Managing Follows, Opt-ins, and Emails Under GDPR


Influencer Marketing and GDPR

In just a few days, the European Union is set to roll out the General Data Protection Regulation (GDPR), a law designed to protect the personal data of EU citizens, and enable them to retain control over what happens to their personal information when it gets in the hands of well… merchants and marketers. That’s not all it covers, but for our purposes, that’s what matters.

GDPR makes it plain that regardless of who you are or where you happen to live and work, if any aspect of your day-to-day existence puts you in contact with the personal data of an EU citizen, GDPR applies to you.

In my last post on GDPR (which you can read here), I provided you with a comprehensive overview of the law itself. If you’re like me, the better you began to understand GDPR, the more questions arose in your mind.

Well, what about email lists?

What about databases? Do I have to put a time limit on how long prospects stay on my list?

Do I need to get permission a second time if I didn’t use a double opt-in the first time?

Data portability? Wha…???

For the sake of convenience, I will recap the finer points of GDPR here before moving on to how it will impact influencer marketing, direct marketing, email marketing, and the sales cycle.

The 5 Big Takeaways of GDPR

The EU General Data Protection Regulation is designed to make sure the data that organizations collect from EU citizens is kept private and properly protected.


A data controller is the person or entity collecting personal data and determining how to use it. A data processor hangs on to the data after it’s been collected and uses it as the data controller sees fit.

Interestingly, GDPR also requires ALL marketers to have a Data Protection Officer, someone who is knowledgeable about data protection and who will take responsibility for data management. No, you don’t have to hire someone new. Sole providers may be their own DPO, but someone on your team needs to be on record as the person to contact with GDPR-related issues.


Data controllers must be able to document when, where, and how an EU citizen gave permission for you to collect and use their data.


EU citizens (also called data subjects) retain the right to control how their information is used. Consent can be revoked, and objections can be made by the data subject. The data controller must respond to any change requests, modify, or remove a person’s information quickly, and without financial cost to the data subject.


Data must be portable, meaning data subjects have the right to view every piece of data you have on them and transfer their personal data from the data controller’s database in a format that is usable for the data subject.


Data controllers are responsible for informing local EU authorities of any data breaches that happen within the controller’s database OR within their processor’s database within 72 hours of learning of the breach. Data subjects affected by the breach must also be informed shortly thereafter.

Why GDPR is a Game Changer for Influencer Marketing

The power of social media is that people can find and engage with like-minded individuals from all over the world using topic-related hashtags that are NOT location specific. For marketers, that means the right influencer can give you immediate access to a group of people that you know are interested in what you are promoting, which can expedite a prospect’s move through your sales funnel. Under GDPR, before a marketer can engage further with a prospect (or officially put someone in their funnel), the marketer still needs to get explicit, documented permission from any prospects who happen to be citizens of the EU.

Under Article 6 of GDPR, there are six – and only six – reasons to process the data of an EU citizen.

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

As a marketer, your strongest position is to go with Reason #1 by getting explicit, willful permission from the EU citizen to collect their data.

Reason #6 also applies to marketers, but do not get it confused. Legitimate interest is the prospect’s documented interest in your content, goods, and services, not the other way around. So, legitimate interest is not a government-issued permission to cold-email people you think may be interested in your content or products. In fact, it is best applied to your right to continue emailing people who have already opted in to your list without any previous attempts to unsubscribe.

As a matter of practice, GDPR requires data collectors and data processors to enact data protection by design and by default.

Isn’t a follow a type of permission? Yes, it is permission, but no it’s not the same as explicit consent to drop down into your sales and marketing funnel. A social media follow is one user giving consent to the platform for the platform to show the user your content. It is not consent for you to necessarily send them on a sales journey.

Followers are people who have agreed to be shown the content you create for that specific social media platform. But that is the extent of the permission. It is not permission for you to gather more information from them, or to contact them via email or instant message. Even if they don’t mind you marketing to them, if the person you’re targeting is an EU citizen, your contact with them needs to follow the rules of the General Data Protection Regulation. 


The caveat in this whole thing is that marketers need to make positive opt-ins the foundation of targeted digital marketing. A positive opt-in is one in which your prospect has given YOU explicit and willful permission to contact him or her at a later date. There are four key elements of a positive opt-in:

  1. A prospect, subscriber, or follower must manually provide their information to you.
  2. A prospect, subscriber, or follower must manually check any boxes on your opt-in form indicating they want to receive information from you – the box cannot be pre-checked.
  3. A prospect, subscriber, or follower must confirm the subscription, probably via a double opt-in email; this confirmation is how you will get a record of their consent.
  4. The opt-in cannot be compulsory, meaning it cannot be a situation where there’s verbiage somewhere that says something like: “By joining this Facebook group, you agree to also receive a subscription to our newsletter.”

For these reasons, a social media follow is not (and cannot be) considered consent for future marketing on another platform. GDPR requires you to get permission from an EU citizen specifically for marketing. People can no longer default to being in your funnel just because you happen across their information, or are in the same group, or they follow your brand on Instagram. Converting a follower into a subscriber requires the subscriber to know and agree to that conversion.

GDPR-Compliant Email Marketing


Another important part of converting followers to subscribers, or getting them into your funnel is your EU subscribers now have to know exactly what they are agreeing to when they subscribe. Lead magnets are an industry standard – the free assessment, the free ebook, the free worksheet, the free webinar. But prospects must also know what you have planned for them after the lead magnet.

Now, this isn’t the metaphorical spot where the villain captures the hero and reveals his diabolical plan just before the hero breaks free in time to stop the plan. It’s much more laid back than that. This is more like:

“We’re going to comb the web for the best in biohacking, and dump all that goodness into your inbox every single Sunday night. Without fail. Rain or shine. Super Bowl or Grammy’s. And all you have to do is let us know who you are and how to find you. To do that, complete the form below.”

Or something much simpler, like this neat little CTA bar for the Hustler’s Digest on the homepage of

Opt-In form of The Hustler's Digest

Notice how the button is easy to see. There are no tricky boxes pre-checked. The summary statement of what the subscriber will get and how often he or she can expect to get it is detailed right above the form. Simple stuff.

Suppression Lists

Subscribers have the right to be forgotten, which I discussed a bit in the previous post on GDPR. Brands and marketers need to have a way to ensure that when a subscriber chooses to stop getting emails from you – either partially or altogether – he or she gets removed from whatever list they were on, and that they don’t get emails related to that list ever again.

Few things in digital marketing irk me more than going through the hassle of unsubscribing from someone’s list only to continue getting daily emails from them.

A suppression list is your list of ex-subscribers who have unsubscribed. They were previously on one or more of your lists, but took steps to opt out. Having a suppression list will help prevent accidental correspondence in the future.
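The four elements of a positive opt-in above, the consent evidence a controller has to keep (when, where, and how permission was given), and the suppression list fit together as one small piece of bookkeeping. The following is an added illustration, not code from the original post or from any mailing platform: a consent ledger that rejects pre-checked or bundled sign-ups, issues a double opt-in token, records the confirmation timestamp as the evidence of consent, and refuses to send to anything on the suppression list. Every name, address and form field in it is an assumption made for the example.

```python
"""Consent ledger: positive opt-in + double opt-in + suppression list.

Added example, not the post's code. Class and field names are invented for
the illustration; the sample addresses used in the usage block are constructed.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class ConsentRecord:
    email: str
    source: str                 # WHERE consent was given, e.g. "homepage-cta"
    purpose: str                # WHAT they agreed to, e.g. "weekly-newsletter"
    requested_at: datetime      # WHEN the form was submitted
    confirmed_at: Optional[datetime] = None   # WHEN the double opt-in link was clicked


class ConsentLedger:
    def __init__(self) -> None:
        self._pending: Dict[str, ConsentRecord] = {}    # token -> unconfirmed record
        self._confirmed: Dict[str, ConsentRecord] = {}  # email -> confirmed record
        self._suppressed: Set[str] = set()              # the suppression list

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def request_subscription(self, email: str, source: str, purpose: str, *,
                             box_checked: bool, box_prechecked: bool,
                             bundled_with: Optional[str] = None) -> str:
        """Elements 1, 2 and 4: the person typed their own address, ticked the
        box themselves (never pre-checked), and the opt-in was not bundled
        with some other action. Returns the token for the confirmation e-mail."""
        if box_prechecked:
            raise ValueError("opt-in box must not be pre-checked")
        if not box_checked:
            raise ValueError("subscriber did not tick the opt-in box")
        if bundled_with is not None:
            raise ValueError(f"opt-in must not be a condition of '{bundled_with}'")
        rec = ConsentRecord(self._norm(email), source, purpose, datetime.now(timezone.utc))
        token = secrets.token_urlsafe(24)   # unguessable; goes into the confirmation link
        self._pending[token] = rec
        return token

    def confirm(self, token: str) -> bool:
        """Element 3: the double opt-in click. The timestamped record is the
        evidence of consent. A previously unsubscribed address comes off the
        suppression list only here, never on a bare form submission."""
        rec = self._pending.pop(token, None)
        if rec is None:
            return False
        rec.confirmed_at = datetime.now(timezone.utc)
        self._confirmed[rec.email] = rec
        self._suppressed.discard(rec.email)
        return True

    def unsubscribe(self, email: str) -> None:
        """Move the address to the suppression list and drop its active consent."""
        email = self._norm(email)
        self._confirmed.pop(email, None)
        self._suppressed.add(email)

    def may_send(self, email: str, purpose: str) -> bool:
        """Gate every send: suppressed addresses never get mail, and consent
        only covers the purpose it was given for."""
        email = self._norm(email)
        if email in self._suppressed:
            return False
        rec = self._confirmed.get(email)
        return rec is not None and rec.confirmed_at is not None and rec.purpose == purpose

    def evidence(self, email: str) -> Optional[dict]:
        """The when/where/how record a controller must be able to produce."""
        rec = self._confirmed.get(self._norm(email))
        if rec is None:
            return None
        return {"source": rec.source, "purpose": rec.purpose,
                "requested_at": rec.requested_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat()}

    def suppressed(self) -> FrozenSet[str]:
        return frozenset(self._suppressed)


if __name__ == "__main__":
    ledger = ConsentLedger()
    tok = ledger.request_subscription("Alice@Example.com", "homepage-cta",
                                      "weekly-newsletter", box_checked=True, box_prechecked=False)
    print("before confirm:", ledger.may_send("alice@example.com", "weekly-newsletter"))
    ledger.confirm(tok)
    print("after confirm:", ledger.may_send("alice@example.com", "weekly-newsletter"))
    print("evidence:", ledger.evidence("alice@example.com"))
    ledger.unsubscribe("alice@example.com")
    print("after unsubscribe:", ledger.may_send("alice@example.com", "weekly-newsletter"))
```

Two design points worth noting: consent is scoped to a purpose, so a newsletter opt-in does not authorize a product-launch blast, and the suppression list is consulted at send time rather than only at list-management time, which is what prevents the "still getting daily emails after unsubscribing" failure the post complains about.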

Existing Subscribers

One bit of good news is that you do not have to re-qualify your existing EU-based subscribers. Your existing relationship and their engagement as members of your list falls under legitimate interest.

A Buyer’s Right to Be Forgotten

Say goodbye to your fattened database of old contacts that used to do business with you. Article 17 of the GDPR covers the Right to Erasure (right to be forgotten). In addition to your subscriber having the right to unsubscribe from your list and be completely removed from your database, GDPR also has a built-in “necessity” factor, which can make remarketing a little tougher. The regulation states:

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;”

The GDPR requires brands to tell data subjects what they can expect to receive via email. Article 17 goes on to say that once that task is fulfilled (i.e. the person has received your digital book or 30-day email course, or whatever promise you made), you should delete the buyer’s personal information from your database. That means regularly purging actual buyers from your list, OR having them opt in to your newsletter separately after the purchase.

Why not during the purchase? Well, to make sure the newsletter subscription and the purchase decision remain separate, so it doesn’t look like you roped someone into an ongoing relationship when they were only trying to buy your lipstick.
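The "no longer necessary for the purpose it was collected for" ground is easiest to honour when every stored record carries the purpose it was collected for and the date that purpose was fulfilled. The following is an added illustration, not the post's code or any vendor's: a purge routine that erases fulfilled-purpose rows after a grace period and leaves alone only rows backed by a separate, ongoing consent (the post's "opt in to the newsletter separately after the purchase"), plus a handler for an Article 17 request that drops everything for one person. The 30-day grace period, the purpose names and the sample rows are all constructed for the example.

```python
"""Purpose-bound retention and right-to-erasure handling.

Added example, not the post's code. Field names, purposes and sample rows are
constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class PersonalDataRow:
    email: str
    purpose: str                          # why it was collected: "order", "30-day-course", "newsletter"
    collected_at: datetime
    fulfilled_at: Optional[datetime] = None   # when the promise was delivered (shipped, course ended)
    ongoing_consent: bool = False         # a separate, explicit opt-in to something ongoing


def purge_fulfilled(rows: List[PersonalDataRow], now: datetime,
                    grace: timedelta = timedelta(days=30)) -> Tuple[List[PersonalDataRow], List[PersonalDataRow]]:
    """Return (kept, erased). A row is erased once its purpose has been
    fulfilled and the grace period (assumed 30 days, e.g. a returns window)
    has passed. Rows the controller must keep for a legal obligation (the
    page's Reason #3) would need an exemption that is deliberately left out here."""
    kept: List[PersonalDataRow] = []
    erased: List[PersonalDataRow] = []
    for row in rows:
        if row.ongoing_consent:
            kept.append(row)              # newsletter-style consent is its own purpose
        elif row.fulfilled_at is not None and now - row.fulfilled_at >= grace:
            erased.append(row)            # purpose done: data no longer necessary
        else:
            kept.append(row)              # still in flight, or inside the grace window
    return kept, erased


def erase_on_request(rows: List[PersonalDataRow], email: str) -> Tuple[List[PersonalDataRow], int]:
    """Article 17 request: remove every row about the data subject, whatever
    its purpose, and report how many were erased for the request log."""
    target = email.strip().lower()
    kept = [row for row in rows if row.email.lower() != target]
    return kept, len(rows) - len(kept)


def sample_rows(now: datetime) -> List[PersonalDataRow]:
    """Constructed sample data for the demonstration."""
    day = timedelta(days=1)
    return [
        PersonalDataRow("alice@example.com", "order", now - 90 * day, fulfilled_at=now - 60 * day),
        PersonalDataRow("bob@example.com", "order", now - 10 * day, fulfilled_at=now - 5 * day),
        PersonalDataRow("carol@example.com", "newsletter", now - 200 * day, ongoing_consent=True),
        PersonalDataRow("dave@example.com", "30-day-course", now - 12 * day),
        PersonalDataRow("carol@example.com", "order", now - 40 * day, fulfilled_at=now - 35 * day),
    ]


if __name__ == "__main__":
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    kept, erased = purge_fulfilled(sample_rows(now), now)
    print("erased:", [r.email + "/" + r.purpose for r in erased])
    print("kept:", [r.email + "/" + r.purpose for r in kept])
    remaining, count = erase_on_request(kept, "Carol@Example.com")
    print("erasure request removed", count, "rows;", len(remaining), "remain")
```

The purge is run on a schedule, while the request handler runs on demand; keeping them separate makes it clear that the scheduled purge honours the "necessity" ground and the handler honours the subject's explicit right, and that an ongoing newsletter consent does not shield a person's other records from an erasure request.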

Data Protection By Design and Default

I want to conclude with this: Every element of GDPR that I’ve talked about thus far has been in an effort to support Article 25 – Data Protection by Design and Default.

Data protection by design and default means taking an accurate assessment of what information you need, why you need it, and the length of time for which it is needed BEFORE collecting personal data. It means that even before the very first interaction, you have procedures in place to protect your subscribers’, followers’ and prospects’ personal information.

Data controllers must be able to demonstrate that at every instance of data processing you are actively adhering to this core principle of data protection by design and default. Data controllers must implement technical and organizational measures that ensure personal data is protected during collection and processing activities. Not doing so can trigger those hefty non-compliance fines I talked about in the first post.

So, you must ask yourself and your team the question: “Is there a less intrusive way for us to accomplish this?” And then, “How do we keep this person’s data private and secure?”

That end is what the General Data Protection Regulation seeks to accomplish.

*    *    *    *    *


On behalf of the fine folks here at TheShelf.com, it must be said that we are not lawyers. Please do not consider this post legal advice. If you are dealing with GDPR issues, or joining the rest of the digital world in the mad scramble to become GDPR compliant, you should seek appropriate legal counsel to assist you. Also, while GDPR has far-reaching impacts the world over, this particular post is geared toward our North American readers.

Influencer marketing is super-effective...

But running a campaign in-house can get a little INSANE!

Planning, strategy, wooing influencers, shipping products, monitoring campaigns… it's a lot for any team to handle. If you want to work with influencers but you don't have the amount of fairy dust it'll take to get an extra 3 hours inserted into every day, call us.

We dream up and roll out fully-managed influencer campaigns that are creative, memorable, and hit all the important KPIs (seriously, we're all about that ROI).

Ready for a little marketing magic? ✨ Then you'll want to talk with one of our strategists!

Schedule a Strategy Call
