Email marketing and GDPR are closely related.
GDPR has put more regulations on email marketing than ever before. In this article, Dustin Baly, Ignite Visibility Head of Email Marketing, gives actionable tips for email marketing and GDPR.
First, What is GDPR Compliance?
GDPR (the General Data Protection Regulation) is essentially a new set of rules designed to give citizens more control over their personal data.
It was created for citizens of the EU, but don’t think that means you’re off the hook if you work in the US.
The regulation will affect all businesses, whether or not your customers are located in the EU.
Under GDPR, businesses can’t process customer data unless it’s for a lawful purpose or those businesses have received explicit instructions from the customer to do so.
GDPR requires companies that collect and process data to keep personally identifiable information (PII) secure. And any company that hasn’t been careful will soon find itself in hot water.
How hot? Up to 4% of global sales hot.
That’s right: any company found to be in violation of the GDPR can be fined up to 4% of their global sales (we’re talking well into the millions, and maybe even billions of dollars).
Do I have your attention now? Good. Now let’s get to email.
Note: for more details on how GDPR may affect your business as a whole, read my full guide here.
How Will GDPR Affect Email Marketing?
In a nutshell, it will force companies to take a long hard look at what personal data they’re collecting, and more importantly, how securely they’re storing it.
The personal data situation is especially relevant to email marketing, given that a good amount of that information is collected during an email signup process.
Hence the opening of the email floodgates, and the ensuing flood of emails you’ve received from companies like Facebook, Uber, and any other company that collects and stores personal information.
That personal data is big news these days, given recent breaches from seemingly bulletproof companies like Facebook, and the regulation sent most scrambling to update their policies and let customers know they’re handling sensitive info with care.
(Fun fact: the email storm even has an accompanying Spotify playlist).
Some of the policies emailers need to be aware of include:
- The definition of personal data has been expanded to include anything that would enable you to identify an individual.
- Plain language (no legal jargon or technical gibberish) must be used in all privacy policies and explanations of how data is used
- Businesses must let people download their personal data and take it to another company if they wish
- They also must inform all affected users of a data breach within 72 hours of its detection
- Businesses are required to clearly communicate to customers how they plan to use their personal data
- They must also be transparent about customers’ rights to request the restriction of access to, rectification, or erasure of their personal data
- Customers should be able to easily cancel their consent and request the erasure of their personal data as quickly as possible
- Businesses must put preventative measures into place to protect customer data
But wait, there’s more. To give the full text and guidelines a look over, click here.
Opt-Ins Are the New Norm For GDPR Email Marketing
This is the big one, folks.
When it comes to GDPR and email marketing, the main thing for marketers to keep in mind is that all communication must be strictly opt-in.
And when I say opt-in, I’m leaving no room for interpretation.
Every single customer, lead, visitor, even friend that you plan to send marketing emails to must give clear consent.
To get it, they must actively consent.
That means no more passive, pre-checked boxes that assume consent. A user has to click themselves.
In the past, it was common for customers to be automatically subscribed to email newsletters (or shown a pre-checked box) after making a purchase.
That’s a big no now, and will result in a GDPR violation.
Companies can still include an option to subscribe, but the customer must click for consent themselves.
Explain How Your Data Will Be Used for GDPR Email Marketing
A rundown of why you need the information you’re collecting is no longer a courtesy, it’s required.
During the sign-up process, you need to clearly explain how you’ll be using their information.
If the customer doesn’t like it, they’re free to quickly opt out.
This may not seem like a big deal. So let me explain.
If you plan to use this information for any sort of profiling – as in, using it to segment your audience for email automation – the user needs to know.
“Profiling is defined as any automated processing of personal data to evaluate, analyze, or predict any characteristics of a user.”
So, if you plan on tracking user purchases or behavior on your site in order to send them personalized product recommendations, you have to let them know.
Scary, yes, but no cause for panic. You can still use email automation, as long as you comply with the following:
- Notify your contacts (in your confidentiality agreement or advertisements)
- Allow them the option to opt out of this profiling
Do note that you don’t have to include all this information under your opt-in check box, but it does need to be available in your confidentiality agreement or privacy statement. So make sure you update accordingly.
Don’t Automatically Add Contacts to Lists for GDPR Email Marketing
We touched on this earlier in the opt-in section, but it’s big news for most marketers.
See, a lot of companies will use gated content (webinars, ebooks, whitepapers) to collect user information, including email, in exchange for the content.
Once they have those emails, many marketers use them to automatically enroll users in their email lists.
With the new regulations, that’s no longer an option (at least, not a legal one).
If someone gives their email for a single purpose, like downloading an ebook, that’s all you can use it for. They didn’t give you consent to use their email for anything else, so you can’t.
Again, all’s not lost.
You can still use your gated content as a way to collect emails, you just have to be clear about your intent.
All that means is that you need to include a field asking if the user would like to join your email list, and explain how you plan to use their information.
All Customer Data Must be Deleted if Requested for GDPR Email Marketing
Opting out or unsubscribing is nothing new. In fact, most email software requires that you include the option in order to use their services.
That part isn’t changing. What is a little different is that users now have the “right to be forgotten.”
That means that brands must be able to erase any information they’ve collected on any user, including purchase history, location, or any tracking data.
Keep a Record of Consent for GDPR Email Marketing
If you have your opt-ins in place and people are signing on, great.
But you need to keep a record of it.
Why? To cover your biz in case of any possible violations, that’s why.
If you are targeted for any reason for a GDPR violation, the higher-ups will want to see a proven record of consent to show that yes, you had permission to send these people emails and yes, you explained how their information would be used.
You should be able to prove:
- Who consented
- When they consented
- What they were told at the time of consent
- How/where they consented
- If they have withdrawn consent
How you plan to keep these records might be something to have a chat with your IT department about.
That Record Applies to Everyone, Even Existing Customers
This consent situation doesn’t just apply to those who sign up post-GDPR drop. It applies to all users on your email list.
Which means brands will have to do a little backtracking.
It’s also why you’ve seen so many new emails in your inbox asking you to re-consent to various brands’ email lists.
If you find yourself in this kind of situation, follow these steps:
- First, evaluate your current list. Are the users GDPR-compliant? Do you have a way of proving when they consented, and did you inform them of how you planned to use their information?
  - If you answered yes, congratulations! You’re in the clear regarding re-confirming consent.
  - If you answered no, read on.
- Create a re-enrollment plan. If you don’t have GDPR-proof consent or are even a little unsure, this is for you.
  - First, analyze your list and find all active subscribers. These are the ones you want to target
  - Create a well-crafted email that will make users want to stay enrolled, and send it out multiple times if need be
Concluding GDPR Email Marketing
Suffice to say, complying with the new regulations hasn’t exactly been a walk in the park for marketers.
But after the initial headache, the GDPR will likely prove beneficial to business. After all, the goal is to provide a more transparent, trustworthy experience for customers.
As users grow more reluctant to share their personal details, the enforcement of the new regulations will help them put their trust back in the marketing process, and your brand as well.