Hey Karen,

When it comes to Privacy Policies (or anything legal) I'm pretty nervous to give any advice. I am definitely not the guy to ask as I barely understand it all myself. 

I will say that in more than a decade working online I have not heard of a single case of people getting in trouble for mistakes in a privacy policy, unless they were doing pretty egregious stuff. Still, it is a legal document, and does technically have consequences. 

My approach is to just answer very liberally. Not sure if you use cookies, answer yes. Etc.

You can also take language from the privacy policy and search it in quotes to find others using the policy and see what they do in areas you are not clear on.

For me, analysis tools would be clicky and Facebook. Internet advertising would be Facebook, Instagram, Twitter, and partner sites. Affiliate marketing would be 1shoppigcart. But again, the answers would be different for everyone. Just answer liberally, and your lawyer can steer you right. I'd expect him/her to tear the while thing down, tell you it's all wrong, then give you their template. Usually that's what they do no matter what. But I'd be curious what you get back.

As for Aweber's double opt in... According to the first random source I Googled "It is not a requirement in the GDPR legislation to have double opt-in. You do not NEED double opt-in for GDPR to ensure compliance and consent.". 

However, you are correct, over the last year I have been seeing my open rates going down on the welcome email with most clients. In almost every case when I turn on the double opt in my open rates sky rocket. And intuitively, my conversion costs and rate usually get better as well. 

I believe what has happened is that Facebook's algorithm has got so good that when we have it turned off we train Facebook to target people more likely to enter fake email addresses, or addresses they don't monitor, thus driving all stats down in time. Just remember that if you turn it on, you will want to create a new ad campaign, because they old one will already be trained on the old segment.

That make sense?

As a guy who teaches this stuff for a living there are some liabilities involved, should I give anyone any kind of legal advice. For that reason I sound very conservative in all of my answers so that my replies are as accurate as they can possibly be.

But my personal approach is very much in line withe Eyvindur's.

But-I-am-not-qualified-to-give-legal-advice-so-be-sure-to-check-with-a-lawyer-if-you-want-to-be-certain-you-are-compliant-with-the-law 🙂

My understanding is that the Pixel is a a small image file that is placed on your site that records user activity to certain extent, and that cookies are bits of code that actually get installed on the users computer, and the two are different (the the term "cookie" is thrown around pretty loosely to mean both. And I thought one could turn off cookies but still get pixeled (though I might be wrong), but I have also read that the Facebook Pixel drops a cookie. So I have no idea. Just say ye to everything. It'll work out 🙂

***My lawyer has advised me to stress that I am joking and that always saying yes to everything will probably not always work out. Say yes at your own risk.

For sure. I'm pretty sure they are different but connected. But I'm also an idiot when it comes to the tech side of things, so I could be wrong. At the end of the day, the privacy concerns are the same.

\m/

Thanks Karen. I was bracing myself to be told everything I have told you is wrong. Happy to see that we are all more or less in line with his advice. Far be it from me to challenge a lawyer, but I actually don't know that he is 100% about the double opt in requirement, or that it is quite as strict as he is stating.

This from Aweber (I have seen similar sentiments expressed in many places)...

Myth #3: “I need to use double opt-in to be compliant with the GDPR.”
Double opt-in (a.k.a confirmed opt-in) is when your subscribers sign up for something — like a newsletter — and then they’re asked to also confirm their subscription.

Some “experts” are stating that the GDPR requires double opt-in to prove consent.

This is incorrect.

As I mentioned in myth #1, the GDPR simply requires that you can prove the compliant consent. The act of entering personal information into a signup form and clicking “submit” can be considered an affirmative action, as long as the subscriber was clearly and directly informed of what they are accepting.

However, double opt-in is not necessarily a bad thing. There are lots of great reasons to use it, including better subscriber engagement and deliverability. You just don’t need to use it to be compliant with the GDPR.

But regardless, I am turning double opt in on, on just about everything lately. Everything just performs better when I do.

Thanks for sharing that Karen!

I am one of those people that deplores contracts and all things with legal consequences. GDPR is no fun. But as long as you are using ethical and established systems like Aweber and Paypal (or any reputable and secure shopping cart) and disclosing your use of cookies and pixels, I can't imagine there being much of an issue. But of course, I am not a lawyer and not qualified to give legal advice 🙂

Here is a list of all of the enforcement action taken so far: https://ico.org.uk/action-weve.....forcement/

You can click on each case to see what the company did and how much they were find. I only scanned t, but they all seem to be pretty huge companies doing things they shouldn't be. I see two smaller individuals. One was a doctor's office and one involved school children so obviously more egregious offenses). But even in those cases the fines were less than £1000.

If you really want to play it safe you can add a cookie plugin that requires a person to click accept. But I have not personally done that.