All posts by Annabel Youens

Annabel Youens

About Annabel Youens

I'm a co-founder and CMO at AE. I believe that truly successful internet businesses have to connect people. {wave} When I'm not online I'm exploring beautiful Vancouver Island. Things I love: everything scifi, literary fiction, coffee, Google Music, my workhorse sewing machine and board games.


Anyone else still recovering from the GDPR (General Data Protection Regulation) inbox flood?

If you’re based in North America, you’ve probably also wondered to yourself if you’re even affected by GDPR. (Spoiler: you are!)

While centered on the European Union (EU), the GDPR will have a global impact.
While centered on the European Union (EU), the GDPR has a global impact.

The GDPR’s Global Impact

While centered on the European Union (EU), the GDPR has a global impact. Here’s why.

Even if you’re based in the US, Canada, or Mexico, if you handle any data from EU customers (there are 28 countries in the EU), you’ll be affected.

There are certain caveats to these rules:

  1. If the EU visitor/customer is not in the EU when you collect their data, the GDPR does not apply.
  2. Your visitor or customer does not need to purchase from your site for the GDPR to apply to your business.
  3. If you’re hosting a generic survey without directly targeting EU consumers, but a prospect from Britain fills it out, they are not covered under GDPR. However, if your study even mentions the EU, then the law kicks in.

But what about California?

The California Consumer Privacy Act of 2018 is another hot ticket item that could bring GDPR-like privacy rules to California– the heart of tech.

The California Consumer Privacy Act of 2018 could bring GDPR-like privacy rules to California.
The California Consumer Privacy Act of 2018 could bring GDPR-like privacy rules to California.

This could spell out a major change for businesses that collect and sell customer data. Customers will have to ask how their data is being used, and request to be removed (opt out). The GDPR focuses more on opt-in requirements, making the California regulations much more friendly to data collectors.

Customers who choose to opt out, cannot be punished or charged higher fees for services. And here’s the clincher: it allows public prosecutors and citizens to sue for data breaches or for the sale of personal data after someone has opted out. There’s no requirement that specific harm be proven before damages can be awarded.

Citizens can sue for data breaches and there’s no requirement that specific harm must be proven before damages can be awarded under California’s proposed Consumer Privacy Act.

This will make effective tracking and following through on opt-outs a top priority for companies that collect data in California.

What does this all mean for marketers in North America?

In a time where people are being asked for their data on a daily basis, and that data is being traded with other businesses, it’s about time customers gained some power. Historically, customers have had their data traded and sold without their knowledge, and with the rise in cybersecurity leaks, it’s well past time every internet user had rights.

As a marketer, it means you need to be prepared for a new age of data collection and transparency.

With these regulations moving from a possibility to a reality, we need to become proactive. Even if California’s privacy act does not pass, it’s inevitable that marketers will see a shift in data collection regulations.

Marketing strategies must shift from a cold transactional approach, to a warm, transparent and relationship-focused strategy.  

So, How Do You Build Trust as a Marketer?

It starts with upfront communication before you ask for any customer data.

When you collect data from customers, you need to clearly tell them how you plan on using that data. The context will matter when working within regulations like GDPR, because your stated context for collecting/using data is the only way you are legally allowed to use this data.

You can earn big points with consumers for providing the transparency they deserve.

From there, you need to give them explicit details on how you will use their data, and if you want to send them different information, you need to get permission.


Additional Resources

  • IDC Five Steps to GDPR
      • This white paper is basically a more in-depth version of the five-step guide above, so if you want more details, here’s the next stop.


This post is part of our series: Find Out Fast If Your Business is GDPR Ready. Our goal is to help businesses make sense of privacy and data. AE is your Babel Fish for Legalese ?

The flip side of the onerous GDPR regulations is the new opportunity they’ve created for brands to be leaders.

Marketers who adapt to these changes quickly will be able to build a new layer of trust for their brand, and emerge from this transition as industry leaders.

