This is a rare blog for me. It will include me giving out some credentials. But never mind my credentials, because I must also add the obligatory: Do Your Own Due Diligence. This matters to everyone reading this.

Yes, that was a bit of lawyer-like language, but you don’t want to get into trouble when this new set of regulations starts on May 25th, 2018. Wherever you are in the world, you are affected by this new set of rules known as the GDPR: the General Data Protection Regulation.

Meet the Mother-of-All-Things-Anti-Spam-And-Privacy-Rules!

When it comes to email marketing, as most of you know, I am a wee bit of an expert. Among my qualifications, I am a Certified Solution Provider with Constant Contact and attend specialized training with them on a regular basis.

While the GDPR covers everything including the famous and ubiquitous surveillance cameras found indoors and out, public and private throughout Europe (and the world), I am concentrating on its effects on email marketing.

For many years, I have been teaching the principles of email effectiveness and best practices. As a member of a national team of public speakers, I have coached groups and worked with hundreds of people. But don’t take my words as the last words. Do your own fact-finding, too.

Because here’s the deal: No matter what email method you are using to “market” your products or services commercially to others, and no matter where you live, you are now responsible for understanding the GDPR. You have no way of knowing whether someone who lands on your site is from one of the 28 countries and is protected by these rules. And the fines are HEAVY!

Using lead magnets? Watch out!

If you are, or if you have landing pages or pop-ups that tease offers (Lead Magnets) in exchange for email addresses, the number one thing you need to look at is “consent”.

What is it, how do you get it, and how do you use it? There has always been a right way, a better way, and a wrong way to use Lead Magnets. This new law is cracking down on the wrong ways.

For years, I have seen it used the wrong way – deceptively gaining people’s email addresses. I reported on this “spammy” practice many moons ago in April 2016. Here’s the link to refresh your memory from the article I titled, “Are You Accidentally Being Spammy?”

(This is a must read actually. I just re-read it for the first time since publishing it and it was/is very prescient!)

To avoid being spammy and to be in compliance, this new set of regulations makes three things very clear.

  1. If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis. (Read that at least two more times.)
  2. AND (and this is a biggie), pre-ticked boxes are no longer allowed. If you are getting any contact information – say from a lead magnet – and you have a checkbox below the email field that says something like, “Yes, put me on your mailing list!” and it is already checked by default, that is illegal.
  3. If you ask for an email with the intention of putting someone on your list, but don’t make it clear that you are putting them on a list and what to expect from being on that list, that is a misuse of “personal data” and subject to fines.

In a nutshell: do not deceive or be opaque when you are trying to get someone’s email address. If you want them to join your list, make that clear. It’s not that hard and it’s the right thing to do.

Next, you need to be clear as to what you are going to do with that data. I have been teaching this for a number of years: Tell the prospective subscriber what they should expect from you, then deliver that in the time frame you have promised. Your “offer” might look something like this:

Join my list and I will send monthly emails with news from my studio, and occasionally additional alerts about new work, special offers, and other noteworthy announcements. You can unsubscribe at any time.

Whatever you are “marketing” to that list is what they are giving you permission to send. You do not send them something that is not in that description. For example, if you teach classes, you might treat that as a separate interest. Or, if you teach yoga on the weekends, don’t suddenly announce the next scheduled class to people who only know you as an artist. And vice versa!

The bottom line is: Don’t promise you will send A and then try to push B into their inboxes. That’s not only bad marketing, it’s now considered spam or misuse of the original consent. Avoid vague or broad promises. Spell it out and follow through.

The Official Caveat

Despite all my knowledge, I can only recommend that you read more details and pay close attention to your current methods of marketing online. If you are following CASL (Canadian Anti-Spam Laws), which are stricter than the CAN-SPAM Act (US laws) regarding email best practices, you are likely to be in pretty good shape already. If this is the first you have heard of CASL, then these new GDPR regulations are your new rules and a priority to employ. Today. Don’t wait for the 25th of May if you are not even using CASL standards. Again, you may have someone on your list who is in Canada.

