The EU General Data Protection Regulation (GDPR) will be enforced starting on May 25 of this year. While this regulation is designed to protect the privacy and data of EU residents, it has implications for businesses across the globe.
Regardless of the size of the organization or business model, GDPR will impact any business that meets one or more of the following conditions:
- Is established in the EU
- Offers goods and/or services to EU residents
- Monitors the behavior of EU residents
- Collects, stores, and/or shares data of EU residents
As it relates to email marketing, this means that if your email list contains the email address of any EU resident, or allows any EU resident to make a purchase or opt in to your email program, your business will need to be in compliance.
Given the globalized nature of business, and the flexibility and reach of e-commerce, the majority of US-based businesses will need to evaluate their current policies and practices and determine whether updates are needed.
If you’re ambivalent about complying, consider the repercussions. After May 25, violations of GDPR regulations can result in massive fines. For severe violations, penalties are €20 million or four percent of the business’ global annual turnover.
While GDPR extends well beyond email, email marketers should take heed of how this regulation can impact their day-to-day work. Below are email-specific concerns that should be top of mind for email marketers at US-based companies as we approach the May 25 deadline.
If there is any chance that you have data from EU residents in your database or may collect data from an EU resident, you need to prepare for GDPR.
This regulation is focused on data privacy and consent, and while not specific to email, many brands will find that their email programs will be impacted. There are numerous quizzes and checklists available to determine risk and readiness, but you may want to consult a lawyer to confirm.
Securing Adequate Consent
The definition of consent is explicit and relatively strict under GDPR. Consent must be “freely given, specific, informed, and unambiguous.” In addition, GDPR imposes constraints on content standards, stating that "silence, pre-ticked boxes, or inactivity should not therefore constitute consent."
The standards of consent outlined in GDPR are aligned with best practices for a positive subscriber experience. Consumers should be able to easily understand what they are opting in to and do so willingly. I’ve spoken to this best practice time and time again in more blog posts than I can link to without things getting awkward. This is a foundational practice that is essential in building subscriber trust, improving engagement, and decreasing negative subscriber behavior.
Brands with acquisition methods designed to drive as many new subscribers into the program as possible may be at risk, especially if opt-in consent is tied to other actions or obtained by means of a pre-checked box. GDPR also has very strict requirements related to users under the age of 16 that extend well beyond COPPA law.
For the time being (until the ePrivacy Regulation is updated later this year), there is still some wiggle room regarding the opt-out rule and legitimate interest exceptions. While legally acceptable in some scenarios, securing freely given and unbundled, unambiguous consent is the safest and most subscriber-centric approach.
Data Collection, Usage, Transparency and Access
GDPR also includes requirements regarding the collection and use of personal data. It also gives residents control to see and revoke storage and usage rights of that data. As email marketers, we often sit atop a mountain of consumer data. Due to constraints imposed by GDPR, marketers will have to reevaluate what data they are collecting, storing, and using.
Should an EU resident ask for details on what data is collected and how it is used, brands must comply. In addition, brands must honor user-level requests to update, remove, or restrict usage of their personal data. As it relates to email marketing and restricting usage, EU residents can request that marketers stop leveraging personal data for profiling, targeting, and personalization.
It should also be noted that brands may not deny service to data subjects who do not consent to usage unless the service depends on data and data processing.
Making It Easy to Say Goodbye … Forever
Similar to CAN-SPAM, GDPR requires a simple, accessible opt-out method. Subscribers must also be able to unsubscribe from all communications. Essentially, unsubscribing must be as easy as subscribing.
Beyond being able to opt out of receiving communications, EU residents must be able to exercise their right to be forgotten, or know why they can’t. This is a marked change for many businesses, as it’s most common for information such as an email address to be stored on a suppression list rather than deleted when a subscriber wants to be removed from the database.
Additional Resources and a Note on GDPR Guidance
There are seemingly limitless resources available to further research GDPR and how it can impact your US-based business. If you are just starting to explore implications for your business, here are a few good posts to start with:
- GDPR: What Europe’s New Privacy Law Means for Email Marketers via Litmus
- Is Your General Data Protected? Ignore GDPR at Your Peril! (Part I)
- The Imminent Impact of GDPR — 12 Issues Marketers Cannot Ignore (Part II), via Target Marketing magazine
It’s imperative to note that GDPR regulations are complex and nuanced. While I do want to surface potential risks related to GDPR, I’m not a legal expert and nothing in this post constitutes legal advice.
This post is not a substitute for, should not be used in place of, and should not be considered, legal advice. If you suspect that your business or email program may be subject to GDPR or the penalties associated with it, contact your legal counsel. Better to be safe than sorry!
As a Senior Email Strategist with Return Path, Casey specializes in driving increased engagement and boosting deliverability. Casey has a healthy fixation with helping marketers realize the potential of their email programs by addressing human needs, building better relationships, and ultimately driving improved results for the business. Her nine years of experience and obsession with evolving the email space helped land her a spot on ExpertSender’s list of “25 Email Geeks to Help You Get Your Geek On.”