the requirement for granularity. Consent for different processing purposes shouldn’t be bundled together. You can mess this up if you consider your lead magnet to be “a free report I send them” and your emails to be “marketing I email them”. Those sound like two different purposes. But done right, a lead magnet is “valuable information and a small promotion of my services I send them via email” and your regular emails are “valuable information and the occasional promotion of my services I send them via email”, i.e. they’re really the same purpose and so no need for separate consent.

    There’s also a case to be made that legitimate interest applies to people signing up for a lead magnet to send them related emails. And also that a lead magnet is similar to the “discount coupon” example of an allowable incentive cited in the GDPR guidance.

    Just a minor point, in the small print below the optin form you really should say who they’re giving their data to (the name of your business) and that they can unsubscribe at any time. Also mention any 3rd parties you give the data to (most likely no one so that bit not needed for most of us).

    • Robert says:

      Great points, Ian. It’s all in whether the lead magnet and newsletter are perceived (or pitched) as a “bundle”. Those who argue that no matter how we spin it, it’s a bundle and requires separate consent will then surely have to add a check box to consent to receive every single “regular email” since that alone is one giant bundle.

      And what if down the track, I have a “newsletter” with an additional PDF attached? (E.g. a cheat sheet) Is this now another separate item, requiring reconsent? The lawyers are overruling common sense.

      Of course, if email addresses have been purchased elsewhere, no consent granted etc, then GDPR ‘may’ help reduce some inbox clutter, but somehow I think most of those spammers will ignore it, as they have CAN-SPAM and the rest. Just take a look at any Gmail spam box.

    • Shane Melaugh says:

      Thanks for your comment, Ian.

      There’s definitely an issue with semantics as it regards to the “bundling” of consent. The main problem I see with this is that bundling or not is in the eye of the beholder.

      If you send out a series of emails that are all the same kind of email (in your eyes) individual subscribers can still interpret them as separate. As in: I consented to the emails I’m interested in, not to the ones I’m less interested in. I consented to the first half of this email because I agree with it, but not the second half because I disagree with it.

      Even with the NaaS approach, any email you send can be interpreted as a marketing/promotional email. If I send an email with a link to a blog post, that blog post is not far removed from some place where you can buy one of our products. So the email can be interpreted as nothing but a stepping stone to get people to buy stuff. The way I see it, any way you want to “unbundle” the kinds of emails I talk about in NaaS is arbitrary. A court might rule one way or another, but in reality it’s going to be arbitrary.

  • Meredith says:

    Thank you! Unrelated to GDPR – I’ve moved my Newsletter to NAAS recently not knowing what it was. My business had grown as a result more than sending the “snake oily” emails. I just send 3 “picks” each week. And this article will be one of those picks next week!

  • Eduardo says:

    Thank you for taking the time to write this post Shane, I was super worried about GDPR, but now I feel a great relief! Thank you again!!

  • Luke says:

    What about comments on our blogs? Subscribers have to type in an email before leaving a comment. What about Privacy Policy and Cookies Policy? Do we need to change something in them or they should be fine as they are?

    • Erik says:

      I would be very interested to hear Shane’s take on this question, especially as it pertains to ThriveComments: Does ThriveComments have the ability to extract all of someone’s contributions to a given site? I imagine this might become an issue some day.

  • Chris says:

    Excellent article on the topic. Appreciate the no-nonsense approach and actionable advice. I will be sure to share it with my audience, as we have been discussing this exact issue the last few days. Thanks!

  • John E says:

    Fantastic article, Shane! Thanks. I’ve been wondering a lot about GDPR and now I know what to do. I also like your NaaS idea. I think it’s in line with what we all should be doing anyway… be helpful, first and foremost, and then subtly introduce your offers as part of being helpful. Love it!

  • Alex Adams says:

    The voice of reason in a sea of fluff and nonsense – thanks Shane for this clear and insightful perspective.

    I particularly like the reframing of the offer or slight rewording of the form copy to easily become compliant.

  • richard says:

    I can be compliant with the simple optin system and none checkbox ?? 😮

  • George says:

    This is the first sane comment I have heard in this GDPR madness. Everyone is threatening gloom and doom with 20 million Euro fines. It reminds me of Y2K. Your approach makes perfect sense. It will help me not suffer from a nervous breakdown on the 25th! 🙂

    • Danielle E says:

      I agree. I think people are making a big fuss about something that’s meant to protect your personal data from being shared or sold to people you didn’t consent to, or being forced to give your info in an unnecessary way.

      For instance, I bought a product online once and I had to give my phone number “in case it was needed by the delivery company.” It was required or I couldn’t purchase the product. After that purchase I started getting a million and one robo calls from telemarketers.

      This is the type of B.S. that GDPR is targeting, not businesses connecting with people who are interested in what that particular business has to offer.

      Besides, they can always unsubscribe at any time.

    • David W says:

      The main intent of the GDPR is to inform people of what data is being captured and how it is being used and give them the opportunity to CONSENT to such use. In other words total transparency, which is not a bad thing.

      I think Shane’s approach clearly demonstrates that there is no intent to deceive so complies with the “spirit” of the GDPR. We can all go around in circles arguing various points but to solve this I think the only way would be for a breach to go through the courts in order to set any precedent.

      I think there is such wide and varied use of personal data that people are going to take some time for this to settle in. The ICO and other European regulators included.

      I have seen 2 TV interviews with different representatives of the ICO (The UK’s Information Commissioners Office) and they both stated that the fines will be for repeat offenders, in other words, those businesses who have been advised of wrongdoing but do not take appropriate action to mend their ways.

      The ICO see their main role as advisory, so if they are made aware of any breaches they will first make contact to inform you what you are doing in breach of the rules and NOT hit you with any fines of any size. So let’s all think of our customers, be transparent in our use of their data, seek their permission and relax and see how things pan out.

  • Joe says:

    Does this compliance also apply to U.S. email marketers?

  • Solène says:

    Thank you for this super useful article ! I love that you mention the “spirit of the law” or why it was created in the first place, as an intro to what we can apply as small business owners.
    I believe this is where some of the confusion comes from, because in the US (mainly), they apply the law as it is written black on white…. but GDPR is a European law so the spirit matters in how we comply to it!

    I was already using my Newsletter as a Service (love your video !), with clear accessible T&Cs (already in French law), now I just need to adjust the wording on my optins to make it clear they’ll also receive newsletters. No checkboxes for me ^^
    Thank you so much for the clarification, now I am confident the changes I had planned to make are legit (no matter what American interpretation may seem) 🙂

  • Simon S says:

    Great content. However, I am wondering how to prove the opt-in process. In my Thrive Leads Report I can only see the name of the forms but there is nothing indicating if the lead was generated by using an opt-in process or not. So what do you suggest?

  • Mehrban says:

    Thanks so much! I really like that not only is Thrive Themes awesome and generally easy to use, you guys (and gals) provide so many fantastic and helpful pieces of content to help us on a consistent basis. All your hard work is very much appreciated! 🙂

  • Barb A says:

    Great article, Shane! I have the same question as Elsewine R: You stated earlier in the article, “under GDPR, you are not allowed to disadvantage anyone because they don’t provide consent.” …. but then later on in the article the language you suggest for the opt-in, “Subscribe to get the Awesome Guide” which seems to directly violate that rule. ????

    • Tony E says:

      This part of the law is true, but it has been put there so that companies like Facebook can’t withhold access to Facebook because you refused to let them use certain personal information about yourself.

      I am talking in principles, rather than actual precise real world events.

      The law was never designed to punish bloggers who want to encourage readers to sign up to a newsletter in the way that Shane described.

      Therefore it is not in the public interest to fine small guys like us, who are trying to stay on the correct side of moral, whilst trying to make life easy for our readers/customers etc….

      Also, if you were caught in breach of the GDPR laws, you get the chance to put things right first.

      Nothing bad happens until you are given clear instructions by your local law enforcement people on what is wrong and what you need to do to put it right.

      You get a warning first, and a chance to put things right, and plenty of time to put things right. Only after continually ignoring warnings will any action be taken.

      People do need to relax about this.

  • Mark B says:

    Great article…. Many thanks for the useful suggestions and information.

