Transcript: GDPR for Entrepreneurs: What You Need to Know with Bobby Klinck

April 30, 2018



AMY PORTERFIELD: Hey there, Amy Porterfield here. Welcome to a bonus episode of The Online Marketing Made Easy Podcast. This episode is all about the GDPR. 

GDPR stands for the General Data Protection Regulation. It’s a privacy law from the European Union that goes into effect May 25, 2018. 

I’m recording this about a month in advance of that deadline because, as online entrepreneurs who attract an audience to our website and from there build our email list, we have to pay attention to the GDPR. 

If I had it my way this regulation would go away today. It’s a pain in the butt, to be quite honest. However, we do have to pay attention so I decided I would find a really educated voyeur who knows all about the GDPR. 

I was going to find someone who can break it down in layman’s terms so we all understand what we need to do now before the deadline and what we need to do moving forward as we collect data on our website and build up our email lists.

I found just the perfect person to break it down for us. His name is Bobby Klinck. Isn’t that just a great name? 

Bobby Klinck is an intellectual property attorney but he’s not your typical lawyer. Sure, he went to Harvard Law School and he worked at some of the most prestigious firms in the country but if you look at the big whiteboard in his office you won’t see much about the law. 

His whiteboard is filled with tasks related to platform building, inbound marketing, and sales funnels. Bobby is a full-fledged online entrepreneur whose area of expertise is the law. 

He helps other online entrepreneurs safeguard their online businesses. I first met Bobby inside of my Insider’s Club. He is a student of List-Builder’s Lab. How perfect for the GDPR! He’s also one of my B-School bonus members. 

He was one of the very few gentlemen that joined and, let me tell you, I always say, “Men that join B-School are the smartest men out there.” They always get extra attention in my groups because there are very few men. 

He has also really made it his mission to support my B-School bonus members to understand, not just GDPR, but everything you need to understand as an entrepreneur as it relates to protecting yourself and your community online. 

I won’t make you wait any longer. We are going to bring Bobby on and we’re treating this as a mini workshop. When you’re done listening to this episode you are going to understand what GDPR is all about, how it affects you as an online marketer, what you need to do now with your website and your list-building efforts to get ready for the deadline, and what you need to do moving forward so that you are GDPR compliant. 

It’s not as bad as it sounds. However, you do need to understand it and take some action right away. I’m taking action inside of my own business. I’ll be sharing my journey with you. But this is the start of it. Let’s get educated on what it’s all about. 

Let’s dive in! 

AMY: Bobby, thank you so very much for coming on the show. I’m so excited to have you here today. 

BOBBY: Thanks for having me, Amy. I’m excited to talk about this subject and to help your listeners and students really understand what they need to know about the GDPR. 

AMY: It’s time to dive into it. But, before we get there, tell me a little bit about you and your background. 

BOBBY: I’d love to. Amy, I started as a really normal lawyer who knew nothing about business. When I launched my law firm four or five years ago my idea of marketing was to talk to other lawyers, write articles for other lawyers, and network for other lawyers. 

I kind of missed the part about how you should be talking to your clients. I slowly but surely transitioned and nowadays I really spend all of my time working with entrepreneurs and trying to help them understand the issues that affect them, especially in the online entrepreneurship space. 

I help them understand how it’s just a little bit different and that there are all of these different rules that we have to live by than a brick and mortar business does. 

AMY: For sure. I love your mix. I know I said this in the intro but I love your mix of being an entrepreneur and having a legal background and really understanding what online entrepreneurs need to do to protect ourselves. 

You are the perfect person to have this conversation with. Are you ready to dive in? 

BOBBY: I am ready although let’s not say we’re excited but we’re ready to talk about this. 

AMY: I know, we shouldn’t lie. Right? I shouldn’t be saying “excited.” I’m excited to finally get the facts and put it out to my audience but I do not love this topic and I’ve been very honest about that. It’s not my favorite but we’ve got to do it. We’re an adult team today. We’ve got to dive into it. 

BOBBY: Yep, good idea. 

AMY: Okay, let’s do it. We’re going to start at the top. What is GDPR? 

BOBBY: GDPR stands for the General Data Protection Regulation. It is a new law that goes into effect in the European Union. I say “new” but it’s not new. It’s been around for a while but enforcement starts on May 25, 2018.

Now is the time everybody’s ramping up and getting ready and getting compliance in effect before that May 25 deadline. Although it’s a European law it really affects all of us. Unless you are someone that doesn’t touch any data or any individuals in Europe you do have to worry about it and make sure you’re ready to comply. 

AMY: What activities are covered by the GDPR? 

BOBBY: The GDPR covers any time that you’re doing what they call processing of personal data. Processing here is just a fancy word for doing anything with data. It literally defines it. It has a long list.  

Everything from the point you collect it until you delete it and everything in between is covered by the GDPR’s processing. So, anything you’re doing with data from collecting, storing, using, and anything else is included. 

The other piece is that it only applies to personal data. Personal data though isn’t just personal data. It’s anything that is associated with or related to a person who is identified or who you can identify. 

There are a couple of things in there that are included. Obviously personal identifiers like your name, your email address, or your address are included. There is also pretty widespread agreement that your IP address, if you get the whole IP address, would be included although Google Analytics has a work around where they are going to delete the last three digits. 

