May 17

Getting GDPR consent from your email list, using Mailchimp

By Graham Hansell | GDPR & marketing

Read time: 3 mins 50 sec

Read our quick step by step guide on how to gain consent from your email database list before GDPR with

How to get your MailChimp email list GDPR Compliant

All marketers have until the 24th May 2018 before GDPR becomes law on 25th!

One of the most important actions is to gain consent from your current email list before you have to stop emailing them totally (and thus technically deleting them).

Here’s our plan of action and steps on how to get those people who want to stay in touch, agreeing to give consent.

  • Set up your list in MailChimp
  • Set up your GDPR permission form
  • Set up your GDPR email campaign
  • Create a Segment so follow up emails don’t “spam” those who have given consent

Even if you don’t use MailChimp for your regular emailing you can still import your current email list into it. You’ll need to set up a new MailChimp account, download your current list as a CSV and then load it into your new MailChimp account. You can then gain consent through a send and, once that’s done, export your compliant list back into your regular emailing platform.
Why? Because if your current ESP or CRM system isn’t ready to gain consent, it’s now or never, so time to get on with whatever works quickest.

A Quick Solution

MailChimp is one of the most popular email service providers and over the last few years has become a complete marketing automation platform.
They have been busy preparing for GDPR and have produced their GDPR guidance and tools to help assist their customers to do just that.

At the beginning of May they released GDPR updates to their forms, which basically meant they had added ‘Fields’ which then allow you to enable your current subscribers to add their agreement to the following communication channels:

  • Email
  • Direct Mail
  • Personalised advertising

So, to switch GDPR fields on in your list, you need to go to your list and then select the following:

Mailchimp list settings

Select List > Settings then click ‘List name and campaign defaults‘ then click on the below

GDPR fields in MailChimp

Checkbox enables GDPR fields


Once that is done you need to review the legal descriptions of the usage of the person’s data.

Ensure this is either confirmed by your company’s communications policy or reviewed by your legal counsel, as this will now set the basis for your permission to contact them after GDPR comes in.

If you don’t have your GDPR legal support then please look at our partners LawBite who are providing very cost-effective support.

So the steps so far are:
+ Import your list to MailChimp if your service provider doesn’t support GDPR forms
+ Switch on GDPR fields

However, this doesn’t make your list GDPR compliant in itself; you need to ask every one of the people on your list to agree with the way you are going to communicate to them.

So you need to email them, but what to say?

MailChimp provides a template email for you to use called the “GDPR Subscriber Alert” but to be honest, it is a horrible presentation (unless you want to scare your subscribers into consent).

But this template does include suggested language that you can edit or copy to your own.

I think you should build your consent campaign from scratch to stay within your Brand communications, but to do so you need to make sure you include an Update Profile link. This is HUGELY important as it is this link that allows your subscribers to update their preferences to receive emails, ads and mail from you.

It provides a landing page like this and pre-fills their email and name.

If you don’t like the default MailChimp GDPR Alert what then?

So some other options from some of the brands we have used:


Break up



My advice is, if you have the time, to use a mix, as certain versions will appeal to different people.

Don’t worry about frequency (one email per week etc) as you only have days left to talk to these people; once the 24th has passed they will be legally out of contact (unless you have their consent).

One technique being used is a “countdown to deletion” or “last chance” email chain, so each person will get up to 7 emails in the last week.

So, as you have only days left, pick whatever is quickest to do. Don’t let your brand design get in the way of consent, it’s too late!

Now you have their consent, be polite!

One thing you should be doing is once someone has given their consent, stop emailing them! This will help to keep emails from your brand useful and not boring.

To do this, use MailChimp’s segments to send follow up emails only to people who have NOT given consent to email.

Make sure you select “Auto Update” so whenever people give consent they are removed from the segment.

If you want to get more sophisticated then you could design other campaigns to encourage consent to:

  • customised personal advertising
  • direct mail consent

To do this you would need to set up segments for those people who may have consented to email but not the other two, and change the email messaging accordingly.

However, this is potentially dangerous, as if you have a high frequency of emails to your newly consented, you might find they unsubscribe from all brand communications.

So now the steps are:

  1. Import your list to MailChimp
  2. Switch on GDPR fields
  3. Set up your emails
  4. Set up segments so people who consented

Once you have these parts in place, it’s time to fire off the first round of emails.

Preview and test your email campaign as you normally would, and send it to your complete list. After you send your consent campaign, use the campaign URL to share it on your social channels.


  • Import your list to MailChimp
  • Switch on GDPR fields
  • set up your emails
  • set up a segment so people who haven’t consented


Now is your last chance to get consent from the people on your email list, and if you don’t delay you will enter the new data privacy world of 25th May and beyond with contacts still to talk to.
Don’t delay, make this happen today!

Apr 16

Major Chrome SSL certificate issue – Could your site now be insecure?

By Graham Hansell | Trust & Technology


Chrome is not accepting Symantec SSL certificates from the 17th April 2018. Check and update your certificate ASAP.

Reading time: 3 mins 40 sec

As from the 17th April 2018, your website might just be about to go insecure with all Chrome users – Google Chrome will no longer be accepting the Symantec SSL certificate.
To put this into context, this could affect ‘one out of every two’ of your customers. As powerful as that sounds, Google Chrome is used by over 50% of the world’s Mobile, Tablet and Desktop web browsers. Now I’ve got your attention, best you read on…

Here’s the story so far: Google has fallen out with a company called Symantec over the leaking of private keys of secure domain certificates.
You probably never noticed or even heard of it, but this particular spat has had a butterfly effect that we will all feel from today.
You could see this as another example of how the Web has fallen into the powerful hands of just a few companies (Facebook, Google, etc.) but it seems in this case that Google has been right in not trusting Symantec.

Google Chrome developers have decided to ignore all secure certificates from the following issuing authorities:

  • Thawte
  • VeriSign
  • Equifax
  • GeoTrust
  • RapidSSL

This means if your website has a secure certificate issued by one of these companies it will become useless to your website for all Chrome users.
The result will look something like below when they go to your domain using the Chrome browser (by any means not just search!).

SSL certificate distrusted by Google Chrome and other major browsers

This doesn’t look like the start of a happy visit, does it?

To give you some context, Chrome makes up over 50% of the world’s Mobile, Tablet and Desktop web browsers, so having this happen in Chrome is a big deal.

Google Chrome is the most popular browser worldwide

Chrome Rules the World

Yes, Google Chrome is represented by Green in this World Map from 2017. In addition to the coming of GDPR, secure websites are even more important as anytime any personally identifiable information (PII) is being handled by a company it needs to be secure. Therefore any enquiry form should be secure, not just e-commerce sites.
The timeline for this has been:

  • 15 March 2018
    • On or around March 15, 2018, a Chrome 66 beta release will distrust all Symantec SSL/TLS certificates issued before June 1, 2016.
  • 17 April 2018
    • Google plans to release the public version
  • September 13, 2018
    • A Chrome 70 beta release will distrust all Symantec SSL/TLS certificates issued after June 1, 2016.
    • Google plans to release the public version mid-October 2018.

To get a sense of the size of the problem, a test done in February showed that, of the Alexa top one million websites, 11,510 were going to go insecure in April, with another 91,627 going to be hit in October. A quick test shows that those that were using Symantec SSL have all updated since.
Those included:


Testing the traffic impact

In Google Analytics you can test your traffic to see if the new Chrome 66 version browser is getting impacted quickly with a custom segment.

  1. Go to Google Analytics and login
  2. Select the Audience Overview Report
    Google Analytics Audience Overview
  3. Create a custom segment for Google Chrome Users
    Custom Chrome Users Segment Analytics

    Just add a Custom Segment for Google Chrome and even try Version 66

Once you have done this look at the daily Chrome Browser traffic for today by the hour compared to the previous day, is there a change? Then compare to the same day the previous week, again any change?

If you are seeing a constant drop hour on hour this could be the insight that your SSL certificate is scaring people using Chrome away.

Your next action is to prove it is your SSL certificate causing the problem.

Is your SSL Certificate affected?

This is technical and if you have a web developer/agency or site support team it is best to talk to them first but you can test free of charge yourself using the links below.

First step is to test if your certificate is at risk.

There are a few options and it is worth testing on a couple of services as they are all free of charge.

Hopefully, you find everything is up to date (normally using Digicert or Comodo) but if not your team will have to fix it ASAP!
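As a local first pass alongside those online testers, the sketch below (an added example, not code from the original post) sorts a certificate into the two Chrome deadlines from the timeline above, using the issuer name and the issue date. The helper names and the sample certificates are constructed for illustration, and matching on the issuer name is an assumption: it is a cue to look closer, not proof of how Chrome will treat the chain.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brand names listed in the article, plus Symantec itself.
# ASSUMPTION: a brand name in the issuer field is only a heuristic. Chrome's
# decision is based on the root the chain leads to, so confirm any hit with
# one of the online testers before acting on it.
LEGACY_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)  # date used in the timeline


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate as a dict (needs network; not used by the demo).

    Raises ssl.SSLCertVerificationError if the local trust store rejects it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_names(cert):
    """Collect organisation and common names from a getpeercert()-style issuer."""
    names = []
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key in ("organizationName", "commonName"):
                names.append(value)
    return names


def classify(cert):
    """Return (verdict, matched_brand); verdict is 'ok', 'chrome66' or 'chrome70'."""
    names = [n.lower() for n in issuer_names(cert)]
    brand = next((b for b in LEGACY_BRANDS if any(b in n for n in names)), None)
    if brand is None:
        return ("ok", None)
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    # Issued before 1 June 2016: hit by Chrome 66. Otherwise: hit by Chrome 70.
    return ("chrome66" if issued < CUTOFF else "chrome70", brand)


# Constructed sample certificates in the shape ssl.getpeercert() returns.
SAMPLE_CERTS = {
    "old-legacy": {
        "issuer": ((("organizationName", "GeoTrust Example Inc."),),
                   (("commonName", "RapidSSL Example CA"),)),
        "notBefore": "Mar 10 00:00:00 2016 GMT",
    },
    "newer-legacy": {
        "issuer": ((("organizationName", "Symantec Example Corporation"),),),
        "notBefore": "Aug 15 00:00:00 2017 GMT",
    },
    "other-ca": {
        "issuer": ((("organizationName", "Example Replacement CA Ltd"),),),
        "notBefore": "Feb 20 00:00:00 2018 GMT",
    },
}

if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(label, classify(cert))
```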

How to fix your SSL certificate for Google Chrome

Options are to upgrade with the company that now owns the Symantec SSL business (DigiCert) or to move to another provider for free.

Or you can use the free upgrade from Comodo

Or replace your certificate for free with this open source service (backed by Google Chrome)

Once you have updated your certificate then it might be interesting to test others: check your competitors and see if they’re secure or are going insecure for Chrome browser users. If they are, what tactics could you use to capitalise on it? Or, if you’re feeling friendly, how about telling them? Remember – Knowledge is power


  • From 17th April 2018 Google Chrome stops accepting some Symantec SSL certificates
  • October 2018 all Symantec SSL certificates will be ignored
  • eCommerce sites and any sites using lead generation forms will need to be secured (GDPR requirement)
  • Check your site’s certificate is going to be secure
  • Check your competitors

Confused? Concerned? Not getting the help you need?

Apr 12

Google Analytics & GDPR – how to be compliant?

By Graham Hansell | GDPR & marketing

Is GDPR going to kill your company’s Google Analytics?

Reading Time: 6 mins 6 sec

OK, I get asked a lot by clients when I’m training “will  still be legal after ?”.

With the follow up question “do I need all users to opt-in so you can track them?”.

These are two good questions so I’ve put together a review of the current understanding and what needs to be done.

Please note this is not legal advice and you need to talk to your own counsel to understand your company’s position depending on your set up.

If you need help with preparing your company for GDPR then SLX has partnered with LawBite’s low-cost GDPR documentation and review service.

GDPR is not a problem for Google Analytics, however E-privacy changes in 2019 will be.

To clarify, the law that will impact Google Analytics in most installation cases will not be GDPR, because GA stores very limited PII (personally identifiable information) and GDPR is designed to protect PII. In most Google Analytics installations PII is only stored in certain specific circumstances. You still have to check that your version of GA is GDPR compliant but it is not going to kill its use.

Coming soon – ePrivacy Regulations

However, the law that will impact Google Analytics will be ePrivacy regulation but that isn’t ready yet (it was going to launch with GDPR but has been delayed due to negotiations).

We will be covering more on the development of ePrivacy Regulations later so stay in touch with SLX on our social media spaces where we’ll notify you through our future newsletters.

Ok, so when does GDPR impact Google Analytics?

We need to start with what GDPR is focused on – personally identifiable information. That means any data with which you can identify a real natural person. IP addresses and unique IDs can all be combined to identify the real person and so have to be considered as PII.

A standard installation of Google Analytics doesn’t expose these in the standard report. Instead it reports on volumes of site sessions and pages viewed, and has data thresholds in place to stop drilling down to an individual visitor’s behaviour.

However there are ways where Google Analytics can trip you up with GDPR.

For full compliance, your company needs to be able to audit/confirm that Google Analytics is not storing PII.

Let’s start with what PII can be stored in Google Analytics.

The circumstances for PII in GA vary from the hidden (IP) to the obvious (Customer ID) but can be boiled down to:

  • IP addresses – visitors’ IP addresses are collected
  • Form URLs – this can have PII data shown in URLs
  • Tracking Users with User IDs – could be seen as PII
  • Customer data – is obviously PII if you have their details in there

In each of these cases, you need to check, then document and remedy your installation of GA to stop this tracking without consent by 25th May to stay comfortably legal or seek authority from users to continue this kind of tracking through your privacy policy.

PII in IP addresses.

These are tracked automatically by GA but aren’t exposed via any of the reports or through the API, so we are safe, aren’t we?
No, it turns out legally we may not be if you are a special category data controller processing this type of information:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation

As a company, you are a Data Controller, and Google is a Data Processor. In this special category relationship, the Data Controller must protect the data subject from the Processor’s risks.

As Google states in its new Data Processing Amendment:

7.1.2. Security Compliance by Google Staff. Google will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

The risk is that users’ IP addresses could be accessed by a Google employee and used to track users (this is an outlier risk as it would take a rogue employee to be part of the GA team).

If you are processing special category data through Google Analytics you may consider “hiding” the IP of visitors from the system.

There is a tool provided by Google (yep who knew) but thanks to the German privacy requirements this has been created and is available here.

This tool stops the IP being fully recorded to disk in the Google Analytics Collection Network and instead removes the last digits from being stored.

Its use could cause less accuracy at country and city level reporting but it’s a small penalty.

The other downside is that many companies filter their reports by IP to remove visits and activity from their internal users. Using the German tool will remove your ability to remove users at an IP level, which will change the numbers in your reports. Therefore, if your reports are relying on removing internal IP addresses, do this in a test view and filter before adding it to your main view.

PII in Form URLs.

Now, this is definitely a rogue CMS issue rather than a direct intentional PII data collection.

When users complete sign up forms or sign into an authorised area, some CMS systems pass PII within the URL, that URL will be passed to GA and recorded in your reports.

This is bad practice, it breaks GA service level agreement (no PII to be stored in GA duh!) but has historically been ignored as webmasters just saw it as junk data.

However, come GDPR this will make your GA illegal!

So to check your Google Analytics do this:

  • GA – behaviour-all pages
  • Now there is no hard and fast rule (as CMSs will behave differently) but test filtering on:
    • Email sign – @
    • Common names – Sarah, Karen, Jane, Rebecca, John, Richard, David, Paul
    • Is there a form posting – form, post, get

Please note this list is for starters. Please share anything you find that matched in the comments box below so I can update this post and help everyone out.

So is anything coming up?

  • No – great another GDPR box ticked off
  • Yes – you will need to create a new view which filters or fixes it; alternatively, contact your developers to correct the CMS, quick!

To correct this problem contact the website developer and ask them for a solution to prevent this happening.

A further note on this, we are investigating if it is necessary to remove old data prior to 25th May 2018. If it is then you may need to start a new Profile! More to follow on this….

UTM tagged campaigns.

We all track campaigns in Google Analytics, and you might have specialist tags for specific Source, Medium, Keyword, Campaign, Content. Check that these don’t contain PII especially an email address or name.

To do that, look at your campaign report. You can ignore Google Adwords campaigns unless your naming scheme is particularly specific (people level!).
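The checks from the two sections above (PII in form URLs and in UTM tags) can also be run over an export of page paths. This is an added example, not code from the original post: it applies the article's starter filters (the @ sign and the common first names) to both the path and the query string, including utm_ parameters. The function names, the list of suspect parameter keys and the sample paths are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Starter names from the article's filter list.
COMMON_NAMES = {"sarah", "karen", "jane", "rebecca", "john", "richard", "david", "paul"}

# ASSUMPTION: parameter keys that often carry personal data; extend for your CMS.
SUSPECT_KEYS = {"email", "e-mail", "name", "firstname", "lastname", "phone"}


def _has_name(text):
    """True if any whole word in the text is one of the common first names."""
    return bool(set(re.findall(r"[a-z]+", text.lower())) & COMMON_NAMES)


def find_pii(page_path):
    """Return a sorted list of reasons a page path looks like it carries PII."""
    parts = urlsplit(page_path)
    path = unquote(parts.path)  # decode %40 and friends before matching
    findings = set()
    if EMAIL_RE.search(path):
        findings.add("email in path")
    if _has_name(path):
        findings.add("name in path")
    # parse_qsl percent-decodes each value, so encoded addresses are caught too.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        key = key.lower()
        if EMAIL_RE.search(value):
            findings.add(f"email in {key}")
        if _has_name(value):
            findings.add(f"name in {key}")
        if key in SUSPECT_KEYS and value:
            findings.add(f"suspect parameter {key}")
    return sorted(findings)


def audit(page_paths):
    """Map each flagged page path to its findings; clean paths are left out."""
    flagged = {}
    for page_path in page_paths:
        findings = find_pii(page_path)
        if findings:
            flagged[page_path] = findings
    return flagged


# Constructed sample of page paths, as they might appear in an All Pages export.
SAMPLE_PATHS = [
    "/thank-you?email=jane.doe%40example.com&plan=pro",
    "/landing?utm_source=newsletter&utm_content=john.smith%40example.org",
    "/account/rebecca/settings",
    "/pricing?utm_source=google&utm_medium=cpc",
    "/blog/gdpr-consent",
]

if __name__ == "__main__":
    for page_path, findings in audit(SAMPLE_PATHS).items():
        print(page_path, "->", ", ".join(findings))
```

The name match is deliberately loose, so expect false positives (a product or author page can contain "paul"); treat each hit as a row to review, not a confirmed leak.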

More PII in Google Analytics.

Google Analytics User tracking and PII.

When “Users” have been turned on in settings, each user will have a unique ID generated by GA and this can be seen in this report:
Google Analytics Audience > User Explorer Report

User Report - Google Analytics

If you want to see a report that shows tracking a real person – this looks like it to me!

Obviously, if you are covered by consent or legitimate interest then you can continue but otherwise, it could be seen as a GDPR risk.

To disable this you will need to stop tracking users, which is done by:

  • Admin > Profile
  • Property Settings
  • Scroll down to User Analysis and make sure it is off

This will have the added benefit of stopping the use of a couple of cookies (_ga/_gid); technically there are two but most people don’t tend to use the other one.

Update – Google Analytics has recently released a new tool to allow for user and event data to have a “lifetime” in Google Analytics of between 14 months and just over 4 years. If you are going to continue with the user function you should strongly consider this, as it will demonstrate that you are holding data for “no longer than is necessary”, in line with that part of GDPR.

Injecting data into Google Analytics

And finally, if your company actively stores customer data in GA by injecting data from other sources, which could be any of these:

  • CMS
  • CRM
  • Customer Dimensions / Metrics
  • Customer ID

This will normally be handled by a bespoke development that will have been an IT / Developer project and therefore it should be known what it is doing, how it works and how to fix it.

You will need to go talk amongst your marketing, legal and developers on the legal coverage for using this data and if it needs to stop.

Google Analytics and GDPR Summary:

These are the key points to take out of this post, but as I said before, your company needs to make its own decisions and most importantly document them.

  • Google Analytics in its standard set up is pretty GDPR / PII compliant
  • Risks vary from low to high depending on how customised your installation of Google Analytics is
  • To improve the standard set up look at:
    • Anonymising IPs
    • Check and remove PII in URLs
    • Turn on Data retention limits for User and Event data
  • Check if PII is intentionally being stored and consider that this breaks GA Service Level Agreement and what legal right (consent / legitimate interest) you may have to hold that data

If you have a custom GA setup using known PII then you have 4 options

  1. Get users to give consent to use it
  2. Build a legitimate interest case for it
  3. Remove it
  4. Anonymise it

Also, remember you could be breaking the Google Analytics Service level agreement by storing PII in there!

Please remember none of this is legal advice, do your own research and if you need help SLX can do a full GA GDPR (email and other systems) audit for your company.

Sep 06

SaaS acquisition – “I’m a SaaSy Pirate, AARRR!”

By Graham Hansell | SaaS marketing

Software as a service, or SaaS, marketing is highly competitive with many companies in most verticals. To succeed you might just have to act like a pirate to get your treasure chest of riches.

So to help plan for success here is a tried and tested for growing your customers.

Let’s walk the plank and dive right in…

AARRR the (SAAS) pirates code


Acquisition – getting them interested

You have to give people something to get their interest. So to move them to sign up you want people to register for a Free Trial.

In case you have micro-conversions (e.g. Newsletter sign up), you can break the funnel down into different chunks, measuring each of your conversions (micro & macro).

Your funnel is only as good as the users you acquire at the first step. If you convert very bad leads at the top of the funnel, you’ll get very few customers.

The best approach here is to work on Traffic Acquisition to ensure that you can bring a lot of qualified leads to your website. On the other hand, you can also work on Conversion Rate Optimization (CRO).

Planners Note – you don’t need huge volume to acquire customers. If you only have a few hundred very targeted visitors every month, it’s perfectly fine!


Activation – getting them to “use the thing”

Having someone sign up on your website is only the first step. Many people will just sign up and never use your product.

People who have activated are using your product. They logged in and started to use your product.

The goal here is to work on your onboarding so that people who log into your product can quickly understand your value proposition and realise how your product might be able to help them in their job.

You can send emails to people who never log on, or try to call these “cold” prospects directly, to remind them of your offering and make them come back.


Retention – keeping them onboard

Now that people started using your product, you want them to come back regularly to use your product. They’ll input more data and truly realise your Value Proposition. At that point, they’ll consider buying it.

Many people will only use your product once and will never come back. The problem with them is that you waste a ton of money trying to get them to use your product just to never see them again.

measurement will vary between different apps. People will not use Facebook as much as they use their accounting app. Some apps may only expect 2 logins each month.

If you fail to retain people, try to stay in touch with them in order to keep showing the value of your product and to let them know you still exist.


Referral – getting them to recruit others

If you can easily get people to talk about your product and to refer some of their peers, it’s a big win.

The aim of this part is to count the number of people who are talking about your product and invite their friends. It’s the perfect step to drive organic growth.

Startups that can drive organic growth generally win big. They acquire users who are going to become advocates and talk to other people. Once they get the wheel going, the company will grow very quickly…


Revenue – finding the treasure chest

finding the SAAS treasure chest

Although the number of customers you have is primary, they’re not representative of your business’ health. Counting your number of customers is not enough and you should also rely on other more advanced metrics. People are now using your product, they fully understand the value and pay for it. This is basically counting the number of customers that you have.

To do so, you should have a look at metrics like:

  • Monthly Recurring Revenue (MRR)
  • Average Revenue per User (ARPU)
  • Lifetime Value (LTV)

Here is a quick intro video from 2007 with the creator of this framework, Dave McClure.

Mar 02

Free training in the new Ads Next interface

By Graham Hansell | Training

Google’s Ads Next is live for most advertisers and offers a lot of changes and chances for your campaign workflow.

If you have put off the changeover, then let SLX paid media team steer you through the main changes you need to learn with our  Ads video course.

What will I learn?

Video 1 - Interface

  • Cleaner navigation (no really, it is once you learn it)
  • Consolidated targeting across campaign
  • Ads tool consolidation

Video 2 - Reporting

  • Overview reports
  • New reporting features
  • Dashboards
  • Landing pages report

Video 3 - Targeting and Bidding

  • New features
  • Household income targeting
  • Advanced bid adjustments for call extensions

SLX will run you through all these points in our videos and answer the questions you need to have answered.

Please sign up and we will promise to never abuse, sell or share your email address with anyone else.