September 1, 2017

How Does the GDPR Affect Your Email Marketing?

Reading time about 9 min

Legal disclaimer: The author of this article is not an attorney. This article is not meant to be taken as legal advice, but rather as an overview of the GDPR from the perspective of an email marketer. If you have any concerns about legal compliance with the GDPR, please be advised to contact an attorney who specializes in data privacy matters.

If you use email marketing for your business, it’s important that you learn about a new European law regarding data privacy.

The General Data Protection Regulation (GDPR) was adopted in the Spring of 2016 and will go into effect in all 28 EU countries on May 25, 2018, and was created with goal of giving European citizens more control over their data privacy.

The regulation affects any business, whether European or not, that handles any European customer’s personal data.

Many marketers, bloggers, and ecommerce store owners don’t fully understand the consequences of the law, which includes particularly high fines against organizations that violate its stipulations.

Others are aware of the risks but are completely in the dark about what measures they can take to conform with the regulation.

This article aims to clarify a few of the most important points surrounding the GDPR, including:

Scope of the regulation
Concrete effects on email marketing
Steps to prepare for its implementation

What is the GDPR?

The GDPR is a new European regulation directed at protecting the personal data of EU citizens.

In the new legislation, the term “personal data” refers to any data that relates to an identified identifiable natural person or a person who can be identified, directly or indirectly, using this data (“data subject”). Therefore, email address, profession, age, and gender all fall under the definition of “personal data” for the purposes of the GDPR.

The regulation lays out new rights for data subjects (people whose personal data is being handled), as well as new responsibilities for organizations or people who are handling this data.

Here are the main things you need to know:

The definition of personal data has been expanded to include anything that would enable you to identify an individual.
The law reinforces an individual’s protection and rights surrounding consent and access to personal data.
Service providers and subcontractors (such as cloud software services) can now be held accountable.
Businesses are required to clearly communicate to customers how they plan to use their personal data.
Businesses must also be transparent about customers’ rights to request the restriction of access to, rectification, or erasure of their personal data.
Customers should be able to easily cancel their consent and request the erasure of their personal data as quickly as possible.
Businesses must put preventative measures into place to protect customer data.
Businesses must inform customers of any data breach or leakage that may have occurred.

If a business is found to be in violation of the GDPR, the may face fines ranging from 2% – 4% of their revenue and up to 20 million euros for the most serious infractions.

You can read the entire text of the regulation here.

Who does the GDPR affect?

The moment you handle personal data of an EU citizen, you become subject to the GDPR regardless of where you or your business is located.

As a result, businesses and individuals who use email marketing are on the front lines.

This is because the emails addresses you have stored in your database potentially allow you to identify customers, which means this information falls under the category of personal data for the GDPR.

To ensure proper compliance with the regulation, the GDPR actually mandates certain businesses and organizations to bring on a “data privacy officer” (DPO).

However, this requirement only applies to certain organizations. You are only required to recruit a DPO if your company falls into one of these categories:

Public company
Companies whose core function is the regular and systematic processing of data
Companies that handle data involving sensitive data or information on past criminal charges or convictions.

Consequences of the GDPR for email marketing

The main thing for email marketers to keep in mind with respect to the GDPR is there is a new definition of providing consent, or to use email marketing parlance: opting in.

Consent to the processing of personal data must be “freely given” in the form of a clear “affirmative action.”

In other words, opting in is to be taken very literally with regards to the GRPR.

Additionally, businesses will have the burden of showing proof that a contact has affirmatively opted in.

Passive opt-ins and opt-outs are no longer allowed

Passive opt-in – The roundabout process of acquiring contact information that involves making opt-in the “default.” An example would be having a pre-checked box that a user would have to uncheck if they do not want to give consent.
Opt-out – The process of adding customers to a contact list without their consent after they sign up for a different service. The contact is then required to unsubscribe if they don’t want to be on that list.
Opt-in – The process of gathering contact information in which the contact freely and willingly gives affirmative consent to the handling of their personal data. This usually comes in the form of a box that the contact must check in order to opt in.

Following this new definition of opting in, you’re no longer allowed to use email addresses that you collected through a passive opt-in or opt-out process. Consent must be freely and explicitly received from the contact or customer through an affirmative action.

This means that you can only legally use lists that are 100% opt-in — and only if you can prove that those contacts actually provided their consent.

Even if you have already been using a list that is 100% opt-in (a pre-requisite for signing up with Sendinblue), you may not be able to use it starting May 25, 2018.

You have to be able to show proof that your list is opt-in, which means you may need to re-confirm the consent of your contacts before then.

Customers should be made aware of any profiling

Profiling is defined as any automated processing of personal data to evaluate, analyze, or predict any characteristics of a user.

The new law provides people protection from any automatic decisions based on profiling of personal data.

This language is particularly relevant to certain use cases of marketing automation.

No need to worry though — you can still use marketing automation workflows, as long as you do the following:

Notify your contacts (in your confidentiality agreement or advertisements)
Give them the option to opt out of this profiling up front

Preparation tips for when the GDPR goes into effect

Most businesses don’t know what to expect because there isn’t a comprehensive explanation on the most effective way to adhere to the principles of the GRPD.

One of the most obscure areas of the regulation is the standard of proof required from businesses on being able to definitively show the consent of customers.

For now, it’s a good idea to put in place the following measures:

Evaluate how well your current email lists comply with the GDPR

Are your current contact lists GDPR-compliant?

To make sure, ask yourself these 4 questions:

Did your contacts consent to receiving your emails through an opt-in form?
Was this contact consent given for the specific purpose for which you’re using their data? For example, if they only opted into your newsletter list, this isn’t sufficient consent to use their data for a marketing automation workflow.
Have you kept precise and secure records of all the opt-ins you have received?
The law states that minors under the age of 16 may not give their consent without parental consent — does your list contain the personal data of any minors who would not have been able to properly give consent?

Make sure you’re respecting your customers’ rights

Are your procedures that give users access to their own personal data up to date?

Here are some things to make sure you update:

Take another look at your confidentiality agreement for opting in and make sure that users are clearly informed about how you plan to use their data.
Put in place a simple procedure (set up a form, contact page, or link in your newsletter) that makes it easy for contacts to request a copy or modification of their personal data that you have on record.
Set up a process for candidates to easily refuse having their data used in profiling or automated decisions.

Make sure your work tools are GDPR compliant

The new law places a common responsibility on businesses and their service providers to be in compliance.

To avoid getting penalized as a result of one of your work tools not complying with the GDPR, you should do the following:

Make a list of all the cloud services that host your customers’ personal data on their servers.
Ask them if they are GDPR compliant.
Re-evaluate your relationship with any tool that is not compliant with the new law.

Quick Recap

Date the law goes into effect: May 25, 2018
Opt-ins are the only legal way to get authorization from your contacts to use their personal data, including email addresses.
You are not allowed to use any current lists that you have if they are not opt-in.
You should update your confidentiality agreement, opt-in forms, and notification procedures to make it clear to contacts what their data is being used for, what data you keep track of, and how they can make any necessary requests to modify or delete this data.

Further reading
If you want to know more about the GDPR, take a look at these other resources: