SuretyMail Email Reputation Certification


How Email Marketing must Comply with the EU General Data Protection Regulation (GDPR)

The EU GDPR (General Data Protection Regulation) takes effect on 25 May 2018, and it applies not only to email marketing and email senders within the EU, but also to senders anywhere in the world whose email reaches people in the EU (more precisely, to anyone outside the EU who offers goods or services to, or monitors the behaviour of, people in the EU).

(Note: With respect to email marketing and other email sending practices, it’s important to note that under the GDPR “personal data” includes an email address, since an address identifies a person. We will be using the term “email address” throughout this article, as we are talking about email marketing.)

First and foremost, for any email address that you collect, the person’s consent to the collection and use of that email address must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In other words, you cannot collect, let alone use, a person’s email address (including a named individual’s business address) unless they have given you clear, specific, informed consent.

And guess what? Pre-checked boxes are out (of course anyone who has read our Email Deliverability Handbook knows that): they do not count as consent. The same goes for “lack of action”. In fact, the GDPR specifically says:

Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.

And that’s not all.

That consent applies only to that use which you have clearly specified to them at the time of their consenting.

For example, if you collect their email address so that you can “email them your free white paper”, that is the only purpose for which you can use their email address. You cannot add that email address to a mailing list or otherwise use it for email marketing (or anything else).

This means that you have to disclose every single way that you might use their email address, clearly and in plain language, at the time that they are giving their consent. If a particular use of their email address was not clearly disclosed at the time they gave their consent, then it wasn’t informed consent for that purpose, and you cannot use their email address for that particular use.

Moreover, you must be able to demonstrate that consent: document it (who consented, to what, when, and through what form or mechanism) and keep that documentation for as long as you rely on the consent.

The GDPR also addresses what you do with the data once you hold it, and with respect to email addresses it means that a) you need to keep all of the data you collect secure, and b) withdrawing consent (such as unsubscribing) must be as simple as giving it; in the regulation’s words, “It shall be as easy to withdraw as to give consent.”
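The three requirements above (consent scoped to a disclosed purpose, a record that proves it, and withdrawal as easy as giving it) map directly onto how a sender should store consent. The following is an added example, not code from SuretyMail or from any GDPR guidance, of a purpose-scoped consent ledger: it refuses to record anything that was not an affirmative act, answers “may I use this address for this purpose?” with a per-purpose check, withdraws one purpose or all of them in a single call, and can export the evidence for an address. The email addresses, form identifier and consent wording are constructed sample input; the fixed clock exists only so the demonstration is reproducible.

```python
"""Purpose-scoped consent ledger (added illustration, not the original page's code).

Each consent is stored against exactly one disclosed purpose, with the time it was
given, where it was captured and the wording the person saw, so that the sender can
both demonstrate the consent later and refuse uses that were never disclosed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class ConsentRecord:
    email: str
    purpose: str                      # the single use disclosed at collection time
    granted_at: datetime
    source: str                       # where consent was captured, e.g. a form id
    statement: str                    # the exact wording shown to the person
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._records: Dict[str, List[ConsentRecord]] = {}

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()   # one record set per address, case-insensitive

    def grant(self, email: str, purposes: Iterable[str], source: str,
              statement: str, affirmative_action: bool) -> int:
        """Record consent for every purpose that was disclosed. `affirmative_action`
        is True only when the person actively did something (ticked an unticked box,
        clicked a button); a pre-ticked box or silence is refused outright."""
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        purposes = list(purposes)
        if not purposes:
            raise ValueError("consent must name at least one specific purpose")
        now, key = self._clock(), self._key(email)
        for purpose in purposes:
            self._records.setdefault(key, []).append(
                ConsentRecord(key, purpose, now, source, statement))
        return len(purposes)

    def can_use(self, email: str, purpose: str) -> bool:
        """True only if an active consent exists for exactly this purpose; a consent
        given for 'send-whitepaper' never authorises 'newsletter'."""
        return any(r.purpose == purpose and r.active
                   for r in self._records.get(self._key(email), []))

    def withdraw(self, email: str, purpose: Optional[str] = None) -> int:
        """Withdraw one purpose, or every purpose when none is named (an unsubscribe
        link should call this with no purpose). Returns how many consents ended."""
        now, ended = self._clock(), 0
        for r in self._records.get(self._key(email), []):
            if r.active and (purpose is None or r.purpose == purpose):
                r.withdrawn_at, ended = now, ended + 1
        return ended

    def evidence(self, email: str) -> List[dict]:
        """Serialisable proof of consent and withdrawal for one address, the
        documentation a sender must be able to produce on request."""
        return [{"email": r.email, "purpose": r.purpose, "source": r.source,
                 "statement": r.statement, "granted_at": r.granted_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records.get(self._key(email), [])]


def fixed_clock() -> datetime:
    # Constant time so the demonstration below is reproducible (assumption for the example).
    return datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Walk through the white-paper scenario from the article with constructed data."""
    ledger = ConsentLedger(clock=fixed_clock)
    # Constructed sample input: an address collected on a white-paper request form.
    ledger.grant("Alice@Example.com", ["send-whitepaper"], source="form-whitepaper-1",
                 statement="Email me your free white paper", affirmative_action=True)
    try:  # a pre-ticked newsletter box is not an affirmative act and must be refused
        ledger.grant("alice@example.com", ["newsletter"], "form-whitepaper-1",
                     "Also send me the newsletter", affirmative_action=False)
        prechecked_refused = False
    except ValueError:
        prechecked_refused = True
    whitepaper_ok = ledger.can_use("alice@example.com", "send-whitepaper")
    newsletter_ok = ledger.can_use("alice@example.com", "newsletter")
    ended = ledger.withdraw("alice@example.com")        # one-click unsubscribe: everything
    after_withdrawal = ledger.can_use("alice@example.com", "send-whitepaper")
    return {"prechecked_refused": prechecked_refused, "whitepaper_ok": whitepaper_ok,
            "newsletter_ok": newsletter_ok, "ended": ended,
            "after_withdrawal": after_withdrawal, "evidence": ledger.evidence("alice@example.com")}


if __name__ == "__main__":
    print(demo())
```

The point of keying every record on a purpose string rather than a boolean “opted in” flag is that the question the GDPR asks is never “did they consent?” but “did they consent to this?”, and the ledger can only answer that if the purpose was stored at the moment of consent.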

Also, if your stored data is breached, you must notify the Data Protection Authority within 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to the people affected), and, where the breach is likely to result in a high risk to them, inform the affected individuals “without undue delay”.

It’s also important to note that legal action under the GDPR is available to individuals, and not only against companies: any data subject (a person in the EU, not just an EU citizen) has a right to a judicial remedy and to compensation against the controller or processor that mishandled their data, including a sole trader who sends email in a business capacity. This ‘private right of action’ is presumably also open to anyone anywhere against an EU-based email sender.

And fines are hefty: up to 20 million euros or 4% of a business’ total worldwide annual turnover for the preceding financial year, whichever is higher.

(For a more detailed look at the consequences of violating the GDPR, see this excellent article from the International Association of Privacy Professionals.)

So how are they going to enforce it? Given the potential exposure, it almost doesn’t matter how they are going to enforce it; it makes a lot more sense to just comply. That said, while it will be relatively easy for them to enforce against anyone in an EU member state, it’s unclear how they will reach a company in, say, the United States (the act of sending email from the United States to people in the EU gives them a hook; what’s unclear is how they will prosecute it).

But make no mistake, they do mean to enforce it. According to the EU GDPR site, “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

This has been a brief overview, and only with respect to the collection and use of email addresses. You can read the full EU General Data Protection Regulation (GDPR) here.