What if you woke up one day to a world that no longer made sense? A world where something that you’ve held as rock-solid truth suddenly…isn’t?

That’s how a lot of content marketers are going to feel after the EU’s General Data Protection Regulation (GDPR) goes into effect and everyone starts to realize just what the law means for one of the most time-honored best practices of content marketing: Using content downloads for growing your email list.

Because the May 25 implementation date is coming up soon, I’ve been watching online discussions. There’s been plenty of talk about the law’s impacts (some accurate, some not so much). But I’ve seen next to nothing about what it means for growing your email list in a GDPR world. In fact, it’s quite the opposite: A lot of content marketing gurus are still talking about list-building activities as if there were no such thing as the GDPR.

Straight talk about email lists…

It’s not hard to understand why content marketing gurus put so much value on email lists: Email marketing has an ROI of around 3800%. That means that, for every dollar you invest in your email marketing, you’ll see an average return of $38.

So growing your email list is a big deal. And, for years now, one of the tried-and-true tactics for doing so is offering gated content and/or content upgrades. Visitors enter their email address and download the content, and you’ve got another lead for your marketing emails.

Everybody’s happy, right?

Well, maybe not. Not anymore, anyway.

Growing your email list in a GDPR world

content marketing GDPR

The EU’s General Data Protection Regulation, which goes into effect May 25, 2018, throws a big kink in the works for brands that have been using this list-building tactic. You can still do it, but the rules are changing.

You and your company need to make an informed decision — and the sooner, the better — about whether you still want to use content downloads to build your subscriber list. If you choose to continue, you’ll most likely need to make some changes in the way you do it.

And you’ll definitely want to proceed with caution.

The first thing to understand is that the GDPR’s requirements aren’t geographically limited to the EU. It’s based on the EU residency of the individual, not the location of the company that collects or processes the data. So an American company collecting or processing the data of an American residing in the EU would be bound by the law. In theory, it would also apply to an American company collecting or processing the data of an EU citizen living in the U.S., because that individual could return to the EU — and therefore qualify for the law’s protections — at any time. And you might never know.

In other words, this is huge. And nobody seems to be talking about it.

I think the reason is that most people don’t understand what all of the law’s implications are yet. So I talked to Digital Governance Consultant Kristina Podnar (no relation) about how to grow your email list in a post-GDPR world.


Let’s start with a brief overview of what the GDPR is, just in case someone may have seen the term filling up their news feeds but hasn’t had time to dig into it yet.


Kristina Podnar Digital Governance Consultant

The GDPR is very complex, so I don’t want to mislead anyone by oversimplifying it. In essence, though, the GDPR is an EU law that unequivocally answers the question of who consumer data belongs to: It belongs to the consumer, not the businesses that collect and store it. And only the consumer can give consent for how the companies they do business with may use that data.


I know from our previous conversations that the law covers just about every imaginable aspect of consumer data. But let’s get specific. What does it mean for the practice of using content downloads to collect email addresses?


This one has some subtleties in it that seem to be confusing a lot of people.

content download

The law says that consent has to be freely given, specific, informed, and unambiguous. That has several implications, but one of them is that you can’t take personal data you collect for one purpose and use it for another purpose without getting separate consent.

That’s the change that’s going to hit marketers the hardest. The standard practice for years has been that, when you collect a consumer’s email for a content download, you’d automatically add that address to your email list or CRM platform.

You can’t do that under the GDPR. Once you’ve sent the link to download the content, that email address reverts back to private customer data that you have no right to use for anything else unless you obtain explicit consent. And you have to get separate consent for each purpose.

There’s an exception for cases where there is a legitimate reason for a business to use the data, but it’s pretty narrow. If a customer purchases a product, for example, you may need the customer’s name, phone number, and home address for shipping purposes. But that doesn’t mean you can start sending catalogs to the address.


Can marketers just change their notifications to say something like, “By downloading this content, I agree to receive promotional emails from you”?


No, not exactly. This is another tricky area. Governments can’t force businesses to give content away to anybody who stumbles across their website. So businesses are within their rights to ask for information like your name, phone number, and email before they grant access to a content download.