Today’s Three Big Takeaways

  1. Relax. If you are acting in a reasonable, helpful, useful, honest and caring fashion in all that you present to the public, it is very unlikely that someone will “report” you as abusing their privacy or consent.
  2. Level UP & Get a Professional Service. If you have been avoiding using an email service provider, you should rethink your strategy. Companies, like Constant Contact, MailChimp, Emma, and others, “should” require you to use certain protocols in order to use their services. While I cannot vouch for any other than Constant Contact, I would be surprised if any of the “stand-alone” companies would let you collect information without all the proper legal notices. Their financial success depends on them doing it right!
  3. Check your current methods. Some of you might be using a proprietary service that comes with your website or other SaaS (Software As A Service) companies. An example would be using the email system that comes built into Wix, Weebly, or even a merchant sales processor, like SquareUp or QuickBooks. With the latter two examples, use their “native” system to generate an invoice, sure. But not as your “marketing” tool. SquareUp will let you generate mass marketing emails! Don’t do it! Instead, download your customers’ info and connect with them through a regular ESP.

Stay Tuned for Part Two

In Part Two, I will drill down to what you should consider doing to be pro-active with your current email list. Email marketing remains the strongest single method for growing your business and sales. With the recent and continuing fall-out within the Social Media world, it’s never been a more important tool.

So stay tuned for my next bi-weekly article posting on May 2, 2018. I will share with you the steps I am taking in my own business to ensure compliance with the GDPR. In other words, I will be sharing the newest “best practices” to keep your email marketing effective. I will likely touch on website tips, too.

I am also putting together a separate PDF white paper and will distribute that to my list in the near future or include a link in the next blog.

Meanwhile, if you have any questions, I will try to address them in the comments below. At the very least, please comment and let me know what you might be most concerned about so I can gather those concerns and address them in my next article or my upcoming white paper.


Want an example of how to sign up “properly” using an ESP?

Example of a GDPR compliant sign up form!

Pay close attention to the care Constant Contact takes in the legal statement under the sign-up box. And then, check out the actual “privacy” link! Wow. Can you duplicate that in your Gmail world? Time for an ESP!

And please be sure to give me some feedback and questions, below.


  1. Joanne Barsanti

    “If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis. (Read that at least two more times.)”
    I read that several times and still don’t understand what you are saying. It sounds like you can ask for consent to be on your mailing list and still run afoul of the law.

    Another question:
    I have a relatively small email list (under 500) and use Mail Chimp. So far, I am sending emails to let people know where I am, what I am doing, (e.g. Art Fairs and Exhibits) and something about my latest work. I am not really doing calls to action at this point, but now I am concerned. I look forward to your next email and information on how to stay out of GDPR “jail”.

    • McKenna

      Thanks for your comment!
      Actually Joanne, the very fact that you don’t understand is a GOOD thing! LOL. This is the concept many marketers have used to force you to fill in an email in order for you to get information. Imagine walking into a retail shop and being told you can’t get the 50% discount unless you give consent to collect your data. “I want to pay cash. You don’t need my name.” As for an online example: you want a free download on how to save “big” amounts of money on your groceries, but you must give them an email address in order to get the link to download the PDF.
      There is nothing wrong with the concept per se, but the “right” way to dangle an offer is to have a solid CTA for someone to join your list. “I will do this, and that, and send this and that, with this frequency.” If you then want to suggest that subscribers get special VIP treatment and access to unique offers because they are on the first-to-know alert list, that would be rational. If you said ONLY those on my email list learn about new work, that would be coercive and is no longer accepted. Think of the phrase, “No Purchase Necessary”.
      In part two, I will delve into this concept a bit deeper. Again… thanks for your comment!

  2. Greta Corens

    Thank you for this important information and your study of it.

