GDPR and Email Marketing

Today we briefly look at GDPR and email marketing. GDPR is the General Data Protection Regulation. This replaced the Data Protection Act 1998 and took 4 years to draft, coming into force on 25 May 2018. The regulation protects all EU citizens and applies to organisations within the EU as well as those outside the EU that engage with EU citizens. You can download the GDPR document on the EU’s website.

Email Marketing

Whilst you might think that GDPR only protects consumers and bashes business – that is not the case. Its primary aim is protection of the data rights of EU citizens, but it also helps organisations clarify data handling behaviour including marketing preferences and permissions to remain compliant.

It is an opportunity for organisations to assess their data management practices and spring-clean their email databases to rid themselves of unresponsive/non-compliant contacts.

Principles and Rights

GDPR has 6 Principles that must be adhered to. They govern how data is collected, retained, stored, processed and destroyed. The data subjects have a clear set of rights under GDPR including data portability, rectification of errors, erasure of data, fairness in profiling, access to their data, restriction and objection to processing and information privacy.

Failure to adhere to GDPR has serious consequences – there are harsh penalties for non-compliance including fines of 4% of global turnover (revenue based on the previous financial year) or €20 million – whichever is greater.

GDPR and email marketing are closely linked because a consumer’s email address is classed as personal data (like their name and postal address). Broadcast of a marketing communication involves the processing of personal data. GDPR requires an explicit opt-in from the customer/prospect – pre-checked opt-in boxes are not legitimate consent anymore.

We should clarify here that we are only talking about marketing communications – the regulation does not require this explicit opt-in for receipt of emails that form part of the fulfilment of your product/service (such as a purchase receipt).

Seeking Permission Again

Prior to May 2018 we all received emails from organisations that were clarifying our continued interest in their marketing communications. We were asked to confirm our consent and provide that business with GDPR compliant proof of our opt-in.

Carrying out a re-permission campaign was a daunting prospect given the aggregate volume of data you had. You were relying on consumers to question whether your emails were useful or irritating and to pass judgement by positively agreeing to continue. Failure to provide this re-permission would see them purged from the database as you did not have the right to retain that contact (for marketing purposes at least).

Whilst the overall volume of email addresses on your database might fall significantly – you must question the quality of those non-responsive leads in terms of ROI. What percentage of your database never open marketing communication broadcasts? How many opened but never clicked on any links in your emails? How many opened and clicked but never responded to the call-to-action?

It costs money to host and store your database, to send marketing communications to those contacts and to pay somebody to administer and manage the database. By requiring re-permission, you had an opportunity to cleanse your database of non-responsive prospects and cold leads. This in turn would improve your database performance and deliver better ROI in future campaigns. Those customers and prospects that had provided re-permission had made a conscious decision to do that and were reminded of your brand and purpose.

Clear and Unambiguous Opt-In

Prospect and subscriber acquisition also changes under GDPR: for new subscribers, the opt-in they agree to needs to clearly explain what they are signing up for. You should retain the opt-in wording along with the permission and its date for future audit purposes and data subject requests.

You must also provide the opt-in in isolation from any other requirement. It is no longer permissible to force an opt-in before a user can receive something such as a download of a white paper document.

To find out more about the UK guidelines for GDPR and email marketing, the Information Commissioner's Office (ICO) has authored a useful GDPR consent guidance document that you can download here.

One last thing to remember is to update the wording of your privacy policy to reflect changes in how you will adhere to GDPR and email marketing in the future. This includes how subscribers can stop your communications.