Even with the popularity of mobile messengers and chat apps, email continues to be a crucial part of our daily online activities. In 2022, the number of global e-mail users amounted to 4.26 billion and is set to grow to 4.73 billion users in 2026.
We are all a part of that communication, and we receive daily emails for services or products, offers, and sales from different companies. However, how many of those are sent in a GDPR-compliant way?
Statistics show that 73% of EU citizens aged 16-74 are sending and receiving emails! Those are some significant numbers considering that the EU has the world’s third-largest population after China and India.
We are trying to make the point that the EU market should not be disregarded, and processing EU citizens’ data makes you obligated to comply with the GDPR.
What happened after the GDPR?
Switching to GDPR-compliant email campaigns caused many companies to lose a lot of their contact database, but whether those databases were any good, to begin with, is an entirely different story.
For some, it is company profits before GDPR compliance. For others, those two terms are intertwined. Many companies that have put emphasis on PRIVACY are thriving.
You can find out more about how much companies are investing in privacy, and what the outcomes and ROI of those investments are, in our blog post: Why companies are investing in GDPR compliance
Six steps to GDPR-compliant email marketing
GDPR-compliant marketing means respecting the privacy of your contacts and their GDPR rights.
Not contacting people who have opted-out from your marketing communications, deleting contacts when there is no reason to keep their records, not having pre-ticked consent boxes, and having a record of consent for each and every purpose.
GDPR marketing should be transparent, trustworthy, and straightforward when communicating what you do with personal data.
1️⃣ FIND A PROPER LEGAL BASIS FOR PROCESSING
You can process personal data under one of only six legal bases. In marketing, you will most probably rely on two lawful bases – consent and legitimate interest.
Consent should be a freely given, specific, informed, and unambiguous indication of an individual’s wishes by which he or she, by a statement or by clear affirmative action, gives agreement to the processing of personal data.
This means you have presented the individual with a genuine choice and the ability to withdraw consent at any time.
If you need to notify your existing customers about new features of the product, new policies being applied, and updates that they could benefit from, you can rely on legitimate interest.
Also, if you offer downloadables on your website, you can use legitimate interest as your lawful basis. It is implied that the data subject gave you his/her email address so you can send them the content.
However, you can’t use that personal information in your marketing campaigns later.
2️⃣ BE TRANSPARENT ABOUT DATA PROCESSING
Make sure you explain who collects data, which data is collected and for what purposes, how you will process that data, and if any third parties are involved.
In the research “State of Connected Customer” by Salesforce, 86% of surveyed individuals said that explaining how a company is using their information to give them a better customer experience makes them more likely to trust that company with their personal information.
3️⃣ MAKE UNSUBSCRIBE EASY
Remember, you have to enable your contacts to opt-out (unsubscribe) as easily as they opted-in (subscribed). Ideally, it is done through the self-service interface, which creates unique hashed links for each data subject, and allows your contacts to manage their requests and communicate their preferences in a GDPR-compliant way.
4️⃣ KEEP YOUR CONSENT BOXES UNTICKED
Pre-ticked consent forms are a big NO! All marketing platforms now have an easy way for you to set it up. Silence, pre-ticked boxes, or inactivity are not considered consent.
GDPR opt-in example:
5️⃣ ASK FOR AS LITTLE DATA AS POSSIBLE
This is the data minimization principle, which dictates that you limit the personal data you collect, store, or use to what is absolutely necessary for you to provide the service or fulfill a specific purpose.
For example, if you have a newsletter subscription form on your website, it would be compliant if you only ask for an e-mail and possibly a name (if you have personalized email campaigns).
You don’t need to know anything else about the contact to send an email.
Make the email address a required field, while the name can be given optionally.
6️⃣ SEPARATE YOUR CONSENT
The most common marketing practice before the GDPR was to combine all consents together, along with privacy terms and conditions.
For example, the consent text would be: “By clicking the submit button below, you agree to receive marketing communication and personalized ads, and you agree to our terms and services.”
The GDPR-compliant version would let the contact choose which one of those consents he/she is willing to give.
If your website offers downloadable content like e-books, templates, or whitepapers, you cannot make the download conditional on the contact giving consent to marketing communication.
If the contact did not opt in for marketing communication, he/she would still receive the download, but that is it.
Operationalization of GDPR in Email Marketing
It is not just about collecting data in a GDPR-compliant way. You have to manage consent as well. This means keeping track of contact preferences, opt-ins, and opt-outs.
Remember, when a contact unsubscribes, every email you send after that point means a violation of the GDPR.
Unfortunately, when a contact unsubscribes, that information can stay “locked” in one system, meaning Marketing keeps using a list that is not automatically updated across the multiple marketing layers. So even if you have collected valid consents, you also have to verify that your lists are still compliant and keep a register of those consents.
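To make the mechanics of step 3 (unique, unguessable unsubscribe links per contact), step 6 (one consent per purpose) and the consent management described in this section concrete, here is an added example in Python. It is not code from the original post or from any marketing platform; the server secret, the two purposes and the contact addresses are constructed for illustration. The unsubscribe link carries an HMAC over the contact and purpose rather than a bare hash of the email address, so a link cannot be forged for someone else from a known address, and the ledger records every opt-in and opt-out per purpose so that "may I send this?" and "show me the record of consent" are both answered from the same source of truth.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical server-side secret (constructed); in production load it from a
# secret store and rotate it, never keep it in source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Purposes are consented to separately (step 6): one record per contact AND purpose.
PURPOSES = ("newsletter", "personalized_ads")


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool  # True = opt-in, False = opt-out / withdrawal
    source: str    # where the signal came from: signup form, unsubscribe link, ...
    timestamp: float = field(default_factory=time.time)


class ConsentLedger:
    """Append-only register of opt-ins and opt-outs, kept per contact and per purpose."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def record(self, contact: str, purpose: str, granted: bool, source: str) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._events.setdefault(contact, []).append(ConsentEvent(purpose, granted, source))

    def may_send(self, contact: str, purpose: str) -> bool:
        """Only the most recent event for this purpose counts; no event means no consent."""
        latest = None
        for ev in self._events.get(contact, []):
            if ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def audit_record(self, contact: str) -> str:
        """The per-purpose consent history you must be able to produce for a contact."""
        return json.dumps([vars(ev) for ev in self._events.get(contact, [])], sort_keys=True)


def _mac(contact: str, purpose: str) -> str:
    # Keyed HMAC, not a plain hash: without SERVER_SECRET nobody can mint a valid link.
    msg = json.dumps([contact, purpose]).encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_unsubscribe_token(contact: str, purpose: str) -> str:
    """Token to embed in the unsubscribe link: contact and purpose, authenticated by an HMAC."""
    body = base64.urlsafe_b64encode(json.dumps([contact, purpose]).encode()).decode().rstrip("=")
    return f"{body}.{_mac(contact, purpose)}"


def parse_unsubscribe_token(token: str) -> Optional[Tuple[str, str]]:
    """Return (contact, purpose) if the token is intact, None if malformed or tampered with."""
    try:
        body, mac = token.split(".", 1)
        padded = body + "=" * (-len(body) % 4)
        contact, purpose = json.loads(base64.urlsafe_b64decode(padded).decode())
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison so response timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(mac, _mac(contact, purpose)):
        return None
    return contact, purpose


def handle_unsubscribe(ledger: ConsentLedger, token: str) -> bool:
    """What the self-service endpoint does when a contact clicks the link in an email."""
    parsed = parse_unsubscribe_token(token)
    if parsed is None or parsed[1] not in PURPOSES:
        return False
    contact, purpose = parsed
    ledger.record(contact, purpose, granted=False, source="unsubscribe_link")
    return True


def demo() -> ConsentLedger:
    ledger = ConsentLedger()
    # Constructed signup: the contact ticked only the newsletter box, not personalized ads.
    ledger.record("alice@example.com", "newsletter", granted=True, source="signup_form")
    # Later, Alice clicks the newsletter unsubscribe link from one of the emails she received.
    handle_unsubscribe(ledger, make_unsubscribe_token("alice@example.com", "newsletter"))
    return ledger


if __name__ == "__main__":
    led = demo()
    print("may send newsletter:", led.may_send("alice@example.com", "newsletter"))
    print(led.audit_record("alice@example.com"))
```

Every sending job should call `may_send` for the exact purpose of that campaign right before dispatch, against this ledger rather than against a list exported to the mailing tool earlier; that is what prevents the "locked" opt-out problem described above, because the withdrawal and the send decision live in the same place.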