GDPR Compliance for Online Businesses Selling Courses and Memberships


The General Data Protection Regulation (GDPR) takes effect on May 25, 2018… and the penalties for non-compliance are steep.

This is a huge deal for the entire online sphere, since it “applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location”.

And that makes sense.

After all, the purpose of the GDPR is “to protect all EU citizens from privacy and data breaches in an increasingly data-driven world” (source)… no matter where this data is stored.

The GDPR's data protection requirements go far beyond having an SSL certificate and protecting credit card numbers.

It applies to every single interaction you have with your EU clients.

This means that every system you're using, from your membership platform to your marketing automation tool or CRM, needs to be in full compliance before the end of May.

As you check to ensure your business is ready to go, here are a few things to consider from the membership and online course side of things.

**Disclaimer**
This information is NOT legal advice or a legal explanation of the new GDPR guidelines. It is meant to be a practical look at some of the areas where personal data is collected and processed for online courses and membership site models. For legal advice, please consult a lawyer.

Did you know? Every Type of Data Matters

The new regulations include all types of data you may collect or process in your business, from first names and email addresses to obvious things like credit card numbers.

Some of the more common data processed when selling online courses or memberships includes:

  • Name
  • Email address
  • Credit card number
  • Billing address
  • Mailing address
  • IP address
  • Phone number
  • Password

All of these (and more) fall under the data protection requirements of the GDPR… so if you're not familiar with what information is stored where, now is the time to become familiar with your tech tools.

Example: Although AccessAlly includes order forms and easy management, it does NOT store the credit card info of your clients. That information is saved in your Stripe account.

After looking through the new guidelines, there are a few other areas that stand out in the online courses and membership world.

These include:

1. The Ability To Opt Out on a Granular Level

If a client subscribes to your monthly membership program, how many lists do you automatically add them to?

The weekly newsletter? Product updates? Marketing promotions? Billing reminders?

With GDPR, you're not only obliged to clearly inform your client which “lists” you're adding them to, but you're also required to make it easy for them to opt out on a granular level… one list at a time.

In GDPR language, this is known as the “Right to object”.

If you’ve been lumping all your contacts into a single list… it's definitely time to clean house and make sure this granular opt-out process is possible.

2. Be Clear With Your Privacy Terms

Now is a great time to talk with your lawyer and review the legal information you're required to have on your website.

What do you do with your subscribers' information when they sign up for access to a free course?

Do you use their email addresses for retargeting ads? Put them into a pre-sale funnel for your paid products?

The GDPR requires that any opt-in “[c]onsent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language […]” (source)

In other words: if you've been using sneaky email capture methods, it's time to be more transparent.

Be honest about what you're going to do with their information… and then give them the opportunity to say no.

I was personally curious to see how many marketers are currently complying with this method… so I opted into 15 different email lists over the past couple days.

Out of 15 opt-ins, only 2 used a double opt-in to indicate that I would be added to their marketing newsletter list.

The rest did not ask. But I received marketing emails from all of them.

As of May 25, that's not gonna fly.

AccessAlly Clients: Use the Checkbox!

To help our clients comply with the GDPR regulations, we've created a checkbox for you to add to your order forms built with AccessAlly. Use this checkbox to receive any express permission required from your clients.


(Learn how to set it up here.)

A similar checkbox feature was also added to PopupAlly Pro, just in time for these laws to go into effect.

With PopupAlly Pro you can also store the checkbox “state” into your email marketing platform. So you can keep track of who checked the box and who didn't.


3. Is Your Software Compliant?

“I don’t keep my users’ data… my CRM does!”

Yep, and both of you can be liable: the GDPR holds the controller (you) and the processor (your CRM) responsible, and fines run up to 20 million euros or 4% of annual global turnover, whichever is higher. Even a share of that is still a lotta dolla.

Take the time to become familiar with how your clients' information is processed and stored. Find out if encryption is used for sensitive data – or if you should be moving to a different, more secure system.

Be proactive and learn how your software systems work together to ensure compliance.

If you have a membership site or online course, a few tools to check for compliance are:

  • Your website server
  • CRM / Marketing Automation System
  • Payment Processor (Stripe or PayPal)
  • Website Plugins

A note to AccessAlly users:

We’ve been taking special precautions to help our clients become more GDPR compliant, by making it easier to give the user access to their password without having to store it in an unencrypted field in the CRM. Learn how here.
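The underlying point of that note is that a plaintext password should never sit in a CRM field at all. The example below is added here and is not AccessAlly's implementation: it stores only a salted scrypt hash, verifies logins against it in constant time, and handles "I need to get back in" with a short-lived, single-use reset token rather than by revealing the password. The `AccountStore` class, its in-memory dictionaries (standing in for your user store or CRM) and the sample accounts are all constructed for illustration.

```python
"""Password storage without a plaintext field (added example, not AccessAlly code).

Assumptions: an in-memory dict stands in for the user store / CRM, and
reset tokens are delivered by e-mail link (only the token's hash is kept).
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# scrypt cost parameters (hypothetical defaults); raise n as hardware allows.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<digest-hex>' with a fresh 16-byte salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    TOKEN_TTL_SECONDS = 15 * 60   # reset links expire after 15 minutes

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}                    # email -> hash only
        self._tokens: Dict[str, Tuple[str, float]] = {}     # sha256(token) -> (email, expiry)

    def register(self, email: str, password: str) -> None:
        self._users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        stored = self._users.get(email)
        return stored is not None and verify_password(password, stored)

    def issue_reset_token(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Return a one-time token to put in the e-mail link; store only its hash."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._tokens[key] = (email, (now or time.time()) + self.TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        """Consume the token (single use); reject it if unknown or expired."""
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._tokens.pop(key, None)
        if entry is None:
            return False
        email, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self._users[email] = hash_password(new_password)
        return True
```

The CRM then only ever sees the hash (or nothing at all, if authentication lives in the membership plugin), so a leaked export of contact records does not leak credentials.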

4. Clean Up Your CRM Email Lists

Marketing Automation Tools like Ontraport make it much easier to segment your email lists.

You have until May 25, 2018 to become compliant… which means that the cleanup process starts now.

If you’ve been engaging in shady practices (maybe you automatically subscribed someone to your marketing sequences without telling them after they opted in for a PDF?), don’t panic.

You have three basic choices:

  • Delete your entire mailing list and start from scratch
  • Segregate EU email addresses from non-EU addresses, and go from there
  • Run a re-engagement sequence to the entire list, asking them to re-opt-in and get those permissions, and keep the wording on file in case there’s an audit.

The route you take is totally up to you, your marketing team, and a lawyer.

Remember that the GDPR requires proof of opt-in consent.
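Sections 1, 2 and 4 all come down to the same record-keeping problem: one consent per list, the exact wording that was shown, when and where it was given, and the ability to withdraw any single list without touching the others. The ledger below is an added example, not AccessAlly, PopupAlly Pro or Ontraport code, and every list name, form name and contact address in it is constructed. It keeps an append-only event log per contact, so "may I send this?" is answered by the latest event for that list and "show me the proof" returns the timestamp, the source and the wording on file.

```python
"""Per-list consent ledger (added example; all names and data are constructed)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ConsentEvent:
    list_id: str          # one entry per list: "newsletter", "promotions", ...
    granted: bool         # True = opted in, False = withdrawn
    at: datetime          # when the box was ticked or unticked (UTC)
    source: str           # where it happened, e.g. "order-form-v3"
    wording_sha256: str   # hash of the exact text shown next to the checkbox


class ConsentLedger:
    """Append-only record of per-list consent; the latest event per list wins."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}   # email -> events
        self._wordings: Dict[str, str] = {}                # hash -> text shown

    def record(self, email: str, list_id: str, granted: bool, source: str,
               wording: str, at: Optional[datetime] = None) -> None:
        digest = hashlib.sha256(wording.encode("utf-8")).hexdigest()
        self._wordings.setdefault(digest, wording)   # keep the wording on file
        self._events.setdefault(email, []).append(
            ConsentEvent(list_id, granted, at or datetime.now(timezone.utc),
                         source, digest))

    def _latest(self, email: str, list_id: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events.get(email, [])):
            if ev.list_id == list_id:
                return ev
        return None

    def may_send(self, email: str, list_id: str) -> bool:
        """True only if the most recent event for this list is a grant."""
        ev = self._latest(email, list_id)
        return ev is not None and ev.granted

    def withdraw(self, email: str, list_id: str, source: str) -> None:
        """Granular opt-out: affects one list and leaves the others untouched."""
        self.record(email, list_id, False, source, f"unsubscribe:{list_id}")

    def evidence(self, email: str, list_id: str) -> Optional[Tuple[str, str, str]]:
        """What you would hand an auditor: timestamp, source, exact wording."""
        ev = self._latest(email, list_id)
        if ev is None or not ev.granted:
            return None
        return ev.at.isoformat(), ev.source, self._wordings[ev.wording_sha256]


def demo() -> ConsentLedger:
    """Constructed sample: a buyer ticks two separate boxes on an order form,
    a PDF downloader ticks no marketing box, and the buyer later leaves promotions."""
    ledger = ConsentLedger()
    ledger.record("buyer@example.com", "newsletter", True, "order-form-v3",
                  "Send me the weekly newsletter.")
    ledger.record("buyer@example.com", "promotions", True, "order-form-v3",
                  "Send me product promotions.")
    # The PDF opt-in is its own list: nothing is recorded for marketing lists,
    # so nothing may be sent to them (the "PDF then marketing sequence" case).
    ledger.record("reader@example.com", "free-pdf", True, "popup-pdf",
                  "Send me the PDF.")
    ledger.withdraw("buyer@example.com", "promotions", "preference-centre")
    return ledger
```

Because the log is append-only, a re-engagement campaign (the third option above) is just a new batch of grant events with the new wording, and anyone who does not respond simply has no grant on file.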

5. When in doubt, consult legal advice

Nothing can take the place of good, solid legal advice from a legal expert.

If you're confused about the terms of the GDPR and what it means for your business, be proactive about discussing it with a lawyer.

A Good Wake Up Call for Online Businesses that Sell Courses and Memberships


In America, we're just beginning to catch a glimpse of the far-reaching consequences of privacy and data breaches, from the Equifax breach of last year (that keeps getting worse!) to Facebook making headlines.

That makes the urgency of regulations that protect the end consumer easier to understand.

Sure, the marketing side of us might love using bots and tracking cookies to show up in front of our audience as many times as possible… and get them to hand over their email address. “Whatever it takes?!”

But all of us are consumers, and can understand the outrage at hidden, obscure legalese that takes advantage of how little most people understand the technology behind it.

The GDPR is one giant indication that enough is enough. It’s literally laying the law down on sneaky email collection practices (“just gimme your email address so I can send you this one PDF… wink wink“) and sneaky uses of personal data.

This is a great wakeup call to treat our prospects and customers with the same respect we demand for ourselves.

Sell your online courses and memberships without the sneak… and your customers will thank you for it.

7 Comments

  1. […] CANSPAM/CASL. If there is any chance your subscribers are based there, it affects you, too. This article provides a great overview, but my takeaway is: your subscriber must be aware of every list you place them on and must […]

  2. […] Compliance for Online Businesses Selling Courses and Memberships https://ambitionally.com/online-business-tools/gdpr-compliance-online-businesses Find out some answers to these […]

  3. […] For example, a huge regulation just passed in the European Union that affects anyone who has an email list. There are now specific rules to follow when dealing with EU citizens. And if you’re not following them, you definitely can get in trouble (by the way, here’s a nice little guide on GDPR Compliance for Online Businesses Selling Courses and Memberships). […]

  4. Mindie Kniss on May 13, 2018 at 12:03 am

    A quick note of thanks for this.
    Super helpful. :)

    • ambitionally on May 14, 2018 at 9:23 am

      So glad to hear it!

  5. Cassie on May 14, 2018 at 2:32 pm

    Really appreciate this. Thanks for clear terms. You guys do such a stellar job of this.

    • ambitionally on May 14, 2018 at 2:51 pm

      Thanks so much Cassie, I’m glad this was helpful for you!

© 2014- Nathalie Lussier Media Inc. dba AccessAlly™. All rights reserved.