How the GDPR impacts email marketing

26th Oct 2020

Disclaimer: This article does not constitute legal advice.

With the European Union (EU) putting into effect new consumer privacy regulations on May 25th, email marketers might be wondering how the new rules affect them. The General Data Protection Regulation (or the GDPR) could change the way email marketers deal with everything from list-building to data security.

Let’s look at the basics of how the GDPR does, and doesn’t, apply to email marketers, and what you can do to make sure your email list is compliant.


Five ways the GDPR impacts email marketers

Privacy and data-handling issues, as well as users’ security, are often the subject of complaints, as seen from reviews on. Since the GDPR focuses heavily on consent, privacy, and security, online businesses should study this regulation closely.

With that in mind, here are some of the ways email marketers might be affected by the new GDPR regulation:

1. Any email marketer collecting personal data from people in the EU could be GDPR-bound

The GDPR protects the data of any person in the EU when their data is collected. If your business accepts email subscriptions from people in EU member states, you likely have to become compliant with the GDPR rules even if your business itself isn’t in the EU.

2. Opt-ins to your email list must be ‘positive’ or active

Someone must check a box, or take a comparable action, to give you their consent. They must opt in. You can’t just show them a pre-checked box and require them to opt out. It’s not recommended to buy an email list from a third party or to harvest people’s email addresses or other data.

3. Consent for your email list should be separate from other consent

If someone consents to be added to your list, you want that to be the only thing they consent to with that single action. For example, don’t bundle email consent into someone accepting your TOS.

4. You must be able to prove consent

When people opt into your email list, you should have proof of that – that they consented, what data they consented to share with you when they gave consent, and how they consented (such as through which specific form).

5. People must be able to withdraw consent

Chances are good your emails already have ‘unsubscribe’ links. Make sure it’s as easy to withdraw consent as it was to give it. For example, one click to unsubscribe is much better than making someone email you to request that you stop emailing them.

When the GDPR doesn’t apply

While the GDPR is a complex regulation that can have serious impacts, it doesn’t apply to all email marketing. A company might not be required to follow the guidelines on consent if it has a legitimate and lawful basis for collecting that data and sending emails.

For example, if someone makes a purchase from your online store and provides their email address, you don’t need their opt-in consent to email them an order confirmation or delivery information.

Three GDPR email marketing myths

While there is a lot email marketers need to know about the GDPR, there are also some popular myths floating around. Here are some examples:

1. You have to use double opt-ins for your email list

While double opt-ins are a good practice in general, they’re not a requirement of the GDPR. What matters is getting explicit consent and making it clear to subscribers what you’ll email them in exchange for their data.

2. You need to have your entire list confirm their subscriptions (re-opt-in)

As long as you obtained positive consent from email subscribers and have proof of that consent, you do not have to make them confirm their subscriptions to be GDPR-compliant.

3. If a subscriber gave their personal data pre-GDPR, you don’t need GDPR-compliant consent

Even if you collected subscriber data before the GDPR went into effect, you have to comply with the requirements if you want to keep storing or using that personal data. This is why many companies are asking people to opt into their lists again. The old data collection wasn’t compliant.


Five things to do to make your email list GDPR compliant

Not sure if your email marketing list is GDPR compliant yet? Here’s what you can do:

1. Audit your current email list

Make sure all of your subscribers actively opted into your list (rather than having to opt out), and make sure you have proof of that consent and of what they consented to.

2. Ask subscribers to opt in again if your list isn’t compliant

If your subscribers didn’t actively opt into your list, or you can’t prove it, send a re-engagement email to get their opt-in consent.
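As an added worked example (not part of the original article): a small Python audit of exported consent records that applies the checks from steps 1 and 2, flagging subscribers who lack a positive opt-in, proof of consent, or a record of what they agreed to, so they can be sent the re-engagement email. The record fields and sample data are assumptions constructed for illustration, not any provider’s schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class ConsentRecord:
    """One subscriber's consent evidence. Field names are assumptions, not a vendor schema."""
    email: str
    opted_in: bool                    # took an active step (ticked an unticked box, etc.)
    pre_checked: bool                 # box was pre-ticked, so they could only have opted out
    consented_at: Optional[datetime]  # when consent was given
    form_id: Optional[str]            # which form captured it (proof of "how")
    purposes: Tuple[str, ...]         # what they agreed to receive
    bundled_with_tos: bool            # consent was folded into accepting the TOS


def audit(record: ConsentRecord) -> List[str]:
    """Return the reasons a record fails the consent checks; an empty list means keep it."""
    problems = []
    if not record.opted_in or record.pre_checked:
        problems.append("no positive opt-in")
    if record.consented_at is None or record.form_id is None:
        problems.append("no proof of when/how consent was given")
    if not record.purposes:
        problems.append("no record of what they consented to")
    if record.bundled_with_tos:
        problems.append("consent bundled with other consent")
    return problems


def needs_reoptin(records: List[ConsentRecord]) -> List[str]:
    """Emails to send a re-engagement (re-opt-in) request to: every record that fails the audit."""
    return [r.email for r in records if audit(r)]


# Constructed sample export: one clean record and three that each fail one check.
T = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    ConsentRecord("a@example.com", True, False, T, "footer-signup", ("newsletter",), False),
    ConsentRecord("b@example.com", True, True, T, "checkout", ("newsletter",), False),   # pre-ticked box
    ConsentRecord("c@example.com", True, False, None, None, ("newsletter",), False),    # no proof kept
    ConsentRecord("d@example.com", True, False, T, "signup", ("newsletter",), True),    # bundled with TOS
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.email, audit(r) or "ok")
```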

3. Minimise the amount of personal data your email forms ask for

The less personal data you ask for, the better. Ask for only what you need in order to give subscribers what they’re consenting to. In most cases that means only asking for an email address. If you’re asking for more, make sure it’s absolutely required and there’s a legitimate purpose.

4. Make sure every subscription form on your site gathers consent properly

A common way of gathering positive consent is to include a checkbox in your form. But that isn’t technically necessary. At a bare minimum, your form should let people know what data you’re collecting and how you’ll use it. Form fields for a name and email address along with a submit button are not enough.

5. Update your privacy policy and link to it in your email subscription forms

Make sure your privacy policy itself is GDPR compliant. It should tell people what information you collect about them, how it will be used, and, for example, how they can view their data or request its removal.

Then link to your new or updated privacy policy in every email subscription form you use so people can learn more before they subscribe. These actions alone won’t necessarily make your email marketing efforts GDPR compliant. But they will move you in the right direction.

In the meantime, a good next step would be logging into your email marketing service provider and seeing what GDPR changes they’ve made to help you with this process. Or you can start by reading the General Data Protection Regulation in-full.