With the added transparency of GDPR, marketers are being called to deliver on their promises, and provide real value in exchange for connecting with customers.

This means, as a marketer, you’re going to have to get more creative with how you capture opt-ins, collect data, and use that data. These new pressures are also an opportunity for your brand to become a leader and actually increase engagement from your customers.

A big reason for these regulations is the increase in unwanted emails we all receive every day. People were being messaged endlessly, through all channels, with content that they unknowingly “opted in” to.

People were being messaged constantly through all channels with content they had unknowingly "opted in" for.
The deluge of unwanted content was becoming unbearable!

With the removal of some offers, the noise may die down, but there will be a new opportunity to be seen, if you’re prepared to offer something remarkable.

Thoughts on Leveraging Data in the the Age of Transparency

Customer data collected through a Spotify Pre-Save campaign can only be used for that campaign, under the new GDPR.
Let’s use a Spotify Pre-Save campaign as an example.

When it comes to collecting customer data, there are a few options at hand. Say you’ve created a curated Spotify Playlist and used a Pre-Save campaign to generate thousands of signups. Because of the opt-in context, you’re only allowed to use your customers’ data for this Spotify campaign. You cannot send them additional information that they did not consent to.

So, how do you leverage the customer data you’ve been given, within the context you’re allotted? This involves digging into your data a little deeper.

Here’s the data you get when you use AE’s Spotify social login:

Here's the data you get when you use AE's Spotify social login.
Here’s what you’ll see of users’ activities with AE’s Spotify social login.

Use this data and take the opportunity to give value back to your customer. For instance, send them a message about the track they’ve listened to, and ask if they’d like more music from similar artists.

Take the time to create a more personal relationship, acquire more data to segment your customers with, and message with content they actually care about.

This level of communication is vastly different from what marketers have been doing recently. They overlooked building genuine relationships because it takes more time, and opted for a more transactional strategy: sending emails to push a purchase.

In the age of data transparency, pushing a sale must come secondary to building the relationship. You need to use the data at your fingertips and work within the context of your opt-in process. By doing this, you’ll build more meaningful relationships with visitors, and slowly gather the information needed to upsell, cross sell, and offer a sale, when it’s time.

In the age of data transparency, pushing a sale must come secondary to building the relationship.
Focus on building meaningful relationships with your customers, rather than trying to push a sale.

The difference: you’re now focusing on the long game, rather than the short one.

Adapt Early and Customers Will Love You

As this approach becomes more popular and customers understand the various levels of data consent, they’ll become more sensitive to how their information is being used.

Marketers who take a cautious and considerate approach (i.e. asking permission to contact for reason X), will gain more trust for their brand.

This new wave of marketing is all about taking the data you have and using it to form relationships with individuals before sending them sales-driven content — not pushing your message out to as many people as you can.

This will be an adjustment for many marketers. But the payoff may be a better relationship with a more invested audience.  Better to make these changes as an early adopter and industry leader, rather than just trying to keep up with the pack.


This post is part of our series: Find Out Fast If Your Business is GDPR Ready. Our goal is to help businesses make sense of privacy and data. AE is your Babel Fish for Legalese ?

What Explicit Consent Means

Clearly, telling your customers what you’re going to do with their data makes good business sense. Trust is essential, especially these days.

Email marketing has taken a clear approach to email sign-ups for many years, thanks to changes like Canada’s anti-spam legislation (CASL) and other countries that have followed suit. This clear understanding between an email customer and a business follows this simple pattern: You sign up for an email newsletter, and the business tells you how often they’ll email you, what kind of content you’ll receive and how to unsubscribe. Excellent!

This concept of clearly spelling out how customer data is to be used is now being spread across every part of your customer data thanks to the GDPR. At AE we think this is  good thing. Being more transparent and honest is good for everyone.

How To Implement Explicit Consent

You need to be able to tell a customer what you’ll be doing with the data you ask them for. This is especially important during customer registration.