    I do have one concern regarding Quizzes. If one uses the Explicit Opt-In checkbox within the Quiz Opt-in Gate, will this be good enough to comply with the new GDPR requirements? It seems there are no other alternatives within the Quiz builder framework currently?

  • Pit says:

    Very Instructive Shane, thank you!

  • David L says:

    Excellent post Shane and a real breath of fresh air re GDPR. It’s been fascinating watching people panic about it and speculate about what needs to be done.
    I will be implementing your advice in my opt-in pages immediately and adopting your NaaS system too. I’d love to hear more on this too.
    Many thanks!

  • Sam says:

    Unfortunately ‘Fix No.1’ is inaccurate. You absolutely cannot bundle two consents. I’ve spoken at length to the UK’s ICO about this and they were pretty clear that a user MUST be able to access a download or freebie without having to sign up to a newsletter. It’s very tempting to want to re-interpret the law in our favour, but sadly, the very fact there is no separation in this example is exactly why it’s not GDPR-compliant.

    • George says:

      Taking the logical side of this issue – no marketer would have any reason to give out freebies to anyone unless there is something in it for them.

      So unless we can figure out a way to do this in a way which benefits the customer AND us, we might as well forget about freebies altogether. Our benefit is to get the email of a customer who showed interest in what we have to offer.

      I think that Shane is onto something with his idea. Personally, I get around this single freebie issue by offering a series of free videos which obviously require their email to deliver them.

    • MJ says:

      I think the point is that the newsletter IS the freebie. With a bonus attached. It’s not two consents.

      It’s all about framing the offer in a smarter way, as Shane said.

      Example – sign up to receive weekly tips on how to live a more stress free life. We’ll also send you a cool cheatsheet with 7 things you can do right now to bring calm to your day (rough copy).

      The checklist is the bonus. People are signing up for the free weekly tips. You can’t send the weekly freebie unless you have email consent. Do you agree?

      Heck, you could not even mention the bonus if you’re worried about it looking like two consents and this is too grey hat for you.

      Alternatively, offer the bonus as a stand alone free download, then use that as a tool to get people to sign up to your weekly tips (if you liked this cheatsheet, you’ll love our weekly tips… Insert link to sign up form)

      Really, I’m in the UK and what Shane says makes total sense to me as a business owner.

      With all due respect, this GDPR thing isn’t just a matter of ticking boxes to show you are compliant, it’s about working with the regulations in a way that makes sense to your business and customers. We need to be thinking creatively here.

      The UK ICO doesn’t understand what’s best for your individual business. They don’t understand online marketing, nor do they care whether that shitty opt in form with 3 check boxes is affecting your conversion rate, and therefore affecting your business.

      We, the business owners, have to be the ones that make this work for us, in line with the GDPR.

      • This legislation is not intended to be about what is best for business. It is about the rules which will govern the entry to anyone’s Inbox. Your intentions, your reasons for those intentions must be granular or not bundled and they must be explicit, transparent and stated upfront in words that are clear cut and not misleading to non-legally trained people. It is clearly designed to restrain many of the questionable practices that have been employed to build an email list and then for the owner of that email list to use that list in accordance with the explicitly stated purpose.
        Yes, it very definitely is a thrust at business by the regulators who have a very good idea about the difference between what is good for business and what is good for consumers.
        Read Bobby Klinck’s comment. He gets it.

      • MJ says:

        I hear what you’re saying. I’m all for weeding out the good marketers from the bad, and protecting consumers.

        The latter part of my comment was not to rant at GDPR/ICO. I’m beyond happy that I, and many others across the EU will be better able to protect our privacy from unscrupulous forces.

        The point of my comment was to address the freebie/multiple checkbox/bundling scenario.

        Shane’s suggestion makes perfect sense to me, and to anyone who understands the importance of creating a good user experience for their audience.

        If you spend time creating a worthwhile weekly resource, that adds value to your subscribers, saves them time, and helps solve their problems, THAT is the actual freebie. The addition of a supplementary PDF is just a bonus.

        But, as you feel this would be ‘bundling’, what if the opt in freebie consisted of just the free weekly resources?

        Can you speak to that?

      • I think that the inclusion of anything “free” will be seen as a lure or a bait to take people’s minds off the fact that they are signing up to a newsletter. The word “free” is so abused in advertising today. It is simply a psycho-tactic in the same way that the word “discount” is.

        People respond like Pavlov’s dog to these words even though it is very rare to find anything that is genuinely free or discounted. If you have a worthwhile resource that is valuable to your audience, why do you have to bribe them to sign up to your newsletter?

        You probably do it because everyone else is doing it. Surely, part of the reason this legislation is so specific about not bundling a sign up with an inducement is to create a level playing field? You may not be able to offer a free something with your newsletter signup form but neither will anyone else – at least not to customers from the EU.

        Unfortunately it gets complicated in countries like the US or Australia where the majority of our customers are not from the EU and you can continue to use these tactics. My view is that this legislation will become the world standard so we might as well treat it as such.

      • David W says:

        Great MJ

        I really don’t get why people are afraid to give away something for free it’s been pretty standard business promotion practice for many years.
        Unless you are concerned about the quality of your freebie offering that is.

        You can put links to your business website in the freebie and like you say, explain that more great useful tips, advice with occasional offerings are available to anyone who signs up to your newsletter (Put a link to a subscribe form in the freebie).

        Even encourage people to pass on the freebie to their friends and contacts the more the better.

        Sort of like a try before you buy offer although the newsletter will, of course, be free. Why does anyone want to entrap people onto their email list, surely we all want to build a quality list of potential customers?

        That initial freebie should be our vehicle to sell ourselves and our business.

      • Sam says:

        Please don’t shoot the messenger. I don’t know why people are getting so emotional to someone who is simply stating what they’ve been told by a government body as if I made the rules!

        It’s irrelevant whether the ICO understands or cares about Marketers. The guidelines clearly say you cannot bundle two consents and this has been confirmed to me by the ICO. I was very careful to ask this very question to more than one adviser and, as frustrating as it might be to have to grasp this concept, they were very, very clear on the matter.

        The visitor MUST be able to access ANY freebie, however imaginatively presented, without being contacted again by the marketer. In this example, this is impossible. The consent is therefore bundled. It’s a ‘permission wall’. You can dress it up however you like, and this is about what I think or believe, it’s just the way it is, so accusing me of being ‘worried’ or things being ‘too grey hat’ is just silly. Reading far too much into a simple statement.

        As much as we’d love to believe that the ‘newsletter as freebie with PDF as bonus’ is a convenient workaround, sadly it doesn’t stand up in their eyes. ‘We the business owners’ just can’t pick and choose what suits us. I mean you can, but that’s totally your call. It’s a bit like affiliate marketers failing to add disclosures today despite years of this being a requirement. People do, all the time, and get away with it, but you know, you go for it. That’s your call, your business.

        It doesn’t mean this doesn’t suck for us all but it doesn’t mean we can re-interpret the law because it doesn’t work for us. Believe me, I hate the dreaded checkbox as I’d already added it and it was already having an effect on my sign-ups, so I would love to believe Shane’s workaround will fly, but I know it’s just wishful thinking. I ended up ditching my freebies and the checkbox altogether for what it’s worth, so there is just one consent – for my newsletter.

        I’m a huge fan of Shane, Thrive and what they do, but that particular piece of info was just not entirely correct and I felt I had to point it out. I knew how much of an effect this was going to have for bloggers and marketers who rely on their lists.

        As Shane points out, lawyers will interpret things differently, particularly lawyers who are hired by marketers who make a living out of email marketing. I didn’t speak to lawyers, I spoke to the ICO who are the mouthpiece of the regulators.

        I figure I will personally just have to work harder to create a good word-of-mouth reputation that my newsletter is worth signing up for. Old school!

        I’ll continue to be an advocate of Thrive.

    • Tony E says:

      It’s not two consents, that’s where the misunderstanding is.

      Punishing people who want to do things the way that Shane is suggesting is not in the public interest, and isn’t what the GDPR is designed to stop, prevent or punish.

      If people like us start getting fines because we had the audacity to send a top ten list of cupcake recipes in PDF format, then it will be a public relations catastrophe for GDPR, and that is something that the EU wants to avoid right now.