All of that stuff’s included but it also includes any kind of processing of information that you’re adding to your contact database. Think about it, if you have quizzes, if you have tagging, if you have segmenting within your CRM database, or anything else, all of that’s included because what you’re doing is effectively monitoring what people are doing. 

If you’re monitoring what people are doing that’s included. I like to use the example that in my email system that I’m using I have a system instead of it automatically doing lead scoring for me I set up automation.  

Every time someone opens an email it adds a point and every time someone clicks on a link in an email it adds another point. That way I can kind of see and track how active my subscribers are. All of that is included and covered by the GDPR. 

AMY: It’s a lot. Moving on then, who does the GDPR apply to? 

BOBBY: The best way to think about it is that if anyone involved in a commercial relationship, even a free commercial relationship, is in the European Union it applies. An important thing to keep in mind is that it’s not citizenship, it’s not residence, it’s where they are when you’re interacting with them. 

What this means functionally is for an online marketer, one of your listeners or students who is in the European Union, it applies to everything they do in their business, 100%. Every transaction, every piece of data they touch is covered by the GDPR. 

For folks like you and me who are not in the EU though, it applies to us when we are interacting or collecting data from people in the EU. But it gets a little more complicated than that.  

There are some carve outs if you’re not doing certain things. I know you’re going to get to that but basically what it comes down to is whether you are making offers to people in the EU. If so, you’re going to be covered. 

AMY: Got it. So how does it apply to non-EU entrepreneurs, which is a very big bulk of my audience? 

BOBBY: As I mentioned, it applies when they are interacting with people in the EU. But there are some exceptions. What the GDPR says is that it applies to processing that’s related to either offering products or services to people in the EU.  

That would include offering free products and services. Lead magnets and those types of things are covered as well; or, if you were monitoring the behavior of people in the EU. 

This is one of the areas where there is some gray area. I’ve had a lot of people ask me if they can just avoid the GDPR by saying on their website that they don’t offer anything to folks in the EU. 

The answer to that is that it’s not clear, unfortunately. There’s not a clear answer to that one way or the other. I’m a pretty typical example here. My products and services are really tailored to folks in the United States, not the EU. 

When I do Facebook advertising I only target people in the United States. But, when I’ve looked at my list, about 5% of my list is people in the EU. Candidly would I say they couldn’t buy one of my products? No. Would I say they couldn’t download a lead magnet? No. 

I think I’m covered and I have to comply with the GDPR with respect to those folks. But some people have said I might be able to avoid it if I really did put in some real limitations and refuse to do business with people in Europe. 

But I don’t think most of us are going to do that. So, if you’re not you’re going to have to comply with it, at least when you’re interacting with and how you’re handling your data for people who are in the EU. 

AMY: Okay. There are six principles of the GDPR. Can you quickly walk through those principles with us? 

BOBBY: I’m glad to. The first principle, and this is really the one you’re hearing about the most. It’s that data shall be processed “lawfully, fairly, and in a transparent manner.” 

There are a couple of parts to that. One is lawful. You have to have a lawful basis for doing it. You have to be fair about it and you have to be transparent. You have to tell people what you’re doing so they can make a decision about that. 

The second principle is that data shall be collected for specified, explicit, and legitimate purposes. In other words, I can’t just collect data for some reason that I might use it in the future. 

I have to tell you what I am going to do with it. I have to be explicit and it has to be a legitimate purpose. That’s the second principle. 

The third principle is that data processing shall be limited to what is necessary for the purposes. This has a couple of elements to it. You can’t collect every piece of personal data about a person to give them a lead magnet. You just don’t need all of that information so you have to minimize what you’re collecting. 

Once you have it you also have to limit what you’re doing with it to what is necessary for the purpose for which you collected it. If you collected it to deliver a lead magnet you can’t then use it for everything in the future. 

We’re going to talk about that more when we get into the list-building part of this training.  

The fourth principle is that data should be accurate, kept up to date, and corrected. Luckily that doesn’t really apply to us. That’s more for the Googles and Facebooks of the world where basically they’re supposed to make sure they are keeping data that’s accurate. 

The fifth principle is that data shall be kept in a way that it identifies the actual person no longer than is necessary. Again, this means if I collect the information to make a sale and I don’t have any other purpose I can’t keep it for 100 years or 50 years. At some point I have to get rid of the information that identifies the person. 

The final principle is that data shall be processed in a manner that ensures appropriate security. This shouldn’t be a big deal for us. We should all be using SSL certificates and other ways to actually make sure we’re protecting the data. But you have to do that. You can’t just have your data in an unsecured method anymore under the GDPR.

AMY: Got it. I love learning from you, Bobby, because you make it so clear. I can actually understand this so, just an early thank you for this. 

BOBBY: You’re welcome. This is a complex subject. It’s 250 or 260 pages. It wasn’t a lot of fun to go through it but at least I’m trained to do it. 

AMY: Yes, and you can talk about it in such an easy way to understand, which is exactly why I chose you to do this so thank you so much.  

You have a really cool three-part free video series we’re going to talk about at the end but from the training I went through I know that to collect, store, and use data, including names and emails, you must be able to demonstrate there is a lawful basis for the processing of the data. 

Can you talk about how that relates to online entrepreneurs? 

BOBBY: I am glad to. This is actually really the big point. This is where the big headline comes from. The big headline is that we’re going to have to change the way we go about collecting email addresses from potential leads, at least for our marketing efforts. 

