GDPR & List Building: the Essential Guide

The General Data Protection Regulation (commonly, GDPR) came into effect in May 2018. It impacts all businesses and organizations, everywhere in the world, that collect and process data from EU citizens. Meaning, it impacts most of us. The philosophy is pretty great—to better protect data, security, and privacy.

GDPR makes organizations accountable to a range of digital policies covering disclosures, security, and data handling. For the most part, these things are good for everyone. However, two areas where specific GDPR requirements can hurt more than help is your web form conversion rates and list building strategy.

We’ll look at ways to minimize that harm. But first—let’s take a closer look at the problem.

GDPR conflicts with web usability in two ways

1. Form simplification conflict: GDPR forces users to actively check a box to indicate that they have read your privacy policy before they can submit their personal details anywhere on your site. This can turn a simple interaction into an incredibly arduous one. ‘Checkbox fatigue’ is the unintended consequence of this requirement. Most people are likely to either: check the box without reading your policy, or not check the box and abandon the form. This ‘high barrier’ will hurt conversion rates on action forms and donation forms.
2. List entry streamlining conflict: Our brains have a cognitive bias for default options. If we want to subtly encourage supporters to join our email list, it pays to pre-check opt in checkboxes. However, many organizations have interpreted GDPR requirements to mean that opt in checkboxes must be unchecked by default. This will negatively bias choice against joining your list and harm your list building efforts.

While well-intentioned, these measures can harm your conversion rates—which harms your campaign, list-building, and fundraising efforts—which harms animals.

You really have no choice but to serve GDPR-compliant web forms to supporters in the EU. However, it’s entirely up to you whether to extend these restrictions to everyone. Of course, a one-size-fits-all approach may be easiest to implement. But if many of your supporters live outside the EU, forcing all visitors to use GDPR-compliant forms can be costly to your mission.

Decision time: Global Standard or EU-Isolation Strategy?

When it comes to implementing GDPR, organizations have two choices: a global standard strategy, or an EU-specific (geo-isolation) strategy. There are pros and cons to geo-isolation.

Pros:

• Retain greater control over how to handle more of your data and web user experiences

Cons:

• A lot of work and double-handling
• It’s expected that other regions will adopt similar standards in future which will create more complexity

It’s hard to make a case for maintaining two entirely separate approaches to the management of personal data. Most of what GDPR requires—user data access rights and robust security measures—is universally positive, after all. However, if you are protective of conversion rates, it makes a lot of sense to consider a dual approach for web forms. Geo-fencing can allow you to keep your web forms compliant within the EU, whilst containing the harm that GDPR does to conversion and list building efforts elsewhere.

Geo-fencing your GDPR form elements

Geo-fencing is the practice of serving region-specific web content to visitors based on their location. This simple coding principle makes it easy to isolate where your GDPR forms appear. If you’re new to this technique, follow these steps to create a simple geo-fence.

With your EU geo-fence in place, here’s what the end of a form might look like to supporters within the EU:

And to everyone else:

Pro tip: keep the code re-usable and modular—use a single function to define your GDPR geo-boundary throughout your site. That way you can easily accommodate any future expansion of GDPR-style regulations in other jurisdictions.

Please appreciate that this is a simple coding principle—not legal advice. It’s worth noting that some organizations have interpreted the GDPR requirements slightly differently. If you’re unsure about how GDPR applies to you, it’s a good idea to seek legal advice.