We’re always trying to anticipate customer questions. But at the end of the day, it’s our customers’ actual questions and feedback that help us make MailerLite a better email marketing solution.
We received tons of insightful and unexpected questions from customers in our recent GDPR webinar. We curated the best questions and created this Q&A to help everyone make the most of their Email Marketing.
In addition to answering 99 questions, we created this video featuring the 17 most popular questions.
You can jump directly to different categories if you don't want to read all 99 questions. Feel free to share this Q&A with your colleagues so we can all get through this crazy GDPR transition together.
1. Does the EU have jurisdiction in the U.S. to enforce GDPR?
A company is subject to the GDPR if it processes personal data of an individual who is in the EU, regardless of whether the processing takes place in the EU or not.
2. Does GDPR apply for all EU citizens regardless of where they live?
The word "citizen" never appears in the GDPR. It's all about being "in the Union". Your nationality or permanent address does not matter. GDPR applies to people who are in the EU. If you are an EU citizen but live abroad, then GDPR doesn't apply to you. So the best tool for you is to sort your subscribers by location / IP address.
3. Does GDPR apply to me if all my clients are in the U.S.?
If you are based in the EU, then GDPR applies to you. You need to have the proof of your subscriber consent. Article 3 says: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
4. Do I need to send the GDPR confirmation email to Non-EU countries such as the USA?
If you are based outside the EU, you do not need to worry about subscribers outside the EU. However, GDPR applies to you if you are based in the EU.
5. Can I send a revalidation email after May 25th?
It is not clear what the Data Protection Authorities think about sending revalidation emails after the 25th of May, 2018. From our point of view, if you didn't get your subscribers' consent before that date, you shouldn’t contact them. Remember, you only need to revalidate subscribers that have not given you permission.
6. I have 5000 subscribers who did not revalidate. How do I ‘forget’ them?
You don't need to "Forget" them if they didn't ask to be forgotten. GDPR gives new powers to users and one of them is the "Right to be forgotten". But the user has to contact you by email/phone and ask to be forgotten. That said, you can’t send them emails without their consent.
7. How can we give users access to their personal data when requested?
You need to show all of the user's information that you process. It can be via PDF file or another format file that they can read. The main point is to show that person all of their data.
8. How does Brexit affect UK companies?
The GDPR will apply from the 25th of May 2018. The UK doesn’t leave the EU until April 2019, so GDPR will continue to apply in the UK. The relationship between the UK and the EU after Brexit is still uncertain, however, the GDPR will still be applicable to UK businesses that process the data of people in the EU.
9. What happens if people do not confirm they would like to stay on my list? Are they automatically removed from the system after the 25th or do I manually go and remove them?
The people who do not confirm their email address will remain on your existing email lists. You will need to manually remove them from your account.
10. How are small businesses likely to be affected? Also, I am not an EU or US citizen. How would anything be enforced against me anyway?
A company is subject to the GDPR if it processes personal data of an individual who is in the EU, no matter the size, industry or country of origin of the business. If you do marketing for EU subscribers, GDPR applies to you as well. Enforcement will be done with the aid of international law enforcement.
11. Do individuals (not associated with a company) need to follow GDPR?
No, GDPR applies to you if you process personal information and you are processing it as part of an enterprise. Article 4(18) defines an enterprise as ‘a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity’. So basically, it seems that if you are any kind of organization (public or private) and processing personal data, GDPR does apply to you.
12. Can businesses store prospect data? For example, I research and find the contact emails of my potential customers to send them sales emails.
GDPR is about protecting a person's data. If you would like to store local businesses' contact information, in this case, GDPR wouldn't apply to you because that contact information represents a legal entity.
13. I transferred emails from another service. Do I need to do anything to those emails (no IP addresses or other info was transferred) to be GDPR compliant?
According to GDPR, you have to be able to demonstrate that the person gave his/her consent. Try to contact your previous email provider and ask them to provide that information. If you gained your users' consent legally, you don't need to do so again. That said, you still need to prove it.
14. What are the consequences of a GDPR violation? Will there be a warning?
It depends. The Data Protection Authorities say they will address potential violations on a case by case basis. There could be fines or other non-financial reprimands like a temporary or permanent ban on data processing or a suspension of data flows to a third-party country. Warnings are possible too.
15. Is there a possibility of attorneys using GDPR to collect settlements or are violations handled solely through the Data Protection Authority?
As far as we know, you can make a complaint directly to your national data protection authority or you can also choose to file a case directly in court against a company. So attorneys most likely can collect settlements on behalf of their clients.
16. I heard the fines are only to be applied in two years. Is it safe to assume that the next two years will be a period of adaptation to the law?
We wouldn't be so sure. The GDPR doesn't need to be implemented in national law, and it came into force after giving you many months to prepare.
17. If there is a data breach or my website is hacked, who exactly do we report this to and how?
GDPR says (Article 33): In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
18. What happens if my company is not compliant by May 25, 2018?
From our point of view, it will be acceptable for businesses to show meaningful progress towards compliance, but keep in mind that GDPR doesn’t state that this will protect from prosecution.
19. If recipients are based in Norway or other non-EU European countries, does this new GDPR apply?
Norway is a member of the European Economic Area (EEA) and requires a different procedure. The process of implementing the GDPR in Norwegian law is currently under scrutiny. What is true in Norway, as in the other EU and EEA states, is that they must secure a "consistent and homogenous application" of the GDPR so that the rules on the processing of personal data are equivalent in all the EU and EEA states.
20. If I have consent, do I still need to include an unsubscribe link on every marketing email?
GDPR states that all email marketing messages must clearly communicate how a recipient can remove his/her data from your list. An unsubscribe link is a best practice to achieve this.
21. What is the biggest difference between GDPR and the old rules?
There needs to be much more detail in your opt-in forms with explanations of why the data is being collected, what it’s going to be used for and who might have access to it. Consent now needs to be explicit and unambiguous: no implied opt-ins or pre-ticked consent boxes.
22. Do we need to appoint a Data Protection Officer for our company?
Under the GDPR, you must appoint a Data Protection Officer if:
23. Can I still put automation triggers on my blog and website that send my subscribers emails?
Yes, as long as those people on your list have given consent to receive emails from you. Once you have consent, you can use all of your email marketing best practices.
24. Do I need to implement double opt-in for GDPR compliance?
No, the GDPR doesn’t make it mandatory, however, as the regulation has such high standards for consent, it is a good option to ensure you are compliant.
25. Can I still personalize my email marketing with the subscriber’s real name and other personal info?
If you have proof of consent for emails, you are still allowed to send personalized emails.
26. What does the proof of consent need to include?
While there is a lot of vagueness regarding specific proof of consent, GDPR says that the burden of proof is on you to provide documentation proving that a subscriber agreed to share their data. That said, it doesn't specify any particular points. From our point of view, you should have:
When you use MailerLite signup forms to acquire subscribers, we capture IP address, location, date, time, and the source of the consent form. This information will solidify your documentation of where, when and at what time your subscribers consented.
27. Is consent the only legal ground for GDPR?
You must have legal ground to send emails to your subscribers, but that can be through consent, contract, legal obligation, vital interests, public task, or legitimate interests. For email marketing, consent is the most common legal ground, but not the only one.
28. What exactly is ‘legitimate interests’?
Consent isn’t your only legal ground. Legitimate interests could be a good option. It basically means that you have a right to carry out commercial activities such as direct marketing. The requirements of using this legal basis are that you have a relationship with the consumer and that they would reasonably expect you to carry out the specific kinds of data processing you are employing.
29. I have opt-in dates for all my subscribers, but not IP addresses and certainly not screenshots of the opt-in form. Can you clarify if these are legally required by GDPR for all past subscribers?
There are no clear legal requirements for proof of consent. The only thing GDPR says is "The burden of proof is on you to provide the documentation proving that a subscriber agreed to share their data". From what we see in the market and based on what is technically possible, we recommend having a timestamp, IP, source and the screenshot of the form.
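As an added example (not MailerLite code, and not from the original post), here is how the proof-of-consent fields recommended in Q26 and Q29 can be turned into a triage of an imported list: keep the subscribers whose consent can be demonstrated, revalidate the rest while there is still time, and suppress them after the deadline. The field names, the customer flag and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Dict, List, Optional

# GDPR application date used as the revalidation cut-off (Q5, Q36).
DEADLINE = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    """What a consent proof should carry (Q26/Q29). Field names are assumptions."""
    timestamp: Optional[datetime] = None  # when the person opted in
    ip: Optional[str] = None              # IP seen at opt-in (absent for paper forms)
    source: Optional[str] = None          # e.g. "mailerlite_form", "paper_form", "verbal"
    evidence: Optional[str] = None        # form screenshot or scanned signature (id/path)


@dataclass
class Subscriber:
    email: str
    consent: ConsentRecord = field(default_factory=ConsentRecord)
    is_customer: bool = False  # existing client: legitimate interests may apply (Q27/Q28)


def has_demonstrable_consent(c: ConsentRecord) -> bool:
    """True when the record could be produced as proof that the person agreed.

    Minimum taken here: a timestamp, a named source and at least one corroborating
    artefact (a syntactically valid IP or a screenshot/scan). A paper signature
    (Q31) has no IP but does have the scan; a verbal "yes" (Q32) has neither.
    """
    if c.timestamp is None or not c.source:
        return False
    ip_ok = False
    if c.ip:
        try:
            ip_address(c.ip)  # a malformed IP is treated as absent, not as proof
            ip_ok = True
        except ValueError:
            ip_ok = False
    return ip_ok or bool(c.evidence)


def classify(sub: Subscriber, now: datetime) -> str:
    """Return keep / revalidate / suppress, following the answers in this Q&A."""
    if sub.is_customer:
        return "keep"        # legitimate interests, no consent needed (Q28, Q66)
    if has_demonstrable_consent(sub.consent):
        return "keep"        # proof on file: no revalidation email needed (Q35)
    if now < DEADLINE:
        return "revalidate"  # still time to ask before the deadline (Q5)
    return "suppress"        # no proof after the deadline: remove from the list (Q58)


def triage(subs: List[Subscriber], now: datetime) -> Dict[str, List[str]]:
    """Group a whole list by outcome, preserving list order inside each group."""
    out: Dict[str, List[str]] = {"keep": [], "revalidate": [], "suppress": []}
    for s in subs:
        out[classify(s, now)].append(s.email)
    return out


# Constructed sample list (not real subscribers); IPs come from an RFC 5737 test range.
T = datetime(2018, 3, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE = [
    Subscriber("alice@example.com", ConsentRecord(T, "203.0.113.5", "mailerlite_form")),
    Subscriber("bob@example.com", ConsentRecord(T, None, "paper_form", "scan-0042.pdf")),
    Subscriber("carol@example.com", ConsentRecord(T, None, "verbal")),  # Q32: no artefact
    Subscriber("dave@example.com", ConsentRecord()),                    # Q13: nothing transferred
    Subscriber("erin@example.com", is_customer=True),                   # Q66: bought from the shop
    Subscriber("frank@example.com", ConsentRecord(T, "not-an-ip", "mailerlite_form")),
]

if __name__ == "__main__":
    for when in (DEADLINE.replace(month=4), DEADLINE.replace(month=6)):
        print(when.date(), triage(SAMPLE, when))
```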
You have to be able to demonstrate that each person gave their consent. If you have proof of consent, then you do not need to revalidate. But there is another legal ground. If subscribers are considered your clients, then you don't need to ask for consent. You may process your subscribers’ data on the legal basis of legitimate interest.
31. Is a written consent on a piece of paper a valid proof of consent?
Yes, signing a consent statement on paper is a valid proof of consent.
32. What if I received verbal consent to add a name to my list. How do I deal with this?
In this case, you probably won't have a proof of consent. Keep in mind, if your subscribers are your clients, you don't need a consent. You may rely on legitimate interests. That said, the individual should reasonably expect you to use their data in that way.
33. What if someone signs up at a trade show on a newsletter and marketing campaign list?
Signing a consent statement on a paper form or an iPad is valid proof of consent. You don't need to ask for it again. According to GDPR, you have to be able to demonstrate that the person gave his or her consent.
34. Can I send out an email asking people to unsubscribe instead of asking them to consent? If they don’t unsubscribe, then they are consenting.
Under GDPR, you have to get an active consent. This approach is not appropriate.
35. If a subscriber doesn't respond to the GDPR revalidation email, BUT I have proof they subscribed — can I continue to send them emails?
Yes, you can continue to send emails. If you have proof of consent, there is no need to send them revalidation emails.
36. Can I email subscribers from several old lists that are no longer active for their consent after May 25th?
We don't know what Data Protection Authorities think about sending revalidation emails after the deadline, May 25th. From our point of view, if you didn't get your subscribers' consent before the deadline, you won't be able to contact them.
37. How do I find out where my subscribers are from if I imported my list from a different provider? I don’t want to unsubscribe a whole bunch of people if they’re not in the EU.
GDPR says that you need to have a proof of your subscriber’s consent. If you don't have it, you can't contact them. Try to contact your previous company and ask them to provide the information that wasn't transferred.
38. Does subscriber consent have an expiration?
No. There is no official timeframe within which consent will expire. As long as you have a clear way for users to unsubscribe, consent is indefinite until the subscriber requests otherwise.
According to privacy laws, you have to clearly describe how you plan to use your subscribers’ data, including for your use of third parties like MailerLite. We recommend stating each data processor separately and clearly explain how and why they are using the data.
You can find it in our blog post here.
There is still a lot of vagueness in this realm, but we think that you could use a link to your and our privacy policies.
45. Do I need to change all of my subscription forms with GDPR language?
You only have to make changes if you use your subscriber data for more than one thing. If you are using data beyond email such as SMS, Facebook ads, retargeting, etc., you need to be explicit and allow for active consent.
46. Do I need to use checkboxes if my newsletters sometimes contain advertising messages or promotions?
No. If you are only sending newsletters and they include special offers, it is still considered a newsletter. You can’t use their data for other purposes, such as targeted advertising, SMS, Facebook ads, etc.
47. Do we need to have a checkbox to get permission for Facebook ads?
Yes, according to GDPR you have to give the individual the option to tell you that they are happy to receive marketing from specific channels like Facebook.
48. I have a couple of opt-in forms on my blog. I only collect first name and email. Do I have to include the marketing permissions on the confirmation subscription page?
You don't need those additional Marketing Permissions if you only collect subscriber data for one purpose, such as sending them email campaigns. Make sure your subscribe form clearly states what they will be getting with consent.
49. Do we need to add a checkbox "I am 16 years or older" on all forms? If not, in which occasions do we have to add it?
There is still a lot of vagueness about this. We believe EU authorities will develop further specific guidance on child privacy. If companies market to minors, then we think they should consider adding age verification or parental consent options to their forms.
50. When I request emails via iPad, the IP address is not from my customers. Is it still compliant?
It is not necessary to ask your customers to provide their information from their own IP address. If you use the MailerLite iPad subscriber app, their information is automatically uploaded to your MailerLite account.
51. Is there an advantage of having double opt-ins?
While it’s up to you, there are advantages to using double opt-in for your email lists. Double opt-in gives you a stronger paper trail of proof of consent.
52. If someone doesn’t tick the checkbox for ‘marketing permissions’, does that mean I can’t offer a lead magnet? But I can’t email them to promote?
It depends on the wording. If you offer a lead magnet in exchange for their email, add a checkbox underneath asking people to consent to receive emails. They won’t get the lead magnet without consenting. Or you can explicitly state, "To receive this (lead magnet), please subscribe to my newsletter". In this case, then there's no need to add a checkbox because you make explicitly clear that the lead magnet is being offered in return for joining the email list.
53. Will the GDPR checkboxes in my MailerLite opt-in form be visible only to EU visitors or to everyone?
Checkboxes will be shown to all visitors.
54. I collect email addresses to send people updates about my blog posts and shop. Do I still need to have the checkbox in my sign up forms?
No, you don’t need the additional checkbox.
55. So users can subscribe just by entering an email without a checkbox, and that's OK with GDPR?
Yes. As long as you are asking them to consent to one thing, such as receiving your newsletter.
56. I have consent for email, but in the future I plan to extend my marketing channels. Can I email my subscribers to ask them for permission for other marketing channels, such as advertising or social media?
Yes, that is the proper way to do it. It is important to understand that you need specific consent to process users’ data for other purposes.
57. Regarding cookies, do we need to give people the option to opt out or will the "accept" button work?
Both options are appropriate. Consent must be given through a clear affirmative action. Simply visiting a site doesn’t count as consent. Keep in mind that after getting valid consent, websites must always provide people the option to change their mind.
58. What happens to subscribers that are currently in the middle of an autoresponder series who didn’t reconfirm their consent?
If you don’t have proof of their consent and did not receive revalidation before May 25, 2018, you won’t be able to contact them. You should remove them from your email list. Keep in mind, it’s not necessary to delete all their data unless they specifically request to be forgotten.
59. We don’t have proof of consent for many subscribers, but they open more than 70% of our emails. Do we still need to ask them for confirmation?
According to GDPR, you need to be able to provide proof of consent. Open rate is not sufficient proof of explicit and active consent.
That's a great way to get all the needed permissions. We don't know for sure what the Data Protection Authorities would say, but we think that you could use links to the privacy policies instead of checkboxes.
61. We have email addresses from people who contacted us asking for product information. We want to send them our newsletters. Do we need any consent from them?
If your newsletter provides product information, then we believe you can rely on legitimate interest as a legal ground. The individuals reasonably expect you to use their data in that way, so you don't need to get additional consent.
62. Is it necessary to send the revalidation request by the 25th of May, or do I have a few weeks to get it?
The Data Protection Authorities have not been clear, but Google and Facebook both received violations on the first day after the deadline. From our point of view, you are no longer allowed to contact your subscribers without proof of consent.
63. I send emails to people who bought something from my store. In every email, I state, ‘You receive this message because you have registered on our website or made purchases from us.’ Am I allowed to continue sending them emails?
Under GDPR, you need to have at least one legal ground for that. GDPR provides 6 possible grounds: consent, contract, legal obligation, vital interests, public task, legitimate interests.
If your subscribers are your clients, you don't need consent; you can rely on legitimate interests. The individual should reasonably expect you to use their data in that way. Based on the information you provided, we think that you are safe.
64. We collect emails from journalists and other industry contacts. This data is openly available (newspaper websites, organization websites, company websites). Are we allowed to have these emails or do we need to ask permission to have them?
From our point of view, you don't need their consent if you are processing their personal data for purposes that are directly connected to why the data was made public.
65. If someone opts in to get a lead magnet and I plan to send them emails promoting other products in the future, can I simply state it on the opt-in form?
It is not enough just to state it. You have to get a consent for every extra data processing purpose.
66. Can I send newsletters to all my customers who bought something in my webshop?
If your subscribers are your clients, you may rely on legitimate interests. But the individual should reasonably expect you to use their data in that way.
67. Can I send cold emails to people under GDPR?
Yes, you can send cold emails to people at companies under GDPR. They need to be B2B emails that meet the requirements for establishing a legal basis, i.e. you have a strong reason to claim that the company the person works at will benefit from your offer. That said, unrequested marketing materials cannot just be sent out to random email addresses. There needs to be a logical connection.
68. Do I need to include something in my Terms and Conditions if I plan to use my customers’ email addresses to send them newsletters?
According to GDPR, you need to have a legal basis for personal data processing. In your case, if your customers made a purchase from you then you can rely on legitimate interests. You are allowed to send them direct marketing emails. But keep in mind, this rule applies only in case data subjects bought something from you. It doesn't apply to passive users. In your Terms and Conditions, you could indicate that if a customer makes a purchase then they will receive direct marketing emails. You should also state that the person is able to unsubscribe from your emails any time.
69. If an EU citizen unsubscribes from a mailing list, am I allowed to send an unsubscribe confirmation email at the point of unsubscribing?
Well, it’s tricky. When a person unsubscribes, he/she is confirming that they don’t want to receive any emails. But on the other hand, an unsubscribe email is confirmation. A safe option is to not send emails. It would be better to lead the person to a landing page that confirms their action.
70. What are we supposed to do with the Data Processing Agreement? Is it for my records or do I need to post it on my website?
You need to sign it, but it does not need to be posted on your website. You can find and sign our agreement here: MailerLite Data Processing Agreement
71. Do we have to send back the signed Agreement? If so, by mail or email or fax?
No, you don't need to send it back to us. Our system captures the signature.
72. When we receive consent from users on our website, should we inform MailerLite?
You don't need to inform us. The burden of proof is on you. If you use MailerLite opt-in forms, you will be able to secure more proof, such as location data.
73. Is there a way to discover location based solely on an email address?
Typically, an email address is not enough information to discover a location. If a user subscribes with a MailerLite form, their location is automatically tracked. This is not the case if you import your own list.
74. How can MailerLite establish whether subscribers are EU citizens or not?
GDPR is not about EU citizens. It’s about people in the EU. If subscribers sign up with a MailerLite form, our location tracking capabilities can determine if the person is signing up from an EU country. We can then segment them into a special GDPR group.
75. I transferred all my emails to MailerLite and do not have location data. Do I need to revalidate my list because I don’t know who is in the EU?
First, you must have proof of consent from those subscribers. From our point of view, it is safest to treat all of those subscribers as if they were in the EU. For future subscribers, you can use MailerLite opt-in forms to get location data.
76. Does MailerLite have a Privacy Shield Certification?
One advantage of being based in the EU is that we are able to stay ahead of new European developments, and we’re not required to apply for a Privacy Shield Certification. We already adhere to higher standards because we are an EU company.
77. Where are MailerLite's servers situated?
Our servers are based in the EU and are GDPR compliant.
78. When tracking MailerLite campaigns with Google analytics, do you anonymize the IP addresses?
No, we don't anonymize anything. When a subscriber clicks any link in the campaign, MailerLite redirects the subscriber to the link destination. Services like Google Analytics collect the data from the subscriber's browser.
79. What’s the max data retention for customers in an email list?
All data is saved until it's deleted. In other words, we don't delete any data unless it's requested.
80. Does the MailerLite GDPR form automatically create a new list?
Yes, you should have a new "GDPR compliance" segment in your mailing list.
81. I would like the option to remove multiple subscribers at once. Will this feature come soon?
If you are in the subscriber list, you can choose to bulk delete. If you are in a group, you can bulk remove or delete subscribers too. Just tick some emails and press the action button to see how it works.
82. Can you segment those people who check the different options on that form?
Yes, you can segment using our subscriber management tool. Create a segment using a condition like “Custom field marketing permissions contains [your options].” You can find more details about segmentation here.
83. I sent out a GDPR revalidation email to every subscriber. I want to send a reminder. How can I tell which subscriber clicked the opt-in so I can exclude them from the reminder email?
When selecting recipients for your campaign, exclude the GDPR Compliance group.
84. Many of my subscribers didn’t respond to the GDPR revalidation email, BUT I have proof they subscribed via a MailerLite signup form. Can I continue to send them emails?
Yes, you can continue to send emails. If you have used MailerLite signup forms to acquire subscribers, then you will have a record of consent. You didn't need to send the revalidation email to those subscribers.
85. What is the difference between Delete and Forget?
When you use the Delete function in the subscriber section, the information is not entirely removed. If that person later subscribes again, his/her history is still there so you don’t have to rebuild their profile. The Forget option completely wipes a person’s data from our system in order to comply with GDPR’s right to be forgotten.
86. Can the Forget feature be automated the same way Unsubscribe is through a link in an email?
No, it's only manual. We also include a second confirmation to avoid mistakes. The Forget option completely wipes user data forever. You should only use the Forget feature when a subscriber asks to be forgotten.
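To make the Delete/Forget distinction from Q85 and Q86 concrete, here is an added example (not MailerLite's implementation, and not from the original post) of a subscriber store where the profile and the engagement history live in separate structures: Delete only changes the profile's status, so a returning subscriber keeps their history, while Forget must purge every structure and refuses to run without a second confirmation. The class, method and field names and the sample address are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Profile:
    email: str
    status: str = "active"          # "active" or "deleted"
    consent_ip: Optional[str] = None


class SubscriberStore:
    """Subscriber profiles plus a separate engagement log (opens, clicks).

    The split matters: Delete only touches the profile, so history survives
    for a returning subscriber; Forget has to purge every place the person's
    data lives, which is why it is manual and double-confirmed (Q86).
    """

    def __init__(self) -> None:
        self._profiles: Dict[str, Profile] = {}
        self._events: Dict[str, List[str]] = {}

    def subscribe(self, email: str, ip: str) -> Profile:
        p = self._profiles.get(email)
        if p is None:
            p = Profile(email=email, consent_ip=ip)
            self._profiles[email] = p
        else:
            p.status = "active"  # re-subscribing after Delete: profile restored, history kept
            p.consent_ip = ip
        return p

    def record_event(self, email: str, event: str) -> None:
        self._events.setdefault(email, []).append(event)

    def delete(self, email: str) -> None:
        """Q85 Delete: drop from the active list but keep the record."""
        self._profiles[email].status = "deleted"

    def forget(self, email: str, confirm: bool = False) -> Optional[int]:
        """Q85/Q86 Forget: wipe profile and history, returning the number of records purged.

        Without confirm=True nothing is touched and None is returned; that is
        the second confirmation step. 0 with confirm=True means the address
        was not known to the store.
        """
        if not confirm:
            return None
        purged = 0
        if self._profiles.pop(email, None) is not None:
            purged += 1
        purged += len(self._events.pop(email, []))
        return purged

    def active_emails(self) -> List[str]:
        return [e for e, p in self._profiles.items() if p.status == "active"]

    def history_of(self, email: str) -> List[str]:
        return list(self._events.get(email, []))

    def holds_data_for(self, email: str) -> bool:
        """The check to run after a Forget: nothing should remain anywhere."""
        return email in self._profiles or email in self._events


def walkthrough() -> dict:
    """Run both paths on one constructed address and report what remains at each step."""
    s = SubscriberStore()
    s.subscribe("alice@example.com", "203.0.113.9")  # constructed test address and IP
    s.record_event("alice@example.com", "open:campaign-1")
    s.delete("alice@example.com")
    after_delete = (s.active_emails(), s.history_of("alice@example.com"))
    s.subscribe("alice@example.com", "203.0.113.10")
    after_resub = s.history_of("alice@example.com")   # history still there
    refused = s.forget("alice@example.com")            # no confirmation: nothing happens
    purged = s.forget("alice@example.com", confirm=True)
    return {
        "after_delete": after_delete,
        "after_resubscribe": after_resub,
        "refused_without_confirm": refused,
        "purged": purged,
        "data_left": s.holds_data_for("alice@example.com"),
    }


if __name__ == "__main__":
    print(walkthrough())
```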
87. How do I find IP address and location information on existing subscribers?
MailerLite displays this information in your subscriber profiles. It is important to note that you can only get this data from users who subscribe through MailerLite forms. The good news is that this data is available for both your new and old subscribers.
88. How confident is MailerLite that the subscriber location details are correct?
We get location data from the subscriber IP address when subscribers opt in through our form or confirm through a double opt-in email. The location data is a highly probable prediction. There is always a chance that a subscriber is using a VPN, which shows a different country from the one they are actually in.
89. How do we unsubscribe hundreds of subscribers at a time who have not re-opted in?
There is no need to unsubscribe hundreds of subscribers who have not re-opted in if you collected them in the proper way and have proof of consent. But if you have to unsubscribe them, you can use our Filters to change the status of subscribers.
90. I'd like to change from single opt-in to double opt-in. How can I do that?
It depends on where you want to change it. For the forms created in MailerLite, there is a button for it in the form. If you use forms through integrations, then you need to click your profile icon and check the subscriber settings.
91. How do you add an opt-in checkbox to landing pages?
Checkboxes are available in newly created landing pages only and can be added when editing “Signup Form” or “Pop-up Form” blocks.
92. Can we translate the MailerLite compliance text in the opt-in forms?
The easiest way to do this is to delete the English text and add the translated version.
93. We use a Privy pop-up to get new subscribers, which is automatically integrated to MailerLite. But I only see the date of subscription and how the person subscribed. What about location?
We capture IP address, location, date, time, and the source of the consent form ONLY when you use MailerLite signup forms to acquire subscribers.
94. If I have a subscribe button on my website that links to MailerLite, does MailerLite still gather the location info? Should I add a place on my website for subscribers to enter their location?
If you use a MailerLite signup form to acquire subscribers, we capture IP address, location, date, time, and the source of the consent form. In this case, you don’t have to ask for location info. We recommend just asking for name and email to avoid form fatigue.
95. Do I need to use the MailerLite signup form on my website? Where do I find the right form on MailerLite?
You are not required to use MailerLite forms, but our forms give you the added proof points of consent like location, time and source of consent. You can find the GDPR options in our forms settings. Check out this blog for detailed instructions.
96. Is the GDPR option with checkboxes mandatory for pop-ups and landing pages?
It depends on the situation. If you are asking someone to give consent to one thing, you can use a few sentences instead of checkboxes. Checkboxes are required when you are offering more than one thing. For example, if you ask the user to receive your newsletter and also use their data for targeted advertising, you need two clear options for consent. In this case, checkboxes should be used.
97. I just added the GDPR options to my forms. Will there be something recorded in MailerLite to prove that the new subscribers have opted in?
When you use MailerLite signup forms to acquire subscribers, we capture IP address, location, date, time, and the source of the consent form. This information will solidify your documentation of where, when and at what time your subscribers consented. MailerLite displays this information in your subscriber profiles. Keep in mind that you can only get this valuable proof from users who subscribe through MailerLite forms.
98. How can I automatically segment my GDPR subscribers in MailerLite?
It depends on the situation. If you are using MailerLite subscribe forms, you can segment them by location to get EU subscribers. If you are using different forms, you can add subscribers to different groups or use custom fields (including Hidden field) to segment them.
99. Is there a way to set up different opt-in forms for people in the EU vs. outside of the EU?
The short answer is no. We can help you create opt-in forms for your website, blog or social media pages, but we can’t create forms that dynamically change based on where the visitors are coming from.