The only real lawful basis that is going to give you the right to market to someone under the GDPR for any long period of time is going to be if they give you consent. Consent under the GDPR is higher than what we’ve been operating under for the last five or ten years in the online marketing world. 

It requires that consent be freely given, specific, and unambiguous; and, also at a very granular level. Consent for one thing doesn’t mean consent for everything. 

There are a couple of pieces of that and what it means. Under the new standard the big thing to know is we can’t just automatically add everyone who grabs one of our lead magnets and add them to our general marketing email list. 

They have not freely given us specific and unambiguous consent for us to send them those marketing emails. We have to get a separate consent to add them to our marketing list, not just “send me the lead magnet,” but you also have to get a separate consent to add them to your marketing list. 

In that, an important thing that a lot of people thought, “Oh, I can just get around this,” and this was what I thought at first before I really dug into the law, I thought I would just put something in that says, “As a condition of getting my lead magnet you have to consent to allow me to add you to my marketing list.” 

That’s not allowed under the GDPR. It doesn’t say it 100% but my read of it and everything I’ve read from guidance from others you cannot say you only get the freebie if you’ll consent to something else. 

Instead, we have to find a way to sell our prospects on why they want to be on our email list and convince them they want to sign up voluntarily for our list, not just because we’re going to require it as part of getting our lead magnet or getting some other freebie or signing up for a webinar or some other training we’re doing. 

We have to sell them on the benefits. The other big part that people need to understand and that a lot of people aren’t thinking about and why you need to be taking action now is that this new consent standard applies to your existing list. 

If you can’t show you have the right kind of consent for people who are already on your list and to whom the GDPR applies you have to stop emailing them come May 25. 

You need to kind of take some action between now and then to make sure you are compliant. 

AMY: That’s the big thing here. We’ve got to do some work up front before May 25 and then we have to have something in place so that we are staying compliant as we add new people to our email list. 

The great thing is we’re going to break that down and give you some suggestions as to what you can do now and moving forward. 

Before we get there, I’ve got this question. What if I want to send a nurture sequence after somebody opts in for a lead magnet? I teach that you don’t just have someone sign up for a freebie and then say, “Okay, here you go,” and you’re done. What can I do under GDPR? 

BOBBY: Again, I wish I could give you a clear answer for this one. This is one where I’ll tell you that when I started really diving into the GDPR I found different answers from different people. 

Some people said, “Absolutely no question, you cannot send any kind of marketing email because someone signs up for a lead magnet. All you can do is deliver the lead magnet.”

Other people said, “You can do these short nurture sequences leading to a sale.” When I looked at it what I would tell you is I think there’s a good argument for being allowed to make these nurture sequences but it’s not crystal clear. 

The GDPR has a provision that talks about expanded processing, basically processing data beyond the original purpose for which you collected it. It gives a list of factors you would consider in deciding whether it’s okay to do expanded processing. 

One of them is the link between the purposes of collection and the purposes for the expanded collection. Is there a clear link between why they gave you their info and why you’re sending them this later email? 

The next one is the context in which the data is collected. I don’t know what that means, quite honestly, but I think it is asking if you’re collecting it freely or if you’re putting some pressure. You could think of different meanings to it.  

The nature of the personal data that’s collected is another one. Luckily for us, in the space of a lead magnet, we’re not collecting really personal data. It’s a name and an email address. We’re not collecting something that’s very sensitive.  

Another factor is the consequences of the expanded process. For a nurture sequence, what are the consequences? They get three to four emails from you over a week or two? That’s probably not something that’s that bad. 

The last factor is whether you have appropriate safeguards in effect. You should have those in place no matter what. 

When I look at those factors and I think about, for example right now one of my lead magnets is a guide about the different policies you need on your website, someone who downloads that clearly probably needs these policies or at least has some concern about whether their policies are good enough.

I have a short nurture sequence that would lead them to template forms. It seems like I’m serving them and not hurting them in any way, shape, or form by doing that.  

I honestly haven’t decided whether I’m going to continue with nurture sequences if I can’t get a separate consent. I think there’s a good argument that you’re allowed to. 

AMY: Got it. When you said that last bullet point, “existence of appropriate safeguards,” would a safeguard be a privacy policy on your website? 

BOBBY: That would be part of it but also just general safeguards to make sure the actual processing that happens isn’t going to put them at risk. One thing we have to remember is the GDPR is not all about emails. 

The GDPR is about all kinds of processing of data. It’s about what Google does with our data or what Facebook does with our data. So we’re having to look at this much broader law and see how it applies in this very specific context. 

The important thing here is because all you’re doing is sending them a couple more emails you’re not really changing or putting the data at risk in any other way.  

You can see if Facebook collected it for purpose #1 and all of a sudden transfers it to this other place for a different purpose there might be some extra risk. The question would be if there are safeguards.

That one, I think, is always going to weigh in our favor on this point. 

AMY: Okay, cool. Here’s the big question. What do I need to do for list building? 

BOBBY: I think you foreshadowed it a little bit ago. There is what we need to do to preserve our existing list and then there’s what we need to do going forward to collect emails and consents in a GDPR-compliant way moving forward. 

I think we need to first break it into what you do for the past and then second what you do going forward. 

AMY: Here’s the deal. What’s the tactic to get compliant? 

BOBBY: For your existing list it’s two or three prongs, really. Basically what you need to do with your existing list is figure out who you have to get a consent from and then you need to figure out a way to do that. 

