European privacy and spam rules are set out in the Directive on Privacy and Electronic Communications (EU E-Privacy Directive). Although the directive outlines the main goal of the regulation, each country is free to interpret it into local law. This lack of consistency means that each EU member state has different email and privacy laws.
The new law, the General Data Protection Regulation (GDPR), aims to bring together local laws in a bid to create a uniform email regulation that is consistent across all EU member states. GDPR is not a directive; it is a regulation that will come into immediate effect on May 25th this year and apply to all EU countries.
So what does this mean for email marketers and what impact, if any, will this have on the email industry?
No matter where you are based in the world, any company using data from EU citizens will be affected by GDPR.
GDPR will affect a number of aspects of email marketing, in particular how data is sought, collected and recorded. Under the new law, marketers will only be allowed to send emails to people who have ‘opted in’ and given their consent to receive messages. Now this may not sound like something new, as many EU countries already abide by this regulation under the current EU Privacy Directive, but GDPR stipulates that consent must now be “freely given, specific, informed and unambiguous”.
GDPR clarifies that an affirmative action signaling consent may include checking a box on a website, ‘choosing technical settings for information society services’ or ‘another statement or conduct’ that clearly indicates consent to the processing.
GDPR clearly states that ‘silence, pre-ticked boxes, or inactivity’ are not adequate forms of consent, and that subscribers must be told which brand is collecting the consent and why the brand is collecting personal data. For example, if you are seeking data to determine what email offers someone receives, you must tell them that is how you intend to use their data and give them the option to ‘opt out’.
Unfortunately, many processes used by marketers to grow their database will not be GDPR compliant. If you ran a competition and someone left their information, but you didn’t tell them that you intend to use their data to send marketing emails, then you will not be compliant under GDPR and it will be illegal to add their details to your mailing list.
GDPR also outlines rules on how marketers and companies should keep records of given consent. The onus is on the company to ensure they have proof that sufficient consent has been given. This means that you should have a clear record of consent which can be presented if you are challenged under GDPR.
‘I suggest it would be sensible for marketers to include a screen-grab of the page or app where the consent was obtained. That is something your platform is not likely supporting out of the box today,’ Andrew Bonar, co-founder of Deliverability Ltd, said in a blog post on Litmus.com.
GDPR applies not only to newly collected data, but also to any existing data. If your database includes subscribers whose permissions have not been collected and recorded in accordance with GDPR, or if you cannot provide sufficient proof of consent for some of your current subscribers, then you won’t be able to legally process their data. Getting all of your customers’ data and business processes up to the GDPR standards may mean running re-permissioning campaigns before the law comes into force in May.
Is there a way out of this? Yes, but it would mean excluding European subscribers from your database, and considering the sheer size and importance of such a market, it seems an unlikely option for many brands that are trying to engage on an international level.
In short, marketers who want to send emails to EU citizens have no choice but to review their current and future email processes.
Bettina Specht at Litmus.com has a few suggestions for how you can go about it:
- Set up separate signup processes for subscribers coming from different parts of the world. People coming from the EU would have to go through a GDPR-compliant sign-up process, while for prospects from the United States, for example, things remain the same. However, the costs and complexities of running two separate sets of lists present a significant drawback to this approach.
- Bring your entire database up to GDPR standards and adapt all of your opt-in processes to match the EU requirements, which might be the best approach. While changes to opt-in processes and re-permission campaigns will likely slow down list growth in the short term, they’ll help marketers to make sure that they only send email to subscribers who really want to hear from them and thus can improve list quality overall.
I guess one positive is that if your program complies with GDPR, then it is likely that you are compliant with other international email regulations as well… which is something… right?!
And what if you are not GDPR compliant? Well, it is worth noting that GDPR is a binding legal force, so penalties are high, with fines up to €20 million or 4% of a brand’s total global annual turnover (whichever is higher).