GDPR and email marketing: what you need to know

This is a quick reminder that for those of you processing data of EU residents (well, which means almost everyone), your email marketing efforts will need to comply with General Data Protection Regulation (GDPR) policy as of 25 May 2018.

It’s the last moment for you to reach out to your email subscribers to obtain their consent (if you haven’t done so) and make your mailing list legal! After May 25 you will not be able to do it according to the new legislation!

In this post I have summarised how GDPR will affect email marketing in your business:

1. What is GDPR?

2. Implications of GDPR for email marketing

3. Is my email list ‘legal’?

4. What do I need to do now to comply with GDPR?

One note: the post is designed to be bite-sized and actionable, not exhaustive. We are all tired of reading lengthy tirades about GDPR and its implications, right?

OK, one more thing I need to do before we kick off:

Disclaimer: The information provided below shall not be construed as legal advice. Get a Newsletter does not assume responsibility for the accuracy of the information provided below. We took care to make sure that the information is true and accurate, but we cannot eliminate the possibility of inconsistencies or errors. You should seek help from legal professionals for legal advice on how to adapt your email marketing to the new legislation.

1. What is GDPR?

1. General Data Protection Regulation (GDPR) is a general digital privacy law that will unify practices of data protection across all EU member states.
2. It was adopted on 27 April 2016 and it comes into force on 25 May 2018.
3. It is an *EU regulation, not a directive* – which means it is legally binding.
4. Not complying with it can result in large fines.
5. GDPR applies to all businesses that handle the personal data of EU residents (so – not only businesses registered in EU member states, international entities too!).
6. It also applies if e.g. your data storage systems (e.g. cloud storage solutions) are based in the EU.
7. The regulation introduces two principles of data protection: ‘data protection by design’ and ‘data protection by default’
8. ‘Data protection by design’ means that each business that handles personal data needs to have systems designed to protect them. This includes keeping the database of personal information secure through e.g. pseudonymization (encoding data by replacing personal data with a random identifier) of data fields.
9. ‘Data protection by default’ means that all personal data are subject to data protection regulations.
10. Consent to store or process personal data in any way needs to be given explicitly in a ‘freely given, specific, informed, and unambiguous’ way, and through clear ‘affirmative action’.
11. The data owner also has the right to access their data and have them removed at any time.

 

2. Implications of GDPR for email marketing

1. Personal data or email addresses cannot be harvested, bought, or used without the owner’s consent. So you cannot go online and scrape emails from the ‘contact’ pages anymore after 25 May. You cannot sell your email lists without obtaining the data owner’s consent either.
2. Opt-outs are not enough anymore, your subscribers have to opt in to receive emails from you. Consent cannot be *assumed* – it has to be explicitly given (and for a specific purpose, to a specific entity – your business details and contact information has to be provided too). This means you cannot even have a pre-ticked consent box on your email subscription form – the data owners have to do it themselves to make sure that they did that fully consciously.
3. This applies to previously obtained emails too, even if you already have been in communication with the owners and they have not *opted out* of receiving your newsletters.
4. Email addresses cannot be used for any other reason or by any other person/entity than the one for which/whom they have been given. So, if you have a list of emails from your clients that you obtained at checkout, you cannot use them to send a newsletter to your clients. You need to confirm with them if they want to receive your newsletter and get their *express* consent for that.
5. If your newsletter contains diverse content with different purposes, you’d better state explicitly what kind of content you intend to send to people subscribing to your newsletters and put tick-boxes next to each type of content you are planning to send: e.g. ‘I agree to receive emails about 1) new product features; 2) special offers 3) events 4) press releases 5) interesting information about XYZ’
6. You cannot collect or store more data than is necessary for the purpose the owner has consented to. So, e.g. if you have an online store and need shipping information from your customers to complete the purchase, you cannot collect information about gender, age, etc. to target special offers to different customer groups (the so-called ‘profiling’) without their separate, specific consent.
7. You cannot share the email addresses you have with another entity without explicit permission and consent of the owner

 

3. Is my email list ‘legal’?

Your email list is *not* compliant with GDPR if:

1. You have scraped email addresses from the internet without the owner’s permission.
2. You have obtained the emails from another source, e.g. at checkout in your online store rather than the subscription box for your email. Even if you provided a notice ‘I agree to my email address being stored and used for the purpose of sending promotional newsletter’
3. You have bought the email list from someone and are not sure if they collected the consent of the email owners to sell it to you specifically.
4. You are using the emails for another purpose than the one the owner has granted permission for: e.g. sending offers rather than information about events.
5. You are using them for another business than the one they have given permission to use for.
6. You have pre-ticked the consent box on the subscription form. 
7. You have not stated *explicitly* what kind of content the subscribers can expect in the consent form.

4. What do I need to do now to comply with GDPR?

1. Update your data protection policies to reflect the new legislation.
2. Make sure you have a clear data protection system and process in place. You will also need to keep a record of your data processing activities.
3. If you are not sure the owners of the emails you have given their explicit consent for you to use their emails for your newsletter, contact all your email subscribers with a notice to re-subscribe.
4. Update your subscription forms to include:
   1. Unticked check-boxes so that the subscribers have a chance to give their explicit consent.
   2. A list of content options so that the subscribers give clear consent to all types of content with different purposes.
   3. Clear information on who will be responsible for data storage and processing + contact information.