I would say for people outside the EU your first step needs to be to segment your list between your subscribers who you can clearly say are not in the European Union and the second category are subscribers who either are in the EU or who you can’t identify so you don’t know one way or the other. 

If you don’t know where they are you should just act as if they are in the EU and so the GDPR will apply to your interactions with them. 

The good news is a lot of service providers are rolling this out. Amy, I think one of the email providers you talk about is ConvertKit. They have built this functionality in. 

AMY: Awesome. 

BOBBY: You can search for people in the EU based on IP locations. Most of the other service providers have it. I’m using Kartra, a new system that has IP address locations so I can sort that way. 

I think all of the providers will likely roll that out in, hopefully, the next week or so. We’re still waiting for some of the big ones to say what they’re going to do. 

AMY: You’re going to segment your existing list. Talk to me why this segmenting is so important. 

BOBBY: Ultimately what you’re going to do is for the people you need to get consents from you’re going to do a reengagement campaign. You’re going to try to get them to consent between now and May 25. 

Amy, I think you’ll know better than I will but we are not going to get 100% or anywhere close to 100% to reengage and consent. I don’t know what your open rate is but my open rate hovers at 15% sometimes 20% if I have a really good subject line. 

My click rate is not nearly as good. The reality is that you’re going to lose a lot of the people that you’re sending this reengagement campaign to because they’re not going to consent. 

Remember, the GDPR, for folks like you and me, only applies to how we interact with people in the EU. We can continue to do all of the same things we’ve been doing in the past for folks in the United States, Canada, anywhere else that’s not in the EU. It just doesn’t affect those relationships. 

By segmenting what we’re going to do is basically say that we’re not worried about the folks who are not in the EU and we are keeping them on our list. In my case I did some segmenting based on the portion that I could segment and something like 63% of my list could be clearly identified as not in the EU. 

AMY: Were you so excited? 

BOBBY: I was excited. But the bad news is I’ve got two legacy providers and one of the legacy providers has not yet rolled out this capability. In their system I can see the IP address so we could do it. 

But they wouldn’t even let me export that data. That’s a fight for another day. But, for at least this part of my list I was able to segment. So I get to keep that 63%. 

AMY: You’re good to go. 

BOBBY: Yes. Five percent are in the EU and I couldn’t identify 32% one way or the other. 

AMY: And why couldn’t you identify those? 

BOBBY: Because, for some reason or another the system just doesn’t have the data. I’m not technical enough to know why. 

AMY: I’m not either. 

BOBBY: If you’re using a new system the problem is that you’ve probably taken your list and moved it and didn’t bring in the data to identify where they are from when you went to the new system. 

I don’t know why that applies, I’m talking about ConvertKit, but I think it was the first system I really used actively to build my list. It may be that some had come in through Zaps or something else where I brought them in. It just didn’t port that data over. 

AMY: I think we’re all going to deal with that. We’re running my list right now so I’m going to find out. So you ran this segmenting and you got these numbers. Now that you have the data how should you run a reengagement campaign? 

BOBBY: There are two parts to my reengagement campaign. First, everybody on my list is getting extra value and has been for the last almost month now. I’m normally sending one email a week where I tell people about my new podcast episode coming out. 

Now I’ve added a second email each week. This is a pure give. I’m giving them something of value. I created a new lead magnet recently and I didn’t ask them to opt in I just gave it to them and said, “Here you go.” 

When I launched this training, first I invited people to the training about the GDPR live and the second email I sent them on my list was an email to the membership area where they can now go and access the training. 

I’m just giving them a ton of value. The reason why is I want them to say, “I want to stay on this guy’s list,” at least the people who are opening it. That’s the idea. 

You do that. You build the goodwill. And then you have to just start sending reengagement campaigns. You’ll have to figure out how to do this within your system.  

Either you set up a new opt-in page somewhere that is just a very clear opt in that says they are opting in to stay on your list; or, if your system is more advanced it may be that clicking on a link will be good enough for you to mark that and store the data but you have to get a consent.

I’m going to start sending emails on a regular basis to that list come May. I’m going to start sending them to the people who are either in the EU or who I could not identify and try to get them to reengage. 

I haven’t decided on subject lines. Early on it’s probably going to be kind of tame but eventually I’m going to start using subject lines like you would in a reengagement campaign where you say, “I’m going to delete you.” 

It will get more and more dire as we get closer to the deadline. Come May 24 everyone who has not opted in will be deleted. I will get them out of my system so they are not there. There will be no question that I’m not storing, using, or otherwise processing their data. 

AMY: I like it. I think it’s just an easier way. You don’t have to worry about it and you’re just moving forward now. 

BOBBY: That’s the plan. Again, it helps because if they’re not going to engage with me over a two-month period they are probably not going to be my ICA anyway. 

AMY: That’s a good point. This is a really great opportunity to clean up your list as well, in some way, and also a lot of my students will ask how I’m going to do this. We’re still working out all of the specifics based on what we’ve learned from Bobby. 

Because I use InfusionSoft we will most likely be sending multiple emails, as Bobby suggests here, and people will click on a link letting us know they want to stay on my list. If they click on the link I can then tag them to be somebody who has given us their consent. 

We’re still working out all the details but I just wanted to give that information. 

One of the things I really like is when you were talking about this reengagement campaign, Bobby, you were saying that you are sending multiple emails. You want to be really mindful of the subject lines and you want to have some fun with this and still stay on brand. 

