Last Updated March 6, 2023
In May 2018, a new privacy-focused law known as the General Data Protection Regulation (GDPR) went into effect – requiring, among other things, that email marketers obtain consent for their company's marketing activities. GDPR email marketing campaigns became more restrictive and their effectiveness more critical.
GDPR's ultimate goal is to give individuals in the EU more control over who has access to their personal data: how it is gathered, where it is stored, and how it is used. Aside from regulating how consent is obtained online, GDPR protects digital privacy by assigning new responsibilities to companies, such as honouring a user's request to erase the personal data a website has collected about them.
We are four-plus years into email marketing since EU GDPR was enacted and have seen both CCPA and LGPD arrive in that period. How have these laws impacted email marketing campaigns, and what are businesses doing to overcome some of the challenges these laws impose?
In this article, we'll discuss what you – as a business owner or email marketer – need to do to be GDPR-compliant when sending an email campaign. We will also share some tips you can use to make sure your marketing email campaigns remain effective despite new regulations. Let's get started!
What is GDPR?
The General Data Protection Regulation (GDPR) is a data privacy law whose provisions empower users (data subjects) regarding the collection and handling of their personal data. Among the rights and obligations it establishes:
- The right to be asked for consent where consent is the lawful basis for processing, and to withdraw it as easily as it was given
- The right to be told clearly how your data is being used and why
- The right to have the data erased under certain circumstances
GDPR also requires that personal data breaches be reported to the supervisory authority within 72 hours of the organization becoming aware of them, and to the affected individuals without undue delay when the breach is likely to put them at high risk. The report should describe the nature of the breach, including the categories and approximate number of records and people affected.
Why should you care about GDPR?
For business owners and marketers, email is an integral part of the online commerce ecosystem, and GDPR affects email marketing directly. The regulation applies to organizations established in the EU, and to any organization elsewhere that offers goods or services to, or monitors the behaviour of, people in the EU. So even if your company and website are located outside the European Union, your business is subject to GDPR as soon as its site collects personal data from people in the EU.
That means it is vital for business owners and email marketers to ensure their data collection activities comply with the law to avoid becoming liable for huge non-compliance fines.
GDPR fines can reach €20 million or 4% of a business's worldwide annual turnover, whichever is higher. The €9 million fine Austria's Data Protection Authority handed the Austrian Post for failing to properly handle data subject requests illustrates the point.
If you're wondering what the specific requirements are and how to stay on the right side of those, we're going to break it down into its parts, which are typically easier to understand than the whole.
Specific GDPR Email Marketing Requirements
Double Opt-In Procedure
With GDPR email marketing, a double opt-in (DOI) procedure gives customers transparency regarding what they're signing up for by sending a follow-up email – after initially signing up – so they can verify their email address again and confirm they want to opt-in.
Including forms in the opt-in page allows brands to send personalized and targeted emails that email subscribers find helpful. Data collected from the user can be used to craft more appealing and customized marketing messages.
They will only receive emails from you if they confirm their email address. Double opt-in is a perfect way to ensure your customers and subscribers are okay with receiving your emails, and it is also another way to ensure the emails you send don't get marked as spam.
The best email marketing software platforms support double opt-in, but many do not enforce its use. Neither GDPR nor US law (CAN-SPAM, CCPA) mandates double opt-in as such; what GDPR requires is that you can demonstrate consent, and a confirmed opt-in is the simplest way to produce that evidence. In the United States it remains a best practice rather than a legal requirement.
First, before you can send any direct marketing emails, you need to obtain consent from your customers. As the sender, you must make clear what types of emails you will be sending and that recipients are free to opt out at any time. Include an unsubscribe link at the bottom of every email and honour opt-out requests immediately.
Beyond that, give subscribers a way to unsubscribe from marketing emails and to adjust how often they receive them. Before running campaigns, earn your audience's trust by making sure everyone on the list has actually opted in.
You should clearly explain on your website why you'd need certain bits of data from the customer and what you intend to do with them to obtain consent. With this level of openness and transparency regarding your intent and how you would secure your users' data, customers would be more likely to consent to receive emails from your marketing team.
To ensure data protection and gain customer trust, explain your intent to the customer before requesting their consent. You can employ the services of automated email creation platforms that are GDPR compliant to help you do this and save the business money and time.
GDPR Email Marketing Compliance Practices
EU GDPR compliance is a grave concern for online businesses, making it essential that one's email marketing and general data collection and processing practices comply with the policy. Here are ways to ensure that your company – from the website to the actual email marketing – is not flouting any GDPR rules.
Appoint a data protection officer
For any business with the means to afford one, appointing a data protection officer (DPO) is a wise decision for an issue as serious as GDPR compliance; for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, GDPR makes the appointment mandatory. A trained team member gives the company a reliable benchmark of where it actually stands, rather than an assumption that it is compliant.
A DPO can also advise on what achieving compliance requires, and when a concern arises in the business's day-to-day operations, a GDPR-trained official can handle it and keep it under control.
GDPR requires that the supervisory authority be notified within 72 hours of the organization becoming aware of a personal data breach, and that affected individuals be told without undue delay where the risk to them is high. A trained data protection officer monitoring the environment means the issue is escalated quickly, because that is what they are trained to look out for.
Audit, map, and organize the data flow
It is essential to know where data about data subjects flows: keep an inventory of the systems and devices that store or transmit personal data, and a record of which teams and which processors handle it. GDPR Article 30 expects organizations to maintain such records of processing activities.
Avoid holding on to sensitive data the business does not need, and keep updated records on how the company handles data collection and processes personal data.
As with all new GDPR regulations and policies, training to ensure team members are up to date when it comes to being within the rules of data processing is essential. Investing in extensive training for the team is helpful, as it helps keep the team informed regarding their rights and how the employer is protecting its team and customers.
Compliance training should prepare team members for actions that can be taken in the event of any data breaches and the proper authority to report such violations. Data breaches can present companies with huge drawbacks, which is why an essential element of being GDPR compliant is to take steps ahead by putting measures in place to prevent them from ever happening.
Compliance training should also cover why companies want existing subscribers to have a clear opt-out available at all times. Beyond compliance, brands want an opted-in list made up of people with a genuine interest in their content.
Informed consent and access requests
Well-informed customers make better decisions, which is why explicit, informed consent must be obtained before personal data is processed or shared. GDPR Article 4(11) defines consent as “any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Beyond obtaining informed consent, customers may request access to their data whenever they choose, and the business is expected to provide a copy of all the personal data it holds on them, normally within one month. A separate right lets them request erasure, which the business must carry out unless an exception applies, for example where the data must be retained to meet a legal obligation or is processed for journalistic or public-interest purposes.
Transparent privacy policies
A business should endeavor to make its customers, leaders, and team members aware of their rights when it comes to privacy. One way to do that is by updating the workplace handbooks so the human resource managers and team members can review any new policies accordingly.
For the benefit of customers, websites should display why the customer's information is being collected, why and where it is being stored and how it is processed.
Regarding third parties, the privacy notice should name the recipients or categories of recipients with access to the data and the purpose for which they access it. Each processor must be bound by a Data Processing Agreement under GDPR Article 28; summarizing those arrangements online adds transparency to the access granted to third parties, giving customers peace of mind while maintaining trust between the business and its customers.
Getting customers to consent to receive emails from you
An email marketing list is an integral part of any business's audience. To build them in the first place, EU GDPR requires email marketers to seek the express consent of the subjects involved to ensure GDPR compliance.
Express consent is said to have been given when a person agrees – without being coerced – to do, share, or receive something. In email marketing, permission is given when individuals sign up for a mailing list via any online signup form of a company. That is one way of legally getting user contact information.
The other way of doing this is to let people opt-in by physically writing down their contact information on signup sheets at in-person events, which could be parties or even corporate get-togethers.
In both instances the individual actively agreed to be added to your mailing list, giving you proof of consent.
Why Consent is Important in Email Marketing
Consent has always been a best practice in email marketing, requiring organizations and marketers to ensure that they follow legitimate practices to gain consent. From the onset, honest email marketing services have shut down businesses' mailing lists that included emails without the user's consent.
Also, consent means one's email campaigns are less likely to end up in the recipient's spam folders instead of the primary inboxes they were intended for. For direct marketing purposes, personalized and targeted emails work best. Information can be collected during the opt-in process from your subscribers and their consent to send personalized content and promotional emails.
In recent times, however, with many countries enacting anti-spam and privacy laws, express consent has taken on a more active role in email marketing as businesses want to avoid heavy fines for flouting such laws. One is the GDPR, which can fine a company up to 4% of its worldwide annual turnover.
In such instances, consent is sought to keep the business compliant with the law while providing transparency in its information collection and email marketing activities.
Ways to prove consent
Following the GDPR requirements, you must have viable proof of consent before putting someone on your mailing list. Your proof of consent should be a record containing the following information:
How consent was given
This refers to having a copy of the relevant time-stamped signup form available as proof.
The consenting individual
This can be proven through the individual's email address, name, session ID, and username.
The time of consent
There are two ways this can be proven. The signup forms that email marketing and lead generation tools provide have features that automatically track when the individual signed up.
Also, for people who use paper forms, the sheets can be dated at the top and have time-stamped photos taken.
What was agreed to
This refers to the consent statement on the form the individual signed up with. You should also have copies of the relevant privacy policies or notices available.
Ensuring GDPR Email Marketing Consent
Now we know and understand the need to secure customers' express consent to ensure GDPR email marketing compliance, it is time to fix our attention on some of the best marketing practices for ensuring we have the permission of our email marketing audience to send marketing emails to them. Here is what to do to receive their consent:
Avoid having auto-filled checkboxes
Under GDPR, a pre-ticked box is not a valid indication of consent: the subscriber must take a clear affirmative action, so leave every marketing checkbox unchecked by default and never treat silence or inactivity as agreement.
Be clear about who you are
If you are an organization or person asking customers and subscribers for consent, be sure to have the name of your brand visibly included in the signup forms. Also include a business postal address in all your email marketing communication; anti-spam laws such as the US CAN-SPAM Act require it, and it supports informed consent.
If you run your business from home and have data privacy concerns, rent a PO Box to help keep your residential address safe.
Let subscribers know what they're signing up for by being transparent about what they should expect to receive from you, including the frequency with which you'll be sending emails.
Develop a system to store proof of consent
Although this can be handled by most of the email marketing tools available, it would be great for your business to keep a backup somewhere.
Don't buy email lists
Building an email list from scratch is tedious, so some marketers resort to buying lists. Aside from being inactive and often low-quality filler, a purchased list carries no consent you can verify: you were not there when it was built.
Again, GDPR fines are a serious matter, which is why you have to build your email list organically. It is slower and sometimes frustrating, but it will be worth it in the long run.
If you have old, decayed email lists, you will need to spend time re-engaging them, typically with a re-permission campaign sent through a bulk email service. A subscriber you have not contacted in a long time may no longer want to hear from you, so ask them to confirm before resuming regular sends, and drop those who do not respond.
Give subscribers the right to revoke consent
It would help if you made it easy for people to unsubscribe whenever they want to by providing an unsubscribe link that's easy to see at the bottom of all emails. This is an automatic feature in the most popular email marketing software.
Use easy-to-understand language
The average reading level for most people in the US is 7th-8th grade. This is why it's essential to use simple language that the average person can understand so that they can make informed choices regarding your emails and what you're asking them to subscribe to.
Key Strategies: Tracking Customer Consent and Permissions
With the GDPR email marketing regulations requiring marketers and website owners to prove the nature of consent between themselves and their subscribers, you must be able to keep track of the approvals and permissions your subscribers grant you.
The records must also be able to show how subscribers signed up to your mailing list if you want to fully prove compliance with the law – meaning there is the need to keep comprehensive records. While that may sound daunting, it is not hopeless, as there are some straightforward ways to get things done.
There are two ways by which you can record the signup process as it relates to any individual subscriber. They are:
- The source of sign-up (the webpage from where they signed up).
- A copy of the signup form or mechanism used for signing up when they became subscribers.
Your email marketing software may be able to record and track the activities of signup forms on your website. In that case, you should be able to see data such as:
- The subscriber's name.
- The source of their signing up (web page and subscription form).
- When they received their first and follow-up emails from you.
- Their last activity (for example, whether they unsubscribed after a specific email).
It should be that straightforward. It becomes harder on websites with more than one signup form, or where forms change often, because GDPR expects you to be able to prove exactly what the form looked like at the moment a given subscriber signed up.
The factors highlighted above impact how your business would keep records of its signup forms and processes.
Single signup forms that have never been changed
Once a record of the signup form has been created, it is advisable to save multiple copies of the file in different places. You can upload it to Google Drive, save a document as an email or email draft, or save it on your computer or an external hard drive.
Also, if you change the signup form later, repeat the above process to manually make a new record with its details documented while retaining the older history.
If you're using WordPress, there are some great form plugins to check out to ensure you abide by GDPR regulations.
Multiple signup forms that get changed regularly
Manually recording and managing multiple and regularly changing signup forms – while verifying the specific versions of forms the individual subscribers signed on through – would take a lot of work. That is why using an automated service is recommended for the recording process. A computerized service like Optinopoli would be appropriate for the stated purposes.
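The double opt-in procedure described earlier, the four proof-of-consent fields (how, who, when, what), and the form-versioning problem in this section can all be handled by one small piece of server-side code. The following is an added example written for this article, not code from any of the products named on the page; the secret key, the ledger class and the sample signup data are hypothetical. It issues an HMAC-signed confirmation token that expires after 48 hours, refuses to record a pre-ticked box as consent, fingerprints the exact form HTML the subscriber saw so later edits to the form cannot blur the record, and keeps an append-only log in which withdrawal is its own event rather than a deletion of the original consent.

```python
"""Double opt-in with signed confirmation tokens and an append-only consent ledger.
Added example for illustration; the secret, names and sample data are hypothetical."""
import hashlib
import hmac
import json
import time

SECRET_KEY = b"example-only-load-from-a-secrets-manager"  # hypothetical value
CONFIRM_TTL_SECONDS = 48 * 3600  # confirmation links stop working after 48 hours


def form_fingerprint(form_html: str) -> str:
    """SHA-256 of the exact signup form (consent statement included), so the
    record proves what the subscriber saw even after the form is edited later."""
    return hashlib.sha256(form_html.encode("utf-8")).hexdigest()


def make_confirm_token(email: str, issued_at: int) -> str:
    """HMAC-signed token bound to the address and issue time. The confirmation
    mail carries it, so nobody can confirm a subscription on someone else's behalf."""
    msg = f"{email.lower()}|{issued_at}".encode("utf-8")
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"


def verify_confirm_token(email: str, token: str, now: int) -> bool:
    """Reject malformed, expired, future-dated or forged tokens (constant-time compare)."""
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > CONFIRM_TTL_SECONDS:
        return False
    expected = make_confirm_token(email, issued_at).split(".", 1)[1]
    return hmac.compare_digest(expected, sig)


class ConsentLedger:
    """Append-only log of consent events. Each entry holds the four things a
    proof of consent needs: who consented, when, how (source URL plus form
    fingerprint), and what text they agreed to."""

    def __init__(self):
        self.events = []   # only ever appended to, never edited in place
        self.pending = {}  # email -> signup details awaiting confirmation

    def start_signup(self, email, name, source_url, form_html, consent_text,
                     checkbox_ticked_by_user, now):
        # A pre-ticked box is not an affirmative action, so refuse to record it.
        if not checkbox_ticked_by_user:
            raise ValueError("consent box must be ticked by the subscriber")
        email = email.lower()
        self.pending[email] = {
            "email": email, "name": name, "source_url": source_url,
            "form_sha256": form_fingerprint(form_html),
            "consent_text": consent_text, "requested_at": now,
        }
        return make_confirm_token(email, now)  # goes into the confirmation link

    def confirm(self, email, token, now):
        """Second step of double opt-in; only a valid token creates a consent event."""
        email = email.lower()
        if email not in self.pending or not verify_confirm_token(email, token, now):
            return False
        details = self.pending.pop(email)
        self.events.append({**details, "event": "consent_given", "confirmed_at": now})
        return True

    def withdraw(self, email, now):
        """Unsubscribe is its own event; the original consent stays in the history."""
        email = email.lower()
        if not self.is_subscribed(email):
            return False
        self.events.append({"email": email, "event": "consent_withdrawn", "at": now})
        return True

    def is_subscribed(self, email):
        state = False
        for ev in self.events:  # the most recent event for this address wins
            if ev["email"] == email.lower():
                state = ev["event"] == "consent_given"
        return state

    def proof_of_consent(self, email):
        """Everything recorded for one subscriber, as JSON for an access request or audit."""
        return json.dumps([e for e in self.events if e["email"] == email.lower()],
                          indent=2, sort_keys=True)


if __name__ == "__main__":
    ledger = ConsentLedger()
    now = int(time.time())
    form = '<form><input type="checkbox" name="consent"> I agree to weekly offers</form>'
    tok = ledger.start_signup("Alice@example.com", "Alice", "https://example.com/signup",
                              form, "I agree to weekly offers", True, now)
    assert ledger.confirm("alice@example.com", tok, now + 60)
    print(ledger.proof_of_consent("alice@example.com"))
```

Two design choices matter here. The token is bound to the address, so a confirmation link leaked or guessed for one subscriber cannot be replayed for another, and the expiry keeps stale links from confirming months later. The ledger never overwrites: a withdrawal is appended next to the consent it cancels, which is exactly the history an auditor or a data subject access request will ask you to produce. In production the events would go to a write-once store with a backup, as the section above recommends, rather than an in-memory list.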
Email Software with GDPR Compliance
The easiest way to get and stay compliant is to ensure the email marketing software you use is compliant. This doesn't mean you don't have additional compliance measures on your website, but it is an excellent start to ensuring compliance within your email marketing program. Here are three top options we know do a great job.
Mailchimp – Mailchimp is easily one of the best and most compliant email marketing platforms for improving GDPR email marketing campaign compliance.
ActiveCampaign – Extremely powerful email marketing software with many integrations with the best apps for privacy, data, and GDPR compliance.
HubSpot – HubSpot has become one of the leading platforms for adherence to proper email marketing protocol and policy.
CCPA and LGPD Privacy Laws
Globally, governments and state legislatures are taking measures to protect citizens' data, apart from giving them the right to refuse participation in any data collection activities by the businesses they interact with or patronize.
In this section, we'll be looking at some acts that have been signed into law to guarantee the protection of consumers' privacy rights in Brazil and California.
California Consumer Privacy Act
Enacted in 2018 and modelled on the European Union's GDPR, the California Consumer Privacy Act (CCPA) gives users control over their data as a check on intrusive data collection by large technology companies. Many data breaches happen as a result of poorly defined access controls and data management.
With the CCPA, companies that collect data on residents of California have to provide information regarding how the data is collected while giving users the power to protect their data.
What CCPA covers
The CCPA compliance regulations cover the various ways in which businesses collect and distribute users' private information collected digitally from websites and other media. CCPA gives users the right to contact any company that has their data to ask for information regarding the storage and use of their data – making it mandatory for companies to comply with specific requests.
Companies are required to comply with user requests for:
- A list of third parties with access to a user's data
- The business purpose for which user data is collected and sold
- Categories of data collection sources (contact, financial, medical, etc.)
- Data that's been collected and stored
Also, should the user request the following, companies are required to take action:
- Not be discriminated against for requesting control over their data
- Port their data
- Prohibit the sale of their data
- Request the deletion of their data
Who has to comply with CCPA?
It is essential for companies that collect data on California residents to look into the compliance regulations governing the CCPA. Businesses that do not operate within California or provide services within California data should endeavor to track related information to be in a position to understand similar regulations should such laws pass within their states and others.
A for-profit business that does business in California and meets any one of the following thresholds falls under the CCPA:
- It derives at least 50% of its annual revenue from selling (or, under the CPRA amendments, sharing) consumers' personal information.
- It buys, sells, or shares the personal information of at least 50,000 consumers, households, or devices per year (raised to 100,000 consumers or households by the CPRA amendments effective January 1, 2023).
- It has annual gross revenue above $25 million.
Penalties for violating CCPA
The CCPA was enacted in 2018, but businesses had until January 2020 to ensure their systems were compliant. Companies have 45 days to respond to a consumer request made under the CCPA.
Businesses may receive notices of non-compliance. Under the original CCPA the company then had 30 days to remediate the issue; the CPRA amendments removed that automatic cure period as of 2023. Civil penalties run up to $2,500 per violation, or $7,500 per intentional violation. For a data breach caused by a failure to maintain reasonable security, affected consumers can seek statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.
A business that violates compliance laws is open to additional lawsuits. Should a critical data breach affect numerous consumers, the cost to that business could be years of litigation in addition to reparations and other charges on attorney's fees.
Brazil's General Data Protection Law
Brazil's General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) is a federal law that unified some 40 existing statutes regulating the processing of individuals' personal data.
Enacted in August 2018, it entered into force on September 18, 2020, with effect backdated to August 16, 2020. Data subjects and public authorities could enforce their rights from September 18, 2020, and administrative penalties became enforceable on August 1, 2021.
While it is not the first or only data privacy law of its kind in South America, it is perhaps the best publicized one from the region. It was influenced by the European Union's GDPR and expands on it in some areas. Brazil's national data protection authority (ANPD) will also be instrumental in shaping how it is applied.
How does the General Data Protection Law apply?
The LGPD applies to any processing operation carried out in Brazil, to processing whose purpose is to offer goods or services to individuals located in Brazil, and to processing of personal data collected in Brazil, regardless of where the processing itself takes place.
It covers processing by natural persons and by public or private legal entities (businesses or organizations). Physical presence in Brazil is not required, and the organization does not need to be headquartered there: what matters is that the data subjects are in Brazil or that the data was collected there.
Additional Resources for Privacy Protection
The following resources and information have been compiled to assist with the general needs of a company website in complying with privacy laws and guidelines.
Termly.io is one of the best sources of compliance information related to GDPR, CCPA, and other data and PII compliance needs. They offer both policy generation and consent management software.
- Terms and Conditions Generator
- EULA Generator
- Disclaimer Generator
- Return Policy Generator
- Shipping Policy Generator
Termly Consent Management Platform
- Cookie Consent Manager – Obtain consent & manage cookie preferences
- Cookie Scanner – Scan & classify your cookies
- Cookie Banner Generator – Create a compliant consent banner
- Blog Terms and Conditions – For a website with user-generated content that uses advertising or affiliate links for monetization.
- E-Commerce Terms and Conditions – Used by an online store offering products or services.
- Mobile App Terms and Conditions – For Android or iOS users, set the rights regarding access and the use of an application.
- Online Marketplace Terms and Conditions – A legal disclaimer detailing the laws in which the marketplace operates between its customers/users.
- Website Terms and Conditions – A set of text allowing a website to establish a set of operating laws between the website and its users that are legally binding.
- WordPress Terms and Conditions – For a website using the WordPress content management system.
Complete Compliance Solution
Choose Harbor Compliance if you are an organization that wants to utilize expert software and services to plug compliance gaps across your entire organization, regardless of vertical, location, or industry. Harbor Compliance has you covered, and it's incredibly easy to get started with their free Compliance Healthcheck.
GDPR Email Marketing Wrap-up
For many marketers and those that rely on marketing communication to be handled through email, GDPR may seem quite restrictive when in all actuality, it is a very positive step in the direction of giving private citizens more control of how they are being tracked and how their data is being used.
CCPA and LGPD are great additions, but more is needed. The United States is notorious for not providing enough protection in this regard, and companies continue to profit from private data with few restrictions on its use. Everyone should know how their data is used, tracked, and stored. Will we see a change in the next five years across more countries, including the United States? Let us know your thoughts in the comment section.