      You can question everything in the most paranoid way if you want, but neither Shane, nor anyone else is suggesting ‘gaming’ or cheating the system in any way.

      What Shane has suggested is a moral interpretation of the law that removes friction between the website owner and the user/customer/reader.

      Ultimately it comes down to personality, if you are naturally a bit paranoid and a worrier, then put the check boxes in, if you are relaxed about it and apply a bit of common sense, then the check boxes aren’t necessary.

      • Sam says:

        Tony, with respect, you’re not understanding yourself my friend. It’s quite sweet that you believe this is about ‘personality’ and that being ‘relaxed’ is a way to circumvent GDPR regulations. Like others, you’re getting a little too emotional, reading way, way too much into the short paragraph I wrote, and shooting the messenger.

        Again. The user is unable to get to the ‘bonus’ PDF without being required to sign up to a newsletter. It’s a permission wall. The user must be able to access the bonus PDF without having to be forced to hand over data to join a newsletter. It’s annoying, and yes, it’s going to affect how people build newsletter lists, but it’s not paranoia. It’s the law, baby! Give the ICO a call. They’re very helpful.

      • MJ says:

        Whoa, whoa whoa Sam, no one is attacking you here. You’re really taking this personally and then deflecting your emotions onto random strangers in a comments box. Sitting wondering what’s up with that (… Well the psychotherapist in me is doing the wondering)

        This is a discussion for grown people with differing points of view, is all. No need to turn this into a personal bashing fest.

        Moving forward, have you seen the latest FB live from Suzanne Dibble? She offers her viewpoint on the opt in offer. Around the 30:40 mark she appears to corroborate what Shane and a few of us are saying.

        Have a watch. Would be interesting to get your view on this.

      • Sam says:

        *sigh* I didn’t accuse anyone of ‘attacking’ me. I said ‘don’t shoot the messenger’ and for people to stop being so emotional over a point I made about one issue that has been confirmed to me.

        I really can’t keep repeating myself and I think Tony is a big boy and can respond for himself – no need to jump in and put words in my mouth (yet again).

        Suzanne has said varying things over the course of her recent media blitz. I’m only saying what I was categorically told by three different people on the GDPR helpline (that was a LOT of wait time I can tell you)- it was a counterpoint to ONE point in Shane’s otherwise informative post.

        Suzanne herself has just emailed her list (today) with a link to OptimizePress’ recent May 17 blog post (not linking directly out of respect as it’s a competitor but please google away):

        “James Dyson, the founder of Optimizepress wrote a great blog on whether you need to get re-consent and how to put together your opt in forms. HE WROTE IT USING MY MATERIALS and it’s a comprehensive yet simple read.”

        I encourage people to read that post – particularly the bit about Selena Soo’s non-GDPR compliant opt-in form, and the clear stance on the bundling of consents.

        Honestly, that’s all I think I can add on these comments. I’m not concerned too much now personally as I’ve already made the changes I feel I need to make to my opt-ins, which is personal to my business. I’m sure we’ll all find our happy place, opt-in wise, and in a few months clear protocols will emerge and any uncertainties will be removed.

      • MJ says:


        This has been a very interesting discussion.

        Guess we’ll see how it all pans out after the 25th. It’s adapt or die. I know which camp I’m in.

    • Daniel says:

      That’s exactly my point in one of my posts above.

      The user has the right to choose to have the freebie without having to signup for your newsletter.

      I think this is a poor attempt at trying to come up with a solution because the checkbox feature in Thrive Leads is poorly implemented.

      Instead of just one checkbox, you could have two checkboxes, either YES or NO, making them required for the user to choose before moving forward.

  • Michele V says:

    Great article, thanks.
    This afternoon I was thinking about newsletters in the same terms 😉
    Now, you confirm to me that it was a good idea.

  • Richard L says:

    An excellent guide with clear and easy instructions. Not those scaremongering articles.

    I will go for the optin without the checkbox. I’m already planning to do my email marketing with soft sell and story telling / giving good advice so I assume this will be done correctly also.

  • Kat says:

    Really helpful blogpost thanks Shane! I have shared it around my networks.

  • Gail Woodard says:

    Thanks so much for this sensible response to the GDPR hype. Well done. Glad to be a member of this thoughtful community.

  • Sharon Landis says:

    Great article Shane. It clears up a lot of confusion for us little guys

  • Amber R says:

    This was by far the best post I’ve read on this topic. I now know what to do and trust the information. Thanks so much for solving this problem for me and giving me actionable steps that aren’t too overwhelming. I do have one question. I’ve noticed a few people I subscribe to send me an email asking me to give them proof of consent; otherwise, I will be taken off their list. Do you think this is necessary? And will you do this for your business?

    • Shane Melaugh says:

      Hello Amber,

      Thank you for your comment!

      Regarding the emails you mentioned. It’s only necessary if you don’t have some form of proof of consent yet. This article explains it in some more detail. I don’t think we will do this, but I don’t make the legal decisions around here.

      Having said that, I do think it’s a good idea to clean up your list every once in a while and kick subscribers out who don’t actively tell you they want to keep getting your messages.

  • Mark van Horik says:

    Thanks for the insight, Shane! One of my roles is being a Marketing Technology Consultant at a MarTech agency. So you can imagine I have been talking a lot to worrying customers about the GDPR. I agree that we should not be fearful about the whole GDPR and we definitely should not make your website one big Checkbox Mania place. By the way, checkbox consent may not always be the best ground for processing personal data. If you have a good relationship with your audience the legitimate interests as ground might work better for you. For more about this, read this on the ICO website:

    The whole NAAS-concept I find intriguing. I advise our customers to think in creating theme-based mailings that offer their customers relevant information based on their customer journey. Or more simply said: create relevant messages and content for the right persons and send them at the right time. I will definitely bear the NAAS-concept in mind in future e-mail based offerings, for instance with quizzes/scans/tests built with Thrive Quiz Builder:)

    Keep up the good work. Always enjoying reading your blogs.

  • Luis Lorenzo says:


    This is a fantastic explanation accompanied by an actionable guide to solving our GDPR compliance needs.

    The NaaS technique looks great and I think I understood most of it with the James Bond example and the video, however more content and guidance on that matter would come in handy.

    I want to thank you and the whole TT team for all the efforts on providing great products and also on the magnificent job you accomplish by educating us all. You do take really good care of your clients and I look up to you guys. You are definitely part of the few internet businesses and entrepreneurs I follow and learn from, simply because I truly believe you use and teach the best practices in this industry.

    Now I need to go and start working on that GDPR stuff, just in case. Thankfully I have all the TT tools to back me up.

    Best regards.

  • acu.insights says:

    Thanks, Shane, for a great article and for the suggestions to meet the requirements in creative ways. I thought of another way to avoid the checkbox using Thrive Leads and I’d like to know what you think. In the same way an upsell is used after a purchase, how about using TL’s “slate” feature to say “hey your free report is on the way… how’d you like to stay in touch via regular email … just click here “YES!” and you’ll be on my email list” (better copy of course) but you get the idea. You’d just be offering the lead to subscribe AFTER getting them to download the lead magnet. Thoughts?

    • Shane Melaugh says:

      Yes, as far as I can tell, this constitutes separate consent and is therefore fine with GDPR.

  • Matt says:

    Shane– Loved the post. Informative and entertaining to read. 🙂

    I think you live in the EU, don’t you? So you have the “inside scoop.” I am a Thrive Themes member so I value this information.

    Now, I have a question. Could I have my lead magnets set up as normal, deliver the freebie when they send their email info (instead of making them get it after confirming at their email inbox) and do this instead…

    Could I pitch my email newsletter (mentioning benefits to them) in the “confirm your subscription” email? The freebie was already delivered. So it would be their choice to confirm and get the emails from me.

    Or would this be a conversion killer?

    • Shane Melaugh says:

      Hi Matt,

      I live in Switzerland, which is the non-EU island in a sea of EU-blue. 🙂
      Can’t say I have an inside scoop of any kind.

      To answer your question: yes, I believe that what you suggest would be perfectly compliant. I say that as a non-lawyer in my “this is not legal advice” voice, though.

      • Matt Philleo says:

        Thanks, Shane. Switzerland has always managed to keep itself independent over the centuries. Love that. 🙂 Thank you again for your article and input.