When I say to have “fun” that means if your brand is fun. But you want to make sure these emails are written in your voice. You want to have really catchy subject lines so they see it and open it up.  

You could just straight out call out the GDPR because they are probably very aware of it or you could play around with different things. Bobby, you said you’re sending multiple emails and you might get even a little more aggressive (I don’t think the word is aggressive) or inventive with those subject lines as you get going, right? 

BOBBY: Yeah I think that’s right. I think early on it will just be something about the GDPR or that I want to check in. I haven’t decided and I am still working on those. But as we get closer to the deadline I may play around. I try to be playful in my emails. 

I try to lighten things up because I tend to be talking about serious subject matter. I will probably say, “I’m crying because I’m going to lose you,” or things like that to maybe get people’s attention. 

I think you and I both know the challenge is getting people to even open the email. I want to give every chance I can so I will do things like that. But then I will say that I am deleting them from my database if I don’t hear from them and then maybe it will be, “No, seriously, I am going to delete you from my database,” just to make it clear and really up the ante there. 

Some people may send a “Do you hate me” email if that’s on brand for them. That’s probably not what I’ll send but I’ll send some playful things and also tell them in the subject line very clearly that I will delete them if they don’t respond. 

AMY: I think we need to be really straightforward at that point. Bobby helped me write some notes about summing this all up before we move on to the next step. Here are Bobby’s recommendations as we just went through them. 

  1. Build goodwill by delivering amazing value to your list between now and then. As you are listening to this I want you to find a day this week, carve out a few hours, and totally focus on this. Chloe, myself, and one other gal on my team, Rechael, were sitting down and we’ve blocked out hours to map this out to see how we will implement it. You have to give it the time it needs. I’m talking about going above and beyond the normal value I’m sure you deliver. Make your content so good that no one will want to miss the opportunity to stay on your list.
  2. Create your list of targets from whom you need new consents. This is the whole segmenting thing. For entrepreneurs in the EU this will be your whole list. For entrepreneurs outside the EU, which is most of you listening, this will be everyone in the EU and anyone whose location is unknown. This is all about segmenting in Step 2.
  3. Run a reengagement campaign to the list of people who need to provide fresh consent. Sell them on the benefits and do this in your own style. Good copywriting is still key here. You know your audience and you know how they will want to hear from you. You will want to plan for a series of emails with increasingly interesting subject lines to make sure people pay attention and don’t miss them.
  4. Anyone who doesn’t give the necessary consent by May 24 should be axed from your list. Remember, even storing or deleting their info is considered processing so this work needs to be done before May 25.


Did I do a good job there Bobby? 

BOBBY: I think you did. I should actually add one other thing in this segment. I can’t do this because I’ve never had this. If you have part of your list that opted in cleanly to be on your newsletter you can probably put them in the okay category. 

AMY: That’s a great point. 

BOBBY: If you had a, “Hey, sign up for my newsletter.” Those people have already given you consent to receive your marketing so they are probably okay. I have never really had that. 

AMY: Me neither. What’s so funny is I totally teach against it. I’m not a huge fan of saying, “Sign up for my newsletter,” I don’t think it’s as powerful. But, anyone who was doing that is probably like, “Oh, I’m so glad I did it.” 

BOBBY: The thing is you have to be able to identify that’s how they signed up. If you have that kind of data and can say, “This is how they signed up,” you’re good. You can treat them as if they’ve already given you consent and you can put them in the okay file. 

AMY: That would be taking some serious segmenting steps beforehand so you truly know that’s how they came in but if you’re organized you might just have a chunk of your list that you don’t even have to worry about and that’s awesome. 

Moving on. What do I need to do moving forward in my list-building efforts? 

BOBBY: Because we are now at the point where you can’t just add people to your list because they download a freebie or sign up for a webinar or something like that I think we have two choices: 1) Go back to the old “join my newsletter,” which I know you’re not going to suggest, Amy, and I wouldn’t either, or 2) We continue to use lead magnets but get consent somewhere else along the funnel. 

I also want to point out another option here that’s quick. If you don’t care about people outside of the United States or the United States and Canada you could just decide, if you can segment later, you’re going to just do everything as normal and just delete anybody who’s not in those countries. That’s another option you have available to you if you want your list to be 100% people outside the EU. 

But, ultimately, if you’re going to continue to market to people in the EU and allow them on your list you are going to need to get a consent from them somewhere along the way.  

That consent will be good as long as you tell them you are going to send them marketing materials and try to sell them things. You can do that with a privacy policy and we’ll talk about that later. 

That’s the way you do it. You’ve got to find a place to get them to consent. We’re going to go back to having to sell them on the benefits of getting on our list. 

AMY: With that, what would the workaround look like? 

BOBBY: I’ve thought about this and I’ve tried to come up with different options. The good news is we can still deliver our lead magnets via email. That’s allowed because they’ve consented for us to do that but it’s also fulfilling a contract, which is one of the lawful reasons to process data. 

The way I tried to think about it is that everything from the point they first interact with me until I deliver that delivery email, where could I put touch points in to try to get that consent? 

I came up with four different places. First, you could put something on your opt-in page. You can put a check box or dropdown menu but we’ll talk about this in a second, I think. You’re going to have to make sure they take an action that’s affirmative. 

I am calling the second option a sandwich page. I’m not sure what the right technical term is but it’s the equivalent of a one-cell or one-click upsell page in a sales funnel but we’re doing it as an opt in where we basically have a page between our opt in and our thank-you page where it is completely devoted to saying, “I would like to add you to my newsletter list.” 

