An email marketer’s guide to GDPR changes

Scott Heimes
Chief Marketing Officer
SendGrid

Changes to the General Data Protection Regulation (GDPR) were announced in May 2016 and, if you are an email marketer in the UK, it’s time to listen up! The new GDPR becomes effective as of 25 May 2018 across all EU member states leaving four months to review and update your email program. But don’t panic! Here’s a breakdown of what you need to know to ensure you’re well prepared for the changes to come.

What is the GDPR privacy law?
The GDPR is a new set of rules around data protection that aims to harmonize the current patchy rules around privacy laws across all EU member states. Put simply, it will give email marketers a much clearer piece of legislation that’s designed to give individuals better control, access, and security over their personal data. The goal of the legislation is for EU individuals to have more say over what organisations do with their data.

GDPR applies to all EU-based businesses, regardless of size or industry, that handle personal data. It also applies to international organisations not based within the EU if you offer goods or services to, or monitor the behaviour of, EU individuals. The GDPR definition of personal data is broader and more detailed than it was previously. It includes online identifiers such as IP addresses and other unique online or device IDs, identification numbers and location data, as well as encrypted or hashed personal data.

Why is this so important for email marketers?
Well, for starters, failure to comply could mean up to a €20 million fine or 4% of your organisation’s global turnover, whichever is greater. YIKES! Clearly, no marketer wants that.

The biggest change is that the GDPR has made the definition of consent stricter. This has the knock-on effect that the consent required to send marketing emails to people has also become stricter. This means that you may need to review your existing marketing consent mechanisms and ensure that any consent you have obtained is clear and unambiguous (e.g. an opt-in tickbox). You’ll also have to give them information about why you’re collecting their data and what you will do with it. The GDPR also sets out rules on the age at which a person can give consent to the use of or access to their personal data.

So, what can I do to get ready?
First, you need to be clear that your brand has obtained the address from the recipient and what you plan to do with it. One way of doing this is with subsequent opt-outs. This has always been an EU requirement and even dates back to CAN-SPAM. Recipients must be provided with a method of opting out of receiving further marketing communications, and this method must be simple and clear to the user. A second way is to remove recipients who have withdrawn consent and to consider removing recipients who appear to have stopped engaging with your brand. Consent to send messages is not forever, and this is one of the easiest ways to maintain a good reputation with major mailbox providers.

The GDPR also states that where consent is being obtained from a person under the age of 16, parental consent is required. An organisation must make “reasonable efforts” to verify that the consent comes from the parents, as opposed to the child. Verifying age on an address collection page is new for most marketers and difficult to do reliably; therefore, having a simple policy that prohibits those under 16 years of age from registering for or using your product or services is worth considering. This should be stated clearly in your Terms of Service or Privacy Policy. If you run a service which is likely to be used by children, then you may need to take extra measures, such as an age-gating mechanism, and you should read further on the GDPR to find out how different member states can set a lower age requirement of 13 and whether that is applicable to you.

The GDPR might seem like bad news for email, but the new rules can actually be a benefit to your organisation when it comes to engagement and overall email deliverability. In the final months leading up to 25 May 2018, it’s a good idea to take appropriate steps to adjust for it now. And, in any audit of your email program, remember that you can still offer a lot of value to your recipients and obtain a high ROI for your organisation even when following the strictest guidelines.

Note: This is for general informational purposes only and is not intended to constitute legal analysis or legal advice. You should contact a lawyer to find out more about your particular obligations under the GDPR.

About Scott Heimes

Scott Heimes serves as Chief Marketing Officer of SendGrid, where he is responsible for brand strategy, driving demand for its solutions and leading global marketing operations. Scott oversees corporate marketing, demand generation, corporate communications, partnerships and alliances, international expansion and SendGrid’s community development team. Before joining SendGrid, Scott was the Chief Marketing Officer of Digital River, where he led marketing and demand gen, communications, strategic planning, partnerships and managed Digital River’s marketing services businesses including the company’s direct-response marketing agency and its BlueHornet email service provider. Prior to joining Digital River, Scott was the Chief Marketing Officer for WebMD Health Services, where he ran the company’s marketing, product management, and long-term strategic planning. In prior positions, Scott served as a senior marketing executive at OptumHealth, a UnitedHealth Group company; Target Corporation and Target.com.

Replies

By alec33
16th Jan 2018 15:34

This goes back to the passage of the Patriot Act, you know, that little bill that some 80% of the sitting Congress and Senators never even read, and it brings into question the 'reach' of American Law. The fact that we have global corporations storing data in other countries, and whether or not the desire by US intelligence agencies to control this data should override national sovereignty. Never mind that the example is Microsoft. After I tried this account report, I understood that if the data being stored is under investigation due to suspected criminal activity (IN the country in question), then it is safe to say that the Government of that country would be inclined to cooperate.
Under the 'Five Eyes' agreement, the US, Canada, Great Britain, and Australia all share data readily. All it needs is a Warrant.
The problem is that Privacy Laws in other countries are sometimes more stringent than those being applied in the US, and some countries take it seriously. The US Intelligence services do not - and they have demonstrated this through illegal (constitutionally) mass gathering of citizens' data.
One of the reasons Canadians rejected the Federal Conservatives in the last national election was because of the party's stand on individual citizens' rights, including privacy legislation, the granting of powers of arrest to US Marshals in Canada, and the failure of the government to resist the Congressional assumption that US law applies everywhere.