When you implement your policy or terms and conditions you need a check box that isn’t pre-checked. This box must be checked by the user to indicate that they are agreeing. This is the foundation of explicit consent.

For GDPR compliance, you need to provide a checkbox that the user must check themselves, providing exlipict consent..
Explicit consent: The user must check the box themselves to agree.

Deleting Your Customers, The Right To Be Forgotten

The second cornerstone of the GDPR changes is that every one of your customers has the right to be forgotten. When a customer sends a request asking to have their account deleted, you must do it. Pretty simple and you most likely do this right now. However, you might just be deleting the main customer account, but other information like billing, or an mailing address, or old emails in your support system would be left. With the GDPR it all has to go.

If your business has multiple systems that contain customer data it all needs to go. There are a few instances where some customer data will remain, for example electronic invoices that contain customer data can be kept on file for taxes and accounting, but in most cases you’ll need to remove everything and then notify the customer when it’s been completed.

Under GDPR laws, if a customer wants their account deleted, you must delete all the information you have about them.
If a customer wants their account deleted, you have to delete all the data you have on that person.

GDPR Cornerstones

Good luck setting up explicit consent and reviewing how you delete your customers. These two cornerstones for being GDPR ready can seem difficult to implement and understand but hopefully this helps you get started.

Get more information on anti-spam legislation in the countries where you have customers:

United States of America: CAN-SPAM Act

Argentina: Personal Data Protection Act

Australia: Spam Act 2003

Austria: Austrian Telecommunications Act

Belgium: Belgium Law March 11, 2003

Brazil: Movimento Brasileiro de Combate ao Spam

Canada: CASL

Cyprus: Regulation of Electronic Communications and Postal Services Law 2004

Czech Republic: Act No. 480/2004 Coll. on Certain Information Society Services

European Union: Directive on Privacy and Electronic Communications

Finland: Act on Data Protection in Electronic Communication

France: Law of June 21 2004 for Confidence in the Digital Economy

Germany: Federal Data Protection Act

Hong Kong: Unsolicited Electronic Messages Ordinance

Indonesia: Law Concerning Electronic Information and Transactions

Ireland: European Communities Electronic Communications Networks and Services Data Protection and Privacy Regulations of 2003

Israel: 2008 Amendment to the Communication Telecommunications and Broadcasting Law of 1982

Italy: Italian Personal Data Protection Code

Japan: Act on Regulation of the Transmission of Specified Electronic Mail

Malaysia: Communications and Multimedia Act of 1998

Malta: Data Protection Act

Netherlands: Dutch Telecommunications Act

New Zealand: Unsolicited Electronic Messages Act 2007

Singapore: Spam Control Act 2007

South Africa: Electronic Communications and Transactions Act 2002

South Korea: Act on Promotion of Information and Communication Network Utilization and Information Protection

Spain: Information Society Services and Electronic Commerce Act

Sweden: Swedish Marketing Act

United Kingdom: Privacy and Electronic Communications (EC Directive) Regulations 2003


This post is part of our series: Find Out Fast If Your Business is GDPR Ready. Our goal is to help businesses make sense of privacy and data. AE is your Babel Fish for Legalese ?

Why should you use Double Opt-In?

Double opt-in is an important way to get your customer to explicitly agree to joining your newsletter. If you’re focusing on being GDPR compliant, you’ll need to get your customers to say yes not once, but twice. Yep, they really want your newsletter and that is a great thing for you.

What is Double Opt-In?

The process of double opt-in

“Double opt-in” is when a user:

  1. Signs up to receive your emails
  2. Receives a confirmation email from you
  3. Clicks a link to verify their email and reaffirm that they wish to receive your e-newsletter.

Double opt-in is great because it ensures that everyone receiving your emails is actually interested in reading them!

