Popups and GDPR: What You Need to Know

If you’re an email marketer, you’ve probably heard about the GDPR already.

But do you know how it will affect your website popups?

We thought it was time to clarify what you can still do and what you need to adapt.

Disclaimer: This FAQ is not intended to be a source of legal advice. Any answers have been prepared for informational purposes only. We recommend you seek specific legal advice by GDPR legal experts.

What Is the GDPR?

The GDPR is an EU law that regulates data protection and privacy for all individuals within the European Union. It governs the collection, use, and processing of data of individuals by companies.

Do I need a GDPR popup?

What the Law Says

GDPR will affect every company that is established in the EU and/or that uses personal data from EU citizens.

If you’re established in the EU (regardless of whether you process data in the EU or not) or if you’re collecting email addresses and send email to subscribers in the EU, you’ll have to comply with GDPR.

This will apply to your business even if you’re storing your subscribers and/or sending your email with a tool that is not hosted in the EU (e.g., MailChimp, Sendgrid, etc.).
Let’s take a few examples.

• If you run an ecommerce website in Texas that sells hats and belts worldwide, you’ll have to comply with GDPR for your European customers.

• If you run a SaaS business out of Germany and sell your product only in Europe and in the US, then you’ll need to comply with GDPR rules for your European subscribers and not for your American users.

• If you run a Shopify store out of Hong-Kong and sell items only in Asia, then you’re not affected.

If you’re not in one of the situations described above, then it’s good news: you don’t have to change anything.

If you are, we recommend you read on.

Do the Same GDPR Rules Apply in B2B and B2C?

What the Law Says

The GDPR concerns any processing of personal data. Period.

What It Means for You

In other words, the new law doesn’t distinguish between B2B and B2C.
Personal data is defined as “any information relating to an identified or identifiable natural person.” This can be a name, an email, a phone number, etc.
Business data such as business name or generic email addresses (such as [email protected]) cannot be considered as being personal data and are out of the GDPR scope.

Do I Need to Update My Email Popups?

What the Law Says

The GDPR not only changes the level of information you must provide to your visitors, it also changes the conditions to collect what lawyers call “consent” –the authorization to contact your subscribers by email.

The new law says that such consent must be clear, free, specific and unambiguous.

What It Means for You

The new law leaves marketers two options to collect a valid consent.

Strategy 1: Use Double Opt-In

A simple opt-in system, as long as it includes a checkbox, is enough to comply with the GDPR (see strategy 2).

But you can also use double opt-in to make sure the consent is valid. As a reminder,  this is how double opt-in works: after the user subscribes, he or she receives a double opt-in email to confirm his subscription.

The biggest advantage of using double opt-in is that it requires little, if no update of your existing popups. What’s also interesting for marketers is that it will store the consent of your subscriber –another requirement of the GDPR– right into your email marketing solution.
But to be valid, your double opt-in email must include the following details:

• The purpose of the email collection (for example: receive the weekly newsletter)

• A link to your privacy policy

• A reminder that users can be removed from your list whenever they want and request access to the data you store about them

This double opt-in must be configured directly in your email marketing solution.

Strategy 2: Use Checkboxes

You can also update your email popup.

More specifically, you should include:

• A clear explanation in the popup message of what kind of email the subscriber will receive once added to your list

• A checkbox that the user must check in order to submit the form, agreeing to your privacy policy (if you plan to send different kinds of content, you’ll need a separate checkbox for each)

• Links to your privacy policy

The checkboxes must not be pre-checked for the consent to be valid.

To demonstrate that your subscribers have given a valid consent, we recommend you keep your popup sample to prove that you complied with this rule in case you are audited.

To add a checkbox in Wisepops, click on your email field and open the “Terms” section. From there, you can add a consent text and a link to your privacy policy.

What About Lead Magnets in Popups?

What the Law Says

As a reminder, lead magnets are a marketing technique where subscriptions are incentivized with a freebie, often an e-book or a white paper.
The GDPR says that you can collect, process and use emails only for the purposes agreed by the subscribers.
This means that if the subscribers have given their consent to receive a specific document by providing their emails, you are not entitled to use such emails to send any other documents.
The law also says that the consent must be free. In other words, you can’t force a user into subscribing to your newsletter to receive a gift.

