GDPR: What Growth People Need To Know

Disclaimer: This is not legal advice for your company to use in complying with the GDPR. It simply provides our interpretations of how it will affect people working in growth. This information is not the same as legal advice. We insist you consult an attorney for advice on applying the law to your specific circumstances. You may not rely on this post as legal advice, nor as a recommendation of any particular legal understanding.

Too busy to read? Listen to the post instead. Just click the pink play button below.

With the General Data Protection Regulation (GDPR) coming into effect in just 6 weeks, are the days of growth at any cost coming to an end?

The law is designed to safeguard data privacy for EU citizens, and applies to any business with EU users or customers, regardless of whether the business is based in the European Union or not. The penalty for non-compliance is “up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.” 

After doing a lot of research and interviewing leaders managing GDPR compliance at top companies, we’ve come to this conclusion:

If you’re in growth, and not preparing for GDPR, you should be.

Currently, many growth teams are violating the General Data Protection Regulation in multiple ways. And though it was approved by the European Parliament in April 2016, they’re unprepared to comply when it comes into effect on May 25, 2018.

Does this apply to your team?

It does if you’re:

  • Tracking user behavior on your website or in your app for marketing and personalization
  • Collecting email addresses and other personally identifiable information (PII) for email marketing
  • Testing strategies to resurrect churned users

If you’re doing any of these things without explicit consent (defined below) from users, then it’s time to make some changes to your growth practices. 

In this post, we’ll talk about what you need to know to comply with GDPR across the 3 common growth activities mentioned above. 

Table of Contents

  1. Two Concepts Every Growth Person Must Understand about GDPR: "consent" and "legitimate interests"
  2. Three Key Growth Activities to Evaluate for GDPR: (1) tracking and analytics (2) email marketing, and (3) resurrecting churned users
  3. Next Steps for Growth Practitioners
  4. Glossary of GDPR Terms Growth People Need to Know
  5. GDPR Reading List

But first, let’s walk through a few of the foundational principles from GDPR that are most important for growth.

Two Concepts Every Growth Person Must Understand about GDPR

For growth and marketing activities, two of the most important principles of GDPR (which replaces the EU’s 1995 Data Protection Directive 95/46/EC) to understand when you’re collecting, processing, and storing people’s personal data are: 

  1. Consent
  2. Legitimate interests


Consent, as described in Article 4.11 of the GDPR is:

  • A “clear affirmative action” taken by the data subject (user)
  • Freely given by the data subject
  • Specific, informed, and unambiguous
  • Documented in detail by the data controller (the company that determines how the data will be processed)
  • Easily withdrawn
gdpr compliance

The “data subject” is your free or paid user, and their “personal data” is any information that can identify them in any way, such as:

  • Name
  • Email address
  • An identification number
  • Location data
  • IP address
  • An online identifier, such as a cookie

So, what does all of this mean?

It means that to collect, store, and process personal data from your EU users for marketing, in many cases, you need to clearly communicate how you plan to use their data and give them an explicit choice to opt in or opt out. For a user to opt into your marketing, they have to take a “clear affirmative action.” 

The days of relying on pre-ticked checkboxes, silence, or inactivity as implicit consent to track activities and send marketing communications are over. 

Not only that, but you’ll also need to offer users an easy and obvious way to withdraw previously given consent, and maintain documentation of the details of where, how and when you collected consent from your users. If GDPR governing bodies in EU member states or users ever bring a case against your company, you want to ensure the details of consent are documented, available, and defensible.

But consent isn’t the only option for marketers, growth people, and service providers. “Legitimate interests” is another option that may provide an alternative to consent in certain cases. 

Legitimate Interests

According to Article 6.1 of the GDPR, legitimate interests can be used as grounds for collecting and processing users’ personal data when:

  • Data processing is necessary for the “legitimate interests” of the company
  • But not when the fundamental rights of the user override the legitimate interests of the company
gdpr compliance

For growth and marketing, legitimate interests are one of the most ambiguous concepts in the GDPR, and therefore, very open to interpretation. But understanding legitimate interests comes down to having a clear and defensible rubric for defining three key components:

  1. What “necessary” means when it comes to processing personal data
  2. The “legitimate interests” of the controller (your company) or third party (a data partner)
  3. The interests, fundamental rights, and freedoms of the data subject (your user)

To evaluate legitimate interests as a grounds for personal data collection, define these three components on a case by case basis. Ensure you’re balancing your company’s interests with those of its users, as legitimate interests cannot be used to override users’ interests and fundamental rights.

Must-Know Updates from Tech’s Growth Leaders

Get our weekly 5-min digest

gdpr compliance

To dig deeper into understanding legitimate interests and when to apply them, the Data Protection Network’s guidance on legitimate interests is a useful resource for service providers. But ultimately, this is something you’ll need to work with your legal and compliance team to interpret and apply for your company’s specific circumstances. 

