Navigating Email Consent Under GDPR



Email marketing is making international headlines and marketers should take notice. On May 25, 2018, the European Union will enact the General Data Protection Regulation (GDPR), a new privacy law that aims to unify the different email laws of 28 EU member states under one common practice. This regulation drives consistency across all European countries – a benefit to most email marketers – but also ushers in some significant changes to the email industry.

If you’re questioning whether GDPR will affect you, it takes one simple question to know the answer: does your company collect personal data from EU citizens? If you’re collecting email addresses from European subscribers, you must comply with these regulations.

With many companies benefiting greatly from the large markets of EU powerhouses like the UK, France, and Germany, it’s crucial to ensure you’re complying with the new rules. The regulations will primarily impact how marketers find, collect, and record consent of subscribers.

Below are the most important changes you should be aware of under GDPR:

Stricter Regulations for Gathering Consent

Under GDPR rules, marketers must collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant. One example of this action is that marketers cannot use pre-ticked consent boxes. The rules require subscribers to actively confirm their consent, meaning inaction doesn’t assume consent.

Withdrawing Consent Must Be Accessible and Clear for Subscribers

All major email laws require companies to offer subscribers the opportunity to opt out from receiving emails. This will not affect many compliant email marketers, but it’s important to ensure you’re up to code before GDPR is instated. As a reminder, you cannot charge a fee, require any other information beyond an email address, require log-in, or direct subscribers to visit multiple pages during the opt-out process. As a best practice, place a visible opt-out button in your footer to make the process easy for subscribers.

Separate Consent Requests and Terms & Conditions

Under GDPR, consent needs to be separated from terms and conditions, privacy notices, or any other services you’re offering unless email consent is necessary to complete that service. For example, you cannot require new users to share personal information, like an email address, in order to receive free newsletters, e-books, or other products and services.

Track Who, When, and How Subscribers Consent to Your Emails

Under GDPR policy, companies will have to keep detailed evidence of consent. Some marketers already track this, but for others, evidence of consent means you must be able to prove who consented, when they consented, what they were told at the time of consent, how they consented, and whether they have ever rescinded consent. Make sure your email service provider records detailed actions of subscribers that you can access at a later time.

GDPR Rules Applies to Existing Consents

Existing subscribers will not be granted freedom from the GDPR, and email marketers should audit the consent process of their current EU subscribers. If your subscribers have already given you consent in a way that’s compliant with GDPR, and you have an attainable record of that consent, you do not need to re-collect it from them. If your consent process was not compliant with GDPR, implement a re-permission campaign to refresh the consent. You cannot email those who do not re-grant consent until completed.

GDPR is coming whether you want it or not, although we promise it’s not a bad thing as long as you comply! But what happens if you don’t stick to the rules? Non-compliance with GDPR can result in fines up to €20 Million or 4% of a brand’s total global annual turnover (whichever is higher). The bandwidth required to penalize every non-compliant brand is enormous and will rely heavily on consumer reports, but it’s better to be safe than sorry.

If you are interested in reading more about GDPR, you can read the full law text here.