Deutsch
EN
Español
Français
Italiano
Português
The new European Union legislation known as the General Data Protection Regulation, or GDPR, enters into effect on May 25th, 2018. That means you only have a few more weeks to prepare. Now is the time to make sure that you’re following best practices with your email marketing strategy in order to be in compliance with the new law.
For the past few months, the GDPR has dominated headlines in Europe and even in North America. It establishes new rights for online users regarding their personal data, including more control over how this data is used, stored, and processed.
Although the law is being put forth by the EU, any business that is processing personal data of EU citizens is subject to the new restrictions and requirements. That means if you have any European subscribers to your emails, or you’re collecting personal data from customers in the EU for your ecommerce store, you need to be ready.
Make sure you’ve taken the necessary steps to align your email marketing strategy with the new regulation by following our GDPR checklist:
First Step: Get proper consent from new contacts
Make sure that your opt-in forms are up to date and clearly communicate to new subscribers what they can expect after signup.
One of the main tenets of the GDPR is the importance of receiving consent from users to process their personal data. This consent should be “freely given” through a positive action based on very clear information regarding how their data will be used.
To make sure that you’re collecting consent in the right way, there are a few steps you need to follow:
Use an Active Opt-in
When setting up your opt-in forms, use checkboxes accompanied by affirmative phrases that make it clear to users what they’re signing up for. This allows users to signup through performing the positive action of checking a box that affirms which types of data processing they accept.
Translation: The GDPR forbids the use of “pre-checked” boxes, for which users must uncheck if they don’t want to subscribe, and awkward language designed to confuse subscribers (e.g. “Please check if you don’t want to be subscribed to our newsletter”).
Distinguish between different types of data processing with separate opt-ins
Ther should be a separate checkbox for each of the different types of processing for which you plan to use their personal information. For example, if you send a newsletter, promotional emails, and automated emails based on the on-site behavior of your contacts, you have to get permission for these types of processing separately.
Translation: You can no longer lump together multiple different opt-ins into one affirmative statement (e.g. “I agree to receive the monthly newsletter, weekly promotional emails, and automated emails based on my behavior and interests”). They must be separate and explicitly stated so the user has a choice.
Collect only the personal information that is necessary
Every piece of personal data that you collect must be essential for the service that is being offered. If it is not clearly essential, like giving an email address to sign up for an online newsletter, you must explain why it is necessary.
Translation: If you want to collect additional personal details from subscribers at the time of signup, such as first and last name or gender preference, you need to explain why (e.g. “We are collecting these details to give you a more personalized experience with our promotional emails.”).
Although these restrictions may seem like they’ll hurt your business, it’s actually good for your email deliverability and customer relationships. That’s because these steps will ensure that people are signing up for the right reason: they want to receive your emails. This will create more engagement for your campaigns, leading to better deliverability, and happier customers because they’re getting what they want.
Second Step: Make sure contacts in your existing lists have given proper consent
The GDPR is retroactive, meaning it applies to contacts who are already in your database as well.
Becoming GDPR-compliant also means checking to ensure that you have the consent of contacts in your current lists as well. This process consists of two parts:
Verify that current contacts signed up through an active opt-in process
As a reminder, active opt-in means that they signed up after being clearly informed of how their personal data would be used through the completion of a positive action (e.g. checking a box).
If you can’t show that you had an active opt-in process for your current lists, you’ll have to move on to the second part of the process.
Create a re-opt-in campaign
If you want to continue emailing your old contacts, you’ll need to ask for consent properly and in accordance with the GDPR.
That means sending a re-opt-in campaign asking if they would still like to receive your newsletter. All you have to do is include a button that clearly states “Yes, I would like to continue receiving newsletters,” and then keep only contacts who have clicked on this button. You’ll have to include separate buttons if you have multiple different types of emails (as mentioned above).
Even if your contacts did sign up through an active opt-in, it’s still not a bad idea to clean your list with a re-opt-in campaign anyway. This helps with engagement rates and removes any potentially expired or inactive email addresses.
Third Step: Make data access requests easy for contacts
Under the GDPR, your clients have the right to access, modify, or change any personal data of theirs that you have at any time.
As I mentioned earlier, the new regulation gives online users more rights and control over how their personal information is used. It’s imperative that you make it easy for users to exercise these rights if you want to avoid penalties under the GDPR. Here are a few things to keep in mind that should help:
Make unsubscribe links easy to find
Some marketers think it’s a good idea to make it harder for contacts to unsubscribe by obscuring the unsubscribe link (or hiding it altogether). This is a very bad idea — especially in light of the GDPR.
Users have the right to object to or unsubscribe from any type of personal data processing at any time. Hiding the unsubscribe link would deprive them of this right, which is why you should just make the process easy and painless. Plus, there is no reason to keep an uninterested contact in your database anyways — it just hurts your engagement rates.
Ensure unsubscribing applies to all of your lists
Once a user unsubscribes, they should be removed from receiving all of your emails. Otherwise, you risk making someone very upset, in addition to any legal penalties you might face from the new laws.
Stop using “no reply” email senders
You should always have a reply address for your email campaigns. This makes it much easier for contacts to make any data requests in accordance with their new rights outlined in the GDPR.
Fourth Step: Check to make sure that all of your third-party software providers are also GDPR-compliant
You are responsible for your contacts’ personal data, don’t just entrust it to anyone.
If you’re like most businesses these days, then you’re likely using multiple different third-party software tools to help process and store your customer data. It’s always a good idea to check with these providers and make sure that they’re following best practices in compliance with the GDPR (like Sendinblue 😉 ).
Feeling lost? Make sure you’ve covered all the steps with our GDPR checklist below!
Comments
Excellent checklist. Came in handy for me.
Thanks Collins! Glad to hear you found it useful!
Thanks for this. I notice that it doesn’t differentiate between contacts in Europe and in the rest of the world. Are you suggesting that we need active consent for rest of the world people we have on our list (right now we use a soft opt-in for them)?
Hey Jerry — good question! The GDPR is a regulation that was passed in European Parliament (European Union), so the restrictions and requirements around consent would only apply to those customers living in European Union countries.
Therefore, re-opt-in campaigns would only be necessary in the case of European contacts for whom you have no “proof of consent” according to the GDPR requirements.
Does the GDPR regulation actually apply to European Union citizens or is it anyone initiating a contract or providing their personal details whilst within a member country of the European Union.
E.g. If a citizen of France signed up for a service from an EU based provider whilst in the USA on business would GDPR actually apply ? or If a US citizen whilst on their holiday in France signed up for the same service would they not also be offered the same GDPR protection?
Ready to find your marketing zen?
Take the stress out of your work day with a solution that’s built for you!
Get started free