Now that we’ve established a basic understanding of consent and legitimate interests, let’s walk through the role they’ll play in the three growth activities we mentioned earlier.

3 Key Growth Activities to Evaluate for the General Data Protection Regulation

As a reminder, those three growth activities are: 

  • Tracking user behavior for marketing and personalization
  • Collecting email and other personally identifiable information (PII) for email marketing
  • Resurrecting churned users

We’ll address each one individually below.

Will GDPR Impact Web Tracking and Analytics?

The short answer is, yes. 

But still, many companies have scripts on their sites tracking user behavior without consent. And most tracking tools contain personally identifiable information (PII).

It's no longer acceptable to bury tracking notices in the terms of service saying, ‘If you use our service, we will be tracking your behavior.’ When PII is being stored, you need to ask for explicit consent at the time you want to start collecting customer data.

According to Recital 30 of the GDPR, even online identifiers (including cookies) and location data such as IP address are considered personal data. And any kind of personal data requires consent to be collected, processed and stored.

To learn how other companies are approaching consent for tracking, I spoke with Andrew Michael, Experience Team Lead at Hotjar. Hotjar is an analytics and feedback service offering heatmaps, visitor recordings, and other feedback tools. Andrew currently manages GDPR compliance for marketing. 

He explained,

“Our team is building new consent features to be ready for GDPR. For example, we have tools such as Heatmaps and Recordings that allow us to gather data about user behaviour on a website—but we introduced features that allow our users to suppress any PII from them. This means that Heatmaps and Recordings can still be used to understand visitor behavior, but there is no need to request consent because individual visitors are not being tracked. 

The only time when we do need consent is when we want to link recordings to a feedback tool: and for this, we have created a clear consent request when a user provides feedback through one of the tools.”

Data analytics vendors (data processors), like Hotjar and many others, are leading the charge to become GDPR compliant, as the stakes are especially high for them.

This doesn’t mean that you’re off the hook, though. It’s still your responsibility as the data controller to:

  • Collect only necessary data
  • Offer a clearly communicated process that allows users to opt-in or opt-out and easily access and control their data at any time

What growth teams need to focus on now is not whether they will ask for cookie permissions and other forms of tracking consent, but how they will ask. 

If you’re collecting any personally identifiable data via cookies or scripts from analytics vendors like Hotjar, Mixpanel, Google Analytics and others, you will need to show a consent box when new users visit your site. 

No more soft opt-ins allowed, which means those cookie pop-ups that say something like “By using this site, you accept cookies,” or bundling cookie consents into your terms, will no longer cut it. 

gdpr compliance

A non-GDPR compliant cookie notice from Facebook

What GDPR Compliant Tracking Consent Looks Like

There weren’t many GDPR compliant examples out in the wild yet (I bet that will change after May 25th), but below are a few examples I was able to dig up.

Mock Ups of Tracking Consent Forms

gdpr compliance

Tracking consent form from PageFair

gdpr compliance

Consent form from PageFair to share browsing data with a 3rd party

A Cookie Consent Form in the Wild

gdpr compliance

A cookie consent form live on the Cookiebot website

gdpr compliance

An expanded view of Cookiebot’s cookie consent form

Consent requirements like these will also have an impact downstream on our ability to personalize experiences for our users.

So, What Does GDPR Mean for Personalization?

When GDPR comes into effect, personalizing content without consent will be a no-no.

According to Aurélie Pols, a former Data Governance and Privacy Engineer at Salesforce,

“It’s no longer an option to personalize content by default. Permission to do so should be retractable and based on consent terms in line with the GDPR. Opting in for content personalization will become part of the standard user options you would expect from a data controller.”

According to this interpretation, companies that do user profiling, as described in Article 4.4 of the GDPR, will be required to ask for consent. This will impact the “big fish” most acutely - the ones who’ve pioneered and scaled personalization for growth - think Netflix, Amazon, Spotify, and Pinterest. Whether they actually do ask for consent, and how the Supervisory Authorities enforce the new privacy laws, remains to be seen.

So, what do we do if consumers don’t opt in?

We’ll be forced to get more creative with finding insights in anonymized or pseudonymized data. (For a deep dive into the differences between anonymization and pseudonymization and how they relate to GDPR read this primer.)

Andrew Michael explains how Hotjar is applying anonymization:

“We have planned 3 levels of suppression to make sure customers can use Hotjar in a GDPR-compliant manner:

First, we have an automatic suppression layer, that suppresses any form field, plus any number on a page greater than 9 digits (which may resemble a credit card or phone number), on any site that has Hotjar’s script installed. The data is suppressed on the end user’s side, so it never hits our servers.

Second, we give customers the option to activate automatic on-page suppression of any number or email address found on any page of their website or app. 

