How the GDPR impacts email marketing
Disclaimer: This article does not constitute legal advice.
With the European Union (EU) putting into effect new consumer privacy regulations on May 25th, email marketers might be wondering how the new rules affect them. The General Data Protection Regulation (or the GDPR) could change the way email marketers deal with everything from list-building to data security.
Let’s look at the basics of how the GDPR does, and doesn’t, apply to email marketers, and what you can do to make sure your email list is compliant.
Five ways the GDPR impacts email marketers
Data privacy issues and user security are often the subject of complaints, as seen from reviews on PissedConsumer.com. Since the GDPR focuses heavily on consent, privacy, and security, it’s best that online businesses study this new regulation.
With that in mind, here are some of the ways email marketers might be affected by the new GDPR regulation:
1. Any email marketer collecting personal data from people in the EU could be GDPR-bound
The GDPR protects the data of any person in the EU when their data is collected. If your business accepts email subscriptions from people in EU member states, you likely have to become compliant with the GDPR rules even if your business itself isn’t in the EU.
2. Opt-ins to your email list must be ‘positive’ or active
Someone must check a box, or take a comparable action, to give you their consent. They must opt in. You can’t just show them a pre-checked box and require them to opt out. It's not recommended to buy an email list from a third party or to harvest people’s email addresses or other data.
3. Consent for your email list should be separate from other consent
If someone consents to be added to your list, you want that to be the only thing they consent to with that single action. For example, don’t bundle email consent into someone accepting your TOS.
4. You must be able to prove consent
When people opt into your email list, you should have proof of that – that they consented, what data they consented to share with you when they gave consent, and how they consented (such as through which specific form).
5. People must be able to withdraw consent
Chances are good your emails already have ‘unsubscribe’ links. Make sure it’s as easy to withdraw consent as it was to give it. For example, one click to unsubscribe is much better than making someone email you to request that you stop emailing them.
When the GDPR doesn’t apply
While the GDPR is a complex regulation that can have serious impacts, it doesn’t apply to all email marketing. A company might not be required to follow the guidelines on consent if they have a legitimate and legal basis for collecting that data and sending emails.
For example, if someone makes a purchase from your online store and provides their email address, you don’t need their opt-in consent to email them an order confirmation or delivery information.
Three GDPR email marketing myths
While there is a lot email marketers need to know about the GDPR, there are also some popular myths floating around. Here are some examples:
1. You have to use double opt-ins for your email list
While double opt-ins are a good practice in general, they’re not a requirement of the GDPR. What matters is getting explicit consent and making it clear to subscribers what you’ll email them in exchange for their data.
2. You need to have your entire list confirm their subscriptions (re-opt-in)
As long as you obtained positive consent from email subscribers and have proof of that consent, you do not have to make them confirm their subscriptions to be GDPR-compliant.
3. If a subscriber gave their personal data pre-GDPR, you don’t need GDPR-compliant consent
Even if you collected subscriber data before the GDPR went into effect, you have to comply with the requirements if you want to keep storing or using that personal data. This is why many companies are asking people to opt into their lists again. The old data collection wasn’t compliant.
Five things to do to make your email list GDPR compliant
Not sure if your email marketing list is GDPR compliant yet? Here’s what you can do:
1. Audit your current email list
Make sure all of your subscribers opted into your list (and didn’t have to opt out). And make sure you have proof of that consent, and what they consented to.
2. Ask subscribers to opt in again if your list isn’t compliant
If your subscribers didn’t actively opt into your list, or you can’t prove it, send a re-engagement email to get their opt-in consent.
3. Minimise the amount of personal data your email forms ask for
The less personal data you ask for, the better. Ask for only what you need in order to give subscribers what they’re consenting to. In most cases that means only asking for an email address. If you’re asking for more, make sure it’s absolutely required and there’s a legitimate purpose.
4. Make sure every subscription form on your site gathers consent properly
A common way of gathering positive consent is to include a checkbox in your form. But that isn’t technically necessary. At a bare minimum, your form should let people know what data you’re collecting, and how you’ll use it. Form fields to enter a name and email address along with a submit button are not enough.
In the meantime, a good next step would be logging into your email marketing service provider and seeing what GDPR changes they’ve made to help you with this process. Or you can start by reading the General Data Protection Regulation in full.
I'm a Head of Marketing at PissedConsumer.com, a review platform and consumer advocacy website. I’ve worked in the marketing area for over 14 years and have gained extensive experience in communication with businesses, customers, and media representatives. Aside from helping customers be heard, I also intend to help businesses improve their...