Last updated on 18 January 2021 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
If your company operates within the EU, the way you send email to your customers is regulated by the General Data Protection Regulation (GDPR).
There are two basic types of automated emails that most businesses send:
To comply with the GDPR, your transactional emails need to be limited in their purpose.
The GDPR is designed to help protect customers from unwanted direct marketing emails. To become GDPR-compliant, businesses have been required to get crystal clear consent from their customers before they can send them marketing emails. The days of pre-ticked boxes and presumed consent are over.
But what about transactional emails? These are emails that you need to send, right? Surely a sales receipt or notification of changes to your terms of service can't be considered spam? Well, from the customer's point of view - they might feel like spam. And from the perspective of the GDPR, they might be pretty close to it.
Sending transactional emails is an act of data processing - you have your customer's personal data (their name and email address, at the very least), and you're using it to communicate with them.
All processing of personal data in the EU must conform to the principles of the GDPR. These are set out at Art. 5 (1) of the GDPR.
Two principles of the GDPR are particularly relevant to transactional emails are:
So, how can you make sure you are sending transactional emails in a legally compliant way?
Like any act of data processing under GDPR, you need to establish a lawful basis for processing your customers' personal data.
There are six lawful bases under the GDPR, set out at Art. 6 (1). These two are most relevant to sending emails:
As mentioned above, the GDPR is big on consent. While it is possible, under very specific circumstances, to send marketing emails without consent and still remain GDPR-compliant, gaining clear consent is by far the safest option for any business engaging in direct marketing.
Consent is defined at Art. 7 of the GDPR. It must be:
So there's a problem with using consent as your legal basis for sending transactional emails. These are emails you need to send - they contain important information, and sometimes you'll be legally obligated to send them. Your customer can't meaningfully consent to receiving them.
The solution is to establish legitimate interests as your lawful basis for sending transactional emails. This is a slightly tricky concept, defined in Recital 47 of the GDPR.
A good way to understand what "legitimate interests" means is as follows: EU citizens have the right not to have their personal data unlawfully processed. If they wish to receive a service or product from your company, they might reasonably expect you to send them transactional emails. So long as these emails are a necessary and proportionate means of communicating important information with your customers, it's in your legitimate interests to send them.
For every type of transactional email your company sends, ask yourself:
This email footer from RealSelf is a great example of how to explain the nature of transactional emails to your customers:
Art. 21 (2) of the GDPR says this about email marketing:
"Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time"
This is why you see unsubscribe options on marketing emails, such as this one from Audible:
Because your customers can't usually unsubscribe from transactional emails - but must be allowed to unsubscribe from marketing emails - you need to make sure that your transactional emails don't contain marketing.
Let's see what can happen if your transactional emails look more like marketing emails.
UK supermarket Morrisons sent an email to over 250,000 of their customers, supposedly with the intention of prompting them to update their account details. The email incentivized customers to change their subscription options by offering coupons. These customers had previously opted out of receiving direct marketing emails.
Unfortunately for Morrisons, one of these customers took exception to the email. He reported Morrisons to the UK's data protection authority, and Morrisons was fined £10,500. Morrisons said that they were only trying to provide "helpful information" and were "disappointed" that it was considered direct marketing.
The moral of the story? Be extremely careful about what you send your customers.
Because you can't give the customer an opt-out of password reset emails, you can't include anything resembling marketing material in your password reminders.
Art. 34 (1) of the GDPR requires you to inform your customers of any potential data breaches:
"[...] the controller shall communicate the personal data breach to the data subject without undue delay."
Plus, Recital 47 of the GDPR states:
"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned."
From the customer's perspective, there's no getting around this one. If you're a Google user, you may have felt a pang of irritation at Google's insistence on sending push notifications and emails every time you log in on a new device. But if there's any danger of fraudulent activity on your account, you need to know about it.
Let's look at how Pinterest handles this. Here's an example of the alert that UK-based Pinterest users receive when a login occurs from an unknown device:
You'll notice at the bottom of the email that the user is invited to "unsubscribe." However, here's what happens when you click it:
It's a bluff! This is an effective way to explain to a customer why you're sending this type of transactional email.
In any case, you will need to give your customers the option to review the new information so that they can decide whether or not to opt out (per Art. 21 (1) of the GDPR). You may have received a lot of these sorts of emails in the run-up to the GDPR as businesses updated their Privacy Policies to ensure compliance.
There are a few ways to handle this sort of transactional email.
Where your customers have consented to your terms or policies and the changes to your terms or policies mean that your agreement with your customers no longer applies, you need to:
The Information Commissioner's Office (the UK's data protection authority) says:
"You should keep your consents under review. You will need to refresh them if anything changes - for example, if your processing operations or purposes evolve, the original consent may not be specific or informed enough."
You may choose to email your customers about the changes to your existing terms or policies, but not ask them to refresh their consent. This might be appropriate in the following situations:
You can actively inform your customers of the changes by emailing them and asking them to read through the new terms or policies.
If the changes to your terms and policies are not very significant, and you don't rely on the consent of your customers, you might not need to send out an email at all. You can simply let your customers know about the changes by putting a notice on your website.
Think carefully before you decide to passively inform your customers of changes to your terms or policies. This may be inconsistent with the GDPR's principle of transparency if the changes are deemed too significant.
Welcome emails are a grey area. They're transactional emails in the sense that they are triggered by a customer's interaction with your website. But they are a little different from shipping notifications, password resets, security alerts, etc., because they arguably aren't necessary.
So do you need your customer's consent to send them a welcome email? Or can you rely on legitimate interests? Let's say a customer signs up to your service, but doesn't consent to receive marketing emails. Can you still send them a welcome email confirming their signup?
This takes us into the area of reasonable expectations.
GDPR Recital 47 states:
"the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect [...] that processing for that purpose may take place."
Try to put yourself in your customers' shoes. You've signed up, but you've opted out of marketing. Would you expect to receive a welcome email when signing up for this service? What would you expect that email to contain?
Let's see how WordPress handles this. Here's a welcome email sent to an EU user:
You'll notice that while WordPress isn't trying to sell anything in this email, they do promote some free services. This seems like a clever way to get customers more involved without being in danger of sending marketing material without consent.
"Marketing" is not defined in the GDPR. Different EU Member States define it in different ways in their national law.
You may feel that WordPress is a little close to the line here - that's a matter for your own judgment about what a customer might reasonably expect. Just be aware that a welcome email is not automatically a marketing email.
Your customers need receipts for any purchases they've made. Some businesses send a purely functional email with just payment details and confirmation of the order. Others like to use this as an opportunity to deepen their relationship with their customer a little.
Here's an order confirmation from Amazon UK:
You'll notice that Amazon does include information about other products here. However, this is presented as information about the product that the customer has purchased.
This is how Amazon lets customers know that they'll be receiving this type of information:
Well, it is information related to a product the customer has purchased. Again - in the context of your company, you'll have to decide whether this is something your customers would reasonably expect to receive.
Apply the principles of the GDPR to anything involving processing EU citizens' personal data, including transactional emails.
Remember the following advice, and you'll be on the right track:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
18 January 2021