Email marketing has long been recognized as one of the most useful techniques out there, and it’s certainly one of the most cost-effective options for small businesses.
But what does GDPR mean for email marketing? Quite a lot, actually.
However, adapting to new regulation is nothing new, and this article will explain the steps you need to take to adapt your email strategy to this new environment.
What does GDPR mean for Email Marketing?
While not explicitly mentioned in the 261 pages of text, email is one of the marketing strategies most impacted by GDPR.
What’s more, this law affects pretty much every company in the world - if your email list of subscribers includes even one person who lives in the EU, then you need to comply with GDPR, or face heavy fines.
And, if you can’t be certain whether any of your website visitors or email subscribers are from the EU, it's best to play it safe and comply with GDPR guidelines just in case.
How to Make your Email Campaigns GDPR Compliant?
Let’s run through the steps you need to take to ensure that your email marketing meets GDPR requirements.
1. Create a GDPR Compliance Checklist
This is a great place to start, as it will be a useful foundation from which to build GDPR compliance across your email marketing strategy. The key elements of this are:
- Email data collection
- Email data processing
- Email consent
- Email cookies
- Email & third parties
- Email opt-out
If you need further inspiration, feel free to download our own checklist.
2. Ensure that your Email Platform is GDPR-Ready
Email services have also had to adapt to GDPR, and many of them have introduced GDPR compliance guides to help their clients.
And if your provider offers no such guide, it is advisable to switch to a service provider that does.
3. Separate the consent form from your terms and conditions
In practice, most people don’t read the terms and conditions before they sign up. This is understandable, but for companies it goes against the GDPR requirement that consent must be “clearly distinguishable from other matters”.
Given this, you must make the consent form stand out with its own checkbox and separate it from the terms and conditions.
4. Get consent from subscribers
Consent is the keystone of GDPR compliance, and must be “freely given, specific, informed and unambiguous”.
In practice, this means that companies can no longer send emails without informed and explicit user consent. This is often referred to as a “hard opt-in”, whereby consent is freely given, and no options come pre-ticked.
Importantly, users cannot be penalized in any way for refusing permission for anything.
When presented with a consent form, your customers need to know exactly what they are going to receive – be it promotions, monthly newsletters, or re-engagement emails – and be able to cherry-pick exactly which ones they want to see in their inboxes.
The best way to achieve this is with a “double opt-in”; this means that you start by requiring a user to tick a consent checkbox in the sign-up form, and they then must click a link in a follow-up email to verify their intention.
And if you’re new to the GDPR compliance game, you could well have people on your email lists who were added without their permission. If this is the case, you’ll want to send them all an email that asks for their consent.
5. Document all Consent from Subscribers
Remember to keep a record proving that consent was given freely for when data privacy authorities come knocking. In practice, this means keeping a clear audit trail from the moment the user gives their consent up to the point where you send them an email.
6. Add an Unsubscribe Option to Every Email
Under GDPR, consumers have the right to withdraw consent at any time. With email marketing, this is as simple as adding an unsubscribe link at the bottom of each email.
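As an added example (not code from the original article), the following Python sketch ties steps 4 to 6 together: a double opt-in with a signed verification link, an append-only consent log that records the sign-up source and the privacy-notice version, and a send-time check that honours withdrawals. All names, the 48-hour link expiry and the sample data are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment keeps this in a secret store.
SECRET = secrets.token_bytes(32)
LINK_TTL = 48 * 3600  # assumed validity window for the verification link, in seconds


def _sign(email: str, nonce: str) -> str:
    """Token embedded in the verification link; only the server can mint it."""
    return hmac.new(SECRET, f"{email}:{nonce}".encode(), hashlib.sha256).hexdigest()


class ConsentLedger:
    """Append-only record of consent events: the audit trail from sign-up to send."""

    def __init__(self):
        self.events = []   # every request/confirmation/withdrawal, never overwritten
        self.pending = {}  # email -> sign-up details awaiting the double opt-in click

    def request(self, email, topics, source, policy_version, now):
        # Step 1 of double opt-in: the (unticked-by-default) checkbox was ticked.
        nonce = secrets.token_urlsafe(16)
        self.pending[email] = (nonce, list(topics), source, policy_version, now + LINK_TTL)
        self.events.append({"email": email, "action": "requested", "topics": list(topics),
                            "source": source, "policy_version": policy_version, "ts": now})
        return _sign(email, nonce)  # goes into the link of the follow-up email

    def confirm(self, email, token, now):
        # Step 2: the link was clicked; reject unknown, expired or forged tokens.
        entry = self.pending.get(email)
        if entry is None:
            return False
        nonce, topics, source, policy_version, expiry = entry
        if now > expiry or not hmac.compare_digest(token, _sign(email, nonce)):
            return False
        del self.pending[email]  # a token can be used only once
        self.events.append({"email": email, "action": "confirmed", "topics": topics,
                            "source": source, "policy_version": policy_version, "ts": now})
        return True

    def withdraw(self, email, topic, now):
        # Unsubscribe link clicked: record the withdrawal rather than deleting history.
        self.events.append({"email": email, "action": "withdrawn", "topics": [topic], "ts": now})

    def may_send(self, email, topic):
        # Replay the trail: the most recent confirmed grant for the topic must stand.
        allowed = False
        for e in self.events:
            if e["email"] == email and topic in e["topics"]:
                allowed = e["action"] == "confirmed"
        return allowed
```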
7. Review your Data Retention Practices
GDPR rules stress minimization when it comes to personal data, meaning that you must have a legitimate reason for storing any information, and must delete it as soon as it’s no longer needed.
With email campaigns, their consent means that you have a legitimate reason to store subscriber email addresses, but no justification for holding on to bank details after they’ve made a purchase for example (unless they’ve signed up to a paid monthly subscription).
It would also be wise to introduce an email retention policy or assess your existing one to ensure that you are not retaining excessive amounts of personal data that would put you at risk in the event of a data breach.
8. Secure any Personal Data Properly
GDPR insists that personal data is stored as safely as possible, and for email the sensible way to meet this is to use encryption.
While GDPR does not mandate encryption, the text refers to it repeatedly as an appropriate measure for mitigating security risks.
In practice, this means you must either encrypt any email that contains personal data or use a messaging system whose servers and links are secured so that personal data stays private in transit and at rest.
9. Update your Privacy Notice for GDPR
Under GDPR, transparency should be integrated into all your marketing channels and email marketing is no different – people now have a right to know what is happening to their personal data.
Given this, you must outline your use of email marketing within your privacy notice. It must be given its own dedicated section, and include the following information (ideally each in its own section):
- What rights users have about their data
- How your company handles user data requests
- How your company protects user data
- What personal data is processed
- How personal data is collected
- What purpose your company has for processing data (newsletters, market analysis etc.)
- Cookies and automatic data collection methods
- Information on opting-out and unsubscribing
- Information on email marketing campaigns
- All third-party involvement
Happy Regulators Make for Happy Customers
When GDPR arrived, many marketers thought it would be the death of email campaigns.
This hasn’t come to pass, but email lists have certainly gotten shorter.
However, this is no bad thing since it means you are only left with loyal subscribers that are most likely to buy your products or services again.
GDPR compliance also aligns nicely with general concerns over data privacy and meeting these requirements is a sure way to build trust with your audience.