A Guide to GDPR Lead Generation: How Have Things Changed and What Should You Do?

This article discusses the impact of GDPR on lead generation and provides answers to common questions businesses have about compliance.

By Will Blunt ・8 min read
Best Practices
Business & Marketing Strategy
Email Marketing

Disclaimer: This article is not legal advice. To ensure your business and website is GDPR compliant we recommend you speak with a qualified legal professional.GDPR is here and everyone is frantic...

For most businesses, there is still some confusion about where they stand, what they need to do, and if the steps they have taken up until now will satisfy the new regulation.It’s frightening when you’re left in the dark about something that could have a significant impact on your business and livelihood.But don’t panic. While on the surface the GDPR looks like an overly complex restriction on the way you conduct business in an online world, we believe it is a step in the right direction.So, if you capture, manage, and use the personal data of people in the European Union (EU) I bet you have a ton of questions on your mind about what GDPR means for lead generation.This article will answer the most common (and important) questions that businesses have about GDPR and lead generation.

I’m not based in the EU, does GDPR affect me?

The short answer is yes… but it’s complicated.If you own a burger shop in the heart of New Zealand, and your only means of capturing a customer’s personal information is by entering it manually at the point-of-sale, then you’re probably good. GDPR won’t have much of an effect on you.However, if you run a website that tracks or captures any personal information from residents of the 28 EU countries, then you need to make sure you are compliant. This data capture may be as simple as having a Google Analytics tracking code installed on your website. So, yeah, it affects a LOT of businesses.

What type of data does the GDPR cover?

The GDPR is specifically focused on governing “personal data”.Here is what the European Commission defines personal data as:

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”

Examples of personal data include:

  • a name and surname;
  • a home address;
  • an email address such as;
  • an identification card number;
  • location data (for example, the location data function on a mobile phone);
  • an IP address;
  • a cookie ID;
  • the advertising identifier on your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

Note: Company information is not considered “personal”, such as registration numbers and generic company emails.

How does GDPR affect lead capture?

Perhaps the most affected parties when it comes to GDPR are those businesses who capture leads online; be that via their website, on social media, or through other channels.Say, for example, you have an opt-in form on your website for a weekly newsletter. Or perhaps you collect email addresses and contact information in exchange for a free resource, such as a white paper. These lead capture forms will now be governed under new regulations for any website visitors who reside in the EU.The method for capturing leads, be it a landing page, quiz, contest, popup, calculator, or something else, doesn’t matter. If you are collecting personal information about people then you need to follow the rules.Here are some things to be aware of when it comes to obtaining someone’s consent for lead capture and use.Consent to opt-in to your lead capture forms needs to be:

  • Active and ‘freely given’ - Your forms should include an unchecked box that people manually select, alongside a description of how you will use the data you are collecting. See what this looks like below from sales software Membrain:
GDPR lead generation Membrain

An example of active and 'freely given' consent on a lead capture form.

  • Explicit - The way you are going to use people’s data should be explicit and obvious at the point of consent. As well as a short description of how you will use people’s data you should include a link to your Privacy Policy on lead capture forms.
  • Separate and granular - Your description of how you use the data you collect can’t be generic and bundled into one checkbox. This is not considered an active choice. People must consent to each separate use of their data. Below is an example of this in action as “Communication Preferences” from
GDPR Lead Generation - Close io

An example of separate and granular choice for email marketing preferences.

  • Non-discriminatory - People shouldn’t be penalized or disadvantaged if they choose not to consent.

One thing is for certain, for any business that collects, manages, and uses personal data in the EU, GDPR will change the way you capture leads. But you don’t have to view it as a negative thing. After all, you are capturing leads that will hopefully become customers, so giving your customers a choice about how you use their data is a good thing. It builds trust and, in many cases, improves the quality of the leads you collect.

What do we need to do with our Privacy Policy and Website Terms?

Even if you have a Privacy Policy and Website Terms of Use available on your site, you will likely need to adapt it to ensure it is GDPR compliant. Here are two things for you to consider about your Privacy Policy and Website Terms of Use:


The key differences between a general Privacy Policy and a GDPR compliant one, are the following:

  • A GDPR compliant Privacy Policy includes details about how you store, secure, and transfer data, with specific reference to any transfer of personal data to third-parties outside the EU.
  • A GDPR compliant Privacy Policy outlines third-party organizations that personal data is shared with, for example, Google Analytics.
  • A GDPR compliant Privacy Policy explicitly outlines an individual's rights to control their consent to share personal data with your business.

