How to Run a GDPR Compliant Competition

Management 9 minute read 19 January 2021

When the GDPR was introduced on May 25th, 2018, it instantly became a massive talking point for everyone from agency marketers to small business owners.

What impact will it have on day-to-day operations? How at risk is the business from the highly publicised, company-killing fines? What new processes, rules and customer requests are going to rear their heads?

Once most businesses finally got their affairs in order, those questions gradually disappeared. Email lists were rebuilt, new privacy policies put in place and website sign-up forms reconfigured to make opt-in explicit.

But what about now? What if you want to run a competition for your customers (and would-be customers), and grow your email list?

Nearly three years after the GDPR arrived, there are plenty of tried-and-tested methods for GDPR-compliant competitions which will keep you safe from the fines and within the minds of your customers.


5 GDPR facts you need to know

To date, there have been over 400 GDPR fines issued, totalling a whopping €177,959,174.

The largest fine was, predictably, levied against one of the largest household names in the business - Google (€177,959,174, to be exact).

However, no business is safe from GDPR fines, and, regardless, the heart of the GDPR is actually entirely customer centric. It regulates the capture, storage and processing of personal data because this stuff matters to us all.

Here are five GDPR facts you need to be aware of before heading into any kind of competition design.

1. The GDPR impacts every country

It’s an EU mandate, but there isn’t a corner of the globe to which the GDPR doesn’t apply. Even if you’re based in the United States, you’ll need to comply, because you will almost certainly deal with EU goods or customers one way or another.

2. The GDPR applies to pretty much all personal data

If you collect any kind of data that could be used to identify someone, it’ll fall under the GDPR’s watch.

There’s a great list of the data which specifically applies here, but it’s always better to err on the side of caution and assume that all identity, health, biometric, racial and political data (to name but a few) you deal with requires GDPR compliance.

3. There are eight basic rights for data owners

The following rights apply to all owners of personal data and those who are storing and processing it:

As you’ll note, individuals have significant power over their data; far more power than you, in fact. And it’s vital you honour these rights during any kind of competition.

4. The penalties are hefty

You may not be fined as heavily as Google, but the GDPR’s penalties remain the same for everyone: a maximum of 4% of global turnover or €20 million - whichever is greater.

Never assume that you’re small enough to creep under the GDPR radar.

5. Opt-in is essential

If you were previously pre-filling the ‘opt-in’ marketing check box for people when they entered competitions or signed up to your mailing list, that’s against the GDPR’s rules.

Instead, you have to switch entirely to opt-in and make it explicitly clear what you intend to do with personal data if they agree to hand it over to you.

Competition consent: There’s no such thing as a free lunch any more…

Before the GDPR, giveaways could be entered into without explicit consent to receive promotional emails being handed over.

This isn’t the case anymore; you can no longer imply consent just because someone enters your competition by handing over their email address.

Article 7, paragraph 4 of the GDPR details this change to the rules by confirming that the data subject’s (i.e. the competition entrant’s) consent must be “freely given”. You can’t force it or trick them into handing it over in any other way.

So, even if you’re offering the chance of a free giveaway as a result of them handing over their email address, you have to ask that they’re happy to receive email marketing from you - or request their acceptance to some form of data processing if they don’t want to receive marketing emails. There’s no such thing as a free lunch anymore! Data is currency, after all.


How to create your GDPR compliant competition

There’s no doubting that running any kind of contest or competition in this post-GDPR world is trickier than it once was.

However, it has become more transparent as a result, and that can only be a good thing both for your brand image and your customers.

There are two essential first steps to take for your GDPR-compliant competitions:

Data capture and consent: make sure there is a clear, unambiguous action (such as a tick box) which forces the entrant to hand over their consent. If they don’t click it, they can’t enter the competition - it’s that simple.

Terms and conditions: create a separate web page which details every term and condition involved in the competition. Leave no stone unturned (no matter how much brainstorming it takes), and ensure the entrant has to accept the terms before continuing.

That’s about as transparent as it gets, but there are two ways to run a competition, both of which are fully GDPR-friendly.

A transparent tie-in.

This is where the precondition for competition entry is an email subscription to your mailing list. This is, legally, a contract, which is why you need to make the entry cost part of the contractual agreement - explicitly.

Uncoupled from the data.

It might sound daft, but the other option is to allow people to enter the competition without handing over their consent to receive your marketing emails. In that instance, they simply need to agree to your terms and conditions and GDPR-compliant data privacy policy.

The latter option might sound like marketing suicide but remember that you can still include a separate tick-box for opting into your mailing list, or make it appear after they’ve entered the draw. It’s one less hurdle or barrier to entry and will help with the all-important trust factor.


It might be a little harder to run competitions under the GDPR’s strict rules, but if you follow the advice above, you’ll be on the right path. The GDPR is a huge area, though, which is why you should also check out our free GDPR checklist for ultimate peace of mind!

Beambox guide: How To Be GDPR Compliant (Checklist Included)