Third, customers can tag specific elements they want to suppress, to make sure they aren’t sending personally identifiable information to our servers without consent. 

With this, it is impossible to link identifiable information back to an individual user’s session recording and heatmap data. Hotjar customers can still show surveys and polls to solicit feedback from visitors to their website or app, but they won’t be able to leverage the data for automation or other marketing activities—unless explicit and clear consent has been given through our feedback tools.

The key to growth is delivering consistent and constant value to your users. You can still get smart with the way you use data to personalize approaches and fuel your growth experiments backlog, but you don’t need to know who a specific individual is and what they are doing. To get actionable insights, it is enough to look at how people use your website or app as a whole.”

In addition to tracking, analytics and personalization, the new rules of the GDPR will change how we approach email acquisition for marketing.

Must-Know Updates from Tech’s Growth Leaders

Get our weekly 5-min digest

Where Email Marketing Goes Wrong With GDPR

When it comes to collecting and using email for marketing, again, consent is going to be the key to GDPR compliance. But many email marketers aren’t asking users for consent prior to collecting their email and other personal identifiable information and sensitive data. 

Below is a list of common email marketing activities teams engage in that don’t work with GDPR:

  • Automatically subscribing new users who create an account to marketing communications
  • Acquiring leads with gated content and sending them nurture email drip campaigns
  • Using pre-ticked boxes to automatically subscribe people to marketing emails
  • Automatically subscribing referrals to a marketing email list
  • Bundling consent to email marketing in with other terms and conditions
  • Gaining consent for a specific type of emailing marketing and sending a different type

Do any of these sound a little too close to home? If so...

Here’s What To Do Instead

There are three key things email marketers can do to comply with GDPR come May:

  1. Incorporate “Privacy By Design” into your email acquisition program
  2. Audit your existing subscribers for consent
  3. Build an email preference center
  4. Revamp your referral program

Let’s walk through each individually.

1. Incorporate “Privacy By Design” into Your Email Acquisition Program

Taking a user centric approach to email marketing is the best way to build trust with users, enhance data security, and survive in a post GDPR world. To do this bring privacy and consent forward into the strategy and design phase of your email acquisition program.

Let’s walk through a few examples of different email capture forms to see what Privacy by Design is, and what it isn’t, in the world of email acquisition.

Example: Sky

This email marketing subscribe example from Sky is the antithesis of Privacy by Design.

gdpr compliance

A non-compliant email capture form from Sky

Note that the:

  • First tick box prompts the user to click to agree
  • Second tick box switches the logic, asking the user to click if they don’t agree

This was clearly designed to trick the user into “subscribing” to marketing emails, and it’s obviously not GDPR compliant.

Example: Data Protection Network

In contrast, below is a screenshot of the new account creation form used by the Data Protection Network (DPN).

gdpr compliance

A compliant email marketing consent form from the DPN

Note the:

  • Straightforward language
  • Detailed copy explaining the types of emails that will be sent
  • The process for unsubscribing
  • The red to green slider that allows the user to actively choose to subscribe or not

This form is a great example of Privacy by Design in action, applied to email acquisition. 

2. Audit Your Existing Subscribers for Consent

Your existing email list won’t be grandfathered in under GDPR. Come May 25th, you must be able to show proof of consent from each subscriber. 

If you already have proof of consent that is compliant with GDPR, you will not need to re-permission your subscribers. If you do not have evidence of consent from subscribers, you may need to scrub them from your list. Sending an email to ask for permission to send marketing emails is considered marketing, and may result in fines if you don't have evidence of consent.

If you do have evidence of consent, you may want to send an email campaign asking existing subscribers to re-opt in. At Reforge, we periodically send re-permission campaigns to keep our email lists clean, make sure we’re sending to engaged subscribers who want to receive our content, and to protect email deliverability

gdpr compliance

Reforge’s re-permission email

3. Build an Email Preference Center

Email preference centers will be key to staying within the confines of the GDPR. They give users an easy access way to understand and control the communications they receive from your company. 

Will Gregorian, Chief Information and Security Officer at Iterable, a personalization platform for growth marketers, explains,

“Email marketing without consent is considered spam per CAN-SPAM and Canada's Anti-Spam Law (CASL), to name a few. Marketers must obtain permission and provide a subscription center with concise directions on how to opt-out will reduce liability. Not only does a subscription center offer a wide-range of options to the data subjects (individuals) to decide on their interests, it can increase segmentation and communication accuracy versus a "bulldozer" approach of one-size-fits-all outreach.”  

Litmus does a great job with their email preference center and makes it very easy and obvious for people to withdraw consent.

gdpr compliance

The Litmus Preference Center makes it easy to choose communications and opt out

4. Revamp Your Referral Program 

This is a common question we’ve been hearing lately:

Is GDPR going to kill my referral program?

Many fear that referral programs could be on their way out because there’s no way to get upfront consent from the people being referred. 

