Enforcement date: in effect since May 25th 2018
What is it about?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. GDPR Portal
Does it affect me?
It affects every company that uses personal data from EU citizens. Regardless of your location, if you’re collecting email addresses and send newsletters to subscribers who are residents of the European Union, you’ll have to comply with GDPR.
GDPR is not limited to email marketing activities.
What's the key point in the context of email marketing?
You must have your subscribers "affirmative consent" that is "freely given, specific, informed and unambiguous”.
What's challenging is that in case you are asked, you must provide evidence of this process. Let's see how we can do that.
What should I do?
Audit your lists
Do you know the origin of your lists? Are your subscribers based in the EU? Were the subscribers explicitly informed about the purpose their data will be used?
Depending on your answers it may be wise to send a re-confirmation campaign
. And then permanently delete subscribers who will not confirm.
Inform your subscribers and prospects
Explain the purpose for which you are collecting their data, the period you will keep it and how you plan to use it. Explain also their right and process to have their consent removed.
Include the link to your privacy page in your opt-in forms.
Use double opt-in and/or check-boxes.
The "Please confirm your subscription" email that is sent with double opt-in
is the best way to explain the purpose of the subscription, your policy and to get your subscriber's affirmative consent.
When a subscriber confirms his IP and date-time are captured.
Explicit consent checkbox
" includes a mandatory checkbox that the subscriber must check in order to submit the opt-in form. Example:
In older version it can be done by using a custom subscriber field. See how
Keep evidence of consent
With every new sign-up you receive an email as administrator which contains all the data from the opt-in form. Save these emails with their headers.
If you collect email addresses over the phone or without using the internet you should also find ways to keep evidence of subscriber's consent (e.g. conversation recordings).
Use double opt-in.
Removal of consent (opt-out)
A global opt-out link in a newsletter results in permanent subscriber removal.
However, a record is kept in your opt-outs. Such records are helpful as exclusion filters when you are importing subscribers. Based on your business processes you should decide whether to delete these records or not.
You can use both a global opt-out link and a list opt-out. You can also provide an email address where subscribers can contact you regarding their privacy.
You can also direct the subscriber to his account to view and update his data. In this page he can also self-suppress his account.
By any means a subscriber has the right to be forgotten.
What shall I do with my existing subscribers?
GDPR applies also to data collected before its effective date. Thus, if your data was collected in an GDPR compliant manner and if you kept records of the subscribers' consent then you should be ok.
However, many companies still decide to send re-confirmation campaigns
and ask again their subscribers' permission.