How to Set Up Double-Opt-In

You can set up double opt-in using any email newsletter provider. We really like MailChimp. Here’s what they have to say about double opt-in and how to set it up using their service.

If you’d rather explore other options, here’s a list of some more providers you can try out:


This post is part of our series: Find Out Fast If Your Business is GDPR Ready. Our goal is to help businesses make sense of privacy and data. AE is your Babel Fish for Legalese ?

To fully understand what’s happening in the world of GDPR and customer data, you’ll want to have a grasp of what web beacons and cookies are and how they work. Here’s our quick breakdown.

Web beacons and cookies are part of customer data collection and are important to understanding GDPR.
Beacons and cookies and web, oh my!

Web Beacons

Web beacons are often referred to as pixels that get tracked. They are small transparent gifs that live on websites.

When you visit a webpage that has a beacon, you download the pixel. Now the site with that beacon knows things like your IP address and your country.


The information gathered by the web beacon is usually paired with a cookie, so now the business knows you visited and they can re-target you specifically with ads. We all know those annoying ads you see over and over. I looked at that luggage website for 5 seconds and now all I see is ads for rolling suitcases.

Cookies are usually used to help your browser remember you’ve been there before by storing your account information. For example: you log into Gmail in the morning, around lunch you close your browser, you come back to your Gmail page in the afternoon and you’re already logged in. Cookies don’t normally store any personal information about you, so you can’t be identified by it.


This post is part of our series: Find Out Fast If Your Business is GDPR Ready. Our goal is to help businesses make sense of privacy and data. AE is your Babel Fish for Legalese ?

What is a Privacy Policy?

Simply put, a Privacy Policy is a document that tells your customer what data you’re going to collect from them, how you’ll use it and who you’ll share it with.

Why You Need a Privacy Policy

If you have a business website, you should have a Privacy Policy. It’s important that your business models best practice, plus it’s likely that you’ll need one to meet your online legal requirements.

Take heart.? It doesn’t have to include swaths of pages of legalese. In fact, the more straightforward and simple you can make your Privacy Policy, the more your customers will trust you.

Great Examples of Privacy Policies

Writing a Privacy Policy can be awfully dry. We’ve collected a few examples of companies who have added personality to their boring documents, and managed to make them more interesting — even friendly. Almost as though you’re talking to their best customer service reps.  

Xero has a great privacy policy.

We’re huge fans of Xero and their Privacy Policy is clear and to-the-point. Marvel in its readability!

Typeform has a great privacy policy.

Typeform have, of course, used a form to display their Privacy Policy as well as their terms and conditions. Do check out their plain English version. It rocks.

MailChimp has a great privacy policy.

MailChimp has done a pretty good job as well on their Privacy Policy. They deal with a lot of customer data and have clearly marked out how they use it.

HelpDocs has a great privacy policy.

We love the fellas at and we use their service. They also break down the complex world of privacy well.

We think AE's Privacy Promise is a pretty great example of a privacy policy too.

We’re pretty proud of the work we’ve done on our own Privacy Promise.

Some Helpful Resources For Writing a Privacy Policy

The DMA (Data and Marketing Association), based in New York describes the outline your Privacy Policy should follow in their post How To Construct Your Privacy Policy.

Here’s what they recommend including:

  1. Contact Information
  2. The personal data you collect and use
  3. Whether you use cookies
  4. What kind of information will be shared with 3rd parties
  5. Marketing Preferences
  6. Review and Changes
  7. Notifications
  8. Security
  9. Enforcement
  10. Changes
  11. Effective Date

There are even several privacy policy generators available online. These can be helpful to get you started, but always get actual legal advice so you know you are covered.

Here are a few privacy policy generators you can check out if you’re interested:

How to Explain AE’s Service in Your Privacy Policy

To help you construct your own policy when you’re using AE Connect, it’s important to know several things:

What Data Does AE Collect?

The short answer is, it’s different depending on the service your customer registers with. We’ve broken down the information AE collects by service to help you fill in your Privacy Policy more easily.