What It Means for You

You can still create lead magnets, but you have to adapt their copy.
If your popup says “Enter your email to receive our free ebook,” then you can only contact this user to send her the ebook.
If you want to add her to your newsletter list as well, you’ll have to pick a wording that’s more explicit, such as: “Enter your email to subscribe to our newsletter. As a welcome gift, you’ll receive our exclusive ebook.” The other advantage of this wording is that it doesn’t suggest that subscribing is mandatory to receive the gift.

Do I Need to Update My Privacy Policy?

What the Law Says

Wisepops acts as what the GDPR calls “a data processor” and processes the personal data of your newsletters’ subscribers under your control. This personal data includes email addresses, names, etc.
The GDPR requires that you inform your subscribers of the existence of the processing operation and its purposes. You should provide them with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed.
In particular, you should provide information related to any recipients to which personal data are disclosed.

What It Means for You

It is highly recommended that you update your privacy policy to include your data processors.
Here’s an example of what one of our customers included in their cookie policy:

Here’s our cookie info page.

Can I Still Keep My Emails Forever?

What the Law Says

According to the GDPR, every subscriber has the right to: (a) data portability, (b) request from you access to and rectification or erasure of his or her personal data, and (c) either restriction of or outright objection to processing.

What It Means for You

With respect to the right of access, upon request from a subscriber, you should provide a copy of his or her personal data that is undergoing processing.
The right to erasure, or the right “to be forgotten” is provided by article 17 of the GDPR. Under this right, subscribers can withdraw their consent. In this case, you will have to permanently remove all his personal data that you have in your possession and request the same from any associated data processors (including Wisepops).

What Should I Do with My Existing Emails? Are They Affected?

What the Law Says

The GDPR applies to all the emails you collected before the law came into force. In other words, all signups are involved, not just the ones that happen after May 25, 2018.

What It Means for You

If you didn’t apply the GDPR-like rules until now, you need to implement a re-permission program.
And there’s only one way to do it: send an email (how ironic!) to ask for permission to continue to send emails.
This email should include a clear call-to-action to let the subscriber confirm that she still wants to receive emails from you.

All the subscribers who don’t confirm that they want to receive emails from you should be deleted from your database.

Compliant? Not Compliant?

Let’s finish our review of these new rules with a few examples of popups.
We’ll assume that we’re a company that must respect the new GDPR rules.

The New-York Times Popup

Verdict: This popup is GDPR-compliant. Here’s why:

• The headline states the purpose of the email collection –Receive the morning briefing

• The consent checkbox is unchecked

• The consent text details what the subscriber will receive

• The popup includes a link to the NYT’s privacy policy

Pull & Bear’s Popup

Verdict: The popup is compliant because:

• The copy explains what the subscriber will receive (newsletter + coupon)

• It includes a consent checkbox

• It includes a link to the privacy policy

The consent checkbox could be improved by including a confirmation that the user has read the privacy policy and that he accepts to receive the newsletter. Ideally, we would replace “I accept the privacy policy” with “I’ve read the privacy policy and I confirm I want to receive the newsletter.”

Feeds’ Popup

Verdict: The popup is not compliant. The popup is missing a consent checkbox and a link to the privacy policy. This popup would be acceptable if double opt-in is activated.

Practical Ecommerce’s Popup

Verdict: The popup is not compliant. It’s missing a consent checkbox and a link to the privacy policy. The free e-book should be mentioned as a welcome gift as well. This popup will be acceptable if double opt-in is activated.

Wrap-Up: Your Popup GDPR Checklist

Ready to apply our recommendations? Here’s your checklist:

• Add a consent checkbox to your popups or activate double opt-in in your email marketing solution to collect a valid consent

• If you’re using lead magnets, update them to comply with the new regulation

• Include  your data processors (including Wisepops, if you’re a client) in your privacy policy

• If you were not collecting a GDPR-compliant consent before now, send a re-permission email