Fortunately, it may be possible to manage referrals in a compliant way. But it may require some changes to how you manage your referral data. 

Will Gregorian, Chief Information and Security Officer at Iterable, explains, 

“Under GDPR, technically, the referral notification is not considered a promotional message. Meaning, if someone were to refer me to a product using a referral program, I would be notified and required to confirm the opt-in, which is mechanically considered to be GDPR compliant.”

Historically, one of the biggest problems with refer-a-friend programs has been that companies abuse them by creating a profile for the friend, storing their personal information, and sending marketing emails without approval. For obvious reasons, this is not GDPR compliant. 

To stay compliant, only send one referral message to the friend on the referrer’s behalf. Do this without storing any of the friend’s personal information or data, unless they’ve clearly consented to participate in the referral program. Do not create a profile for the friend or send any marketing messages to them. In the referral notification, let them know you will not store their data or market to them unless they choose to opt-in.

Why Activation and Retention Will Be Even More Important Under GDPR

One of the most talked about changes coming into force with GDPR is people’s “right to erasure.” Also called the “right to be forgotten,” this privacy requirement allows people to ask companies to erase all personal data they’ve collected on them “without undue delay,” and the companies have to be ready to comply. (Read more in Article 17 of the GDPR.)

When asked about the implications of this part of the new data protection law, Andrew Michael of Hotjar contends, 

“Resurrection is one of the areas most impacted by the GDPR. Currently, a lot of companies ask churning customers why they’re leaving - maybe they have a budget issue, or a project has finished. Then, based on their answers, the company will test resurrection strategies to win them back a few months later.

Now, with GDPR, if someone cancels their account, you don't have a legitimate business reason to store any of their information, which makes pretty much every reactivation initiative obsolete. This even applies to retargeting churned customers with ads.”

As growth practitioners, what are we supposed to do when an entire growth strategy is wiped out?

In this case, we need to turn back to activation and retention. They’ve always been the foundation for growth, but the “right to be forgotten” makes nailing both all the more critical. This means figuring out how to get users to actually create ingrained habits with our products during onboarding. It also means building churn prediction models and running re-engagement tests at the right time to intercept users before they quit our products for good.

Why? Because once a user churns, it becomes much harder, if not impossible, to hold on to their data and re-engage them later under GDPR.

Next Steps for Growth Practitioners

At the end of my discussion with both Michael and Gregorian I asked them each the same question:

What advice do you have for growth practitioners on next steps for GDPR compliance?

Combining insights from both, I’ve distilled the learnings into 3 key next steps:

  1. De-silo your growth and legal teams so they can work together to:
    • Define your company’s tolerance for risk when it comes to GDPR
    • Mitigate risk while still supporting growth initiatives
    • Create team-wide policies for GDPR governance and compliance
    • Guide the team in policy implementation
  2. Conduct an audit of each tool to decide:
    • Which data is necessary to collect and which is not
    • Whether you will rely on consent or legitimate interests to justify data collection, storage, and processing activities
    • How you will collect, process and store different types of data in a compliant way
  3. Create processes for educating your team on GDPR compliance to:
    • Help them understand the risks of non-compliance
    • Prevent them from inadvertently running non-compliant growth experiments
    • Empower them to execute growth strategies and tests in a GDPR compliant way

We’ve put together a few resources below to help you navigate the process - a glossary of the key terms relevant for growth and a reading list of articles to learn more about the new data protection rules. 

Since there’s so little known yet about how the Supervisory Authorities will enforce GDPR, there’s no formula out there for becoming GDPR compliant. This post has probably brought up a lot of questions, but I hope that it has prompted you to ask more informed questions as you work closely with your legal and compliance teams to update how you approach data privacy and data security for your users. 

Good luck on your GDPR journey!


Glossary of GDPR Terms Growth People Need to Know

Below are the definitions and principles of GDPR that are most important for growth and marketing - any emphasis is mine. And here is a complete list of definitions.

Personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Online Identifier (as explained in Recital 30)

Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.


‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; 

Data processor

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Legitimate interests (as referenced in Article 6.1)

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.


‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Personal Data Breach

A breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data.

Data Protection Officer (DPO) (as referenced in Article 37)

A data controller or processor must designate a data protection officer in any case where their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

GDPR Reading List:

The Basics:

GDPR and Marketing:

Consent and Legitimate Interests:

Tracking and Analytics:

The Right to Be Forgotten:

Must-Know Updates from Tech’s Growth Leaders

Get our weekly 5-min digest

About the Author


Lauren Bass is a growth marketer at Reforge, a company that provides masterclasses in frontier skill sets for mid-career tech professionals. Previously, she worked on growth marketing at NerdWallet and prior to that she was the Founder and CEO of LolaBee's Harvest, an online farmers market acquired by Good Eggs in 2013