BUT — and this is really important to understand — those companies can’t do anything with that data without the consumer’s explicit consent.

You can have a popup that requires consumers to enter personal data before granting them access to content downloads. And you can have a statement on there that asks consumers to check a box if they consent to receiving promotional emails, newsletters, etc. But consumers can say “yes” to the download and “no” to receiving additional communications. If that happens, the consumer still gets the content download, and the company is now carrying additional risk and liability for data they can’t do anything with. I would struggle to come up with a situation in which that would make sense.


That’s a huge change to something that’s been standard practice for a long time. What should marketers do?


Marketers need to look at the situation in terms of the company’s overall business strategy as well as their tolerance for taking on risk. Here’s what I mean by that:

  • A small US company might choose to continue business as usual and hope they don’t get caught. I’d urge them to have a very frank conversation with their legal counsel first, of course, but it is a feasible option, since a lot of people who have studied the legislation don’t think the EU is going to start tracking down small businesses in other countries the minute the law goes into effect.
  • Another company with less of a tolerance for risk might decide to completely stop doing business with EU residents. The reality could be that the revenue generated from their EU customers is less than the cost of bringing their practices into GDPR compliance. Verve is a great example. They entered the EU market two years ago, but now they’re shutting down all operations there. While the GDPR isn’t the only reason, CMO Julie Bernard confirmed that it played a large part in the decision. Another company, Drawbridge, is shutting down its EU ad business rather than deal with the compliance issues.
  • Some may decide to completely stop offering content upgrades and gated content.
  • Others may continue using them in the interest of establishing authority and thought leadership but no longer add emails collected for that purpose to their subscriber list.

And, as we mentioned, some may rewrite their download popups to include a request for consent to send the user promotional materials. It all comes back to weighing both the risks and the opportunities associated with collecting and storing that data.


What about all of the email addresses they already have?


There’s no grandfather clause to the GDPR. If the emails they already have were obtained using consent that doesn’t meet GDPR standards, they’ll have to correct that. One option is to launch a re-consent campaign, explaining what you had to change to meet GDPR requirements and asking subscribers to renew consent.

Other companies, however, may decide to delete the email addresses they already have and start over from scratch. Or some may search their databases for emails ending in country-code domain names like .eu, .de, .fr, etc. There’s no guarantee that you’d delete all EU residents with that approach, but it’s one option. And it does, at least, demonstrate a good-faith effort at compliance.


What else do you think marketers should know about the GDPR’s effects on building their email lists?


I think that, once the law’s implications start sinking in, a lot of marketers are going to feel as if a fundamental truth — like the force of gravity, or the sun rising in the east — has just been invalidated. For years, content marketing thought leaders have been telling everybody to do this, and now the GDPR is saying, “Not so fast.”

content marketing gdpr

But, while that’s a natural reaction to change, I encourage marketers not to get caught up in the gloom and doom. The transition phase may be challenging, but the end result will be an email list that includes only those people who want to hear from you. You’ll be able to better optimize your messaging for that audience, and your click-through rates and ROI should improve significantly. And the internet as a whole will gradually get better, as businesses have to compete for the right to show up in consumers’ inboxes. If you don’t produce content that consumers value, you’re not going to get consent.

Conclusion: List-building, content upgrades, and the GDPR

For years, we’ve been told that using content upgrades was the best way to grow our email lists and that growing those lists was the best way to build our businesses. Now…not so much.

Feel kind of like your dentist just told you that brushing your teeth causes cavities?

content marketing gdpr

Or that lettuce has more calories than ice cream? (Don’t I wish!)

One of the primary rules of content marketing just changed, so go ahead take some time to adjust. Have a glass of wine. (Or some of that ice cream.) Go for a run (maybe to your yoga class?).

Then get back on track and start thinking about how you can use these new rules as the motivation for creating content that’s so valuable your readers will be eager to click on that “Consent” button. Because, in the end, that’s what the GDPR — kind of like those constant Google algorithm changes — is intended to do: deliver a better content experience for everyone.

Originally published at Patti Podnar Content Marketing