Does AE Use Cookies?

The short answer is yes. Check out our Web Beacons and Cookie Guide.

AE’s Privacy Promise

We deal in customer data every day. We know the companies who work with us trust us to keep their data secure and private. This is a huge deal to us and we don’t take the job lightly.

We have a Privacy Promise that outlines how we collect data and what we do with it. It’ll probably give you some ideas for your own.

Best of luck writing your own Privacy Policy. Of course, we always recommend you have the Privacy Policy you come up with reviewed by a smart and trustworthy lawyer.


My brother’s left Facebook. My dad is getting ready to leave the blue F. I feel pressure to leave it as well. Why? Because I know Facebook is making money off my data and I don’t feel like I get a lot of value from the platform. Plus I’m crazily annoyed by the “sponsored posts” thrown into my feed. Facebook has turned into 80s TV programming. The shows you want to watch are surrounded by loud ads and other ridiculous shows that you have to sit through, to get the content you care about.

I care deeply about technology’s effect on our world. I may be a marketer — but first, I’m a person. I have a complicated relationship with online data.

Here’s a look at data from this marketer’s point of view: the dark side, the light side, and the potential for a better future together.

Why I Still Use Facebook

There are two sewing groups on Facebook that I’m incredibly involved in. These communities live inside Facebook and are filled with kindred spirits that help me figure out how to sew a french seam (leveling up!) and give me fitting advice. I love the value I get from these two groups. They just happen to be on Facebook.

I also have a young daughter. Our family and friends are spread out around the globe. And yes, Facebook is an easy sharing platform for photos.

As a marketer, I also need to stay on Facebook to see how companies are building communities, promoting their products and learn about the new tools Facebook offers for advertising.

When I take a high level view of my Facebook use, I basically use it for photo sharing and forums.

Why I Value Google

The other side of my digital coin is my complete and absolute surrender to Google. I use Google for almost everything: email, documents, photos and music. Why? Because Google makes my life easier and presents me with useful information, like when I should leave for a meeting or if my flight has been delayed. And all my services are synchronized so that I’m not logging out and logging into different apps and services all the time.

Having most of my digital content integrated with Google means I can view the photo album I have shared with my husband, plus it’s easily shared with other family members on Google… But they’re not all there and that’s the crux of any sharing platform.

We even have a Google Home mini in our kitchen that gives me news in the morning and makes it Google-easy to start a new podcast while I’m baking. No more flour all over my phone!

The Dark Side and the Light Side of Data

Recently when I tell people that I co-founded an insights company that uses customer data to deliver better experiences their reactions have changed. At the moment I get eye-rolls ? and scrunched up foreheads. Fair enough. Data is seen as the dark side of the internet at the moment.

But like every industry there are companies that have bad practices and ones that have good practices. I started thinking about the Empire of Data and the Jedi Order of Data when the lovely Manoush Zomorodi (she is my podcast BFF) and her team at Note To Self released an episode called “Deep-Dark-Data-Driven Politics”. It was the first time I heard the words Cambridge Analytica and I learned about the personal data they’d collected from Facebook.

Over on the Dark Side you have data companies scrapping the internet, gathering all the customer data access points they can and then selling this data to other companies. Boo!!

On the Light Side you have data companies that get specific opt-in from customers and clearly tell them what they’re going to use their data for. Opt-in is like a digital handshake that lets the customer say, “Hey, here’s some of my data” and the company says “Thanks. We’ll keep it safe and use it to make your life better.

That’s what I feel like I’ve done with Google. My life is made better by their service and in return I give them access to my data.

As for Facebook I’m not convinced we’ve had that digital handshake. And with all their customers realizing how their data is being used on that platform it’s going to have to evolve or die. These mammoth social services look too big too fail, but they all come and go. Remember your first friend Tom on this social network that used to be the go-to social networking site? You might not.