The end of email marketing?
Ready or not, GDPR will take effect on May 25th, 2018. There is much buzz in the email marketing world right now on just how nervous we should be—with some publications predicting the end of email marketing as we know it, and others nearly shrugging off the law because of a phrase called “legitimate interest.”
Neither reaction is probably appropriate. We’re here to say: don’t panic, but be prepared.
In fact, it’s best to be overly cautious when it comes to email permissions. We can think of a dozen reasons this is a good idea aside from GDPR, including better email engagement, a healthier marketing list, and increased deliverability, to name a few.
If anything, GDPR will force companies to reassess their email collection policies and build better trust with their subscribers, which is good for everyone. So here’s what you need to know.
GDPR + Email Marketing In A Nutshell
GDPR is a European Union privacy protection regulation that addresses how personal data is collected, used, and managed. This protects all EU citizens regardless of where the company is based. If you have subscribers on your list that live in the EU, GDPR affects your organization.
The two data collection and processing policies of GDPR that email marketers are talking most about are (1) Consent and (2) Legitimate Interest.
Getting Caught With Your Hand In The Cookie Jar
Let’s talk about Legitimate Interest first. Article 6 of GDPR outlines six possible reasons that constitute lawfulness of processing personal data. The sixth reason is as follows:
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Could adding someone to your promotional email marketing messages after that user makes a purchase from your web store be construed as legitimate interest? Possibly, but this is definitely a slippery slope. You can think of Legitimate Interest as the “being caught with your hand in the cookie jar” argument. Chances are, you’ll end up paying for that cookie—either with frustrated customers, or even worse, paying a fine.
Given that GDPR places an intense emphasis on consent, and reiterates that the burden of proof falls on the company for proving consent, we strongly recommend taking a consent-centered approach to list building.
Your Email Marketing & GDPR-Compliance Checklist
So how do you know if you’re compliant? While it’s important that you work with your legal team to determine what is necessary for your particular business, we’ve compiled a short checklist of common DOs and DON’Ts to assess your email acquisition practices.
- DO Be Clear: Data collection points should be clear about what data is being collected, and what that data will be used for.
- DON’T Pre-Check Boxes: Opt-in check boxes should not be pre-checked. Also, don’t forget to include check boxes at every point of email collection, even including Account Creation and Cart Checkout.
- DO Keep Records: Your email provider should record the opt-in date and opt-in source for emails collected. Ask your email provider how they plan on gathering and keeping this data on record; it’s possible they already have this system in place.
- DON’T Require Opt-In: Email opt-in should not be required in the terms & conditions for downloading content or entering sweepstakes. Users should be able to access the content freely, while also having the option to receive email marketing messages if they wish.
- DO Allow Unsubscribes: Email messages should contain an unsubscribe link embedded in every email footer. This is standard practice, but also don’t try to hide the unsubscribe link. This can lead subscribers to mark your email as spam, which is even worse for your sender reputation than an unsubscribe.
It’s important to note that the policies above apply to email addresses collected both before and after May 25th, 2018—which means if you have subscribers residing in the EU and any of those emails were collected in a manner not compliant with GDPR, you should seriously consider running a re-permission campaign. The re-permission campaign should establish GDPR-compliant consent; otherwise, that user should be unsubscribed.
It’s also important to periodically audit your organization’s email lists to ensure there is no non-compliant data. Shifts in personnel or launching new initiatives could allow the possibility of breach. This is why we also advocate for company-wide training on GDPR policy.
Do Your Homework & Get Ready
We recommend checking out additional sources that have been covering the GDPR. Litmus has published various articles that we love, including in-depth background on the law, steps to take to become GDPR compliant, and tips on running a re-permission campaign.
The more information you consume on GDPR, the better you will begin to understand the law through the lens of your business and what steps you need to take to be compliant.
The final decision should be a conversation between your organization and its legal team. Ultimately, despite any initial growing pains, erring on the side of caution will enable brands and customers to build better relationships.