      • Danielle E says:

        Switzerland has always been on my list of places to visit, and hearing that it’s not part of the EU makes it even more appealing. I don’t fully understand the EU, but it sounds like a lot of bureaucracy and control to me. Although admittedly, I live in the U.S. and can’t say I know everything there is to know about the EU.

        That being said, since I live in the U.S., do I even need to be concerned with all this?

      • Shane Melaugh says:

        Unfortunately, yes. The EU have gotten a taste for making legislation that affects the whole world, not just the EU. Namely, the EU VAT on digital products and now this GDPR. In both cases, the thing is that it doesn’t matter where you or your business are based. What matters is whether a person from the EU can purchase from you or visit and use your website.

        Now, you can ignore the EU laws if you can make a legitimate and strong case that you in no way advertise to, talk to or appeal to EU citizens. For example, if your website is in Vietnamese, you can make a case that – while it’s possible for EU citizens to visit and use your site, you don’t do anything to invite such interaction (your whole site is in a language that isn’t the official language of any EU country). If you have a website in English, it’s a harder case to make, though.

  • Luis Lorenzo says:

    Sorry, but I have some questions after reviewing some of my opt-in forms and pages:

    You mention that it is good to have your privacy policy and terms of service visible and reachable, especially on lead generation pages. So, what happens if I have a 2 step opt-in form?

    Is it ok to show the privacy policy and terms of service on the page but not on the actual form being displayed as a second step? or do I have to show them on both?

    Thank you.

    • Shane Melaugh says:

      I have not gotten a straight answer to a question like this. The “play it safe” answer is: yes, put links to your terms everywhere.

  • Joe says:

    Hey Shane,

    Thanks again for more of what I have learned to love about Thrive Themes; amazing pricing and the most relevant, useful and practical marketing information I can find anywhere (to name a few).

    It has already changed my life and I’m just getting started!

    Yes vote from me, I’m looking forward to seeing more on GDPR. Also want to mention that I really appreciate all you (and the team ;*) do…



    • Shane Melaugh says:

      Thank you, Joe!

      • Christine says:

        Thank you for offering simple, clear-cut solutions, and for making this issue more calm and less nerve-wracking. I’m just getting started, but my newsletter has always been purely informational anyway, so I’m glad to be on the right track.

  • William J says:

    Thanks very much, Shane. This was extraordinarily useful; the fact that it, incidentally, mentioned Theme products was a bonus rather than an “interrupting” ad.

  • Falk says:

    As much as I like what you wrote, and it all makes sense to me: I wonder what somebody like UK attorney & GDPR expert Suzanne Dibble would say to what you suggested.
    May I ask, Shane: did you run this by an attorney who is familiar with GDPR, and they said this is OK? (I would LOVE it, if so…)


    I recently asked the following in a GDPR FB group:

    What do you think of the following advice (I read somewhere recently)? Is this GDPR-compliant??

    “Restructure your opt-ins to say something like: ‘By submitting the form, you are signing up for our newsletter, which qualifies you for this freebie, ongoing tips, and occasional promotions.’

    This way every person is automatically opting in for your ongoing newsletter and giving that consent by submitting the form.”

    (With link to privacy policy as well, of course.)

    RESPONSE from GDPR tracker guy:
    GDPR Training Course:
    “The issue I see with that is the freebie – you are not allowed to offer someone a freebie only if they consent (at least not at the time of giving consent), at that moment the freebie would have to be available whether they consented or not.

    The way around that is to be creative in your wording – so maybe have a link to a sample newsletter which includes details of a freebie and text along the lines of “this is the sort of newsletter you could be missing out on” and so giving heavy hints about the freebie but not directly offering the freebie as a reward for giving consent.”

    “I’m not qualified to say but from what I have read that is not OK for GDPR. The choice to provide consent must be clearly distinguishable and separate from other initiatives. Which means that each different thing you want to send them must be consented to separately.”

    Another potentially useful link:

    • Shane Melaugh says:

      Thank you for your comment, Falk!

      In my research, I’ve also seen that different lawyers give different answers and the main factor is, in my opinion, how conservatively they interpret the regulations. I can understand the stance of a lawyer or adviser in this case to basically say: play it as safe as humanly possible. To make 100% sure that you can never get in trouble, the best thing is to remove all opt-in incentives, add many checkboxes to all your forms or, better yet, cease all email marketing activity.

      From a business perspective, none of those are good ideas. My stance on this (and let me reiterate that I am not a lawyer, this is not legal advice and you should consult with a qualified expert about how you will choose to comply with these regulations) is that we will have to wait for actual legal cases involving GDPR to unfold. Only once some precedent has been established can we give clear answers about how safe you need to play it, to stay compliant.

      • George says:

        That’s an excellent answer, Shane. Lawyers are not marketers and they will lean towards the safest side, even if this strangles our business and ruins the customer’s experience on our sites.
        There are clearly two sides to this story, and no doubt there will be court challenges coming up. Until that time nobody, lawyer or not, will be able to have the final word on this.

      • Elsewine R says:

        Shane, that is a valid point.
        Yet ceasing all email marketing activity would not even be enough…

        We’re focussing on that in this thread (of course) yet it is also your offline data, cookies/facebook retargeting ads and all more data you have from people in the EU.
        Trying to get the best approach and get it right as easy as possible, without 4 overhauls changing the changes 🙂

        Thank you for all your valuable responses and ways to make things easier for us.

    • Ian Brodie says:

      Suzanne has a video where (similar to my comment below) she explains there could be multiple ways of using a lead magnet that don’t require checkboxes (legitimate interest, the fact it’s for the same purpose, the fact it’s similar to the discount codes incentive mentioned in GDPR).

      The fact is that the legislation is not 100% clear (as to be expected – they can’t cover every eventuality and their main concern isn’t people giving away free reports, it’s people being deliberately misleading). We won’t know for sure until test cases run through the courts. Anyone stating this is compliant or this isn’t compliant with 100% certainty is either talking about an obvious point of the legislation where they give an example or more likely has limited experience of how laws like this are actually implemented in practice.

      Right now, “bundling” depends on how you word things. If you make it clear that your lead magnet and emails serve the exact same purpose you should be OK as the unbundling rule is for consent for different purposes.

      And in terms of the line about not making consent a precondition of receiving a service – that depends on whether you consider sending a free report a service. I doubt that was what was on the minds of the legislators when they wrote the rules. And if it was, I doubt it will survive as a rule for long – in the UK we have a common law right to refuse service to someone as long as we’re not being discriminatory.

  • Great article. It explains the GDPR effect on small businesses very clearly and illustrates the options we have to comply. Very informative.
    Thank you.
    Catherine Adam

  • Sophie Henshaw says:

    Great article! Very informative thank you. I just did a review of my site and I believe it’s now GDPR compliant. Do you know anyone who can check these things?

    I think your privacy policy and disclaimer are excellent in TA – I modified those for my business.

    I like to use “email coaching series” for my emails because I do all I can to keep giving great value. I believe the word “newsletter” may put some people off!

    • Shane Melaugh says:

      Thank you for your comment, Sophie!

      I can’t make any recommendations for an auditor or auditing service. I recommend that you search for someone local who has the qualifications and offers such a service.

    • Danielle E says:

      I agree with your point about the word “newsletter.” I’m working on finding a better sounding and more descriptive way of describing what my emails actually contain.

  • Cheefoo says:

    Great stuff with clear explanation. Sometimes, I get few spams which I believe these marketers are buying emails from solo ads. Hope with the new rule kicks in, more marketers to provide quality content rather than pushing out promotional items.

    • Shane Melaugh says:

      Thanks for your comment. In theory, that should happen, yes. I get the feeling that people who’ve been buying and selling solo ads won’t be deterred anytime soon, though.

  • Scott says:

    Finally someone gets it! Great post! I’ve been banging my head against a brick wall of negativity and hysteria about this GDPR and how way too many marketers are panicking unnecessarily and too many marketers are going over the top with compliance.

    You may have been exaggerating to make a point re the checkboxes but I’ve seen them with 3 and 4 boxes as what you now must do!

    Thanks for helping to bring some sanity to this whole affair!


    • Shane Melaugh says:

      Thank you for your comment, Scott!