    • McKenna

      Thanks for your kind words, Greta.

  3. Renee Phillips

    Dear McKenna,
    Thank you for your factual and easy to understand post on this important topic about the rules governing GDPR. Up to now the articles I’ve seen on the subject have been sparse and confusing. I look forward to reading part 2. Not only will I share this article on social media, I will also encourage my clients to subscribe to your email newsletter. With appreciation, Renee

    • McKenna

      Honored to have your endorsement, Renee! Thanks so much. I am also looking forward to part 2! I may even do a webinar on this subject. The subject of data/privacy/consent is magnifying issues I have been trying to address for years.

    • McKenna

      THANKS for the pat on the back. This was the most exhausting (still at it today for Part Two) research project ever.

  4. Rebecca Vincent

    Thanks so much for tackling this topic which has been stressing me these last few weeks as I’ve become aware that a lot of businesses are “cleansing” their list by sending an opt-in email. To cleanse or not to cleanse…that is the question we are all asking! When I look at my list I can see that it is 75% explicit permission. What should I do about the other 25%? I dread sending an opt in message in case I lose a lot of people…

    • McKenna

      Don’t stress, Rebecca! You are fine. No need for an opt-in email. I will cover this in more detail in part two, but for now, just relax. Your list is legitimate because of the historical context. And the only way that you would be in the bright lights of scrutiny, no matter what the case, is if someone on your list filed an actual complaint. It’s quite a formal procedure actually.

      If you were to do anything “pro-actively”, I would suggest that you have a disclaimer at the top of your emails telling people why they are on your list and reminding them that they can unsubscribe. (Again, this and more will be in part two.)

      I am on no less than 100 email lists from bloggers, journalists, newspapers, marketing firms, and so forth, most of whom are global or at least handling six-figure lists. Very large businesses with many hundreds of thousands of dollars in sales. While most are doing some articles on the subject of GDPR, not one has asked me to resubscribe. There is no need. I am also on several financial and health-related lists. Again, not a single request. If you, living in the UK, are seeing a panic-button response, this could be a localized “the-sky-is-falling” response that is gaining its own unnecessary steam.

      There is no one on your current list that is not there because they have “legitimate interest”. Emphasis on the word legitimate! Relax and put on the kettle!

    • Rebecca Vincent

      Hi Mckenna – that’s very reassuring thank you. The phrase “sky-is-falling-in” is very apt for the epidemic of opt in emails that are circulating in the UK from large and small businesses. Artists are panicking and sending them out because they see other people doing it. They may consider that they didn’t follow all the rules when compiling their list in the first place – eg loading up all their contacts from their email address book. I’ve had several emails – I’ll forward one for you to see.

    • McKenna

      Yes, it is a very sad thing to see anyone be misguided and to see any examples of the frenzy. Reminds me a bit of the doomsday projections of the new millennium. Remember the rumors of the world collapsing because all “computers” would not accept the change from 1999 to 2000 and would stop working? Even our cars were supposed to just stop running!

      I just looked at the email you forwarded and it’s just plain sad to see. You say large businesses, too, but I have zero examples of “large” operations doing anything other than sending out an email (got one from SquareUp) letting its customers know that they are fortifying their data collection and storage to comply with the GDPR. Amazon, Etsy, and for that matter all the social media sites are examples of very large businesses that use email to communicate and none of them is issuing a demand for confirming opt-in.

      And that alone is all the proof anyone needs. The issue of small shops or studio artists who have had people sign up on a piece of paper is not even an issue because that is still an example of them having a “legitimate interest” in your business.

      The focus of the new regulations skews more towards data protection. It creates new standards for the collection and safeguarding of personal information from a citizen. Especially info that is “sensitive”. Getting the first name and an email address is not “sensitive”.

      Consider sending a link to this post to this person or anyone else you are seeing sending out these suicidal requests. They can undo this! They SHOULD undo this. Send them to me and I will try to set them straight.

