Third-Party Lead Generation and GDPR Compliance

lead generation and gdprThe EU’s General Data Protection Regulation (GDPR) is here and mandates major changes to the modern marketer’s B2B lead generation efforts.

Most marketers are (or should be) well on their way to GDPR compliance when it comes to website and landing-page form language, data transfer procedures, and documentation.

Less understood, though, are the ways in which the GDPR affects B2B marketers’ third-party lead generation campaigns. So, in today’s blog post, we break down the basics for you.

Important background information about the GDPR

GDPR states both marketers and the third-party lead vendors who fulfill paid campaigns must get written consent for each purpose of lead use. Further, organizations must maintain documentation that lists:

  • The personal information it collects and processes
  • The location of that information
  • The purpose of processing that data
  • Records of consent received from prospects
  • Documented processes followed for the protection of personal data

So, what can B2B marketers do to help ensure their third-party lead gen campaigns are GDPR-compliant? Read on for our top recommendations:

1.     Take inventory of third-party lead gen partners and data sources.

The first step is to understand which third-party channels you use are impacted by the GDPR. Create a list of all channels capturing leads or prospect data on behalf of your company outside your owned media. Although these sources may not be affiliated with your organization,  your company will still be held responsible for it all.

You likely use multiple sources to generate your leads. Break down each lead source in a logical way to ensure you don’t overlook a source or lead collection form. Next, gather a list of the various companies you partner with. Send this list to other team members to double- and even triple-check that you didn’t miss anything. Diligence will prove the difference between organizations that are and are not compliant.

Once you have your partner list in hand, it’s time to get down to the real work. Start to ask the hard questions of your contacts at these third-party media companies. There’s no trick or hack here. Stay organized, be vigilant and, most of all, start this process as soon as possible.

To organize your inventory efforts, create a simple table with columns for the following information:

Column One: Sources & Partners

Sources/partners – Any source or partner that captures personal data among individuals in the EU, Switzerland and/or the UK. The UK will likely be governed by GDPR rules for a while.

Column Two: Contact Information

Basic information for your contacts within these companies and sources.

Column Three: Consent Compliance

Compliance with consent language and processes rules. Use this column to mark the source as “Y” for currently compliant or “N” for not yet compliant.

Column Four: Cross-Border Data Transfer Compliance

Compliance with cross-border data transfer rules. As with the previous column, you’ll mark each source as “Y” for currently compliant or “N” for not yet compliant.

Column Five: Compliance Date

Date scheduled for compliance to be fully implemented. Don’t run campaigns through a channel or source until it’s fully compliant.

For partners that haven’t made all necessary changes, inquire about their timeline. Then mark that date in the column and check back when that date arrives.

Also, keep in mind that you must Immediately require all new third-party sources and partners to agree to GDPR compliance before you allow them to run any lead generation campaigns for your organization.

2.     Create and centralize opt-in language for easy, consistent distribution.

Step two is to tackle opt-in language. holds a strict definition of prospect consent and, in order to remain compliant, marketers must ensure every lead data source uses language and processes that adhere to this definition. According to

“The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”

What does this really mean? We’ll break it down for you. Your opt-in language must be:


A sign of consent must involve a clear affirmative action.


Consent must be separate from other terms and conditions. Third-party partners must ensure opt-in boxes are distinct from “Terms and Conditions”, side boxes, and copy. Furthermore, your opt-in cannot be a precondition of signing up for a service unless it’s a necessary component of that service.

Active opt-in:

GDPR bans pre-ticked opt-in boxes. Keep all opt-in boxes unchecked.


The language used on third-party landing pages and lead forms must provide granular options to consent separately for different types of processing wherever appropriate.


Your organization (and any additional parties who will be relying on consent) must be specifically named on each landing page/lead form.

Easy to withdraw:

Prospects have the right to withdraw consent. The language used by your lead gen partners must clearly inform prospects about their right to withdraw and provide them with easy ways to withdraw consent at any time.

Don’t leave the language up to your various partners. Remember, compliance is your responsibility. Instead, we recommend you create a central repository of GDPR-compliant consent language and send it to all applicable partners. This will ensure consistency and coverage across all third-party vendors and sources.

3.     Check and document language on third-party landing pages, forms.

By now, you’ve distributed prewritten GDPR-compliant opt-in language to your various partners. The next step is to review all assets used for each campaign before they are launched.  This includes forms, landing pages, etc. – to ensure they use the right consent language and adhere to your brand guidelines.

Furthermore, the GDPR specifies that organizations must maintain clear records to prove compliance. We recommend you capture and timestamp any offers on your partner landing pages that contain forms. Clearly document the language used and processes required for prospects to opt in.

4.     Set up compliant data transfer processes.

The final step toward compliance is to set up the appropriate data transfer processes. Essentially this means you always transfer prospect data in a manner that keeps private data secure. Lead lists in unencrypted email attachments are not acceptable.

Again, ensure all third-parties follow cross-border data transfer regulations as prescribed by GDPR. Setting up APIs for direct prospect data injection into your marketing database is a good idea, but it’s critical that you first ensure third-party sources are compliant with GDPR’s language and process consent rules. Otherwise, these sources will inject non-compliant data into your database, which may result in liabilities down the road.

Key takeaways about GDPR compliance

On a final note, the GDPR presents major hurdles to B2B marketers. But, keep in mind that each of these challenges only serves to make us better, more customer-focused marketers. And this is something we should strive for with or without regulations.

For more general information about GDPR, check out our recent article:  Your Guide to the GDPR: An FAQ.

About the Author:  David Crane directs content and thought-leadership efforts at Integrate, a demand orchestration software provider. With nearly 10 years of marketing experience and a background in economics, historical research and writing, David focuses on creating educational, engaging content for B2B marketers. You can read more from David on the Integrate blog.