First things first: Explicit, informed consent is good for humans, in every context. This is important grounding. Yes means yes, and anything else means no. Adopt it, live it, embrace it.

Over time, we as marketers and revenue drivers have relied on tactics that err on the side of implicit consent -- meaning, if you didn't say no, we're going to assume yes. This goes for elements such as pre-selecting that opt-in checkbox for signing up for email updates; not requiring your audience to read your privacy policy; and assuming your audience understands how you're going to use and release their data.

The reasons that growth marketers do this aren't inherently malicious (don't tell me if you know otherwise). We want to be able to stay in touch with consumers, and we want to drive people to take the actions that we consider helpful to that goal. This is digital marketing 101. We're also not as informed as we should be about who qualifies as a third party and what their data practices are. 

What the data tells us in the last several years is that consumers don't like this process of being auto-opted in. And now, we have to do something about that with the rise of laws like the EU's General Data Protection Regulation (GDPR) legislation, which went into enforcement in 2018.

The principles behind GDPR are guiding much of the regulation that U.S. states are adopting now. Even if you don't live in or serve constituents in the states that are adopting these policies, you need to keep in mind that the tools you rely upon to do business DO have to comply. As they make changes to their audience data collection policies, that will have a trickle-down impact on you.

The GDPR requires consent to be opt-in. And the burden of proof is on you to prove that people found their way onto your file because they opted in. GDPR states specifically that: “Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

All of this means that making your intent clear to audiences and ensuring they have options to agree or not agree is critical.

So what's next?

Update your form collection processes

Forms should follow this set of standards:

• Include a privacy statement that explains why you’re asking for your audience's details; what you’re going to do with that information; and that they can withdraw consent at any time.
• Add an opt-in option, such as an unticked checkbox or a disabled toggle switch to get user consent to collect data. You can't pre-check the opt-in box for your audience.
• Preferably, add a link to the Privacy Policy for further information.
• Ensure you have obtained the necessary rights and permissions and a lawful basis, including any necessary consents, before you share any information with a third party.

Luckily, there's no requirement under GDPR to have a double opt-in process where audiences verify that they opted into your communication a second time. This process is known to be a best practice in the EU, but also drops email opt-in rates significantly. 

Know your third parties

A good rule of thumb: If a vendor or tool or service doesn't live under your organization or company, it's a third party.

So, each time you do something that seems simple -- like uploading an email list to Facebook for the purposes of ad serving -- that's data sharing with a third party. If you use Google Analytics on your site, you're data sharing with a third party. And the responsibility to relay to your audience that you're doing that lies with you. If you can't prove that people who joined your email list -- or were opted into it -- did so understanding those terms, you don't have a consented email file. (Let's talk about how to fix this before your lawyer(s) make you.)

You'll also want to closely examine from whom you’re buying mailing lists. In most cases, you can’t be sure whether those email addresses were collected with the users’ consent, so you'll need to validate with your vendors that they've followed lawful practice. If an acquisition vendor suggests that you need to update your privacy to comply with how they collect audience data, that should be considered a yellow flag. Closely examine whether the suggestions they're making follow the standards of unambiguously communicating to audiences how their data will be used.

Follow CAN–SPAM regulations

Users should be able to opt out of emails at any time. To do this, the user has to be able to click on an unsubscribe link found in your emails, and it should take them to a page where they may easily unsubscribe without any difficulty. 

Full CAN-SPAM rules can be found at this link.

Examples of compliant audience collection forms

 Communication opt-ins by channel

Gated content/lead magnet form

Newsletter opt-in form

Next Steps

This is a lot to understand on your own. I can help you get the lay of the land and know how to adjust. Let's talk.