October 11, 2022

11 GDPR Marketing Mistakes and How to Fix Them

Although marketers always act in their customers' best interests, they may inadvertently compromise their customers' right to privacy when handling personal information. Below is a summary of the most common ones; if you find yourself doing any of them, this article will also give you ideas for how to fix your mistakes. 

Although marketers always act in their customers' best interests, they may inadvertently compromise their customers' right to privacy when handling personal information. 

Although marketers always act in their customers' best interests, they may inadvertently compromise their customers' right to privacy when handling personal information. 

If you do make a mistake, you're hardly to blame. After all, you're a marketer, not an attorney. However, in recent years, developments in data privacy legal regulations around the world have required marketers to learn a thing or two about that. That is what your users and data protection authorities demand from you. 

Yet several mistakes are consistently made by marketers. Below is a summary of the most common ones; if you find yourself doing any of them, this article will also give you ideas for how to fix your mistakes. 

1. Obtaining Uninformed Consent (Due to Non-Compliant Privacy Policy)

When you ask for a user's consent, you need to tell them what that consent is for. Most online businesses do this with a policy on privacy. It has everything users need to know about your privacy activities and lets users learn more about them. 

Some businesses, however, have privacy policies that are either misleading or lacking key details. Not all of them make clear what kinds of information are being handled. Others don't list every third party with whom they share information. Therefore, the user who has given consent for their data to be processed does not know what they are agreeing to. That means the consent is invalid and your use of the data is illegal. 

All of this was because of an inaccurate and incomplete privacy policy, or simply not showing any kind of privacy policy. 

To cut costs, many businesses just lift the privacy policies of their competitors or make their best attempt at writing them. Both often lead to noncompliance. 

Your privacy policy must be tailored for your business only and needs to be updated every time you change any of the following:

  • Types of personal data processed
  • Reasons for processing data
  • Third parties with whom you share data
  • How you process data.

If these changes aren't made on a regular basis, the consent given won't be informed and, therefore, won't be valid. Because of this, your actions amount to illegal processing.

2. Use Data for Wrong Purposes

When you collect personal data for one reason but use it for something else, you are abusing that information and violating the GDPR. Marketers typically mishandle their processing purposes in one of two ways: 

  • Uploading email addresses to Facebook business tools, and
  • Using Google Analytics data for remarketing on Google.

Having a clear goal in mind before beginning data processing is crucial. Additionally, you must explain to the user why you are collecting and using their personal data. 

Personal information collected for one purpose may be used solely for that one purpose. 

If you ask someone for their email address so you can send them a free PDF, you can only send them the free PDF. You need their permission for marketing purposes if you want to send them marketing materials or include them in your email campaigns. 

Some marketers also use Custom Audience or Lookalike Audience on Facebook, which requires them to upload an email list. You shouldn't give a user's email address to Facebook or any other advertising platform unless you have their explicit consent to do so. The GDPR expressly prohibits such behavior. If you get caught, Facebook will penalize you and compel you to delete all the email addresses of anyone who did not provide their consent to be added to your Facebook audience. 

Another mistake that marketers often make is using Google Analytics to keep track of people who visit their websites and then remarketing to them all over the internet. It is only allowed if the user has consented to both of the following purposes: one for analytics and one for marketing/advertising. If the only reason you got consent was for analytics, your remarketing campaign violates the GDPR. 

You can easily fix this by requesting their consent to use their personal data to advertise to them. Ask for permission to serve advertisements to the people whose email addresses you plan to upload to Facebook (a simple, unchecked checkbox will do), and only send advertising to those people. 

Visitors to your website should be separated into two groups: those who agree for their personal data to be used for Google Analytics, and those who agree for both Google Analytics and marketing purposes. That way, you'll be in compliance with the GDPR by only showing adverts to people who have explicitly consented to seeing them. 

3. Pre-Checked Consent Checkboxes

Your cookie banner's consent checkboxes or toggles must be unchecked by default. The law mandates that users take a clear and affirmative action when giving consent, therefore you can't start using cookies until they provide their consent. 

Until then, you shouldn't send cookies to the user's device, regardless of whether they've explicitly given consent or not. Create separate checkboxes for each intended use of data processing and respectfully request user consent for each one.

4. Obtaining Non-Specific Consent

User’s consent is valid only when specific. The user's permission is specific when it is given for a specific reason and only for that reason. 

You can't combine different reasons for processing under one consent. If you only have one reason for processing, you only need one consent. If you need to process data for three different reasons, you need three consents, and so on. 

Therefore, it is imperative to obtain separate consents for each processing purpose.

5. Bundling Terms and Conditions with Privacy Policy and Consent

Many marketers continue to be misled by the myth that once users accept privacy policies, then they're complied with the law. From a legal point of view, accepting privacy polices doesn't mean anything. But once you bundle T&Cs with consent, then you'll have violated the GDPR. 

The Terms and Conditions are a contract between you and your users. They can be used as a legal basis for processing personal data, but only the data needed to provide the goods or services. Accepting the terms and conditions does not mean that the user has agreed to receive your promotional newsletters or to have your cookies installed on their device. 

