Email marketing has long been recognized as one of the most useful techniques out there, and it’s certainly one of the most cost-effective options for small businesses.
But what does GDPR mean for email marketing? Quite a lot, actually.
Adapting to new regulations is nothing new, however, and this article explains the steps you need to take to adapt your email strategy to this new environment.
While not explicitly mentioned in the 261 pages of text, email is one of the marketing strategies most impacted by GDPR.
What’s more, this law affects pretty much every company in the world - if your email list of subscribers includes even one person who lives in the EU, then you need to comply with GDPR, or face heavy fines.
And, if you can’t be certain whether any of your website visitors or email subscribers are from the EU, it's best to play it safe and comply with GDPR guidelines just in case.
Let’s run through the steps you need to take to ensure that your email marketing meets GDPR requirements.
This is a great place to start, as it will be a useful foundation from which to build GDPR compliance across your email marketing strategy. The key elements of this are:
If you need further inspiration, feel free to download our own checklist.
Email services have also had to adapt to GDPR, and many of them have introduced GDPR compliance guides to help their clients.
And if this doesn’t exist, it’s advisable to change things up and change service providers.
In practice, most people don’t read the terms and conditions before they sign up. This is understandable, but for companies it conflicts with the GDPR requirement that consent must be “clearly distinguishable from other matters”.
Given this, you must make the consent form stand out with its own checkbox and separate it from the terms and conditions.
Consent is the keystone of GDPR compliance, and must be “freely given, specific, informed and unambiguous”.
In practice, this means that companies can no longer send emails without informed and explicit user consent. This is often referred to as a “hard opt-in”, whereby consent is freely given, and no options come pre-ticked.
Importantly, users cannot be penalized in any way for refusing permission for anything.
When presented with a consent form, your customers need to know exactly what they are going to receive – be it promotions, monthly newsletters, or re-engagement emails – and be able to cherry-pick exactly which ones they want to see in their inboxes.
The best way to achieve this is with a “double opt-in”; this means that you start by requiring a user to tick a consent checkbox in the sign-up form, and they then must click a link in a follow-up email to verify their intention.
And if you’re new to the GDPR compliance game, you could well have people on your email lists who were added without their permission. If this is the case, you’ll want to send them all an email that asks for their consent.
Remember to keep a record proving that consent was given freely, for when data privacy authorities come knocking. In practice, this means keeping evidence of a clear audit trail from the moment the user gave their consent through to every email you send them.
Under GDPR, consumers have the right to withdraw consent at any time. With email marketing, this is as simple as adding an unsubscribe button at the bottom of each email.
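As an added example (not code from the original article), the following Python sketch ties together the double opt-in, the consent audit trail and the withdrawal step described above: a request built only from checkboxes the user actively ticked, a single-use verification token for the follow-up email, a logged withdrawal for the unsubscribe link, and a send gate that passes only confirmed consent. The ConsentStore class, its method names and the in-memory storage are hypothetical stand-ins for a real database.

```python
import hashlib
import secrets
import time

class ConsentStore:
    """Constructed in-memory consent ledger standing in for a database (hypothetical API)."""
    def __init__(self):
        self.subscribers = {}     # email -> {"purposes": {purpose: status}, "audit": [events]}
        self.pending_tokens = {}  # sha256(token) -> (email, purposes); raw token never stored

    def _log(self, email, event, **details):
        self.subscribers[email]["audit"].append({"ts": time.time(), "event": event, **details})

    def request_consent(self, email, ticked, source):
        # Step 1 of the double opt-in. Only purposes the user actively ticked arrive
        # here (no pre-ticked boxes), each as its own checkbox apart from the T&Cs.
        if not ticked:
            raise ValueError("no purpose ticked; nothing to consent to")
        sub = self.subscribers.setdefault(email, {"purposes": {}, "audit": []})
        for p in ticked:
            sub["purposes"][p] = "pending"
        self._log(email, "consent_requested", purposes=sorted(ticked), source=source)
        token = secrets.token_urlsafe(32)  # embedded in the verification link
        self.pending_tokens[hashlib.sha256(token.encode()).hexdigest()] = (email, sorted(ticked))
        return token

    def confirm_consent(self, token):
        # Step 2: the subscriber clicks the emailed link; an unknown or reused token fails.
        entry = self.pending_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return False
        email, purposes = entry
        for p in purposes:
            if self.subscribers[email]["purposes"].get(p) == "pending":
                self.subscribers[email]["purposes"][p] = "confirmed"
        self._log(email, "consent_confirmed", purposes=purposes)
        return True

    def withdraw(self, email, purpose):
        # The unsubscribe link: withdrawal takes effect immediately and is logged.
        self.subscribers[email]["purposes"][purpose] = "withdrawn"
        self._log(email, "consent_withdrawn", purposes=[purpose])

    def may_email(self, email, purpose):
        # Gate every send on a confirmed, not-withdrawn consent for that purpose.
        sub = self.subscribers.get(email)
        return sub is not None and sub["purposes"].get(purpose) == "confirmed"
```

The audit list on each subscriber is the record to hand over if an authority asks when and how consent was obtained and withdrawn.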
GDPR rules stress minimization when it comes to personal data, meaning that you must have a legitimate reason for storing any information, and must delete it as soon as it’s no longer needed.
With email campaigns, a subscriber’s consent gives you a legitimate reason to store their email address, but it gives no justification for holding on to their bank details after they’ve made a purchase, for example (unless they’ve signed up for a paid monthly subscription).
It would also be wise to introduce an email retention policy or assess your existing one to ensure that you are not retaining excessive amounts of personal data that would put you at risk in the event of a data breach.
GDPR insists that data be stored as securely as possible, and to make emails compliant on this point it is wise to use encryption.
While GDPR does not mandate encryption as an essential practice, it appears regularly in the text as an additional measure for mitigating security threats.
In practice, this means that you must either encrypt any email that contains personal data or use a messaging system whose secure servers and links protect the privacy of that data.
Under GDPR, transparency should be integrated into all your marketing channels and email marketing is no different – people now have a right to know what is happening to their personal data.
Given this, you must outline your use of email marketing within your privacy notice. It must be given its own dedicated section, and include the following information (ideally each in their own sections):
Crucially, you also need to alert consumers whenever there is a change to your privacy policy and give them the opportunity to unsubscribe if they so wish.
When GDPR arrived, many marketers thought it would be the death of email campaigns.
This hasn’t come to pass, but email lists have certainly gotten shorter.
However, this is no bad thing, since it means you are left only with loyal subscribers who are most likely to buy your products or services again.
GDPR compliance also aligns nicely with general concerns over data privacy and meeting these requirements is a sure way to build trust with your audience.