How to Create an Email Marketing Strategy with GDPR Rules
2018 has brought many marketing trends; some are here to stay and others are already gone with the wind. One specific trend, or rather a regulation that’s influencing which trends even become trends, is the General Data Protection Regulation (GDPR). As the most comprehensive update to Europe’s data protection rules made this century, the GDPR is affecting everything and anything related to personal data. This means that everything, from digital advertising to SEO services, has to be taken in and modified to account for GDPR’s new policies.
A Brief Overview of the GDPR
The GDPR came into existence when the European Union (EU) realized that the amount of personal data organizations collect from their users was climbing too fast and left unchecked for too long. For reference, this could include any information relating to a natural person, such as their name, identification number and location, or online identifiers related to the physical, genetic, mental, economic, cultural or social identity of that natural person.
Anyway, hoping to hold organizations accountable for how they handle personal data, the EU announced it was enacting strict regulations to protect their citizens from potential mishandling of this data. This means that anyone who handles an EU citizen’s data, whether they’re located in Europe or the Americas, has to abide by the GDPR’s new guidelines. As for noncompliance, that leads to VERY steep fines and penalties that can amount to millions of dollars.
How GDPR Is Affecting Email Marketing
Let’s start with the good: thanks to GDPR we should be receiving a fraction of the spam we used to get. Onto the bad: prior to May 25, the GDPR’s official debut, our inboxes were swamped with countless emails from organizations asking for our consent to ‘stay in touch’ (counterintuitive much?). Why? Because organizations now need unambiguous consent from users before they can send even a single email (see Article 4 (11)):
- ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Breaking it down further into the requirements for consent (freely given, specific, informed and unambiguous, and through a clear affirmative action), Recitals 42 and 43 state that for consent to be freely given, the option must be there:
- Recital 42
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
- Recital 43
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
As for specific, informed and unambiguous, Recital 39 explains that generic or confusing terminology cannot be used to gain consent:
- Recital 39
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used… Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed… Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Moving to a clear affirmative (action), Recital 32 explains that the action of consenting has to be that: an action. In other words, you have to opt-in as opposed to opt-out:
- Recital 32
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Creating an Email Marketing Strategy with GDPR Rules
From the points covered above we arrive at a few conclusions:
- If someone signs up for something, you can’t send them information about anything else (e.g., if someone signs up for a newsletter, you can’t send them information about any promotions you’re running).
- If your mailing list includes people who were automatically opted-in without explicitly doing so, you have to gain their explicit consent before sending a single email.
- If your mailing list does include people who explicitly opted-in to receive a particular email type, you can continue contacting them, but only for emails that fall in that email type.
Moving forward, any email marketing strategy has to account for the points above, as a good digital agency would. With that in mind, the first thing you have to do is obtain permission from your subscribers to keep the emails coming. Unfortunately, as it is currently post May 25, 2018, you’ve lost your chance at an encompassing mailing list email asking them to resubscribe. It’s not the end of the world, though; if your list includes people who did opt in explicitly, you can keep them in the loop. If, on the other hand, you have users who were automatically opted in, such as with a pre-checked box or a purchased mailing list, you’re going to have to go back and obtain their explicit consent. The problem is, how can you contact them if you’re technically not allowed to?
After obtaining permission (or re-permission?), it’s time to build your mailing list all over again. But, and this is a big but, this time around everything has to be done according to GDPR’s rules, and those rules don’t treat filling out a pop-up as an invitation to receive a barrage of emails. As we’ve covered countless times before, this means you need their explicit permission to send them your emails. To get it, you need to inform them exactly why you need their information and what you’re going to do with said information.
Now that you have a somewhat solid list of email subscribers, you have to think about the inevitable: at some point, some of them will unsubscribe. As unfortunate as this is, it means you have to include an ‘unsubscribe’ link somewhere in the email that lets them know they have the option of staying or leaving. Keep in mind that this can’t be hidden, so make sure it’s clearly visible and allows them to also manage their subscriptions. For example, on clicking it they can be taken to a subscription page that allows them to opt in to or out of your different newsletters.
Well, there you have it — the basics of creating an email marketing strategy with GDPR rules. Will it be easy? Not really. Will it be time consuming? Probably. Is it necessary? You bet.
If there’s one thing that sticks in your mind after reading this, it should be that you always need consent to send an email. And by consent, I mean consent that’s freely given, specific, informed and unambiguous, and through a clear affirmative action. If you can remember more than one thing, remember to be honest about why you want to contact your users and how you’re going to use any personal data they give you.
Best of luck!
About the Author!
Matthew is a content writer for Aumcore, a digital marketing agency that specializes in SEO services. He writes on a variety of subjects that range from everything SEO to mobile app development.