You will sell them all of the benefits and will use great copy and explain all of the reasons they want to be on your list. You have that page where they will click a button to say “yes” or “no” and then they will move on in the funnel. 

The third touch point is the delivery email itself where you could try to convince them of the value after you deliver their freebie. 

The final one is, and I think we should all start doing this, put something in all of our lead magnets that invites them to join our newsletter. We should probably change all of our lead magnets so that it has a paragraph and a link where they could go to sign up for our newsletter and then get on to our newsletter going forward. 

AMY: I want to break this down just a bit to make this really actionable as that’s what I’ve promised for this special bonus episode. First, let’s talk about the opt-in page. Can you give us some pointers around that? 

BOBBY: There are a couple of things you have to keep in mind. It has to be clear what they are doing, that they are going to give you consent to be on your marketing email list. It has to be their choice to do it. 

There are a couple of things you can think about. You could do a check box or a drop down menu on your opt-in page that gives them the option to sign up for your list. 

There are a couple of things: 1) You cannot make it so that they have to agree to be on your email list to get the freebie, and 2) You cannot default the choice to “yes”. They have to be the ones that go to “yes”. You can either default to “no” or unchecked, one way or the other. 

What I want to say is that I believe you can force them to answer a question. So if I were going to do this I would probably, because of the way my system works, use a drop down menu. I can make a drop down menu that asks them a question, “Do you want to be added to my email list?” 

You will have a yes or no and, again, I would try to do it in a playful manner instead of “yes” or “no” because those aren’t good from a copywriting standpoint. I would force them to answer the question one way or the other. 

I would make it clear they are going to get the freebie no matter what and then they answer it and move on. If they said, “Yes,” they are added to my list and if they said, “No,” I’m not going to do it. 

That’s how I would go about it on the opt-in page to make sure I was getting the right kind of consent. With my system if I put two check boxes they could put both so I would not put a check box because I don’t have that option. 

If you can use a check box where they have to pick one of the two, a yes or no, you could use a check box and do the same thing. 

AMY: I want to point something out because a lot of my students said, “Oh, Amy’s already compliant because,” right now on my home page I have the opt-in box and you can sign up for my freebie and then there’s a little box that says, “Hey, when you sign up I’m just letting you know you’re going to get more emails from me” and some added language around it. 

That is not compliant guys. Here’s what I’ve learned after going through Bobby’s training. The reason it’s not compliant is you have to check that box in order to opt in for my freebie. The actual freebie form won’t move forward until you’ve checked the box that you know I’m going to send you emails beyond the lead magnet. 

Based on the GDPR you cannot force that. You have to give them the lead magnet, freebie, the option to opt-in for the lead magnet even if they don’t want to be on your list. Bobby, this is all correct, right? 

BOBBY: That’s right. Actually, the funny thing, Amy, you tricked me. I went to your home page and I clicked because I wanted to see what you were doing. I looked at it but I didn’t follow through. I didn’t try to click the submit. 

I just saw that you had a check box that I could check to say, “Yes, I want to be on your list,” so I thought you had actually done this. But, then I realized someone said you have to click it or you don’t get the freebie. Oh yeah, that’s not allowed. 

AMY: Not allowed. So I did this well before GDPR just to make sure people knew what my plan was. I wanted to be more up front with it but I’ve got to change that all around. 

That’s also custom. People ask me how I did that. I had a programmer customize it. Again, I’ve got to change the way I’m doing this and, of course, those members of List-Builder’s Lab, yes, I have to update the program.  

Now that I know all of this and I’ll implement it in my own company, the next step is to make sure List-Builder’s Lab is compliant with GDPR so I’m on it guys. It just takes a little while to get it all in place. 

Bobby went through the opt-in page. Now, let’s talk about this sandwich page and what that might look like to get GDPR compliant. 

BOBBY: Again, I call it a sandwich page. I don’t know if you have a better word for it.  

AMY: I’ve never had a word for it so I thought that was such a funny name. I wondered why you were calling it that but then I realized it’s sandwiched in between. I get it. 

BOBBY: I’ve heard that term used for an intermediary page. Like I said, think of it as a one-click upsell in a sales funnel. You are going to try to sell them on the benefits of your list between the time they opt in and they get to your thank-you page.

The idea is people will see this and because they see it and haven’t gotten to the thank-you page they will actually respond. Amy, I think you would understand this. Part of my concern with an opt in, if you don’t force them to answer a question on the opt-in form, they are just going to skip it.  

A lot of people won’t even pay attention but the sandwich page really makes sure they will do that. I would treat it just like a whole additional opt-in page in the middle where you will talk about the benefits of your list. 

For example, any time I could actually sell it I would actually talk about the fact that they are going to get tips, tricks, and strategies; that I send exclusive freebies just to my list; that I will give them the best pricing, the best discounts, the best bonuses; and anything like that will be put in.  

I might even mention some examples of other freebies I’ve given to my list in the past to give them an idea of what they would be getting by being on the list. Again, think about it like any other sales page where you probably have some bullets about the advantages and why they want to do it. 

Set it up based on however your system works, either as a button where they can maybe just click “yes” or click “no” and it records which one they choose and then moves them forward. Or maybe you have to have a whole separate opt-in form if that’s what your system allows.  