6. Using Cookie Walls

Cookies should only be used for good reasons, like making a website work better, learning about how people use it, and showing them relevant content. Still, you can't use cookies without the users' permission. 

Which is what cookie walls are for, but that's also a violation of the GDPR. 

A cookie wall is a cookie banner that blocks users from getting to the site's content if they don't agree to accept cookies. They have two choices: either accept cookies or leave the site. It's illegal to do that. 

If you want to market products and services in accordance with GDPR, you have to give users a cookie banner with buttons to accept, reject, and/or change their cookie settings. This banner should either: 

  • Let people get to the site's content without ever having to interact with it; or 
  • Users shouldn't be able to see the website's content without interacting with the banner, but they should be able to accept, reject, or change their cookie preferences. 

Cookie walls are forbidden. You have to let the user choose which cookies to use.

7. Not Enough Buttons on the Cookie Banner

Most marketers are confident that their cookie banner meets all relevant regulations. Despite this, many non-compliant cookie banners can be found published online. 

To have a cookie banner that complies with the requirements, you must, among other things, give website visitors buttons to accept or reject cookies, and maybe even let them choose how they want to handle cookies. 

EDPB guidelines dictate that the ACCEPT and DECLINE buttons have to be just as easy to see. You can't give one more attention than the other. Usually, there will be a big, colored "ACCEPT" button and a small, gray "DECLINE" button right next to each other. It's illegal to do that. Both the option to accept cookies and the option to turn them off should be easy to find and shouldn't use dark UX patterns. 

In summary, a cookie banner should prominently feature both an ACCEPT and DECLINE button.

8. Relying of Legitimate Interests for Advertising

Some marketers think that website analytics, marketing, and advertising are in the company's legitimate interests, so they can use all the cookies and pixels they want to track users. It's not like that at all. 

With the GDPR, "legitimate interests" are defined in a very broad way, which sometimes leads to wrong interpretations of the law. 

The GDPR asserts that it is not in your business' legitimate interest to put relevant ads in the social media feeds of your users. Neither is getting their IP addresses so you can track them on your website. This legal reason for processing data is only used to stop fraud and keep information safe. 

Cold outreach in marketing can only be based on legitimate interest, but only if you send personalized emails to people who haven't said they don't want to hear from you. 

You should not depend on legitimate interest for marketing purposes unless none of the other options apply.

9. Collecting Too Much Data

Data collection for the sake of "just in case" scenarios is prohibited by the GDPR. Marketers are eager to amass reams of data for potential future use, but doing so could lead to a lapse in compliance on your part. 

The GDPR requires you to follow the principle of data minimization. This means that you should only collect the minimum amount of data needed for your processing purposes. 

For example, if you ask people over 18 for their email address, you don't have to ask for their date of birth. All you have to do is ask them to check a box to show that they are no longer minors. That way, you can confirm that they are old enough for your campaign without having to process their date of birth. 

You can reduce the amount of data you need to collect by using the following framework: 

  1. Find out why you need to handle data. Assume it's for an email marketing campaign. 
  2. Find out what kinds of data you need for that goal. It's enough to know their email address and maybe their name for an email marketing campaign. You don't have to get their phone number or home address. 

All you need is just enough information to do what you want to do.

10. Storing Personal Data for Too Long

As mentioned earlier, collecting data "just in case" is prohibited. Storing data longer than necessary "just in case" is also prohibited by the GDPR. Most likely, you won't need that data anymore once you have fulfilled the purposes you declared in your privacy policy.

For each type of data you process, you must establish a data retention period. Consequently, if you process IP addresses for website analytics, email addresses for marketing purposes, and browsing behavior for marketing reasons, you must establish a data retention period for each of these data types. 

The length of time data is kept should be tied to why the data is being processed. It's time to delete those Black Friday campaign phone lists from your servers if you have no plans to use them. 

In addition to avoiding GDPR fines, you should get rid of any personal information you no longer need because it is a liability. It's vulnerable to breaches at any time, will get you into legal trouble, and won't provide any benefit. 

Here are some good ways to keep data from being stored for longer than necessary: 

  • Delete email addresses that do not open your emails for a certain period of time
  • Delete phone numbers that do not answer your calls for a certain period of time
  • Delete Google Analytics data from previous years (longer than 6-12 months)

11. Not Vetting Vendors

Data processors serve as your marketing tools. Assume that if they break the law while serving you, you are also breaking the law. 

The person or entity using the non-compliant marketing tools is liable for it. That's why it's crucial to thoroughly investigate any vendors. 

Every day, there are more and more helpful third-party tools made available, and the features of some of the most recent apps are really appealing. Some of the providers of these services, however, are very new and have not yet resolved issues with GDPR compliance. Since they are under your employ and you bear responsibility for their actions, it is exactly how they might lead you into noncompliance. 

Inquiring about their data processing agreements and data privacy and security procedures before beginning to work with them is a simple way to address this.