Last updated on 01 July 2022 by Jaclyn Kilani (Legal writer at TermsFeed)
The General Data Protection Regulation (GDPR) has changed how businesses manage their email marketing programs.
Luckily, compliance is not difficult to achieve.
This article will help you make sure your marketing communications are compliant with the GDPR requirements and take you through everything you need to know in order to get there.
The GDPR applies to any organization that collects personal information from EU residents.
For these purposes, personal information refers to "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
In other words, anything from name or gender to geolocation data is considered personal data according to the GDPR.
Even if your business is not located in the EU, if your website or mobile application is collecting any such data or email addresses from EU residents, the GDPR applies to you. This regulation can apply to and be enforced upon almost any business in the world. Failure to comply could result in heavy fines.
The idea of obtaining user consent for email marketing is no new concept. Although anti-spam laws vary from nation to nation, most companies currently employ a soft opt-in, providing users with a pre-checked box that prompts them to accept marketing communications.
This is the method that Starbucks currently uses for its signup forms:
Another common method is to include a note that says something similar to "By submitting this form you accept future offers from us."
You can see an example of this method below from Etsy:
Neither of these methods for adding emails to your marketing list will be considered compliant under the GDPR.
According to the GDPR, consent will be defined as:
"Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed."
In regard to soft opt-ins, the document goes on to say that "silence, pre-ticked boxes or inactivity should therefore not constitute consent."
That's pretty specific. According to the above edicts, the following examples are NOT compliant with the GDPR's definition of valid user consent.
Land Rover provides consumers with choices regarding marketing communication, but since the boxes are all pre-checked, they are not compliant with GDPR:
McDonalds' Create Profile form assumes user consent upon submitting the form. This is not considered clear and unambiguous consent:
It's not overly complicated to obtain user consent according to the GDPR's requirements. Here are a few ways to create compliant email signup forms.
The double opt-in: After users register an account or sign up to receive email offers, send a confirmation email. Once they click the confirmation link, you'll have a clear record of their explicit consent.
This confirmation email from Lufthansa is a good example:
Check yes or no: When users are filling out a contact or other form, give them two choices. These choices would consist of "Yes, I want to receive special offers via email" or "No, I do NOT want to receive special offers via email." Require them to choose one before submission.
Here's an example of this tactic from Selfridges:
Give more options: Provide users with a choice of how they'd like to be contacted for marketing purposes. Depending on your company's capabilities, you might offer them a choice of email, text message, phone, regular mail, or to opt-out of marketing communications altogether.
Woolworth's provides users with a choice of text or email, but neither of the boxes is pre-checked:
One important point to note about the GDPR is that it requires marketers to prove the consent of each and every user they hold information on. This goes for email lists as well.
With this in mind, it's your responsibility to perform a review of your customer database. You'll need to ask yourself the following questions regarding the personal data you have on file:
If the answer to these questions is yes, then you have nothing to worry about regarding your list.
If the answer to one or both of these questions is no, then you'll need to perform a re-permission campaign - a communication that goes out to all opted-in contacts on your marketing list to explicitly reaffirm their consent.
This is an example of a re-permission email from Chipotle:
This can be achieved in several ways. In many cases, companies will identify their EU customers first, since the GDPR does not apply to those living outside of the EU. Whether you re-permission your entire list or just the EU residents, here are some possible methods to employ:
Whatever method you choose to repermission customers, remember never to contact users that have previously opted-out of your marketing communications. Communicating with individuals who have expressly unsubscribed from your email database could result in a fine.
Although you may create a message that is as compelling and persuasive as possible, re-permission campaigns will always result in a smaller list, since those who ignore the message will need to be deleted as well as those who deny their consent.
However, this practice will ensure that your list is current, compliant, and free of liability in the future.
Most importantly, keep a clear record of these and all future user consent affirmations in order to satisfy GDPR requirements.
Another stipulation of the GDPR is that you must be transparent and inform users of their choices regarding the processing of their personal data and marketing communications.
Politico gives users different newsletter subject matter to choose from:
Easy-to-understand instructions or a dedicated email address for opting-out is also sufficient.
Of course, anti-spam laws as well as the GDPR also require a clear unsubscribe link in all marketing emails, but you likely already knew that. Also be sure to supply a valid return email address in case consumers prefer to opt-out by replying to an email message.
This marketing email from Etsy shows both a direct unsubscribe link and a valid return address:
Swiss food giant Nestlé exhibits the proper consent and compliance for email marketing on all points. Their email marketing signup form requires each user to type in contact information manually as well as check the appropriate box to choose their preferred communications.
Note that none of the checkboxes are pre-ticked. Visitors must take a clear, affirmative action to choose their preferred marketing emails.
Nestlé's email messages include a clear unsubscribe link and a disclosure about third-party email services. Although the third-party disclosure is not necessarily required, transparency is always encouraged by the ICO:
All of this helps with GDPR compliance.
Lufthansa also presents visitors with a double opt-in procedure for registering on the website or subscribing to their newsletter. Visitors must manually type in an email address and tick the checkbox to accept marketing emails:
Inside their account interface, Lufthansa gives users several options for managing their communication preferences:
An interface like this makes it easy for your users to adjust their communication preferences, and easy for you to stay compliant.
UK's BBC network implements the 'check yes or no' method for subscribing to email communications during their registration process:
Make sure your marketing communications are GDPR-compliant by:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022