Again, this is a general overview of some of the most important changes you need to make to your Privacy Policy. For a full breakdown, we recommend consulting a legal professional.


As well as changing the content of your Privacy Policy and Website Terms you need to make sure these documents are easily accessible to website visitors.In the past, website owners would hide these documents deep in the hierarchy of their site menu structure.To be compliant, the visibility of these documents needs to be clear and prominent whenever you are collecting personal user data.

What does GDPR mean for pixels, cookies, and tracking codes?

If you’re running lead gen campaigns on your website then it’s extremely likely you will have a range of different tracking codes installed to help improve your performance. All of these codes use “Cookies” to remember information about website visitors.The Google Analytics tracking code, Facebook Pixel, Google Remarketing code, and heat mapping software, are all examples of code snippets that track personal user data through the use of cookies and pass it onto third-parties. So if you have any of these things installed on your website then you need to be proactive in gaining consent from website visitors that you can both; use, and pass their information on.The easiest, and most cost-effective, way of capturing consent for this is to use a tool called “Cookie Consent”. It’s a free tool that lets you build an on-brand banner for your website.Here are the builder and an example of what the banner looks like:

GDPR Lead Generation - Cookie Consent

An example of a 'Cookie Consent' website banner.

How do these changes affect our email marketing strategy?

On top of capturing cookie information on your website, the GDPR governs the way you collect, manage, store, and delete personal information in your CRM or email marketing software.Here are three important things to be aware of when it comes to your email marketing strategy:

  • You need to gain active consent from current contacts in the EU (Note: This should have been done prior to the May 25 deadline, but it’s better late than never!). As well as gaining consent from future subscribers, the GDPR requires that businesses gain active consent from their current EU subscribers too. The easiest way to do this is to segment your subscriber list by geography and send a GDPR consent email to those that reside in the EU. Below is an example of an email for this purpose from the SEO tool Mangools:
GDPR lead generation for active consent

An example of gaining active consent from EU email subscribers.

  • You need to keep a record of the active consent of all EU subscribers to your list. This is one area where a “double opt-in” can be helpful. While it’s not considered mandatory under the GDPR, sending a confirmation opt-in email to all new subscribers with a link that obtains their active consent to receive messages from your business will ensure you are compliant with the need to record the consent of individuals. It’s also effective for cleaning up your list and improving the quality of your subscribers.
  • You need to understand how to delete personal data for users if they request it. Under the GDPR, if an individual from the EU contacts you and asks for their personal data to be deleted from your system, then you need to comply. This isn’t always a simple process, depending on your CRM or email software. So make sure you are aware of how to do this if the situation ever arises.

Does GDPR affect outbound lead generation?

At its core, GDPR is trying to deter companies from misusing the personal information of individuals, as well as giving those individuals more choice with regards to the use of their personal information.Many people believe these changes will spell the beginning of the end for outbound lead generation in the EU - such as cold emails, selling of distribution lists, and other outbound lead generation tactics. (All tactics we don’t recommend at ShortStack anyway!)Because contacts haven’t actively consented to receive information from you, traditional outbound strategies become a bit of a grey area. And it becomes hard for businesses to scale outbound campaigns while still being compliant.We believe that these changes will reinforce the importance of inbound lead generation tactics such as content marketing and social media. So if your business is reliant on outbound tactics for growth then it might be time to re-think your approach.

What should we do about GDPR?

If you haven’t already, you need to take steps in order to ensure your business is GDPR compliant.Here is a summary of the steps you could take:

  • Audit your Privacy Policy and Website Terms of Use, and then update them to be compliant with the new regulation.
  • Update all lead capture forms on your website or other platforms so that they include an active consent checkbox, link to your Privacy Policy, and a description of how you plan on using the personal data collected.
  • Install the “Cookie Consent” code snippet on all of your website pages.
  • Put a system in place for recording the consent of your contacts, and become familiar with the process for deleting user information from your software of choice.

Are you all set for GDPR so that it won’t affect your lead generation efforts? Disclaimer: This article is not legal advice. To ensure your business and website is GDPR compliant we recommend you speak with a qualified legal professional.

Try making a free contest or promotion to gather leads from your social media.

Get Started Today. No credit card required. Risk-free.

About the author

By Will Blunt ・8 min read

Will Blunt is the founder of Sidekick Digital by Will Blunt - B2B Marketing Expert - Sidekick Digital, a publishing business that launches, manages, and grows brands with content marketing.

Get marketing tips straight to your inbox

Thank you!
Your submission has been received!
Oops! Something went wrong while submitting the form.
We’ll email you 1-3 times per week—and never share your info.