      It’s true, I’ve also seen articles that gave straight-faced examples of adding 3 checkboxes to a form, as a way to make it GDPR compliant. It’s like we suddenly don’t give a damn about user experiences anymore…

  • Deborah S says:

    Question: I am using Hanne’s suggested method from If the user checks the consent box, are all of your APIs going to pass that consent across to the relevant field in that email provider’s service? For example, I use Drip – Is your GDPR consent box updating Drip’s EU Consent field?

    • Shane Melaugh says:

      Hello Deborah,

      Thank you for your comment. At this point, not yet. I don’t know the specific status of Drip, but from the services we looked at, most of them haven’t made changes to their API yet, so we can’t interact with their inbuilt GDPR related features yet. We will update our integrations when possible, though.

  • Gemma says:

    Thanks for this. I recently made changes to mine so that people still enter their name and email to get my free guide but then in the email sending it to them I invite them to continue hearing from me with tips and inspiration and the occasional promotional email if it is relevant and helpful and I include a button with a Thrive Segue link so it’s only a one step process and they don’t need to enter their info again. My emails will ONLY go out to those who have confirmed using the button and nothing further will be sent to those who asked for freebie but did not confirm to continue hearing from me. Is that enough???!

  • Marjolein M says:

    I LOVE this post, this was what I was looking for. I needed this confirmation for what I already thought about GDPR and I even learned more. Thank you so much Shane, you are a real awesome guy. So happy to be here!!

  • Patrick M says:

    Hi Shane,
    I’d like to thank you and your team for such a clarifying post amidst all the GDPR hysteria. It is wise and full of integrity.

  • Alex Frêne says:

    Thank you SO MUCH for those clarifications. That’s crystal clear, I know exactly what I will do to comply.

  • Remy says:

    Thank you Shane, you do a great job. It’s not easy to watch everything, but tell us: is each of your articles or videos indeed sent to us, one after the other?

  • Dennis says:

    Awesome post Shane. Now, we’re talking here about lead generation, but how about when a customer purchases a digital product (membership or stand alone)?

    My guess is that they should receive the access info in their email and/or after purchasing it, but if we want them to be part of our newsletter then we would require an additional form, gift, permission or SOMETHING, because we can’t tell them anything like “sign up to our newsletter and we’ll send you your access info”.


    • Shane Melaugh says:

      That’s a good question, yes. There’s another problem of gray areas in this case. From what I’ve been told, there are two things to consider.

      First, if you want to be 100% safe, you need to add all kinds of checkboxes to your checkout process. Checkboxes to get consent of analytics, retargeting, sending product updates, sending educational content, sending marketing content, sending affiliate promotions and so on and so forth. You’d have to think of every possible future use you might make of someone’s email address, describe it in detail in your terms page and add a checkbox for it.

      Second, there are some uses of a customer’s email address that could be interpreted as “legitimate interest”, for which you wouldn’t need explicit and separate consent. However, if you want to play it 100% safe, this would only include emergency messages like if your database was compromised and your users are affected.

      I’ve asked about emails that are necessary to help customers understand your product and get value out of it (onboarding emails) and gotten ambiguous answers about it.

      I can’t give a clear answer about what needs to be done here. I think the situation is the same as for lead generation: the proposed legislation is wildly impractical and basically impossible for small businesses to follow, so we have to find some compromise that works for us.

  • Sonia says:

    Hi Shane,
    This a great post! I like the practical examples you provided. Newsletters with useful and informative content are a must so I totally agree with your NaaS.
    Thanks for sharing these insightful tips with us!

  • Bobby Klinck says:

    Hey Shane,

    I love your stuff and use Thrive on both my websites (my law firm and my online business where I offer do it yourself legal for entrepreneurs).

    I think it bears noting for your readers that the approach you are suggesting is not clearly okay. It is in a grey area under the GDPR.

    The GDPR pretty clearly says we can’t require consent as a condition of a contract where the consent is not necessary. Article 7, Paragraph 4 says:

    “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

    And the GDPR makes clear that a contract can be for Free. The territorial scope says it applies where data processing is related to “the offering of goods or services, irrespective of whether a payment of the data subject is required…”

    When these provisions are put together, it’s clear that the old way of doing things is not okay AND that we can’t add a checkbox for consent and REQUIRE people to give consent as a condition of downloading the freebie. That really is not controversial among lawyers who have looked at this.

    Your suggestion seems to simply be another way of doing the same thing. You are REQUIRING consent to be added to your general list as a condition of giving someone a freebie.

    As much as I love semantics as a lawyer, switching the offer doesn’t change the nature of the situation. And this still seems to run afoul of Article 7, Paragraph 4 to my lawyer’s mind.

    That being said, I’ve seen a number of people suggesting this method. To me, this method is (at best) a grey area.

    And there are other solutions for folks outside the EU that don’t require checkboxes and are clearly okay. Among other things, folks can segment EU v. Non-EU and send different delivery emails. In the email to EU people, you can ask them to consent and sell the benefits of your list. For Non-EU subscribers, you don’t have to change a thing.

    I think your readers should understand there are other solutions they can employ that are clearly okay (and that may actually get better conversions overall).

    • Elsewine R says:

      Indeed! So I now try to have an optional checkbox to my Thrive leads (so far it’s mandatory) – I know it’s not ideal, yet I think it’s better than the turn around option pitching the newsletter.

      So then I can prove that everyone that is on the list actually checked the box, else they did not get on the list. Hmm, hope to make that tech work 🙂

    • Elsewine R says:

      Also, Bobby, as a lawyer what is your stand on this… I see they DO it, but is it legal/feasible to say that the law that starts the 25th applies to everything done before that date?

      How is that even possible?!

    • Hi Bobby, I listened to your conversation on Amy Porterfield’s podcast as well and you had some great points. One question: I understand that it’s not possible to only offer a leadmagnet to people who sign up for your newsletter. But how about offering a 10% discount in the shop or free shipping if you sign up for the newsletter. These were always good options for webshops but it doesn’t make sense if you also have to include people that don’t subscribe.

    • Shane Melaugh says:

      Yes, I agree that this could be interpreted either way. The answers I’ve gotten have been positive with some hedging. As I’ve stated elsewhere in these comments, it’s not playing it as safe as possible, if you use the NaaS approach I suggest here. But playing it as safe as possible makes for such a terrible user experience that we may as well shut down our email marketing altogether.

    • Paul says:

      Bobby what you are suggesting is quite frankly ridiculous.
      You are essentially saying that the legislation doesn’t allow for email newsletters that have free content?
      If you say “look at this great free content my email newsletter readers now have access to” (be that a pdf or web content it’s irrelevant), you are saying that by being on the email list you will have access to this content.
      You can’t have it both ways – it’s an email list!!??? If people don’t want to consent to giving their email address for digital content then they don’t have to, but then obviously they cannot get email content.
      What Shane is saying, (my interpretation) isn’t saying
      “sign up to my general list and I’ll send you x”.
      “X is now available to readers of my x list/newsletter/free membership”
      So there IS NO CONDITION.. In the example above we are simply telling people the content they would have access to if they were on “x list”.

      What, if anything, needs clarifying is whether or not having an “email wall” is legal. And of course it should be, I cannot believe the spirit of these rules is to kill marketing in email newsletters as you seem to be suggesting.

      To my mind, this is going way, way too far – I mean we all use 2nd or 3rd line email addresses anyhow when we have to, and even when we use our 1st line email address we know we can unsubscribe.
      With regards to email marketing GDPR is trying to solve a problem that doesn’t exist with rules and wording that is beyond comprehension for the majority.
      From where I’m sitting it’s just a lawyers’ bonanza, and a headache for just about everyone else on the planet.

    • Leslie says:

      As a U.S. business, I think the best solution to this is to exclude all EU users from access to my site for the time being. I have very few EU users and the law does not apply to most US users.

      I refuse to give yet another thing for free because of a law on another continent. My time and work is worth something.

      If I go to the store and want something, I have to pay for it. If I don’t want to pay for it with money, if I were in a barter society, I would have to barter something. The barter in this case is an email.

