Last updated on 01 July 2022 by Legal Research Team at TermsFeed
If you send out email newsletters and have subscribers who reside in the EU, you need to be aware of how the GDPR affects you.
Thankfully, there are only a few simple requirements when it comes to this.
Keep reading, and we'll break down what you need to do to engage in GDPR-compliant email marketing.
If you collect email addresses, you are collecting personal data. If you collect personal data from residents of the EU, the GDPR applies to you.
It's simple. If you comply, you're free to continue operating as normal. Fail to bring your data practices into line, however, and you could face a fine of up to 20 million Euro or 4% of your total worldwide annual turnover for the preceding financial year (turnover, not profit), whichever is higher.
That is the upper tier of the GDPR's fines, and it is a hefty sum even for the big fish.
The European Commission spent several years worrying about personal data and the way it was used, and it's hard to blame them for that.
Companies went rogue with personal details that had been provided in good faith, or that had been taken without consent at all. Other organizations gathered virtual mountains of data without making their data gathering practices clear. Still more companies did all this with lax security practices that left personally identifiable data open to theft.
The EU looked at this infringement of privacy for profit and said: "No more."
Now, if you want to collect the personal data of anyone located in the EU, whatever their citizenship, you need a lawful basis for doing so. For marketing emails, that normally means asking for and obtaining consent.
Consent now involves both choice and control. The data subject, not you as the controller, decides what happens to their data. If you make access to your site or service conditional on consent to processing that isn't actually necessary to provide that service, then the consent isn't freely given.
It might sound strange, but it's also good business. When individuals control their data, you're delivered an opportunity to burnish your reputation and build trust with your customers.
You send out a newsletter that's highly tailored to your target audience. Sometimes, your newsletter receives sponsorship from brand partners. A new partner asks you to hand over your email list as part of your agreement.
Under the GDPR's definition of consent, you cannot do that unless you update your Privacy Policy to disclose this, and specifically request consent from your subscribers to share the information.
Why?
Because sharing their data isn't necessary for them to get a newsletter that you're sending out.
You can ask customers to consent to your handing out their data, but they must have two clear choices and their choice to opt-out must not impact their current subscription.
If you want the option to sell your email list in the future, you need to add that condition to your newsletter Privacy Policy. You can't bundle the options. Users must be able to sign up for your newsletter and opt out of the sharing of their data at the same time.
Valid consent under the GDPR requires several things:
It's more than you may be used to, but obtaining GDPR-compliant consent isn't so hard.
Ask yourself these questions about your current consent or opt-in practices to see if you need to change your newsletter sign-up mechanism:
If you answer 'yes' to all nine of these questions, then you're ready to send GDPR-compliant newsletters and recruit new sign ups.
Any 'no' answers mean you still likely have some work to do.
When setting up your newsletter, you have two options for obtaining consent: the single and double opt-in.
A single opt-in is a data capture mechanism featuring a space for an email address, a consent form, and a submit button. As long as the mechanism meets the guidelines outlined above, then a single opt-in form is compliant with GDPR.
Here's an example of how you can use a single opt-in form when asking for email addresses.
Here you see two notices. This first one promises to respect your privacy and not to spam you with a small notice under the red Subscribe button:
The second asks for your email address. It's simple, honest, and positive. Given the site owner upholds their other data obligations, it meets GDPR standards:
For the Interested also runs a newsletter service with a single opt-in method. Its page promises to never share your data:
Add an unticked checkbox that users click to confirm that they consent to being contacted by email. A pre-ticked box, or consent inferred from silence or inactivity, does not count as the clear affirmative action the GDPR requires.
Here's an example of this from Timberland:
Some marketers add an extra step for a double opt-in.
The double opt-in starts with the same form found in the single opt-in. Your email system then sends a confirmation email that welcomes the new subscriber and requests a second act of consent: clicking a link.
A double opt-in is also referred to as a confirmed opt-in. You only get a new subscriber when the owner of the address clicks the confirmation link in the confirmation email. Make that link carry an unguessable token tied to the address it confirms, and have it expire; a link that anyone could construct from the email address alone proves nothing about who clicked it.
Double opt-ins aren't mandatory, but they're good practice. They keep mistyped and maliciously entered addresses off your list, and the confirmation record is evidence that the address owner consented, which the GDPR requires you to be able to demonstrate.
Here's an example of a double opt-in email from FreshMail:
The email requires a second confirmation click and hits all those GDPR requirements. It has informed consent and an easy way to unsubscribe from future emails.
Whether you choose a single or double opt-in mechanism is up to you and your audience.
If you cater to an audience who might find email confirmation confusing, do your best with a single opt-in.
Working with a web-savvy group committed to getting your emails? Use double opt-in for a cleaner list of verified addresses.
Under the GDPR, withdrawing consent must be as easy as giving it, so you need to make it as simple as possible to unsubscribe from your emails.
One option is to add an Unsubscribe link to the footer of all of your emails; the link should work in one click, without requiring a login. Newsletter services like MailChimp offer this within their templates. Also set the List-Unsubscribe mail header, so that mail clients can show their own unsubscribe control.
Here's an example of such a link in an email from Frontier Airlines:
Don't forget to make your Unsubscribe feature granular. You'll save more subscribers from leaving completely while also giving customers more of what they want.
The leisure site Jetsetter does a good job of creating granular email preferences:
You'll see options to unsubscribe from all the emails or to edit subscriptions to ensure you're only getting the emails you want when you want.
Plus, there's a big 'unsubscribe from all' button at the bottom to make it simple and GDPR-friendly.
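The double opt-in flow and the granular unsubscribe link described above share one building block: a link that cannot be guessed, reused for another purpose, or pointed at a different address. The following is an added Python example written for this article, not code from TermsFeed or from any mailing service. It assumes a hypothetical base URL https://news.example.com, HMAC-SHA256 tokens signed with a server-side secret, and an in-memory store; newsletter consent and partner-sharing consent are recorded as separate, independently revocable flags, as the sponsorship scenario above requires.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Iterable, Optional

# Hypothetical base URL and an in-process secret (assumptions for this example);
# a real deployment loads the secret from a secret store and rotates it.
BASE_URL = "https://news.example.com"
SECRET = secrets.token_bytes(32)
CONFIRM_TTL = 48 * 3600  # confirmation links expire; unsubscribe links never do


def make_token(purpose: str, email: str, expires_at: Optional[float] = None) -> str:
    """HMAC-SHA256 token bound to a purpose ("confirm" or "unsubscribe"), an
    address and an optional expiry, so a link cannot be guessed, reused for a
    different purpose, or redirected at a different address."""
    payload = json.dumps({"p": purpose, "e": email, "x": expires_at},
                         separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).rstrip(b"=").decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_token(token: str, purpose: str, now: Optional[float] = None) -> Optional[str]:
    """Return the address if the token is authentic, for this purpose and not
    expired; otherwise None. The MAC is checked before anything is decoded."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if data["p"] != purpose:
        return None  # a confirm link must never double as an unsubscribe link
    current = time.time() if now is None else now
    if data["x"] is not None and current > data["x"]:
        return None
    return data["e"]


class NewsletterList:
    """Consent records for one list; sharing consent is stored unbundled."""

    def __init__(self) -> None:
        self.pending: dict = {}      # email -> record awaiting confirmation
        self.subscribers: dict = {}  # email -> confirmed record
        self.withdrawn: dict = {}    # email -> time consent was fully withdrawn

    def signup(self, email: str, topics: Iterable[str],
               share_with_partners: bool = False, now: Optional[float] = None) -> str:
        """Form submission (the single opt-in step). Returns the link to mail."""
        now = time.time() if now is None else now
        self.pending[email] = {
            "topics": set(topics),
            "share_with_partners": bool(share_with_partners),  # off unless ticked
            "consented_at": now,
        }
        return f"{BASE_URL}/confirm?t={make_token('confirm', email, now + CONFIRM_TTL)}"

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Confirmation click (double opt-in). Only now does the address join."""
        now = time.time() if now is None else now
        email = parse_token(token, "confirm", now)
        if email is None or email not in self.pending:
            return False  # forged, expired, wrong purpose, or already used
        record = self.pending.pop(email)
        record["confirmed_at"] = now
        self.subscribers[email] = record
        self.withdrawn.pop(email, None)
        return True

    def unsubscribe_link(self, email: str) -> str:
        """Footer link: works without a login and never expires."""
        return f"{BASE_URL}/unsubscribe?t={make_token('unsubscribe', email)}"

    def unsubscribe(self, token: str, topics: Optional[Iterable[str]] = None,
                    now: Optional[float] = None) -> bool:
        """Granular withdrawal: drop the named topics, or everything if None."""
        now = time.time() if now is None else now
        email = parse_token(token, "unsubscribe")
        if email is None or email not in self.subscribers:
            return False
        record = self.subscribers[email]
        if topics is not None:
            record["topics"] -= set(topics)
        if topics is None or not record["topics"]:
            del self.subscribers[email]
            self.withdrawn[email] = now  # keep evidence that consent was withdrawn
        return True


if __name__ == "__main__":
    nl = NewsletterList()
    link = nl.signup("alice@example.org", ["deals", "news"])  # constructed sample
    print("confirmation link:", link)
    print("confirmed:", nl.confirm(link.split("t=", 1)[1]))
    print("unsubscribe link:", nl.unsubscribe_link("alice@example.org"))
```

The purpose field is the detail most often left out: if the same token format served both links, a confirmation link forwarded or leaked in a mailbox could be replayed to unsubscribe the reader, and vice versa. Expiry applies only to confirmation links, since the GDPR's withdrawal right has no time limit.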
If you're collecting personal data (for example, email addresses) from the EU market, you must comply with the GDPR.
Creating GDPR-friendly newsletters is simple and relies on creating a consensual relationship that allows customers to see exactly what they're signing up for and gives them an opportunity to unsubscribe if they don't like what they see.
Many of these features are already available with email marketing services and form generators.
Just remember that consent for email marketing activities is only one part of the whole GDPR puzzle. What you do with that data matters just as much as how you got it.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.