Your GDPR Emails May Be Illegal and Customers Aren’t Opening Them, Anyway

Brands are sending customers GDPR emails asking them to opt in to share their personal data with companies in light of the new E.U. data privacy rule. But General Data Protection Regulation explicitly states that customers need to have opted in for marketers to use their data in the first place — so if marketers didn’t have that permission, those GDPR emails are violating the law.

Despite this synopsis from the Guardian, CNBC reveals a blessing in disguise — customers aren’t opening the GDPR emails.

So basically, if marketers already had first-party consent from customers to market to them, there’s no need to send those emails. But if they have, they’re probably not going to get reported for violating GDPR, because customers aren’t even opening them. Customers who’ve already provided consent may use those emails as chances to opt out of marketing, too.

CNBC reported on Friday that marketers do need to get non-customers who are on their email lists and did provide consent for marketing to allow it again, so that’s the segment they need to target — yet it’s not going well. The CNBC article states:

“Internal research from Huge found about 38% of Americans are ignoring these emails, and 23% have actually used them as an opportunity to unsubscribe. Email marketing firm PostUp has even grimmer stats, estimating that only 25% to 30% of recipients globally, and only 15% to 20% in the U.S., are opening the emails at all.”

CNBC says some brands aren’t even segmenting their lists when sending out the GDPR emails, resulting in losses of U.S. customers instead of just the email addresses the law covers — those of E.U. citizens.

And, as the Guardian article explains on May 21, even the E.U. citizens may not need those GDPR emails. The article quotes Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood:

“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: Which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.

“Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”

In other words, if the business had consent to communicate with you before GDPR, that consent probably carries over, and even if it doesn’t carry over, there are five other reasons a company can cite for continuing to process data.

What do you think, marketers?

Please respond in the comments section below.