      As a web user myself, I appreciate the occasional freebie I download, and as an adult with a mind, I can freely decide to only download from sites that are reputable, and unsubscribe if I want to. I totally agree with and appreciate the emphasis on user control of their data. I don’t appreciate being excluded from getting something because there were too many hoops to jump through for the offerer. Often, a freebie from a reputable site leads to only targeted subject matter emails that drop off if there is no interaction.

      This policy, contrary to its intent, still DOES force me to join a “newsletter” to get something I want, in the same way that so many consents work… that is, if the offerer even bothers to offer a freebie anymore due to the legal hoops.

      We fool ourselves when we think that requiring consent will prevent people from signing up, but it’s a matter of what the sign-up barrier is and what the service is. Do people really not sign up for banking, cell phone service, electricity service, Facebook, etc, because they don’t like the terms? No, we consent away because to not consent is to be left behind and to go without. It’s an underhanded form of coercion, extortion, whatever you want to call it. There really is no choice if you want that important thing. This law will not change that (though it will give control over your data, which is a good thing). This is going to turn into a clickfest for the big boys and services we need or very strongly desire. But for the honest little guy with a freebie, not so much. It’s a simple barter made impossible.

      Frankly, I have a business to build and keep afloat. Trying to promote newsletter signups, and forms with a bunch of consent boxes, are equally bad propositions for conversions.

      I will be using forthcoming offers, disclaimers, and yes, probably even some checkboxes. And definitely proof of opt-in. But this is out of hand and I simply don’t need the headache of the EU lawyers in regards to my honest small business marketing, promotion, and communication efforts. I’ve already wasted too much precious time on this. Maybe in 6 months things will be clearer.

  • Olly says:

    Very helpful article. There are many cases where marketers will need to take a slightly more proactive approach than “NaaS”, and send emails with some kind of urgency/scarcity, such as a deadline or bonus related to the offer. In other words, emails that would reasonably be considered “marketing emails”, even if they are directly related to the newsletter that was opted in for in the first place. In this case, my understanding is that you’re required to obtain separate consent for receiving marketing emails. (Consent needing to be granular.)

    So, while I see how your well-explained approach works if you have a super-passive email marketing strategy, many people will need to figure out a way of gaining separate explicit consent to receiving marketing emails. This couldn’t be through double opt-in, because you can’t make your newsletter contingent on agreeing to marketing. You could, however, make your first email a well-crafted message saying: “Here’s what I do, and why it’s in your interest to receive marketing from me in addition to the newsletter… eg. discounts etc… click here to join my VIP club or whatever…”

    It’s still pretty cumbersome, though, and I don’t think it’s really in the best interests of the user. If they’ve opted in, they’ve expressed a clear interest in your stuff.

    I’d like to know how others are approaching this.

    (BTW, the possible way around this I’ve seen is by using the “legitimate interest” argument (the only alternative to obtaining consent) – namely that it’s in the legitimate interest of a direct marketer/blogger to grow their business by sending marketing emails.)

  • angella.andrea says:

    Fantastic blog post. Thank you so much. I sent my re-consent email this morning and made the decision to only change the copy on my opt-in forms so reading this was a great validation of all the efforts I made so far. Like the idea of the newsletter as a service approach.

  • john h says:

    Hi Shane,

    Thanks for a breath of fresh air. I was getting very tired of all the gloom and doom, “let’s see how frightening we can make this sound” rubbish that others have been writing.

    Well done for bringing common sense to the whole thing.

  • Ron Olcott says:

    Something else to consider for US marketers is this is an EU law. It does not apply to your US, Asian, Australian, etc mailing list. As I exclusively sell in the US I am in no hurry to go beyond CAN-SPAM requirements until some dust has actually settled on actual implementations and enforcements.

    • Melanie says:

      I think a LOT of people are missing that point, Ron. I am following the AU (AOIC) advice and as such won’t be making any changes.

  • viniciusdiamantino says:

    Hi Shane! I’ve just found this blog and I’ve been “bingereading” everything as if it were a Netflix show.

    Please, is there an example of terms and conditions to put in my website?

  • I think there is a fair bit of denial going on here. The legislation is going to put a serious dent in list building activity. The last few years of the internet half-life have been devoted to list building – the getting of those precious email addresses and the consent to basically spam the owners of those addresses.

    The GDPR is not there to stop websites gaining visitors’ email addresses but it does seem to be on a mission of education where website owners are the means by which the general public become fully informed of what the consequences are if they sign any kind of online form. The other big part of the legislation is making anyone handling personal data responsible for its security and responsible for knowing where it goes. That includes checking that the system and processes for data handling by any 3rd party processor are also GDPR compliant.

    The thrust of Shane’s post has been about whether or not the legislation will harm the getting of email addresses for the holy grail of the email list. There is no consideration of whether the general public really want their inboxes invaded or not. The consideration is more about whether checkboxes or the copy used will ease the conversion or provide more friction.

    It kind of misses the point. The point is that getting into anyone’s Inbox now has been made much harder. Now, all email is potentially spam unless the recipient is made fully aware of the consequences of signing up.
    The example of the 20 videos signup box is clearly in breach as are many other examples of ways to “get around” or comply with the legislation on blog posts at the moment.

    The best part of this blog post is the thoughtful suggestions on NaaS.

    It’s like we have gone from an online world without borders to one where there is a real border at every Inbox. The GDPR is like a worldwide Customs & Immigration force to ensure that a business cannot email anyone without a valid entry visa to do so.

    The legislation forces all of us to answer the following questions truthfully. In terms of the Customs & Immigration metaphor these questions are:

    “How long do you intend to stay? Where will you be staying? What is the purpose of your visit? Are you on an educational, a holiday or a business visit?”
    In return for being granted a visa, everyone involved in the chain of data handling from the controller to 3rd party processors is equally liable for the auditing and security of that data.

    The wild west side of the world wide web officially ends on May 25th.

    • Joe says:

      This comment really got me!

      If a person signs up and gives their email to a form that is completely transparent and leaves no room for doubt what the person will get after signing up, and yet can’t move their wrist 3cm to click an unsubscribe link… they aren’t welcome on my list to begin with.

      Consent to spam the owners? What frame are you coming from? For most if not all legitimate email marketers who base their marketing on value and building trust with their audience, this statement makes no sense whatsoever and is presumptuous.

      “There is no consideration of whether the general public really want their inboxes invaded or not” Again, vast generalizations of how people email their lists. Invade someone’s inbox? They gave their email to you! And now completely understand what to expect when they do. If they don’t want emails, the unsubscribe link is there and requires a single little click. Done!

      This regulation will hopefully weed out those abusing the system but there is absolutely no reason why Shane’s method is not upfront, honest, considerate of our prospects and in the spirit of the legislation.

      There has been no testing under law yet of these basic list building practices and shame on all those, professionals included, who are categoric and adamant about their interpretation.

      • Nick Marshall says:

        Joe, I have yet to come across a sign up form that is completely transparent. When someone gives consent to join a newsletter list they are rarely informed how many newsletters they will receive or how many additional marketing messages. Signing up to a newsletter often means signing up to a funnel and being segmented according to the response to the funnel emails or the answers to questions that may be asked. That is the point of the list but most people who sign up have little idea of the funneling process that they have unwittingly embarked upon.
        The legislation is aiming to address this digital version of the salesman’s foot in the door.
        I have no doubt that there are many email marketers that do not abuse their potential customers but I have certainly experienced abusers. Shane’s example of the 20 videos is not a good example of an honest and transparent sign up form.

        Yes, the unsubscribe link is there but that is no guarantee that the details will not be sold to someone else. All an unsubscribe should do is prevent any more emails from that particular source ending up in the ex-subscriber’s inbox.

      • Jonah J says:

        Not sure how many newsletters or ecourses or free PDFs you have subscribed to recently but it has been common practice for a number of years for any new subscriber to go through multiple hoops and multiple security gates before they actually receive anything that they subscribed to.

        ICANN and Spam Laws kinda instigated those hoops and security gates and the majority of the email service providers enforce it and the majority of internet marketers adhere to it because it prevents them getting blacklisted and improves email deliverability.

        Once a subscriber is through those many gates they are generally met with St Peter’s welcome email that calmly describes in full exactly what they can expect to receive from here on in.

        The unsubscribe button is a 4inch mouse scroll away north or south on each and every email sent.

        Very few of us are in this to scrape and then resell email addresses.