    • Rebecca Vincent

      As well as a few small businesses, I’ve had opt-in emails from 3 major charities including Amnesty International and Tear Fund. They must have received legal advice about this – maybe their procedures for collecting emails were not robust. I’m still not really clear about what one should do about people on your list who were added without consent – maybe a customer or from an address book. They haven’t taken any positive step to opt in in the first place but have had plenty of opportunities to unsubscribe which is more passive. Under the new rules, the argument is that those people need to opt in or be deleted. That’s what people are saying and my own reading of summaries of the document would seem to support this. I’m definitely with your interpretation on this one but I can see why this data cleansing is taking place.

    • McKenna

      Per your comment, “Under the new rules, the argument is that those people need to opt in or be deleted. That’s what people are saying and my own reading of summaries of the document would seem to support this.” I don’t understand the “argument”. I would love for you to provide your sources and examples of summaries. I have combed hundreds of pages and see nothing of this sort in the regulations.

      Frankly, IF this were actually true, then Constant Contact, as the third party who is holding our agreements in place, would require – for their own protection – that an email is sent. That is not happening. They have complied with the legal requirements for an email to land in someone’s inbox already. However, they do have an email template available (similar to the one they created when the CASL rules were put in place), but there is no requirement by them that the template is used. AND there is no warning that people who don’t use the template will be thrown off of Constant Contact. In fact, it’s hard to even find the template.

      And with regards to Amnesty International and others, if a company feels there has been any exposure and they have hundreds of thousands on their list, this may be the prudent extra step to take. I would love it if you would send me an example of the AI or Tear Fund requests. And… Oh by the way…Just to add to the complexity, non-profits have a slightly different status in the GDPR.
      I will not be able to comment on every situation, but I can repeat myself and say again that if you have the “historical context” (a list you have been sending to that meets all the qualifications of privacy and proper collection and storage of data – i.e. a program like Constant Contact) and have used the proper legal protections/advisements of clear intent and provide the “right to be forgotten” (unsubscribe button in the case of emails), you have no reason to gut your list.
      The “argument” is not fact-based, it’s fear-based overkill. For very large companies with financial assets at risk, they may decide it’s overkill but worth the good night’s sleep. For me and most of those reading this, it’s simply not an issue. No one will “look into your account” (LOL – privacy issues, right) and have any way of “checking” for your compliance. The only way anyone knows that anyone has gone afoul of the regulations will be if a citizen of the EU files a formal complaint. Do you see that scenario in your future? I sure don’t.
      LOL… at this point, I have a lot of fodder for Part Two mixed into my answers! So thanks for helping me put together some responses!
      Lastly: this is directly copied from the regulation:
      Recital 171:
      “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”
      I hope that finally puts this issue to rest.

  5. Hannah Dorman

    Oh this is good to read…I am starting to fret about what to do!!

    • McKenna

      Be sure to read the previous post, too, Hannah. And as you are in the UK, you are likely inundated with scary stories about the big bad regulations. Take a deep breath and go find more homes for your amazing art! You are using Constant Contact and that alone has serious protections built into your email marketing. At your studio, just make sure that people who sign up in person (and don’t leave your “guestbook” sitting out in the open) to be on your list are sent an email to confirm they want to join your list. Or better yet, just use an electronic system to gather people’s emails on the spot.

    • Hannah Dorman

      Thank you Mckenna!…It seems so many are doing the opt in email…I won’t be. Everyone on my list has chosen to sign up. That’s a good idea about the guest book….I will look at a different system for that. I will share this on my groups. 🙂

    • McKenna

      Since you are in the UK, you are probably seeing much more activity, but I have seen plenty of examples also. If those who are doing re-permission emails were being less than proper, like using pre-ticked boxes or vague language, then they need to get proper “consent”. You are using Constant Contact, so the big “no-no’s” are rarely in existence. LOL… you would need to hack their templates to become UN-compliant!