The idea is to present them with this, sell them on why they want to be on it, and then they make the decision. If they do that’s a clear consent that satisfies the GDPR requirements. 

AMY: Awesome. In Bobby’s training that I’m going to give you guys a link to at the end he shows examples of all of this in his own business, which is really cool since he does business like all of us so you’ll get to see some examples. 

Moving on to the delivery email. I like this one so talk to me about how to make this get the consent you’re looking for. 

BOBBY: My emails normally don’t look like this. Normally, my emails deliver and then it’s a “what this says about you” because I am a student of List-Builder’s Lab. 

AMY: You are a good student. Those of you who are not in List-Builder’s Lab, we teach something called, “What this says about you,” which is a special delivery email that packs a good punch. It’s kind of screwing up our really good punch, I know, so talk to me about what you do now, or what you will do. 

BOBBY: For these folks, what you can do with your delivery email is…The way my traditional delivery email was structured I had a first line that says something about, “Congratulations, I’m excited you downloaded” whatever it is. Then I’ve got the download link. 

I then go into the “what this says about you.” It says, “I’m excited. I want to say thank you on behalf of your future business. It shows me you care about protecting your business.” Then I go further down the line. “I’ll stop there. This shows me that you want to protect your business.”  

Then I will say, “As someone who wants to protect your business I want to invite you to join my newsletter.” The rest of that email, again, is a sales piece. I’m not going to make it long. I’m not going to make it drawn out. 

It will talk about the benefits of being on my list, the same things, “You’re going to get tips, tricks, and strategies; you’re going to get free guides, checklists, and other goodies; you’re going to get exclusive access to discounts, bonuses, and promotions.” 

I’m going to sell them on it and then I’m going to tell them about something I just gave away for free recently. Then I will have this thing about how I don’t spam them. I won’t rent or sell. I will give them access to my privacy policy and then I will ask them if they want to stay on my list and I will have a link. 

My original plan was to just tag people but when I was messing around with my system I discovered it is better to have that link take them just to a stand-alone opt-in page to opt in to my newsletter.  

I may continue to mess with that, however you can get that and tag that someone clicking that link is giving you their consent to be on your list. That’s the email approach and that’s how you can get consent from your delivery email. 

AMY: I like it. Then, finally, in the lead magnet you alluded to this one a bit but give us a quick recap. 

BOBBY: Again, I was thinking at the end of the lead magnet, but… 

AMY: Me too. 

BOBBY: But I’m not sure if I want it at the end or not because they might not get there. But the idea is I’m going to put something in the lead magnet, a short paragraph (I haven’t worked this out yet but I have to because I have to work with my designer) that invites them to my list, talks about the benefits, and has a clickable link. 

I think this will be good because, among other things, any time they go back to look at the freebie they will see it and it will be a reminder to them to go ahead and decide, “I actually want to do that.” 

Again, it will send them to a stand-alone opt-in page to sign up for the newsletter. 

AMY: I like the lead magnet idea. I have so many lead magnets that I don’t know what I’m going to do about that. I wouldn’t just do that one. I really think it could be a mix of a few of these. I love how you talked in the training how you might do a few like the opt-in page and the delivery email and in the lead magnet. 

I like how you talked that doing it on the opt-in page and the sandwich page might be a little bit of overkill. 

BOBBY: It depends on your audience. If your audience is used to seeing these things and are people who go through sales funnels with five upsells and down sells that won’t bother them. 

For most of us, I think most of your students and listeners, aren’t used to that. I would either do the opt in or the sandwich page. But I actually need to give a special piece of guidance here for folks who are outside the EU. 

If you’re in the EU you need to use as many of these touch points as possible. But if you’re outside the EU you shouldn’t ask for consent, in my view, until the point in your funnel where you can start to segment because the question is: What happens if you do this on the opt-in page and someone from the United States doesn’t want to opt in? 

They don’t opt in or skip your sandwich page but you could be emailing them under the GDPR. There’s no problem but all of the sudden you’re in a pickle because they’ve kind of said they don’t want to get it. Maybe it was an option and maybe it wasn’t so I wouldn’t want to add them to my list then. 

I think we know that can be a problem so I’m only going to use anything that comes after the point I can segment based on whether they are in the EU or not. With me and my current system that means I can’t use anything until the delivery email. 

I’m not that worried about it, personally, because again my services really are limited for folks in the U.S. Someone outside the U.S. could use my products but they probably wouldn’t be using them very often. 

In light of that I’m not that worried about it but you need to find where, in your funnel, you can start the segmentation process. If you can show different landing pages to people based on their location start at the opt in is what I would do. 

AMY: Oh I like that. That’s what we’re going to look into with my team. If we could right away figure it out and then show different landing pages, based on inside or outside the EU, that is really optimal but it’s going to take a little workaround or at least really understanding your email service provider and how it’s going to integrate with all of this. 

It’s worth the extra effort and time to look into it because what I really keep thinking is I just want the list that is non EU to move aside and be what it is right now. I don’t even want to have to worry about all of them and just take the smaller segment of the EU and worry about them specifically. 

I’m looking into as much segmenting as possible.  

We are in the home stretch, guys. I want Bobby to tell us a little bit about the role of the privacy policy related to the GDPR because your privacy policy, which you should all have, has to change. Bobby, will you break it down for us? 

BOBBY: Everyone should have a privacy policy because there’s been a California law on the books since 2002 or 2003, I think. It basically says that if you collect any information from anyone from California you need to disclose certain things. 