        The world has not gone mad and people do not need wrapping in cotton wool and eyes covered with blinkers.

        They do not need saving from legitimate emails ffs.

        Tarring every marketer with the same brush is ridiculous and I’m sure that GDPR will see sense.

        People have a brain. They have a choice.

        What you are proposing takes away that choice.

        If they don’t want or need products or services……stay away from the internet. Simples.

        If they don’t want emails……don’t opt in for stuff. Simples.

        If they do opt in and they are not happy…….they can opt out. Simples.

        We have many marketing scams in the UK as it is. Cold calling from accident lawyers or those call centres they employ or pay commissions to etc, yet it continues because people have a choice to hang up or ignore the call or block the number if not recognised.

        Your interpretation of GDPR and of how you believe email marketing is being used by the majority simply takes those choices away and prevents anyone from ever opting in for anything whatsoever.

        The internet is then dead and we should all go get a real job.

        What happens the next time you want to purchase your car insurance online?

        What happens the next time you want to order your shopping or weekly grocery supplies online?

        Are you going to get pissed off because a follow up email tells you that bananas are on special offer or that your insurance premium has been reduced?

        At what point would you be happy for it to continue or stop?

        There is just no pleasing some people……that old adage!

  • It’s very interesting, Shane but I’ll stick with my checkbox for now. I noticed that freebies like ebooks and cheatsheets are mentioned a lot. What about the old “join the newsletter and get 10% off in the shop”? Or free shipping…whatever.

  • Michael says:

    Very helpful, thank you.

  • Jeni B says:

    I sent a link for this post to my entire list on Friday and see several commenters here that I know and love. <3 Just wanted to say thanks for standing up for the "little guy" and helping reframe these requirements into just good, honest, common-sense marketing that builds a long-term business. I appreciate you!

  • Luis Lorenzo says:

    Hello again, Shane.

    Will there be any tutorials on how to use the new features on TT products to be GDPR compliant?

    I just want to make sure to get the most from the updates.

    Thank you.

  • Chris says:

    Yet another question, Shane.

    The EU happens to have 24 official languages.

    I believe that legal stuff on a website like Privacy Policy, Imprint, Terms and Conditions are good when they are in English language only and it is not required to have them translated 23 times.

    Do you agree?

  • Dan N says:

    Thanks for the article Shane – that makes sense and sounds like a sensible approach. So are you guys making any changes to your privacy policy for GDPR and if so what?

  • Anil Agrawal says:

    Shane, Awesome post and really great idea or concept of Newsletter-As-A-Service!

  • Šárka says:

    Great article. Thanks. Šárka

  • Matt Tomkin says:

    I genuinely hate this subject. However, reading this post gives me a little more hope that the world hasn’t gone completely mad! My personal take on GDPR is that there are very few people who actually know the implications of the rules and how to keep safe of them.
    It is going to make for an interesting few months.

  • blbpublishing says:

    Nice job of simplifying this for us. Much appreciated.

  • LynnB says:

    Wow, it’s about time someone really explained this. I was kind of freaking out! Thank you!

  • Philipp says:

    Now, to take this one step further, what I’d love to see in Thrive Leads is that we can show a different popup to EU and non-EU residents. This way the phrasing could be different for GDPR compliant and not-that-compliant popups.

  • Karen says:

    This “bundling” approach to offering a free item in return for signing up for the newsletter may be “ok” for simply building your newsletter list, although I have to agree with Nick Marshall’s comments that this approach isn’t in the spirit of the end-user protections the GDPR is meant for. Additionally, this approach only leaves you with opt-in approval to use their email address for an email newsletter. You can’t then use those email addresses to target those same people via social media and internet ads, since they only opted in to the newsletter.

  • Matthew N says:

    Hi Shane,

    Outstanding post as ever – thank you very much. I love the NaaS approach, and would also be interested in further content from you and Hanne on this. Best wishes from Edinburgh 🙂

  • MJ says:

    Hmm, just watched the latest FB live (21 May) in the GDPR group. Very informative.

    Incidentally, around the 30:40 mark Suzanne Dibble states that it’s fine to ask people to sign up for your content/marketing emails etc, and THEN say, in Suzanne’s words, ‘as a thank you we’ll give you our freebie’.

    Suzanne corroborates exactly what some of us have been saying all along lol.

    Interesting that…

  • Rob says:

    Thank you for the great explanation, it was really helpful.

    I still have something unclear I’d like to verify –

    What if I change the copy of the sign-up form, but I still have links that lead to the opt-in page from multiple YouTube videos that state –
    “get free advanced course”

    Do I also need to change the copy of ALL of the links that lead to the opt-in page? Or should I just change the copy of the signup form?

    Thank you, I highly appreciate your answer.

  • Theresa W says:

    Yes! I’d love to know more about applying the Newsletter As A Service approach!

  • Rose says:

    I have a question that’s somewhat tongue in cheek, but I’d also like to know the answer. I know that in my terms and conditions page that I purchased from a lawyer I say that my website is for those 18+ only and that I’m not responsible for people underaged on my site and that by using my site they are agreeing that they are 18+. *Could* I say that my site is meant for people outside of Europe and I’m not responsible etc. etc. in the same way that my terms say for underaged users?

  • Great explanation! Well done.

  • Laura says:

    I love this great article! I don’t mind giving free stuff. People who want the free stuff without the relationship have no value to me. They will not use my free content so my PDF is of no value to them either.

    My main offer has always been GET FREE COACHING UPDATES + “this Amazing freebie” so I’m OK. No way I’m using a checkbox. I will start my email series with a PDF download and request consent if they want more. That’s it.

  • I can’t thank you enough for this common-sense article. Tweeting and forwarding to many colleagues.

  • Bernd says:

    Thank you for this relaxed and worthy view on gdpr. This helps a lot

  • Nick says:

    Thank you, we are just planning our new campaign concerning GDPR. This is great timing.

  • Pete says:

    @Shane (or anyone!) – Does Thrive have a way to serve GDPR-compliant forms to users with an EU IP address and a different form for non-EU IP addresses?

    • Shane Melaugh says:

      Not yet, no. But it’s something we’re considering. If it’s something we’re allowed to do (legally) and it’s technically feasible, we’ll add such a feature.

  • Ricki says:

    I love the NaaS model, but wondering how it would work for someone who has a newsletter (or sends informational emails) about food (as in, a food blog). If the product is a cookbook, say, you couldn’t really weave that as an example into an email about “how to use oats effectively” without actually giving away the contents of the cookbook (or at least part of it). Shane, in that case, what would you recommend? Using one recipe from the book as an “example” of how to use oats (or whatever) effectively?

  • Cat says:

    Well this is a very comprehensive, clear article about GDPR compliancy and how we can do it – thanks 🙂

  • Dust says:

    Awesome article, thank you so much! My newsletter has separate sections, one of them being a (fortnightly) product review where I personally road-test a product and write objectively about the good, the bad, how much it costs and where it can be purchased (aff. link.) Obviously I only promote products which I would recommend and they are all related to my niche. In this format, would you still consider it NaaS, -and- GDPR compliant? Thanks.

    • Shane Melaugh says:

      That’s a good question, yes. Because it’s an explicitly different part of your newsletter, it may be something that requires extra consent. But I really don’t know.

  • Leelo Bush says:

    Thanks Shane for removing the hype and fear-mongering from the topic of GDPR. Your opt-in examples are great but I wonder about a special circumstance we have.
    Typically our emails and blog posts have a NaaS feel to them, however with our online school a few times each year we’ll offer deep tuition discounts to prospective students. On the final few days of discount week, we send out several reminders that the discount is ending. While a few opt out, many more are grateful and register for training.
    Do you have any suggestions for improving these necessary messages?

    • Shane Melaugh says:

      That’s a good question, yes. I think even this is a gray area. Maybe it could fall under “legitimate interest”, but it’s probably safer to get extra consent for it.

      However, I think a check box is probably still not the best way to get consent for what you describe. Instead, I’d consider mentioning these discounts in your NaaS emails and saying something like “if you want to make sure not to miss out, click this link and we’ll send you reminders” or something like that.

      In other words, you can still get consent during the ongoing conversation you have with your subscribers. It doesn’t have to happen at the point of signup. And I can imagine that once you’ve established a relationship, you’re more likely to get that consent than before someone even signs up.

