Setting Up Newsletters for GDPR Compliance

Last updated on 01 July 2022 by Legal Research Team at TermsFeed

Setting Up Newsletters for GDPR Compliance

If you send out email newsletters and have subscribers who reside in the EU, you need to be aware of how the GDPR affects you.

Thankfully, there are only a few simple requirements when it comes to this.

Keep reading, and we'll break down what you need to do to engage in GDPR-compliant email marketing.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.
  2. TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  3. Answer some questions about your website or app.
  4. TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  5. Answer some questions about your business.
  6. TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  7. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



Do You Need to Comply with the GDPR?

If you collect email addresses, you are collecting personal data. If you collect personal data from residents of the EU, the GDPR applies to you.

It's simple. If you comply, you're free to continue operating as normal. However, fail to update your data standards and you could see a fine of up to 4% of your gross annual turnover - not profit.

The fines are capped at 20 million Euro, which is a hefty sum even for the big fish.

The European Commission spent several years worrying about personal data and the way it was used, and it's hard to blame them for that.

Companies went rogue with private, personal details provided in good faith (and taken without consent). Other organizations gathered virtual mountains of data without making their data gathering practices clear. Even more companies did all this with lax security practices that made personally identifiable data vulnerable to theft.

Europe's government looked at the infringement on privacy for profit and said: "No more."

Now, if you want to collect the personal data of a European resident or citizen - or anyone with an EU IP address - you may have to ask and get consent.

Consent now involves both choice and control. The person who owns the data is in charge - not your data controller. If the individual must hand over their data to use your site, then their consent isn't freely given.

It might sound strange, but it's also good business. When individuals control their data, you're delivered an opportunity to burnish your reputation and build trust with your customers.

An Email Marketing Example

You send out a newsletter that's highly tailored to your target audience. Sometimes, your newsletter receives sponsorship from brand partners. A new partner asks you to hand over your email list as part of your agreement.

Under the GDPR's definition of consent, you cannot do that unless you update your Privacy Policy to disclose this, and specifically request consent from your subscribers to share the information.

Why?

Because sharing their data isn't necessary for them to get a newsletter that you're sending out.

You can ask customers to consent to your handing out their data, but they must have two clear choices and their choice to opt-out must not impact their current subscription.

If you want the option to sell your email list in the future, you need to add that condition to your newsletter Privacy Policy. You can't bundle the options. Users must be able to sign up for your newsletter and opt out of the sharing of their data at the same time.

What Consent Requires

Explicit consent requires several things:

  • A positive opt-in
  • Clear and specific statements of consent
  • Granular consent - separate for different things: cookies, Privacy Policy, etc.
  • Separate consent requests from other Terms agreements
  • Refreshed consent upon changes to Terms
  • Avoiding consent as a precondition to service
  • Opportunities to withdraw consent

Newsletter Consent Checklist

It's more than you may be used to, but obtaining GDPR-compliant consent isn't so hard.

Ask yourself these questions about your current consent or opt-in practices to see if you need to change your newsletter sign-up mechanism:

  1. Do you have a lawful basis for processing data? (If you're sending a newsletter, then the answer should be yes.)
  2. Have you made the consent request for your newsletter separate from other things like your Privacy Policy, Cookies Policy or Terms and Conditions agreement?
  3. Did you ask new subscribers to positively opt in?
  4. Is your opt-in written in easy language that most people could easily understand?
  5. Are you specific about what emails you'll send? If you're sending more than a newsletter, do you have an option to opt in or out of other emails?
  6. Will any third parties have access to the data? Have you shared that in your consent form?
  7. Is it easy for individuals to withdraw their consent?
  8. Will withdrawing consent have no impact on the user's relationship with your service?
  9. Do you have age-verification measures, if applicable?

If you answer 'yes' to all nine of these questions, then you're ready to send GDPR-compliant newsletters and recruit new sign ups.

Any 'no' answers mean you still likely have some work to do.

Single Opt-In vs Double Opt-In

Single Opt-In vs Double Opt-In

When setting up your newsletter, you have two options for obtaining consent: the single and double opt-in.

Single Opt-In

A single opt-in is a data capture mechanism featuring a space for an email address, a consent form, and a submit button. As long as the mechanism meets the guidelines outlined above, then a single opt-in form is compliant with GDPR.

Here's an example of how you can use a single opt-in form when asking for email addresses.

Here you see two notices. This first one promises to respect your privacy and not to spam you with a small notice under the red Subscribe button:

Altucher Confidential email subscribe form with click here button

The second asks for your email address. It's simple, honest, and positive. Given the site owner upholds their other data obligations, it meets GDPR standards:

Altucher Confidential email subscribe form with submit button

For the Interested also runs a newsletter service with a single opt-in method. Its page promises to never share your data:

For The Interested email newsletter sign-up form with Shared Information section highlighted

It's recommended to add a checkbox that users can click to confirm that they consent to being contacted via email.

Here's an example of this from Timberland:

Timberland subscribe to email newsletter form with checkbox and Privacy Policy link highlighted

Pros of Single Opt-In

Cons of Single Opt-In

  • Complicated forms due to new requirements
  • Potential for broken, spam, or fake emails

Double Opt-In

Some marketers add an extra step for a double opt-in.

The double opt-in includes the same form found in the single opt-in. Then, your email system sends a test email that welcomes your new subscriber and requests a second act of consent: clicking a link.

A double opt-in is also referred to as a confirmed opt-in. You only get a new subscriber when the owner of the address clicks the confirmation link in the confirmation email.

Double opt-ins aren't mandatory, but they're good practice. They make it easier to be GDPR compliant.

Here's an example of a double opt-in email from FreshMail:

FreshMail: Confirm signing up for email list

The email requires a second confirmation click and hits all those GDPR requirements. It has informed consent and an easy way to unsubscribe from future emails.

Pros of Double Opt-In

Cons of Double Opt-in

Whether you choose a single or double opt-in mechanism is up to you and your audience.

If you cater to an audience who might find email confirmation confusing, do your best with a single opt-in.

Working with a web savvy group committed to getting your emails? Use double opt-in for easier optimization.

Make Unsubscribing Easy

Make Unsubscribing Easy

Under the GDPR, complying with consent rules means you need to make it as easy as possible to unsubscribe from your emails.

One option is to add an Unsubscribe link to the footer of all of your emails. Newsletter services like MailChimp offer this as an added option within its templates.

Here's an example of such a link in an email from Frontier Airlines:

Screenshot of Frontier Airlines email showing unsubscribe link in footer

Don't forget to make your Unsubscribe feature granular. You'll save more subscribers from leaving completely while also giving customers more of what they want.

The leisure site Jetsetter does a good job of creating granular email preferences:

Jetsetter email preferences page with granular options for unsubscribing

You'll see options to unsubscribe from all the emails or to edit subscriptions to ensure you're only getting the emails you want when you want.

Plus, there's a big 'unsubscribe from all' button at the bottom to make it simple and GDPR-friendly.

Conclusion

If you're collecting personal data (i.e. email addresses) from the EU market, you must comply with the GDPR.

Creating GDPR-friendly newsletters is simple and relies on creating a consensual relationship that allows customers to see exactly what they're signing up for and gives them an opportunity to unsubscribe if they don't like what they see.

Many of these features are already available with email marketing services and form generators.

Just remember that consent for email marketing activities is only one part of the whole GDPR puzzle. What you do with that data matters just as much as how you got it.

Create Privacy Policy, Terms & Conditions and other legal agreements in a few minutes. Free to use, free to download.

Get started today ⇢

Legal Research Team at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.