Email consent under GDPR
With the General Data Protection Regulation (GDPR), the European Union’s new privacy law, coming into effect on May 25th, 2018, now is the time for email marketers to ensure that their programs are compliant. (Not sure what GDPR is? Brush up on the basics.)
One of the major areas of change—and the one that’s been causing email marketers the biggest headache—is the question of how to collect and store consent. GDPR raises the bar to a higher standard of consent for subscribers based in the EU, meaning that the way your brand has collected consent from EU subscribers in the past might not be compliant anymore.
GDPR goes beyond the consent required under the EU Privacy Directive, which is currently in effect across the EU. The new regulation requires that brands collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant.
The Information Commissioner’s Office of the UK (ICO) has provided a comprehensive guide on consent under GDPR. If you’re not ready to dive into the full 39-page guide just yet, here’s a breakdown of the five most important things you must know about email consent under GDPR—with plenty of examples of how we put them into action here at Litmus.
1. CONSENT REQUIRES A POSITIVE OPT-IN. DON’T USE PRE-TICKED BOXES.
For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.
“Silence, pre-ticked boxes or inactivity should not constitute consent.”
2. KEEP CONSENT REQUESTS SEPARATE FROM OTHER TERMS & CONDITIONS.
Email consent must be freely given—and that’s only the case if a person truly has a choice of whether or not they’d like to subscribe to marketing messages. If subscribing to a newsletter is required in order to download a whitepaper, for example, then that consent is not freely given.
Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service.
“When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
When someone downloads an ebook or other content from the Litmus website, they do have the option to subscribe to our emails by checking a box. Signing up for emails is optional—you can always download the ebook without subscribing to our emails.
3. MAKE IT EASY FOR PEOPLE TO WITHDRAW CONSENT—AND TELL THEM HOW TO DO IT.
“The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”
All major email laws, including CASL in Canada and CAN-SPAM in the U.S., require brands to give their subscribers the opportunity to opt out from receiving emails. Each promotional email you send must include an option to unsubscribe. If you are already compliant with current Canadian, American, or European email laws, you may not have to change much when it comes to this requirement for GDPR compliance. Still, this is a perfect time to revisit your current opt-out process to ensure you’re following best practices:
- Don’t charge a fee
- Don’t require any other information beyond an email address
- Don’t require subscribers to log in
- Don’t ask subscribers to visit more than one page to submit their request
In the footer of every promotional email from Litmus, we include an option to opt-out from receiving emails. This makes unsubscribing easy should a subscriber ever lose interest.
It’s also worth pointing out that an unfriendly unsubscribe process is also a major driver of spam complaints. Half of U.S. consumers say they’ve reported a brand’s emails as spam because they couldn’t easily opt out, according to our Adapting to Consumers’ New Definition of Spam report. So putting up opt-out barriers not only jeopardizes your legal compliance, it can jeopardize your deliverability as well.
4. KEEP EVIDENCE OF CONSENT—WHO, WHEN, HOW.
GDPR not only sets the rules for how to collect consent, but also requires companies to keep a record of these consents.
Article 7 (1):
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
In some countries, the burden of proving consent has always been the responsibility of the company that collected the opt-in. For many other marketers, however, this requirement is a new challenge to tackle.
Keeping evidence of consent means that you must be able to provide proof of:
- Who consented
- When they consented
- What they were told at the time of consent
- How they consented (e.g., during checkout, via Facebook form, etc.)
- Whether they have withdrawn consent
If someone signs up to receive updates from Litmus, they receive an email asking them to confirm their subscription (read more on the pros and cons of double opt-in here). If a prospective subscriber clicks the link in the opt-in confirmation request email, our email service provider records that action. With that, we can look at each individual subscriber, see when they opted in, and what form they used to do so.
5. CHECK YOUR CONSENT PRACTICES AND YOUR EXISTING CONSENTS.
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”
GDPR does not only apply to signups that happen after May 25th; it applies to all existing EU subscribers on your email list. If your existing subscribers have given you consent in a way that’s already compliant with GDPR—and if you kept a record of those consents—there’s no need for you to re-collect consent from those subscribers. If your existing records don’t meet GDPR requirements, however, you have to take action.
- Audit your existing email list.
Figure out who on your email list already provided GDPR-compliant consent, and ensure that you have a clear record of those consents.
- Implement a re-permission program
If for any of your contacts you don’t have GDPR-proof consent—or if you are unsure about whether or not their consent is compliant—you’ll have to run a re-permission campaign to refresh that consent, or remove the subscriber from your mailing list.
At Litmus, we will use re-permission programs periodically to help keep our email lists clean. They include very explicit language asking the subscriber to confirm that they would still like to receive emails by clicking a confirmation link in the email.
Re-permission campaigns are a powerful way to update existing records to ensure GDPR-compliant consent, but they do require detailed planning and execution. Remember: if you require an updated consent for GDPR compliance but your subscriber fails to engage with your re-permission campaign, you’ll have to remove them from your mailing list.
HOW DOES YOUR TEAM PREPARE FOR GDPR?
Have you run a re-permission campaign yet or are you planning to do so? What other strategies have you put in place to ensure compliance with GDPR? We’d love to hear from you!
This post provides a high-level overview about email consent under GDPR, but is not intended, and should not be taken, as legal advice. Please contact your attorney for advice on email marketing regulations or any specific legal problems.