  • Jarrod says:

    Best GDPR article I’ve read so far! Thank you so much!!

  • Max says:

    “Plus, there’s an extra twist: under GDPR, you are not allowed to disadvantage anyone because they don’t provide consent.”

    Excuse me, please? I don’t mean to disrespect anyone’s privacy or say anything gdpr related is a bad thing – I just had no need to look into this and don’t really care tbh, but that sounds stupid to me. Not sure if you misunderstood the law there or the law actually is so stupid, but if I want to give out my pdf that I have put 1000 work hours away only to the people who consent that I also use their email address for advertising, then how can this be forbidden? People don’t want to pay money for the download but they also don’t want to see advertising, they just want to get free content for literally nothing at all, and the law supports that?
    I mean, I am not forcing anyone to download the pdf (speaking exemplarily), but if someone wants to have it he _has_ to accept something at some point. If my car dealer decides that he wants to give away cars to people who are willing to receive ads, that means I can walk in, not consent to his offer and just take the car neither paying nor allowing him to use my data…?

  • Shane Melaugh says:

    Hi Richard,

    Yes, there are a few more things to consider for GDPR compliance. Regarding the data removal, we’ve written about it in our post about GDPR features in Thrive Themes products. For this post, I deliberately wanted to focus on opt-in forms and email marketing, because trying to cover everything kind of blows up the scope of a blog post.

  • Ali B says:

    I’ve been writing a newsletter for 20+ years. When I started it I never thought about making money with products. I now incorporate products and would love-as-a-service as you describe here. Thank you for such excellent information – as always.

  • Will says:

    Thanks, Shane….this has eased some of my worries and given me an action plan!

  • Sandra Bellamy says:

    I just have to say something. I keep reading that no one wants to subscribe to another newsletter, but that simply isn’t true. As I have no freebie but my newsletter, and that is exactly what they give their email address to me to sign up for.

  • Thanks for your very helpful post. It seconds the way that I modified my optin forms. Your idea to do soft promotions is very smart. I will add that to my email funnels!

    I only wish that Thrive would be available for non WordPress sites too. I am very unhappy with LeadPages which I have been using for 4 years now – and which is still very buggy…

  • Jay Fenichel says:

    Thanks Shane… Posts like this are why I am a Thrivethemes member and why I always recommend your products and services to other online marketers.

  • jan t says:

    How to place the checkbox on the web form? I can’t find the options in my TA

  • JEREMY BOONE says:

    Enjoyed reading this article as well as all the comments (took a while).

    Looking forward to using your advice here.

    Any suggestions on what you did for your email list prior to the GDPR taking effect?

    Is there a template email available to send out to my list you would suggest?


  • It appears Aweber is in agreement with Shane’s take on it. They seem to say that this ‘bundled’ approach is okay as long as the bundled incentives are related (They suggest that unrelated bundled incentives use checkboxes.)

    I like the wording in the example they gave:

    Get 20 FREE VIDEOS

    Get regular information on bushcraft, survival and outdoor life,
    starting with 20 FREE VIDEOS today.


    The one thing I’m adding below the privacy link is a link to learn more about the free course. I’ve done that on some of my optin forms as it suits my purpose. On the linked page I give more info but I also offer to get the course without signing up. The reason I do this is that I noticed for some time now that a fifth of my customers never opt in – the only way they purchased my product was watching a VSL that they arrived at via an exit pop up that said – ‘Get the free video without signing up’.

  • Sonya says:

    How does this apply if you have an opt in to be notified when enrollment to a course reopens?

    • Hanne says:

      If you only notify people when the course re-opens and that’s what people sign up for there is no problem. If you add them to your regular newsletter you would need to be very clear about that. “Sign up to our newsletter to know when the course re-opens”

  • Alisa G says:

    That’s a definite yes on the naas approach! And email templates would be outstanding!

    I’m sure it’s coming but do we have to be gdpr compliant in the US?

  • Co says:

    Your conversion rates go down not because of a checkbox, it’s because nobody wants your emails, and now you’re no longer allowed to trick people into signing up to them. Don’t try to find tricky ways around it, just stop sending people spam. If people actually care about your product / site / service / whatever, they don’t need annoying newsletters to be reminded of you.

    Fix your product, not the amount of popups and tricky call-to-actions on your website.

  • Jonah J says:

    GDPR is still very young and finding its feet but relevancy and context is a key factor to most businesses and will certainly be the same to GDPR and something that is really quite simple unless you are intent on selling just about anything to anyone via any means.

    Too many people have an issue with identifying genuine relevancy.
    If a customer, client or website visitor is on a website that sells Blue Widgets then they are obviously interested in or looking to learn more about Blue Widgets.

    This is the beginning of relevancy.

    Now, Blue Widgets may or may not be related to Pink Widgets but if there is a clear and unambiguous relationship between the two, then you will be fine with GDPR if you subsequently offer those Pink Widgets at a later date.

    Let’s look at a local building company.

    They offer multiple services from bricklaying, plumbing, roofing, drainage, plastering and landscape gardening.

    They may also offer to supply products that are relevant to each of those services.

    Any sane person can see that these are all related and relevant to a potential homeowner looking for the services of a builder, even if their first enquiry via the submission of an opt-in form or newsletter was about plumbing. Under GDPR, does that customer need to give explicit consent to receive additional helpful information in relation to any other building service other than plumbing? I very much doubt it!!

    As another example…..take a look at some of the large and established DIY stores in the UK. They offer thousands of products that many here would argue are unrelated and in their interpretation cannot be cross sold under the new GDPR rules…..unless the customer explicitly opts in and gives their consent to be cross sold. This again is utter nonsense and completely unworkable. Industry and marketing would collapse as a result. Businesses would go broke.

    GDPR is not about damaging genuine, relevant and related business. It’s about ridding the internet of the scammy marketers who set up get rich quick websites that sell just about anything from their grandma to skateboards through hard sell techniques to just about anyone they can.

    Now look at Amazon……..who routinely offer additional items through their ‘people who bought this also bought this’ to everyone who visits their site.

    Will GDPR bounce Amazon for offering something that wasn’t on the customer’s initial shopping list or that they never consented to being presented with as an upsell, cross sell or down sell?

    I think some people here are taking this and making it far more complex and scary than it needs to be.

    Shane hit the nail on the head……..don’t try to sell a lady some underpants and a razor when she is on your website looking to learn something and then potentially purchase something related to web design.

    The scaremongering lawyers do little to help, regardless of how much they’ve read or how well polished their webinar may be. Context is more important than the words they often misinterpret.

  • Jasper S says:

    I’ve been looking for a simple explanation for this whole GDPR thing. Finally found it. This was great – thank you!

  • Irina Lee says:

    This is BRILLIANT!! I’m hereby embracing #NaaS as my NEW motto, until we have implemented all the action steps you suggest in this post.

    GDPR suddenly felt a lot less threatening, because now I KNOW what to do.

    Thank you!

  • Does anyone have any research that helps illustrate the impact on conversion rates of forcing someone to opt in vs. giving them the option to opt out? I am having a hard time finding this and feel like it *must* be out there somewhere.

  • Alberto says:

    Are you sure the “Copy only” solution works? My provider for the consent solution says I need copy for the newsletter and a checkbox for a lead magnet, or vice versa. Plus, a checkbox for promotional content.

  • Samuel says:

    Thank you so much for sharing such a huge clarification! I was like searching all over YouTube and haven’t found even a single good step-by-step resource. Please keep the quality articles coming. Really appreciate the quality you put into the articles.

  • Kamal says:

    Hi, Thanks for sharing nice post, keep updating.

  • lina moda says:

    Hi Shane! Great article, thanks a lot for bringing some sanity to this crazy GDPR rush.

  • You are making a huge assumption there that sending someone a free PDF is what the legislators meant by a “service” when they wrote those rules.

    • Last time I checked, I believe it was actually specified in the legislation that delivering something electronic automatically (ie. not requiring human time / manual processing to do so) is not classified as a service. This is not legal advice, though.

  • ram garg says:

    I think it’s in line with what we all should be doing anyway… be helpful, first and foremost, and then subtly introduce your offers as part of being helpful. Love it!
