This post is part 2 of a 5-part series on GDPR readiness. In the previous post, I compared GDPR preparedness to a football game and stressed the importance of both a solid offense and a solid defense to win the game. To tackle the processing requirements of GDPR compliance, your defensive strategy involves operational adjustments and a well-documented game plan. Now, it’s time to turn our focus to the offense and strategies to help your marketing practices thrive in a GDPR world.

Many Marketo clients are asking questions about using marketing automation and lead scoring features given GDPR’s strict permission-based requirements to collect and store personal data. My answer is marketing operations and GDPR can coexist, with adjustments to our current methods. I believe GDPR will force us to improve our core marketing skills, and our GDPR playbook should include leveraging the benefits of our offering and easing customer anxiety associated with data collection.

To further illustrate this thought, I’ll share The MECLABS Conversion Sequence Heuristic, which is perfect for this GDPR discussion:

C = 4m + 3v + 2(i-f) – 2a

If you are not familiar with the formula, the translation of it is:

Conversion = 4x the motivation + 3x value proposition + 2x (incentive less friction) – 2x the anxiety.

To state it another way, for your target customer to take the desired action, ample customer motivation, a solid value proposition, and an incentive to complete the action must be present, and operational friction and customer anxiety must be mitigated. Let’s take a look at how this can apply to real-life scenarios in a GDPR environment.

Consent for Data Collection

Scenario: You are offering a free white paper or informational guide and you are collecting the customer’s name, email address, and phone number as a prerequisite to downloading. Behind the scenes, you are appending additional data to the record, including income and location as well as tracking online browsing behavior to score the lead.

Challenge: Under GDPR, brands must now have an individual’s consent before they may track and store personal data. Opt-out or implied consent forms do not comply with GDPR; further, you must also declare how you will use the data and for how long, including if you are appending information or scoring based on it. Therefore, the challenge is being GDPR compliant without introducing too much friction or anxiety with your form.

GDPR adjustment: Strengthen your landing page value proposition and incentive to increase customer motivation. Also add an unchecked opt-in checkbox to the bottom of your data collection form, including a link to your privacy policy. (Note: privacy policies must now be much more robust in detailing data usage.)

To implement: On a recent internet search, I found one suggestion to use this copy in your data collection form:

“We’re collecting your name, phone number and email address so that we may follow-up with you further on this topic and provide additional assistance. We may also match profiling data from a third party with your registration information, to learn more about you and measure your product interests. Please check our privacy policy (insert link here) for details on how your information will be protected and managed.” (followed by a checkbox providing consent to collect this information)

This solution appears to be GDPR compliant and covers your bases, but it is lengthy and may “weigh down” your form. And, referring back to The MECLABS Conversion Sequence Heuristic, we may have also unnecessarily opened the door on customer anxiety. According to The Chartered Institute of Marketing (September 2016), 57% of Europeans do not trust brands to use their data responsibly. Highlighting their concern will only increase apprehension. Thus, adding this verbiage to your form could reduce your conversion rate.

Contrary to a common misconception, GDPR doesn’t mandate declaring everything on your form. You can state how you will use data (including information to be appended and lead scoring practices) in your privacy policy. Just don’t forget, or it will cost you big!

A sample of a GDPR-compliant privacy policy regarding the opt-in checkbox on a form reads like this:

“The information set out in this form is registered in an electronic database for the purpose of [commercial prospection, HR…]. This information is intended to be communicated to [internal service of the company, commercial partners…] and retained for [the relationship, xxx months…]. In accordance with the applicable regulation, your rights to access and update your data, withdraw your consent or lodge complaint where applicable can be exercised by following this link [contact of the service, person or authority in charge…]”

Just keep in mind a couple of things with your opt-in checkbox:

  • The opt-in checkbox cannot be a required field. Consent is an independent action from the marketing form action. In other words, if the form in question promotes a white paper, the user can download the white paper without opting in to further communication.
  • Consent language should make it clear that the checkbox is not needed to submit the form (e.g., “Want MORE on this topic?”) and should definitely link to your privacy policy. To step up your game, add a little note at the bottom of the form reminding them they can download your white paper without it.

Moving legal language to your privacy policy would enable you to use shorter, simpler, GDPR compliant copy on your form:

“I’d like to receive more information on this topic, and understand and agree to the privacy policy. <insert link here>”

Unchecked checkbox

Short, sweet, to the point…on with the conversion. And the next example.

Cookie Tracking

Scenario: You are using reverse IP lookup and cookies (AKA Munchkin Code) on your site to identify repeat visitors and customize the user’s experience.

GDPR challenge: You must have consent to track visitor behavior. “By using this site, you agree to cookies” messages implying approval upon closure do not meet GDPR compliance. This is a departure from Do Not Track legislation.

GDPR adjustment: Use a banner across the top of your website notifying first-time users of cookie usage, capturing user consent. Then work with your developer to load Munchkin code with the proper settings.

To implement: We found one example with this verbiage:

“Websites are now required by law to gain your consent before applying cookies. We use cookies to improve your browsing experience. Parts of the website may not work as expected without them. By closing or ignoring this message, you are consenting.”

There are a few issues with this message: 1. It’s not very friendly. 2. It’s not GDPR compliant. The user must have consented to enable cookies; presumed consent from ignoring your message doesn’t count.

On with our search. We found another banner with this copy:

“This site uses cookies to store information on your computer. Some are essential to make our site work; others help us improve the user experience. By using our site, you agree to the placement of these cookies. If you do not agree, do not use our site. Read our privacy statement (insert link here) to learn more.” (checkbox to agree and x to Close)

This example is better. Your legal team would probably give you the thumbs up as you have declared what GDPR requires and collected the appropriate consent. But, we’re also only looking at the legal aspects and missing the human element.

Let’s try presenting the cookies as a customer benefit and utilizing a friendlier format:

Activate a site takeover screen that appears within 5-10 seconds of entering your website: “We’re glad you’re here! Help us customize your site experience by enabling cookies so we can understand your interests and recommend related information. Should you choose not to enable them, you may still use our website; however, we can’t tailor your experience to your interests or location.”

(button for consent “Yes, customize my browsing experience.” And a button for denying consent: “No thanks. I’ll take my chances.”)
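For the developer who has to wire this up, here is an added example (not code from the original post or from Marketo) of the consent rule this section describes: only an explicit click on the "yes" button permits tracking, while closing or ignoring the banner does not. The event names, record fields and policy-version check are assumptions, and `loadTracker` is a hypothetical stand-in for whatever loads your tracking script.

```javascript
// Added example: all names here are hypothetical, not a Marketo API.
const CONSENT = Object.freeze({ GRANTED: 'granted', DENIED: 'denied', UNSET: 'unset' });

// Only an explicit click on the consent button grants consent.
// Closing, ignoring or scrolling past the banner leaves consent unset.
function consentFromBannerEvent(eventType) {
  switch (eventType) {
    case 'accept_clicked': return CONSENT.GRANTED;
    case 'decline_clicked': return CONSENT.DENIED;
    default: return CONSENT.UNSET; // e.g. 'banner_closed', 'ignored'
  }
}

// Record what was chosen, when, and under which privacy policy version
// (assumption: a policy change means asking again).
function makeConsentRecord(eventType, policyVersion, now) {
  return {
    state: consentFromBannerEvent(eventType),
    policyVersion,
    recordedAt: now.toISOString(),
    sourceEvent: eventType,
  };
}

// Show the banner when there is no decision yet or the policy has changed.
function shouldShowBanner(record, currentPolicyVersion) {
  return !record || record.state === CONSENT.UNSET ||
    record.policyVersion !== currentPolicyVersion;
}

function mayLoadTracker(record, currentPolicyVersion) {
  return Boolean(record) && record.state === CONSENT.GRANTED &&
    record.policyVersion === currentPolicyVersion;
}

// The tracking script is loaded only through this gate, never unconditionally.
function applyConsent(record, currentPolicyVersion, loadTracker) {
  if (!mayLoadTracker(record, currentPolicyVersion)) return false;
  loadTracker();
  return true;
}

// Constructed sample: three first-time visitors, one banner interaction each.
const POLICY = '2018-05';
for (const ev of ['banner_closed', 'decline_clicked', 'accept_clicked']) {
  const rec = makeConsentRecord(ev, POLICY, new Date());
  console.log(ev, '->', rec.state, '| tracker loads:', mayLoadTracker(rec, POLICY));
}
```

The site stays usable in every branch; only the tracker is withheld, which matches the "you may still use our website" wording in the friendlier banner.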

In closing, nobody signs up to get on a sales list. Customers DO subscribe or request to receive valuable, meaningful, and relevant information, and are willing to provide their personal information (and consent) in exchange for it. To enhance your success, leverage your benefits, be authentic in your approach and proactively anticipate anxieties your customer may have. Remember, the game isn’t won by merely complying with GDPR requirements. We are victorious when we earn the trust of our customers, which in my opinion, is the very essence of GDPR.


Obviously, these examples are just the beginning. I’ve seen many more questions within the Marketo community about privacy policies, whitelisting campaigns, data consent centers, and more. You have questions; we have a team of Marketo Certified Solutions Architects ready to develop custom solutions and Consultants prepared to make your team look like GDPR marketing rock stars. (That’s my shameless plug to contact us).

*Note: While we’re darn good marketers, we are not attorneys, nor do we even play them on TV–which means that this post isn’t intended to constitute legal advice. Be smart and cover your bases; make sure you enlist your real legal team to review and approve all policies and procedures related to GDPR.