Last year, European policymakers adopted a radical data privacy law known as the General Data Protection Regulation (GDPR).
Namely, GDPR aims to protect European citizens by regulating how companies handle their users’ online data. Even the world’s biggest companies took serious blows to their budgets.
In January 2019, a French data protection authority fined Google $57 million. So far, this is one of the highest GDPR-related penalties. Google is accused of not disclosing how they collect user data across their services for purposes of personalized ads. This proves that regulators show no mercy to any online business that depends on collecting personal information.
GDPR is closely connected to email marketing.
Naturally, this form of advertising depends on collecting personal data. But what constitutes personal data and what does GDPR have to do with email marketing?
GDPR and email marketing
GDPR builds upon existing data protection laws and makes them applicable to the digital age. And with so much online business activity, the reach of GDPR is far greater than before. Namely, it aims to protect information of EU citizens.
The privacy law affects companies operating in Europe as well as businesses that store and process personal information on an EU citizen. But what exactly constitutes personal information?
As stated on the official GDPR website, personal information can be anything from a photo or a name to a personal IP address or sensitive medical data. So when we take into account the sheer number of personalized emails marketers send out every day, it becomes clear why the GDPR has such a strong effect on email marketing.
But what can marketers do to be in compliance with the GDPR?
Run a re-permission campaign
One of the biggest questions regarding email marketing and GDPR is whether you can keep sending marketing emails to your existing subscribers. This includes legacy contacts added to your lists before May 25, 2018. The good news is you can still send emails to contacts who explicitly opted-in before the GDPR took effect.
You are permitted to continue sending emails to those contacts who explicitly opted-in to receive emails from you in the past. But they will also have an option to opt-out from receiving any future emails. When it comes to those contacts automatically added to your list, you will need to gain their consent before sending them new emails.
Therefore, any contacts from purchased email lists or those added to a list by ticking a checkbox and without explicitly opting-in will not be able to receive your marketing emails. So you will need to gain their explicit consent first.
How to gain consent?
You will need to ask people on your list if they want to receive marketing emails from you in the future. GDPR is centered around asking for permission and keeping a record of it. So if you want to be on the good side of the law, you will need to run a re-permission campaign. The campaign serves to encourage contacts to re-opt in to your lists.
This might seem drastic, but it can actually help you reevaluate your lists and update your records. So don’t do anything extreme such as deleting your entire contact list. Rather, you need to run a re-permission campaign and ask those who didn’t explicitly opt in the first time whether they would like to be on your mailing list.
Example of a good opt-in banner
It is important to remember that you should only send emails to those contacts that have previously opted-in to receive them. This goes for the re-permission campaigns too. Make sure to exclude anyone who has opted-out from receiving emails from you.
It might seem that by asking users to opt-in, the majority of contacts will just ignore the request. Try to offer users a simple way to opt-in. Too much hassle might deter them from giving you their personal information. When you run the re-permission campaign, a lot of contacts added automatically will not reply.
However, this will give you an idea of exactly how many people want to interact with your brand. Furthermore, you will have a much higher response rate to future campaigns and a chance to constantly build and update your lists with information about the type of person you should contact.
Get new opt-ins and permissions
Before GDPR, marketers could send emails to anyone who filled out a web form or a pop-up. But today this is impossible. New contacts now have to explicitly give you permission to send them marketing emails. You can no longer hide your communication policy in your privacy statement or have subscribers just tick a box. New contacts must explicitly opt-in to your newsletter if you want to be able to keep marketing to them.
Update your web forms
If your web forms assume user permission you must update them. You have to specifically disclose what the users will receive from you after agreeing to your terms and conditions. By ticking the relevant boxes, the user needs to consent to receiving your marketing emails. They also need to accept your terms and conditions.
Example of a GDPR compliant web form
It is also very important to include a link to your privacy statement on the web form. This gives subscribers a chance to understand what they are consenting to and how to opt-out. Once you update your web forms, you will have to record the user consent in a way that is compliant with the GDPR. For most businesses, this meant implementing double opt-in, but this is not necessary.
Basically, double opt-ins are confirmation emails sent to the user after they fill out a form. While many businesses believe this is how you should record consent, double opt-ins are not a GDPR requirement. It will be enough to use the timestamp of when a user signed up. You can find it in your customer relationship management (CRM) software.
Automation and data segmentation
Email marketing has completely changed due to marketing automation. But GDPR doesn’t allow you to send automated emails to users without getting their permission first. This goes for product materials, onboarding emails and lead nurturing campaigns. Even if subscribers opt-in, you will still have to think about how to segment your contact list.
If you want to comply with the GDPR yourself, you need to know there are limits when it comes to data segmentation. If you use algorithms to process segmented data, you need to be very careful. For example, if you start sending automated emails to users who are likely to churn, you might be violating the GDPR principles. You must not make any changes to your existing relationship with a user based on insights from segmented data.
This means you can’t adjust prices or subscription details for certain customers just because you noticed a pattern. But you can use segmented information to assist users with using your service or making a payment. Then, you are in the clear.
Dealing with opt-outs
Users have the right to be forgotten. This is a huge part of GDPR which gives the users the power to reclaim their personal data. Always remember to send marketing emails only to people who have already opted in to receive them. But you also need to make it easy for users to unsubscribe from your newsletters or mailing lists.
Example of a GDPR compliant opt-out form
The law requires you to include an “unsubscribe” link in your emails. These links should be clearly visible and the unsubscription process should be as straightforward as possible. When a user clicks on the “unsubscribe” link, they should be able to quickly remove themselves from your list. Lastly, you should delete all the personal data you have on them.
GDPR is here to stay
Consumer privacy is extremely important, especially when it comes to gaining client trust. GDPR tries to prevent any misuse of personal information. But the regulation isn’t all that bad. Instead of purchasing shady email lists, you will actually market to people who want to receive your offers. This increases engagement and gives your brand the credibility it deserves.
Even marketers themselves wouldn’t like to see their personal data fall into the wrong hands. And although you have to make some small adjustments to how you run your email campaigns, GDPR is actually a positive regulation. It opens doors to transparency and prevents companies from having an unfair competitive edge over other businesses in the industry.
This guest blog article was written by Nebojša Ćirić, who is a writer and partnerships manager with Advisera, one of the market leaders in helping businesses implement ISO, ITIL, IATF, AS and OHSAS standards. Neb has several years of experience in creating digital content, including sharing knowledge on the topics of cybersecurity, quality management, compliance, and other topics.