With the entry into force on May 25, 2018 of the European Union’s new personal data protection law, the GDPR, it is now time for email specialists to ensure that their actions are compliant.
But what is GDPR?
The most significant change the GDPR brings to email professionals concerns how consent is handled, including how to collect it and how to maintain it.
The GDPR refreshes the rights of European citizens over their personal data, which means that the way your brand collected consent from users in the past may no longer comply after May 2018.
The GDPR goes beyond the consent required under the EU Privacy Directive, which is currently in force across the EU.
The new regulations require brands to collect positive, free, specific, clear and unambiguous consent to comply.
Here are 5 things to consider when it comes to your customers’ consent.
- Consent must be given by a positive act and not use pre-ticked boxes
- Under the GDPR, keep consent requests separate from other terms for your emails
- GDPR obligation: keep proof of consent for your emailings
- The GDPR requires you to facilitate the withdrawal of consent in your emailings and clearly indicate how to do so.
- Check your existing emailing practices and consents to be in line with the GDPR
1. Consent must be given by a positive act and not use pre-ticked boxes
For consent to be valid under the GDPR, a customer must actively confirm it, for example by ticking a box that was previously unchecked. Pre-checked boxes, which rely on customer inaction, are not valid under the GDPR.
2. Under the GDPR, keep consent requests separate from other terms for your emails
Consent for emailing must be freely given and this is only the case if a person really has a choice whether or not to subscribe to marketing messages. If registration for a newsletter is necessary to download a white paper, for example, consent is not given freely.
Under the GDPR, consent to receive marketing emails must be separated.
Never attach your consent to your terms and conditions.
For example, when someone downloads a guide or other content from Mailjet’s website, they have the option to subscribe to Mailjet’s newsletter by checking a box. Subscribing to the newsletter is optional: you can always download the guide without constraint. (see previous image)
3. GDPR obligation: keep proof of consent for your emailings
The GDPR not only sets the rules for how to collect consent, but also requires companies to keep a register of these consents.
In some countries, the burden of proof of consent has always been the responsibility of the company that collected the opt-in. For many other marketers, however, this requirement is a new challenge.
Keeping proof of consent (in your database or in a CSV file) means that you must be able to produce several pieces of evidence, including:
- The list of people who have consented.
- When they consented.
- What you told them at the time of consent.
- How they gave their consent (e.g. during checkout, through the Facebook form, etc.)
- If they have withdrawn their consent.
4. The GDPR requires you to facilitate the withdrawal of consent in your emailings and clearly indicate how to do so
All major email laws require brands to give their subscribers the ability to refuse to receive emails.
Every marketing email you send should include an unsubscribe option.
If you are already compliant with the laws currently in place, you may not need to change much regarding this GDPR compliance requirement.
Still, now is a great time to review your current unsubscribe process to make sure you’re following best practices:
- Do not charge fees.
- Do not require any information other than an email address.
- Do not require logging in to unsubscribe.
- Do not ask subscribers to visit more than one page to submit their request.
It’s also important to point out that a complicated unsubscribe process is a major driver of spam complaints. Putting opt-out barriers in place can therefore not only compromise your compliance with the law but also damage your deliverability statistics.
5. Check your existing emailing practices and consents to be in line with the GDPR
The GDPR doesn’t just apply to users who signed up after May 25; it applies to all EU users in your database at any given time.
If your current users gave you their consent in a way that does not comply with the new regulation (for example, if you currently use pre-ticked boxes), you will need to ask for their consent again.
To do so, you can follow these steps:
- Check your existing contact list.
- Determine who on your contact list has already provided GDPR-compliant consent and ensure you have a clear record of those consents.
- If you do not hold compliant consent for some of your contacts, or you are not sure whether it is compliant, run a re-authorization campaign to refresh that consent, or remove those subscribers from your mailing list.
To verify your GDPR compliance for May 2018, you can still take this interactive and free quiz.
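The proof-of-consent register from point 3 and the contact-list triage from point 5 fit naturally together, so here is one worked example covering both. It is added illustration code, not code from the original article or from Mailjet: an append-only consent ledger that stores the fields the article lists (who consented, when, what they were told, how, and any withdrawal), judges each grant against the two rules above (a positive act, separate from the terms and conditions), exports the register as CSV, and sorts an existing contact list into keep / re-authorize / remove. All names, the `ConsentEvent` fields and the sample addresses are constructed for this example.

```python
"""Hypothetical consent ledger for email marketing (added example, not the article's code)."""
import csv
import io
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    email: str                 # who
    timestamp: datetime        # when they consented or withdrew
    action: str                # "granted" or "withdrawn"
    method: str                # how: e.g. "web_form", "checkout", "unsubscribe_link"
    notice_text: str           # what they were told at the time
    positive_act: bool         # True only if the subscriber actively ticked or clicked
    separate_from_terms: bool  # True if consent was not bundled with the T&Cs


class ConsentLedger:
    """Append-only record of consent events; entries are never edited or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        self._events.append(event)

    def history(self, email: str) -> list[ConsentEvent]:
        """Every event for one address, oldest first: this is the proof of consent."""
        return sorted((e for e in self._events if e.email == email), key=lambda e: e.timestamp)

    def status(self, email: str) -> str:
        """compliant | non_compliant | withdrawn | no_record, judged from the latest event."""
        events = self.history(email)
        if not events:
            return "no_record"
        latest = events[-1]
        if latest.action == "withdrawn":
            return "withdrawn"
        # A grant counts only if it was a positive act and not bundled with the terms
        if latest.positive_act and latest.separate_from_terms:
            return "compliant"
        return "non_compliant"

    def triage(self, contacts) -> dict[str, list[str]]:
        """Sort an existing contact list: keep, re-authorize, or remove."""
        buckets: dict[str, list[str]] = {"keep": [], "reauthorize": [], "remove": []}
        for email in contacts:
            s = self.status(email)
            if s == "compliant":
                buckets["keep"].append(email)
            elif s == "withdrawn":
                buckets["remove"].append(email)
            else:  # no record, or consent of doubtful validity: ask again
                buckets["reauthorize"].append(email)
        return buckets

    def export_csv(self) -> str:
        """Dump the whole register as CSV text, oldest event first."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(ConsentEvent.__dataclass_fields__))
        writer.writeheader()
        for e in sorted(self._events, key=lambda e: e.timestamp):
            row = asdict(e)
            row["timestamp"] = e.timestamp.isoformat()
            writer.writerow(row)
        return buf.getvalue()


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: four situations a re-authorization review will meet."""
    ledger = ConsentLedger()
    march = datetime(2018, 3, 1, 10, 0, tzinfo=timezone.utc)
    april = datetime(2018, 4, 1, 10, 0, tzinfo=timezone.utc)
    # Alice ticked an unchecked newsletter box on a download form: valid
    ledger.record(ConsentEvent("alice@example.com", march, "granted", "web_form",
                               "Tick this box to receive our monthly newsletter.", True, True))
    # Bob's consent came from a pre-ticked box inside the order terms: not valid
    ledger.record(ConsentEvent("bob@example.com", march, "granted", "checkout",
                               "By ordering you accept the terms and marketing emails.", False, False))
    # Carol opted in properly, then withdrew via the unsubscribe link
    ledger.record(ConsentEvent("carol@example.com", march, "granted", "web_form",
                               "Tick this box to receive our monthly newsletter.", True, True))
    ledger.record(ConsentEvent("carol@example.com", april, "withdrawn", "unsubscribe_link",
                               "Unsubscribe link in the email footer.", True, True))
    # dave@example.com is on the contact list but has no recorded consent at all
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    contacts = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    print(ledger.triage(contacts))
    print(ledger.export_csv())
```

The ledger keeps every event rather than overwriting a single "opted in" flag, because the register must show what happened and when, including withdrawals; a contact with no record is treated the same as one with doubtful consent and goes into the re-authorization bucket rather than being assumed compliant.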