How to Make Your Email Marketing Campaigns GDPR Compliant
Email continues to be one of the most popular and effective tools for reaching both current and potential future customers. It is the preferred channel for 86% of professionals when communicating for business purposes. The success of email marketing is even greater in the B2B space than in B2C, with B2B campaigns receiving a 47% higher click-through rate (CTR). The European Union’s (EU) impending adoption of GDPR regulations could affect your business’ ability to use email marketing, even if you operate outside the EU. Learn what GDPR is and how you need to alter your email marketing tactics to comply with the new regulations.
What Is GDPR
The General Data Protection Regulation (GDPR), set to take effect on May 25th, 2018, creates stricter guidelines on the usage of customer data. It regulates how EU citizens’ private data is stored and used by businesses operating in the EU. The goal of GDPR is to improve the data rights of EU citizens by regulating what companies must do to protect those rights.
Who Does It Affect?
The effects of GDPR are far reaching. Any organization that offers “goods or services to, or monitor[s] the behaviour of, EU data subjects” falls under the umbrella of GDPR. Furthermore, “It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” This means you can be located outside the EU, not directly conduct business in the EU, and still fall under the governance of GDPR.
Businesses far and wide will feel the impact of GDPR. With only a few weeks remaining until compliance is mandatory, it is vital to ensure your business’ marketing activities adhere to all regulations. Follow this checklist to guarantee your marketing activities are GDPR compliant.
Making Your Email Campaigns GDPR Compliant
Positive Opt-In Data Capture
One of the major impacts of GDPR on marketers is the method in which they can collect opt-ins from prospects. For consent to be valid under the new regulations, a user must actively confirm they are allowing the organization to store and process their data. Pre-ticked checkboxes, known as a soft opt-in, are not allowed under GDPR.
No longer allowing soft opt-ins could drastically reduce your email list growth rate. Individuals tend to accept a ticked box as the default when filling out a form, so removing the ability to pre-tick the boxes will result in fewer sign-ups. Marketers must get creative to combat this change. The ability to write engaging copy that compels a prospect to opt in to additional communications is now an even more useful tool in the marketer’s utility belt.
To ensure GDPR compliance, a double opt-in is strongly recommended. A double opt-in, much as its name suggests, requires a prospect to consent twice to an organization requesting their information. For example, a user may submit their email address to sign up for a newsletter. A link is then sent to their inbox, which they must click to confirm their subscription, thus consenting a second time to the storage of their data. Although double opt-ins are not mandatory under GDPR, they are an effective strategy to safeguard against non-compliance.
Freely Given Consent
If a user submits their information to download a whitepaper, e-book, or other resource, they cannot be automatically enrolled in additional marketing communications. The receipt of your asset also cannot hinge on them consenting to receive further contact from your organization. By consenting to the use of their data for one purpose, a user does not grant a company an all access pass to process their data. Consent to store data for one reason cannot also be bundled with another. A user needs to opt-in separately to communications through various channels.
Explanation Of Use
A prospect has the right to know:
- The identity of the organization requesting their information
- What will happen with their data should they opt in
- How that data will be stored
- Why the data is required and how long the company will keep it
This information should be available prior to the opt-in and should detail exactly what the user is signing up for and how their data will be used. Requiring companies to share why they need the requested data will discourage them from asking for more information than necessary. It creates increased transparency between the customer and the company that is storing and processing their data. This requirement leads to a better-informed buyer and protects their data from misuse.
Separate Consent From Terms and Conditions
The explanation of use cannot be buried deep within the confines of the terms and conditions, but rather must be made accessible for anyone whose data you’re requesting. Additionally, consent itself cannot be hidden in the terms and conditions. As previously mentioned, active consent is required under GDPR. It must be made clear to a user what they are signing up for.
The Right to Be Forgotten
A subscriber has the right to be forgotten by your organization. This is stronger than a mere opt-out: they are requesting absolutely no further marketing communications from your business, in perpetuity. Additionally, the company must erase all data it holds on that individual. Withdrawing consent should be as easy as giving it. American regulations already stipulate that marketing emails must include an option to unsubscribe, so if your company is already compliant with American email laws, you may not have to change much in this area to comply with GDPR. Significant change to your system may be necessary, however, if your scrubbing process is not compliant. Once a user requests to be forgotten, their data must be erased from every location in your system.
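An added Python example of the scrubbing step described above (not code from the original article). It assumes constructed in-memory stores for the places an address typically ends up: the subscriber table, the consent log, unconfirmed sign-ups and the send history. `forget` removes every record tied to the address from all of them and reports what it removed per store, and `residual_references` is the check a practitioner would run afterwards to confirm nothing was missed.

```python
import copy

# Constructed sample data: one address that has asked to be forgotten ("a@example.test")
# and one unrelated subscriber who must be left untouched.
STORES: dict[str, object] = {
    "subscribers": {
        "a@example.test": {"purposes": {"newsletter"}, "confirmed_at": 1000.0},
        "b@example.test": {"purposes": {"newsletter"}, "confirmed_at": 1200.0},
    },
    "consent_log": [
        {"email": "a@example.test", "event": "signup_started", "at": 990.0},
        {"email": "a@example.test", "event": "confirmed", "at": 1000.0},
        {"email": "b@example.test", "event": "confirmed", "at": 1200.0},
    ],
    "pending_confirmations": {
        "constructed-token-1": {"email": "a@example.test", "purposes": {"partner_offers"}},
    },
    "send_history": [
        {"email": "a@example.test", "campaign": "spring"},
        {"email": "b@example.test", "campaign": "spring"},
    ],
}


def _matches(key, value, email: str) -> bool:
    """A record refers to the address if it is keyed by it or carries it in an 'email' field."""
    return key == email or (isinstance(value, dict) and value.get("email") == email)


def forget(email: str, stores: dict) -> dict[str, int]:
    """Erase every record tied to `email` from every store. Returns removals per store.

    Dict stores are keyed either by address (subscribers) or by an opaque key whose
    value names the address (pending tokens); list stores hold one record per row.
    """
    removed: dict[str, int] = {}
    for name, store in stores.items():
        if isinstance(store, dict):
            doomed = [k for k, v in store.items() if _matches(k, v, email)]
            for k in doomed:
                del store[k]
            removed[name] = len(doomed)
        elif isinstance(store, list):
            before = len(store)
            store[:] = [row for row in store if not _matches(None, row, email)]
            removed[name] = before - len(store)
        else:
            raise TypeError(f"unsupported store type for {name!r}")
    return removed


def residual_references(email: str, stores: dict) -> list[str]:
    """Post-erasure audit: names of stores that still mention the address anywhere."""
    return [name for name, store in stores.items() if email in repr(store)]


if __name__ == "__main__":
    working = copy.deepcopy(STORES)
    print(forget("a@example.test", working))
    print("still referenced in:", residual_references("a@example.test", working))
```

The audit is intentionally blunt (a substring search over each store's repr) because the point is to catch the copy nobody remembered, such as a stale pending token or an export file, rather than to be efficient; in a real system the same check would be run against every backing store and backup the address could have reached.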
Ignore these steps at your own peril. The punishment for breaking GDPR rules can be up to 4% of your global revenue or €20 million ($23.9 million USD), whichever is larger. The key portion of this fine is “whichever is larger,” meaning any company that records more than €500 million in annual revenue will pay more than a €20 million fee. For a company whose annual revenue is significantly lower than that, receiving the €20 million fine could be a death sentence.
With GDPR coming into effect later this month, it is imperative that companies get up to speed on compliance. To better understand how GDPR will affect you and your business, it is recommended to consult an attorney. The regulations are intended to protect the data rights of EU citizens and will likely make a marketer’s job a little trickier. Businesses may see slower growth in their mailing lists, but a potential reduction in new prospects is nothing compared to the cost of non-compliance.