Essential Guide to GDPR for Membership Site Owners
I’m sure by now you’re already well aware of the EU GDPR (General Data Protection Regulation) rules that came into place in 2018.
But you may not be fully aware of what these regulations actually are, or how they apply to you, and most importantly, how they might impact your membership site.
So, whilst we’re by no means lawyers and recommend you receive professional advice to ensure you’ve got all of your ducks in a row (insert butt-covering disclaimer here*) we wanted to highlight what this means for you and what you need to do.
Firstly, does this even apply to you?
Yep, I’m afraid it most likely will, whether you actually live in the EU or not.
The only reason this won’t apply to you is if you have no dealings with members of the EU whatsoever (e.g. your website is only for people in the U.S. or Australia) – whether that’s as paying customers or someone signing up to receive your lead magnet.
The bottom line: it doesn’t matter what country you are in, it’s the country that your customers and subscribers are in that matters.
What happens if I don’t comply?
So, GDPR applies to you, but why should you actually pay attention and how can these regulations even be upheld (especially if you're not in the EU yourself)?
Well, the worst case scenario is that you get a fine. A very, very big fine – up to 20 million in fact (or 4% of your turnover).
Now, realistically speaking that’s unlikely to be the first step, especially for a small business.
And it’s highly unlikely that the GDPR watchdogs will be out in force ready to clamp down on any minor non-compliers – they will go for the big fish, and the most unscrupulous, first.
But that doesn’t mean that you shouldn’t comply!
If nothing else, what the regulation allows is for anyone to lodge a complaint against a business for being non-compliant.
So all it takes is for one disgruntled email subscriber to complain, and you have an investigation on your hands.
So, whilst you’re unlikely to get slapped with a giant fine immediately, don’t use that as a reason to be complacent.
Do your due diligence, make the required changes and sleep peacefully.
Plus, as GDPR becomes commonplace, more people will be aware of the data companies hold on them and the risks that involves, and if you can’t show that you’re playing by the rules you may be turning away subscribers and customers who prefer to know where their data stands.
Can you block EU countries to avoid this regulation?
You can, but why would you?
At best this cuts out a huge potential market for you, and at worst it could be seen as discriminatory.
Don’t be like Unroll.me:
Nobody wants to get that message from a company they are interested in.
While the regulations do mean a little more jumping through hoops, at the end of the day for most businesses it’s really just some extra awareness, increased security and a few checkboxes.
Add to that it’s likely that, in these days of increased awareness and concern about data protection and security, other countries will soon implement similar regulations.
So better to buckle up now and get it out of the way.
So, what are the regulations?
You can see the full GDPR info here – it’s pretty ‘dry’ but the upshot is that you need to ensure that any personal data you possess for someone is secure and processed with their consent.
The official FAQ refers to personal data as:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
So this includes:
- Email Address
- Postal Address
- Phone Number
- IP Address
- Bank, credit card or PayPal details
Basically it covers any identifying information that you may collect, use or store on someone who visits your website, signs up to your email list or, in our case, joins your membership site.
So the GDPR provides every individual (including you – don’t forget GDPR applies to you as a user as well!) with a certain number of rights when it comes to the collection, storage and security of their data.
Read about each of these rights and what they mean here.
The most important points for membership site owners:
- Someone can request access to any data you store on them and how you use it, and you have to be able to supply a copy of the data if requested
- Someone needs to be able to request their data be changed if incorrect, as well as have the ability to remove consent for their data to be used and request that existing data be erased
So, what does this all mean for your marketing?
Well, essentially it means that consent, security of personal data and privacy are more important than ever.
Our good friends Andrew and Pete put together a pretty fun video about what you actually need to do:
The main area you’re going to need to pay attention to is your opt-in forms and lead generation.
You need to be clear about what someone is entering their email address for, and you need to get explicit consent for the kind of emails you want to send to them.
And then only send that information.
This means getting granular with your email types as well (e.g. weekly newsletter, monthly offers, new product releases), ideally with a checkbox for different options so that someone can select only those that they agree to. And provide granular opt-out options on your emails too if you send a lot of different email types.
In an important change, any checkboxes for consent cannot be pre-ticked. And you need to be able to prove that this consent was given.
Now, checkboxes aren't actually essential. For a lot of people they will be the go-to because of the different kinds of emails they send, but all the law actually states is that someone needs to be fully informed of what they are giving their data for and consent to this. If you're only going to be sending them their free guide and a weekly email, then something like the following would be sufficient:
“Enter your email address below to get my free guide and my regular weekly newsletter”
What you can't do is use that as the basis of consent, but then also send them several emails a month about your products.
You also only want to collect data you actually need. Do you really need first name, last name, business name, phone number and email address in order for someone to download your free PDF? If the data is not essential, don’t collect it.
Much of the above will need to be put in place with the help of your email marketing service or any software you use to collect emails – if you’re not sure if your email service already allows you to comply with the guidelines, check with them.
Practical & Legal Stuff
You also need to have options for someone to see any data stored on them, and to request its deletion.
This also means that you need to know what any third-party software does with any data you pass to them, and the security and protection they have in place. This includes things like your email marketing service, your payment processors, your website analytics service, and storage sites like Dropbox.
The good news is that all these companies also need to comply with GDPR so getting this information shouldn't be difficult.
Cookies & Site Tracking
Perhaps the trickiest aspect of GDPR comes down to people giving consent for things BEFORE they even access your site.
All websites these days contain some form of cookies and tracking, even if it is just good old Google Analytics. Often this tracking begins the moment someone lands on your website.
Under the new regulations, however, someone needs to give consent BEFORE you can implement this tracking. This means you need something like a pop-up informing them of the cookies and tracking your site uses and requesting consent (check out CookieBot as one option for this).
And yep, this includes Facebook Pixels too.
If you’re using ActiveCampaign they have developed a way of getting this consent before turning on site tracking. Check it out here.
It’s also believed that this aspect of the regulation may be amended slightly in future as services like Google Analytics work based on IP Address, which isn’t immediately identifiable information. Google Analytics also offers an option to anonymize data, which we recommend turning on.
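As an added illustration (not code from the original post, nor from CookieBot, ActiveCampaign or Google), the snippet below shows in browser-side JavaScript the two mechanics this section and the opt-in section describe: tracking scripts stay unloaded until the visitor opts in to that category, every category starts unticked, and each decision is written into a timestamped record that names the exact wording the visitor saw, so the consent can be shown later if anyone asks. The category names, script URLs, storage key and record fields are assumptions made for the example.

```javascript
// Added example, not the post's own code: consent-gated tracking with an
// auditable consent record. Category names, URLs and field names are assumed.

// Tracking scripts grouped by the category a visitor can consent to.
// The URLs are placeholders standing in for e.g. analytics.js or a pixel.
const TRACKER_CATEGORIES = {
  analytics: ["https://example.invalid/analytics.js"],
  marketing: ["https://example.invalid/pixel.js"],
};

// Version label for the exact wording shown beside the checkboxes, so a
// stored record can always be matched to the text the visitor agreed to.
const CONSENT_TEXT_VERSION = "banner-text-v1";

// Every category starts as "not consented": the checkboxes must be unticked.
function defaultConsent() {
  return Object.fromEntries(
    Object.keys(TRACKER_CATEGORIES).map((cat) => [cat, false])
  );
}

// Turn the submitted checkbox states into a record worth keeping. Only an
// explicit `true` counts as consent; missing or odd values stay `false`.
// `now` and `source` are injectable so the logic can be tested offline.
function buildConsentRecord(choices, { now = new Date(), source = "cookie-banner" } = {}) {
  const granted = defaultConsent();
  for (const cat of Object.keys(granted)) {
    granted[cat] = choices[cat] === true;
  }
  return {
    timestamp: now.toISOString(),       // when the visitor decided
    source,                             // where the consent was collected
    textVersion: CONSENT_TEXT_VERSION,  // which wording they saw
    granted,
  };
}

// Load only the scripts whose category was granted. `loadScript` is injected
// so the same function runs in a browser or in a test; it returns the list of
// URLs that were allowed through.
function applyConsent(record, loadScript) {
  const loaded = [];
  for (const [cat, urls] of Object.entries(TRACKER_CATEGORIES)) {
    if (record.granted[cat] !== true) continue;
    for (const url of urls) {
      loadScript(url);
      loaded.push(url);
    }
  }
  return loaded;
}

// Withdrawal is just a fresh record with nothing granted; applying it on the
// next page load loads no trackers at all.
function withdrawConsent(now = new Date()) {
  return buildConsentRecord({}, { now, source: "preferences-page" });
}

// Browser wiring: read the stored record and inject the allowed script tags.
// Runs only when a DOM is present, so the module also loads under Node.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const STORAGE_KEY = "consent-record"; // assumed key name
  const stored = localStorage.getItem(STORAGE_KEY);
  const record = stored ? JSON.parse(stored) : buildConsentRecord({});
  applyConsent(record, (url) => {
    const s = document.createElement("script");
    s.src = url;
    s.async = true;
    document.head.appendChild(s);
  });
  // A banner's submit handler would call buildConsentRecord(choices), store it
  // with localStorage.setItem(STORAGE_KEY, JSON.stringify(record)), send the same
  // record to your server so you have the proof, and then call applyConsent again.
}
```

The point of injecting `loadScript` is that the decision logic ("is this category granted?") is separated from the side effect of adding a script tag, so it can be checked without a browser. If the analytics category is granted and the real analytics.js is the script being loaded, the IP anonymisation option the section mentions is switched on with `ga('set', 'anonymizeIp', true)` once that library has loaded.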
Unless your current email list has already been collected in a GDPR compliant manner, then you may need to reconfirm permission to email your existing list (or at least the EU portion of your list).
An important point of the new regulations is that you need to be able to prove that consent was gained, so ensure you know where this consent information is stored.
If someone doesn't re-consent, then you need to remove them from your list.
It’s worth noting though that even though everyone seems to be asking for consent again, it’s not actually a hard and fast rule that you need to do so and there’s a lot of confusion around the issue.
If you know and can prove where people signed up from, you’re only sending the information they expect to receive, or you’ve got grounds to claim legitimate interest, you might not need to send a re-consent email after all.
Whilst asking for re-consent is likely going to result in some pretty big email culls happening, the upshot is that at least you know that the emails you're left with are the people who really want to be there.
A large part of this regulation is designed to stop data being used for purposes that it wasn’t intended for. Which is why consent is such an important factor.
What this means in practical terms though is that if someone has signed up for a lead magnet, then unless you actually state on the sign up page that they are also going to receive your weekly email and marketing offers, you won’t be able to send them.
That in itself is a bit of a blow to marketers, but the bigger issue is if you use your list to run affiliate promotions, or you run giveaways or take part in other people’s giveaways on the basis that you will receive the emails submitted.
If you’re frequently promoting other people’s products and offers to your list, you’re going to need to ensure they consent to receiving those particular emails, and give the option to opt out of them.
What does GDPR mean for your membership site?
In addition to the above, as membership site owners we also have other things to consider as we hold even more personal data than an average email list owner.
The regulations aren’t necessarily different here – you still need to update your terms and conditions and know what data you’re collecting, how it’s used and how it’s stored and secured. So, terms and conditions and privacy policies need to contain this information.
It’s important, if you’re not already doing so, to get proof that terms and conditions have been seen and read before someone completes a purchase. Your membership plugin or checkout software should be able to allow this.
You’ll also need to know how someone’s data can be accessed, downloaded or deleted throughout your membership site. WordPress has some features to help with this, and if you’re using a platform software then they should also have features to help you comply.
The more complicated aspect here is your community – some communities will enable the downloading of data and posts for a specific member but others won’t. You’ll also need to consider what happens with the community if someone requests all their data to be deleted.
So, a large part of what we need to do as membership owners is be fully aware of everywhere we are keeping members’ data, which may include:
- membership plugin
- payment processors
- email service
- messaging systems like livechat or Intercom
- help desk software
- community software
- LMS plugin
- tracking systems
Once we know where we're keeping data, we need to know for each of those systems how that data is stored and secured, how it can be accessed and altered, and how a copy of that data can be sent to the member if requested, or even completely deleted.
A little good news
One good thing as a membership site owner is that explicit consent for email is not necessarily needed (although you may want to get it anyway).
As someone has purchased the membership from you, there is a reasonable expectation that they will want to hear from you about the membership, so emails to your members are likely to fall under ‘legitimate interest’ or ‘contract’ basis – but as always it’s best to check with a professional and is still wise to get opt-in consent to be on the safe side.
Also bear in mind that legitimate interest would only cover you for sending things like onboarding emails and updates about the membership. It wouldn’t cover you for things like sending emails about other products.
The cancelled members conundrum
We're big fans of not burning your bridges when it comes to cancelled members, and for our site in particular a lot of ex-members come back again in the future.
However, under the GDPR regulations a significant change concerns whether you can email cancelled members after they leave your membership.
If at the moment you're moving them onto your general email list, or a special cancelled member email sequence, then you may no longer be able to do that unless you gain separate permission to do so (especially if you're using legitimate interests as your reasoning for emailing when they are a member) or they were already on your general subscriber list.
This could be a bit of a blow when it comes to sending things like win-back campaigns.
So, What Now?
GDPR is a huge beast and we can't possibly look at all the potential repercussions and details in this post. But the above are what we consider to be the biggest implications for membership site owners.
Now, it is a lot to take in and it may feel a little overwhelming, but there are some simple steps to put you on the path to compliance:
- Don’t panic!
- Take some time to learn exactly what you need to change and implement
- Identify every source of personal data that you collect and use – for web visitors, subscribers, members and anyone else you come into contact with in your business
- Write down all the different places you store data, and check what each has in place to enable you to comply with GDPR
- Find out how you can access, change, download and delete someone's data (from all sources) if requested
- If required send an email asking for re-consent to your existing email list – remember you need to be able to prove this consent
- Remove any unneeded or outdated data – a great chance to clear your email list of those who haven't opened for years!
- Create a process for identifying and dealing with data breaches and be sure to have things like your website security up to scratch
Remember this is only in effect for EU based members, so you may be able to splinter some things off – like sending a win-back campaign to cancelled members who aren't from the EU. However I actually think in many ways it's easier to put the regulations into effect for everyone, regardless of location. More and more people are becoming conscious of data security these days after all.
To make the process of becoming compliant easier we also recommend you look at the following resources:
- Get the free GDPR checklist
- Buy the GDPR compliance pack to make the process as easy as possible when it comes to getting your legal ducks in a row
- Join the GDPR Facebook group for some great videos and advice on specific issues