U.S. marketers who work for small businesses or agencies tend to have one of two reactions when someone brings up the GDP and its looming implementation date of May 25,

  1. “What the heck is a GDPR?”
  2. “Whew…I’m sure glad I’m not a marketer in the EU!”

The reality is that both responses show a lack of understanding that can put you and your company at serious risk. If you think there’s no way the GDPR regulation could affect you, ask yourself these questions:

  • Do any of the email addresses in your database end in .uk or .eu?
  • Can your website be accessed from the EU or the UK?
  • Have you ever shipped a product to someone in the EU?
  • Do you employ any EU citizens (even if they’re currently living in the U.S.)?
  • Do you have a server in the EU?
  • Do you work with any third-party vendors or processors located in the EU?

Even if you have no physical presence in the EU, you’re affected if you employ, sell to, or market to EU citizens or residents (such as a U.S. citizen currently residing in the EU).

If you think there’s even the smallest possibility that the answer to any of those questions could be “yes,” ask yourself about these common marketing “best practices”:

  • Do you use gated content to build your marketing email list? In other words, do you send promotional materials to people who gave you their email address to gain access to a white paper or ebook?
  • Do you collect more information than you need to complete business transactions so that you’ll have it “just in case”?
  • Does your website use cookies?
  • Do you buy email lists from third parties or sell your email lists?
  • Has personal data on customers ever been sent via email from one employee to another, or to a third-party vendor?
  • Could customer data be sitting on unused computers?
  • Do you have paper records containing personal data?

Hopefully, it’s now clear that the only safe response to a mention of the GDPR is, “What do I need to know?” So let’s talk about that.

What is the GDPR?

GDPR stands for the General Data Protection Regulation, an EU law that goes into effect on May 25, 2018. It’s intended to make it clear that EU citizens have ownership rights to their personal data. They have the right to know how it will be used, to request that it be deleted, to correct incorrect information, etc.

There are many steps businesses have to take to comply with GDPR requirements. Ideally, GDPR compliance should be addressed globally and incorporated into all of an organization’s business processes. But, if that’s not already well underway, it’s unlikely to happen by May 25.

The good news is that, while it may not be ideal, there are things individual functional areas can do on their own. Developers, for example, can come up with a method for deleting all data associated with a particular user ID. And they can create a notification that alerts user to their website’s use of cookies and explains exactly what those cookies do.

In this article, however, we’re going to focus on how the GDPR will affect marketers.

What does the GDPR mean for marketers?

While the GDPR is not the marketing doomsday some have claimed it will be, it does mean that businesses will have to take a closer look at a number of practices that fall under the umbrella of “But that’s how we’ve always done it…”

The main way the GDPR will impact marketers is in regards to the notion of “consent.” Businesses will have to make it crystal clear how personal data will be used, and consumers must give explicit consent for each type of use.

What does that mean in real life? Here are a few examples:

  • Email lists: It’s long been common practice to add every consumer email address to your mailing list, regardless of why it was provided. Under the GDPR, that’s no longer legal. So if a consumer provides an email address to gain access to a white paper or ebook, for example, that address can’t be used for any other reason. You can only send marketing emails to consumers who have given explicit consent to receive them.
  • Opt-in vs. opt-out: Another common marketing practice is to make opting into marketing communications the default so that consumers only have to take action if they want to opt out. That will no longer be legal under the GDPR; consumers must take action to opt in.
  • Existing data: The GDPR has no grandfather clause, meaning that personal data you already have isn’t exempt. That may present a huge challenge for market segmentation because you’ll need to either delete your existing data and start over or get new consent for each specific use case.

So…what’s a marketer to do?

There’s not a single “right” answer to this question; it’s really a matter of deciding how much risk your company is willing to absorb. Here are some things to consider:

  • Is it worth it? If you’re a small business with only a few contacts in the EU, it might make more sense to delete their data and stop doing business with them than to take all the steps necessary to achieve compliance.
  • What is the value of the data you collect? The more data you collect and store, the more risk you assume. Instead of collecting as much data as possible, collect only the data that adds enough value to outweigh the associated risk.
  • What do your popups and opt-in forms say? Any popup or form that asks for personal information must clearly explain how the data will be used. If you’ve been using pre-checked forms, toss them out. If you’ve been using general consent or unclear language, rewrite it.

The one thing you shouldn’t do is cross your fingers and hope you can fly under the radar. The fines are nothing to play around with: 20 million Euros or 4% of global annual revenue, whichever is larger.


There’s a lot more to the GDPR than what I’ve covered here. As I mentioned, it’s best addressed universally, starting in the C-suite. It’s also important to consider the long-term view, which is that this law will have the overall effect of improving the quality of content because marketers will have to earn the right to a spot in a consumer’s inbox.

My purpose for this article, however, was to give a gentle tap on the shoulder to marketers who either have not heard of the GDPR or who have assumed that they’re in the clear because they’re in the U.S. rather than the EU.