You should have a privacy policy already. But the GDPR puts some added responsibilities. Part of what the GDPR says is when you are going to collect data from people that falls under this standard you have to inform them at that point of certain things. 

The privacy policy is how you’re going to do that. If you think about it, if you tried to write all of that information on your opt-in page your opt-in pages would become long-form sales letters with a bunch of legal gobbledy gook and nobody wants that. 

Instead, you have a privacy policy. You make sure it complies with all of the GDPR requirements and you can then use that as the way to make sure you are informing people at every point where you’re collecting information from them. 

AMY: What do I need to include in the privacy policy? 

BOBBY: In the privacy policy I can give you highlights. There are a lot of little things. You have to give them the contact information for all of the relevant people. This includes you or your company. There are some other people under the GDPR that probably don’t apply or might not apply. 

One is called the GDPR representative and one’s called the data protection officer. I talk about those in the training if those apply to you. If they do and you have those you need to identify them and give their contact information. 

The first category is contact information, for you, and if you have either of these people, them.  

The next category is what information you are collecting and why you are collecting it. What is it that you’re collecting from them? What’s your basis for doing it? In this, one thing you need to keep in mind is that this is the stuff you are getting because they voluntarily give it to you but also the things that you are automatically collecting like Google Analytics, and things like that. You have to disclose that. 

Again, you should have already been disclosing that anyway but you need to disclose it. You also need to explain why you are collecting those things and the legal basis. Again, that would be consent. You are going to explain these, for example, that you use analytics data to improve the performance of your website. I think that’s the standard language most people have been using. 

Then you need to talk about what you do with the data. This is where, for example, you need to tell them, “If you consent I am going to send you emails,” and they will include promotions and things like that. 

You also need to tell them if you are going to share the information with others. You might think you’re not going to share with other people but you are. Most likely you are not the one who actually holds your data.  

My data is held by Kartra. Luckily I now don’t use a lot of integrations. But if you use Zaps that are transferring data from your email service provider to somewhere else or if you’re using any other complicated systems you are, in fact, sharing the data with a bunch of vendors. 

Luckily, you don’t have to identify them all by name. You either have to identify the recipients or the categories of recipients. You have to tell them if you’re doing those kinds of things of sharing with outside vendors. 

The final area is that there are certain rights under the GDPR that you have to list. These are kind of specific. They are put on a list as things like the right of erasure, the right to withdraw consent. There is just a list and that is pretty straightforward. 

On my template forms I have for people I have literally just added a section near the end that lists these eight things you have to include. 

AMY: Just so everyone is on the same page, where do you put the privacy policy? 

BOBBY: You should have a stand-alone page on your website where you basically literally just paste the privacy policy. You should do the same thing with all of your other legal policies on your website. 

I actually do want to talk about this. One thing that’s come up recently, a couple of people that don’t yet have a website have asked me. They are just starting to collect emails so they set something up in LeadPages and one was talking about Launch Rocket. 

If you use one of those services you just have to create an additional page within whatever provider you’re using where you put the privacy policy. Then you can pull a link to that page. 

The standard way we do this, on your website you would have links to your privacy policy in your footer navigation bar. Nobody puts it in the top navigation but they can get to it from your footer. 

You do the same thing with any outside service. If you use LeadPages, or I use Kartra, or whatever it is. You are going to include it in there on the footer there as well. 

The last place you need to put a link, you need to put a link anytime you are collecting. On your opt-in forms now you need to have a line that essentially says you are going to treat the information consistent with your privacy policy and put a hyperlink on the privacy policy. 

Anyone who wants to can then get access to your privacy policy. That would apply not just to downloads but also purchases or anything like that where anyone is giving you data. Make sure you have a link to your privacy policy. 

AMY: We’ve reached the end of our mini workshop for GDPR. Bobby, I cannot thank you enough for your time and generosity in helping us understand this little bit of a monster situation. 

I can’t sugar coat it. You know it’s not my favorite topic but I feel really confident that I understand it now. Hopefully my listeners feel the same way. Thank you for that. 

BOBBY: Thank you for having me on. Don’t be too afraid of the GDPR. Once you understand it you just start having to take some action. But, if you take action you can take care of it and you don’t have to worry about it too much. 

AMY: I agree. And, for all of my newbies out there, you’re just getting started so you are in a perfect place to get it all locked in and then just be done with it. You can get it on automation as you move forward. 

I’m breaking my rules a bit right now because you all know I’ve had a policy for the last year that I do not send podcast listeners to somebody else’s opt in. I’ve talked about that strategy and why I do that on the show. 

However, this information is so important and I want you to protect yourself so I’m making an exception. I want to encourage you to check out Bobby’s mini training. It is totally free and dives into everything you need to know about GDPR. 

The video series will go over what we went over here but at a deeper level with a lot of examples that we didn’t cover because there’s only so much time. The goal of Bobby’s mini training is not only to make sure you, as an online entrepreneur, understand the legal requirements but also to give you the tools and practical advice (that’s what I love about it most) you need to thrive in a GDPR world. 

Go to to get your hands on this free mini training. I’ll link to it in my show notes as well so that you have all of the details. 

Bobby, thanks again for being here. 

BOBBY: Thanks for having me. It was my pleasure. 

AMY: You guys have a great day and good luck in putting everything you need to do for GDPR together. Bye for now. 



