Is your Email Marketing GDPR Compliant?

Published: 01-Dec-2021
Last Updated: 25-Nov-2021

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the privacy and data regulation law for the European Union that was created to protect the "fundamental right" of personal data privacy for all EU citizens. The GDPR came into effect in May of 2018 and is touted by the EU as "the toughest privacy and security law in the world".

After the law was enacted it inspired countries like Brazil, Australia, Japan, and many others to create tougher personal data protection laws. In the United States, California raised the bar on US regulations when it created the California Consumer Privacy Act (CCPA). 

The GDPR states that any organization in the world which processes and holds the personal data of an EU citizen must comply with these new regulations. The "territorial scope" of this legislation makes the GDPR a concern for marketers all over the world. These regulations are designed to ensure that companies maintain high standards when it comes to protecting customers' data privacy, transparency, security, and rights.

Critics initially faulted the EU's Data Protection Authorities (DPAs) for a lack of enforcement action, but the DPAs have recently started to crack down on GDPR offenders.

What Does it Mean to be GDPR Compliant?


GDPR doesn't mean doom and gloom for email marketers. It doesn't mean the end of cold outreach or newsletters. It just means organizations need to build data privacy and protection into their marketing systems.

To have email marketing that is compliant with the GDPR, marketers must acquire explicit consent before sending regular marketing emails and must be able to provide proof of that consent in the event of a complaint. (Don't worry, sales team: we will talk about cold outreach later.)

This means opt-in forms must be designed to capture and store this explicit consent. Some organizations have moved to double opt-in forms. Double opt-in forms require the user to select that they want to subscribe and then confirm by email before any communications are sent. These signup forms are a great way to gather evidence of consent, but they make becoming an email subscriber a more difficult process. Double opt-in is not required for compliance.

Common tactics pre-GDPR like adding the email address of a customer to your list after purchase or using pre-checked boxes on opt-in forms are not a clear statement of consent. 

Another no-no under GDPR is adding an individual to your email list after receiving their business card. Receiving a business card isn't clear consent for mass communication. 

Opt-in forms meant to collect email addresses should be accompanied by an easy-to-access privacy policy. The privacy policy should detail how your organization collects, stores, uses, and transfers personal data. 

In the example below, Activision's marketing department has included their privacy policy and an option to unsubscribe in their email footer. 

[Screenshot: Activision email footer with privacy policy link and unsubscribe option]

Additionally, organizations must make it fast and easy for email subscribers to unsubscribe, and they must promptly delete the unsubscriber's stored personal data (name, email address, etc.).
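The consent flow described above (an explicitly ticked box, a double opt-in confirmation before any marketing goes out, a retrievable proof of consent, and prompt deletion on unsubscribe) is small enough to show in code. This is an added illustration, not code from the original post; the `SubscriberStore` class, its in-memory dictionary and the form label `"newsletter-form"` are hypothetical stand-ins for a real consent database.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def _hash(token: str) -> str:
    # Only the hash is stored, so a leaked table cannot be used to forge confirmations
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class ConsentRecord:
    email: str
    source: str                        # which form captured the consent (constructed label)
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    token_hash: Optional[str] = None   # pending confirmation token, cleared once used

class SubscriberStore:                 # hypothetical in-memory stand-in for the consent database
    def __init__(self):
        self._records = {}
    def request_subscription(self, email: str, source: str, checkbox_ticked: bool) -> str:
        # A pre-checked box is not explicit consent: the user must have ticked it themselves
        if not checkbox_ticked:
            raise ValueError("consent checkbox was not actively ticked")
        token = secrets.token_urlsafe(32)
        self._records[email.lower()] = ConsentRecord(
            email.lower(), source, datetime.now(timezone.utc), None, _hash(token))
        return token  # goes into the confirmation email link; no marketing is sent yet
    def confirm(self, email: str, token: str) -> bool:
        rec = self._records.get(email.lower())
        if rec is None or rec.token_hash is None:
            return False
        if not secrets.compare_digest(rec.token_hash, _hash(token)):
            return False
        rec.confirmed_at, rec.token_hash = datetime.now(timezone.utc), None  # single use
        return True
    def proof_of_consent(self, email: str) -> Optional[dict]:
        # What you hand over if a complaint asks when and where consent was given
        rec = self._records.get(email.lower())
        if rec is None or rec.confirmed_at is None:
            return None
        return {"email": rec.email, "source": rec.source,
                "requested_at": rec.requested_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat()}
    def may_send_marketing(self, email: str) -> bool:
        return self.proof_of_consent(email) is not None
    def unsubscribe(self, email: str) -> bool:
        # Honour the request immediately and erase the stored personal data
        return self._records.pop(email.lower(), None) is not None
```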

Cold Email in the Age of GDPR

Can you still reach out to leads who have not provided you with their contact information or given you permission to contact them? 

Yes! GDPR did NOT outlaw cold outreach. B2B marketers can still reach out to leads without previous consent. But that doesn't mean your cold email strategy and processes don't need to be adjusted for compliance. Make sure your sales team is being selective when reaching out to prospects, giving prospects an option to opt-out, and honoring those requests & deleting their data. 

In summary, a GDPR compliant business:

- Collects data in a way that is "lawful, fair, and transparent" to the individual whose data is being collected

- Collects data for a specified purpose

- Only collects data that is necessary for the purpose specified

- Only holds data for the length of time it takes to complete the specified purpose

- Processes data using encryption

- Can show data controllers that they are compliant

How to Make your Current List GDPR Compliant

Obviously, email lists existed before GDPR, and organizations that operate exclusively in the US are still building email lists based on US standards. But what if you're looking to turn your list into a GDPR compliant one? Do you have to delete your list of email addresses and start over? 

No! We suggest creating a "re-permission" campaign. 

Establishing Consent with a Re-Permission Campaign

Creating a re-permission campaign may seem weird at first and it will probably scare you. You are not going to retain 100% of your email list. There's going to be a percentage that isn't going to provide you with consent to continue contacting them (even some customers who want to hear from you won't). But this is the first step to converting your old list to a list with records of consent. 

We like to think of a re-permission campaign as a re-engagement campaign. It is another opportunity to create the highest quality and most engaged list possible. The individuals who take the time to provide you with a consent record are committed to receiving communications from your organization. Those who don't choose to opt back in were probably damaging the quality of your email list. 

That being said the potential business impact of losing a large percentage of your list is not to be underestimated. So the time and energy that your team would put into a product launch should also be applied to this project. 

A one-off email that asks if subscribers are still interested in receiving emails is simply not going to cut it.  We suggest a multi-email campaign over a time period of a few weeks. 

This campaign gives your organization the opportunity to reestablish your:

- Brand's value proposition

- The value of being a subscriber

- Active consent to contact 

General Data Protection Regulation Enforcement and Penalties


Violating GDPR regulations is a big deal, and after a slow start the EU's Data Protection Authorities (DPAs) are cracking down on violators. According to a study by DLA Piper, regulators in the EU imposed nearly $188 million in fines in 2020. The GDPR gives the EU's DPAs the authority to issue fines of up to $24.1 million or 4% of annual revenue, whichever is higher.

High-profile cases of GDPR compliance violations include Google (fined $56.6 million), British Airways (fined $26 million), and Marriott (fined $23.8 million).

With enforcement on the rise, it's even more important to shine a light on your organization's data security processes and systems. 

Wrap Up

GDPR is one of the many pieces of data privacy legislation used to protect citizens around the world. Unless you're a lawyer focusing on the ins and outs of the GDPR, it's nearly impossible to be an expert.

But as marketers who hold personally identifiable information (also known as PII), it's important that we do our best to understand and comply with data privacy legislation. 

Our customers' information deserves to be treated with care. And they deserve to fully understand how their information is being used. 

At the end of the day, global consumers are pushing for a higher standard of data privacy. And they are right to do so!


Copyright © 2012-2023 · Carbon Digital · All Rights Reserved.
