It is just over four months until the EU introduces the General Data Protection Regulation (GDPR), and while this legislation will affect all sectors and countless businesses, the aspect that interests me is how it affects email marketing.
GDPR brings in new rules and regulations governing how businesses manage, hold, process and control people’s data across Europe. This means businesses outwith the EU who have customers within it will also need to comply – including the UK post-Brexit.
There are six bases for processing data according to GDPR: legal obligation, public task, vital interest, contract, legitimate interest, and consent.
Legitimate interest and consent are the two bases most relevant to email marketing. Legitimate interest is still a grey area, with GDPR guidelines yet to outline what exactly qualifies. So, for the time being, consent is where companies who use email marketing need to be pointing their attention.
From May 25th 2018, companies must be able to demonstrate that all customers within their existing databases have consented to their information being there and that they clearly understand what they have signed up to.
According to the guidelines consent must be:
● Positive – there cannot be a pre-ticked box, customers must actively sign themselves up
● Explicit – there must be a clear and specific statement of consent – what are they actually consenting to?
● Granular – you cannot bundle marketing as a whole in one statement; for example, if the statement refers to email, companies cannot then text customers – the statement must be specific
● Easily withdrawn – it must be easy for customers to unsubscribe
● Proven – guidelines state companies must be able to provide evidence of customers giving consent and specifically what they have consented to
If you are wondering how you’re going to be able to demonstrate that every single customer in your existing database has consented then the easiest way is to get your customers to re-consent.
Depending on the size of the database, some companies may want to do this manually – sending out an email to everyone, and manually inputting data from those who respond with their consent into a new list or group. For companies with upwards of a few hundred customers, manually inputting data will be very time-consuming and for some just not an option. However, some forward-thinking souls have already come up with solutions, such as ReConsent and PORT. Both seek to send information to customers about consent and why it is important that they fully understand what they are consenting to. Both then organise data lists accordingly with those who have consented and those who have unsubscribed.
The need for customers to re-consent may also be a blessing in disguise, as you’ll clear your databases of those who don’t open your emails. If emails coming from your address have a high un-open rate, the algorithms used by the likes of Google and Yahoo can categorise them as spam. It’s also better to have a list of 10 people with a 90% open rate, than a list of 1000 and an open rate of 0.9%.
While you can get your existing database to re-consent, it is important to ensure any data captured from now on meets GDPR guidelines. With contact forms one of the most popular ways to capture data, ensure your forms clearly outline what customers are signing up to. Take a step back and see whether your forms meet the GDPR guidelines about consent – is it a positive action, does it explicitly explain what customers are consenting to, is it specific enough? And then it is vital that customers can easily unsubscribe. Being able to prove that customers have given consent can also be easy, with the likes of the double opt-in feature. This takes those who have clicked the box to sign up to another webpage, and asks them to confirm via a link sent to their email address. While double opt-in is not a requirement of GDPR, it is good practice and allows companies to easily show proof of consent.
While GDPR sounds scary, from an email marketing perspective it can be very easy to comply. By simply ensuring that by May 25th 2018 you can provide evidence that everyone in your existing database has given their consent, and that your data capture methods clearly outline what signing-up means for future customers while documenting each new sign-up, you will be GDPR compliant.