What does GDPR mean for your email marketing activities?

In today’s connected world, personal data is being collected at an incredible rate.

The websites you use, the calls you make, the places you visit and even the photos you take are all recorded, measured and leave a digital footprint – a footprint that is fast becoming a prized resource.

Data has now become a prized commodity.

However, because personal data is so valuable, it’s vulnerable to theft or misuse and this has led to consumers demanding to know how companies use and store their personal data.

Enter the General Data Protection Regulation (GDPR).

You’ve all heard of it!

When GDPR came into play on 25th May 2018, it affected practically every business that processes customer data within the EU.

It affects many aspects of business, but one main area it impacts on is marketing.

41% of marketers admit to not fully understanding both the law and best practice around the use of consumers’ personal data.

So, let’s set about clarifying for you exactly how GDPR impacts your email marketing activity and what you need to do to avoid any breaches.

 

How does GDPR impact on your email marketing activities?

 

You may be asking yourself, “where do I start with GDPR?”.

There’s a lot to digest when it comes to the new regulation so, to help you out, we’ve created a dedicated GDPR Hub with lots of information about the GDPR, including what it is and why it came about.

We’ve even put together a handy checklist to help you focus in on the key areas for your business.

With that covered, what exactly can you do when marketing your products or services?

The first thing that is vital to understand is that GDPR works differently for B2C and B2B marketing.

This is little understood by many businesses, but it is an important point when it comes to marketing your goods and services.

Who you market to determines how you market to them!

The general rule for electronic direct marketing (emails), which is what most of you will be engaged in, is that it requires the ‘affirmative’ consent of the recipient.

In the past you had to give the recipient the right to opt-out of receiving any email correspondence from you.

And this is still a requirement.

However, you are now also required to have the recipient opt-in to receiving any correspondence from you.

Even when you have the recipient’s consent, that consent can be withdrawn at any time and you are required to advise the recipient of their right to withdraw their consent in any marketing correspondence with them.

Your communications cannot be unsolicited, i.e. something that was not requested or sought, unless they are considered to be of legitimate interest – more on this a little later.

If you have an on-going, or recent relationship with a person, then contact with that person might not be considered to be unsolicited, as some form of consent may be present.

The purpose is really to prevent cold-calling scenarios from continuing.

 

So, are cold call emails allowed?

 

You may be surprised to hear that GDPR does not explicitly require opt-in consent for B2B marketing activities.

You can email a business if you can show that your marketing communication is considered a legitimate interest (i.e. where the use of data is necessary or expected by the individual).

It is generally accepted that B2B marketers will be able to make use of the legitimate interest legal grounds for their marketing activities in most instances.

You can find out more about legitimate interest here 

However, this is still only acceptable if the legitimate interest marketing offers the business a clear way to opt out, doesn’t override the individual’s rights, and is done in a relevant and time-sensitive way.

There are no legitimate interest grounds for B2C marketing.

 

Do pre-GDPR marketing databases need to be deleted?

 

This then begs the question: as a business owner, do you need to essentially start your marketing database all over again, asking each person to opt in, in order to be compliant with GDPR?

Well, if you are a retailer or a service provider, the answer to this is probably ‘no’.

But you’d need to meet the following conditions:

  1. The product or service you are marketing is your own product or service;
  2. The product or service you are marketing is similar to that which you sold to the customer at the time you first obtained their contact details;
  3. At the time you collected the details, you gave your customer the opportunity to object, in an easy manner and without charge, to their use for marketing purposes;
  4. Each time you send a marketing message, you give the customer the right to object to receipt of further messages; and
  5. The contact details were used within 12 months of the sale of your product or service.

In such cases, if continuing to market to such customers, you should provide them with the means to ‘opt-out’ from receiving further marketing materials.

You should do this by having an ‘opt-out’ box prominently displayed beside the field for customer contact details.

You should also have an unsubscribe facility on any marketing emails sent to them.

 

So, how do you keep email consent compliant with GDPR?

 

By focusing in on the five most important things…

1. Get consent from a positive opt-in, not pre-ticked boxes

For consent to be valid under GDPR, your customer must actively confirm their consent, such as ticking an unchecked opt-in box.

Pre-checked boxes that assume consent if people don’t uncheck them aren’t valid under GDPR.

2. Keep consent requests separate from other terms and conditions

Email consent must be freely given – and that’s only the case if a person truly has a choice of whether or not they’d like to subscribe to your marketing messages.

If subscribing to a newsletter is required in order to download an eBook, for example, then that consent is not freely given.

Under GDPR, email consent needs to be separate.

Never bundle consent with your terms and conditions, privacy notices, or any of your services.

3. Make it easy for people to withdraw consent – and tell them how to do it

You must give your subscribers the opportunity to opt out from receiving emails.

Each promotional email you send must include an option to unsubscribe.

You should make this process as simple as possible.

An unfriendly unsubscribe experience is a major driver of spam complaints.

So putting up opt-out barriers not only jeopardises your legal compliance but can also hurt your deliverability as well.

4. Keep evidence of who consented, when and how

You need to be able to show that the recipient of your emails consented to receiving them.

Therefore, it is important that you keep evidence of consent so that you can provide proof of:

  • Who consented
  • When they consented
  • What they were told at the time of consent
  • How they consented
  • Whether they have withdrawn their consent

Your email service provider records any opt-in and opt-out actions.

5. Review your consent practices and existing opt-ins

It’s been a few years since GDPR came into effect, but if your email list is just crawling out of hibernation, you’ll need to check your consent practices and existing consent data.

For more on consent take a look at our guide on consent as a legal basis for B2B marketing (coming soon)

 

GDPR does not require double opt-ins…

 

The concept of double opt-ins has caused confusion.

Double opt-in is the ‘belt and braces’ approach to email marketing signups and applies only to activity justified by consent, not by legitimate interest.

Under this model, your potential subscriber fills out and submits an online signup form (opt-in ‘one’), and your business then sends an automated confirmation email link that your subscriber has to click to verify their email (opt-in ‘two’).

GDPR does not require double opt-ins for direct marketing.

However, double opt-in can prove especially useful in certain contexts – for example, where your business seeks to build an email list of the highest quality, or where you’re concerned about spam subscribers.

In conclusion, if your database doesn’t have the right level of consent and your marketing actions can’t be classed as being of legitimate interest, it’s likely that you’ll need to contact those customers on your database to inform them that they’ll need to opt in should they still want to receive communications from you.

By making sure your marketing actions and data processing fit the above rules, you not only protect your business by showing compliance with GDPR, but you also show your customers that you care about their data security – a valuable and respected trait in the opinion of consumers, especially with cyber security breaches often in the headlines.
