Does the GDPR affect the sending of emails?

The new GDPR and email marketing

That's going to change

 

The new EU General Data Protection Regulation (GDPR) also has a direct impact on all (online) marketing disciplines, including email marketing. Regardless of what your email marketing looks like, from May 25, 2018 binding provisions apply to all senders.

In the event of legal violations, e-mail senders are threatened not only with damage to their reputation, but also fines in the millions. In the following, you will find valuable information on how to make your email marketing legally compliant even after May 25, 2018.

 

General information

  1. What does the General Data Protection Regulation mean for email marketing?
  2. Can I still send promotional emails under GDPR?
  3. Can I still send promotional emails to my customers?
  4. How do I know whether my email marketing practice is GDPR compliant?
  5. What fines are there for violating the law in email marketing?
  6. What about transactional email? Do we need approval here to be able to send them?
  7. What if you are using different types of email and someone wants to unsubscribe?

 

Collect email contacts under the GDPR

  1. How are email lists to be set up in compliance with GDPR?
  2. Which data are legally necessary for the collection of e-mail lists?
  3. How should checkboxes be designed for registration forms?
  4. What about existing email lists? What should you do with your outdated data / contacts?
  5. Can I also send my newsletter to people who have downloaded a free guide etc.?
  6. Can I buy contact lists under the EU GDPR guidelines?

 

Data analysis and processing

  1. Does the type of data analysis affect the structure of the e-mail list?
  2. What about product proposals?
  3. Is profiling still allowed in email marketing under the GDPR?

 

Miscellaneous

  1. Is Mailjet GDPR Compliant?

 

General information

What does the General Data Protection Regulation mean for email marketing?

So far, the Federal Data Protection Act (BDSG) and the Act against Unfair Competition (UWG) have regulated the use of personal data for advertising purposes. The European General Data Protection Regulation (GDPR) takes its place, but leaves some national scope for interpretation.

Email marketing under GDPR essentially means adopting new rules on consumer opt-in, storing proof of consent in your system, and providing a method by which consumers can ask questions and have their personal data removed.

 

Can I still send promotional emails under the GDPR?

Before you send promotional e-mails, it is important to clarify the purpose for which you are doing this. It must be clearly recognizable to the recipient that the sender is pursuing a commercial purpose with the advertising or marketing e-mail (newsletters and the like). In principle, advertising emails of any kind may only be sent with the recipient's prior consent. It does not matter whether the recipients are consumers (B2C) or companies (B2B). In principle, the GDPR does not differentiate between interested parties and existing customers.

If you want to collect e-mail addresses for advertising purposes, the legitimate interests of the data processor must be weighed against the interests of the person concerned that are worthy of protection. When collecting addresses, the intention to advertise must be recognizable.

At the moment when users enter their data, the data processors are obliged to inform them about the type of mailings they will or can receive in the future (e.g. a regular newsletter with offers from the shop).

 

Can I still send promotional emails to my customers?

There is an exception rule for customers whose email address was collected in connection with a purchase. Here, however, several precisely defined requirements must be met. For example, the customer must not have objected to the use of his own personal data. The data processor must also point out, both when collecting the address and in every email, that the customer can object at any time.

In the event of an objection, the person may not incur additional costs. The applicable fair trading law remains unaffected by the new regulation. The advertisement must continue to contain products or services that are similar to the customer's previous purchase.

In the future, it will no longer depend only on the “whether”, but also on the “how”. All information and notices must be clear and understandable. In other words, purposes that are too broad and only vaguely described are ineffective. The intention and the sender must not be concealed.

 

How do I know whether my email marketing practice is GDPR compliant?

  1. Check your current database.
    1. Do you know the geographic location where your contacts are stored?
    2. Do you keep an audit trail of the consents received?
  2. Know your contacts and how you acquired them
    1. Did you work with the double opt-in procedure?
    2. Do you keep track of where your contacts are coming from and when they come in?
    3. How did your contacts get into your database?
    4. Do you have enough information about your permission and sources to show in court if necessary?
  3. Review and disclose your data practices
    1. Did you ask for consent at the time the data was collected?
    2. Do you have a data protection declaration that describes how you collect, store, transfer and process your data in clear, easy-to-understand language?
    3. Do you refer your recipients to your privacy policy?
  4. Take a look at your upcoming initiatives to ensure compliance.
    1. All new initiatives should take compliance with the guidelines into account so that you don't have to go back retrospectively to adjust your processes.

You can find more information about GDPR and consent here.

 

What about transactional email? Do we need approval here to be able to send them?

Transactional emails, also known as serial emails, are event-related one-to-one messages that are sent automatically when a previously defined event occurs. Their processing has a lawful basis if the customer has previously consented to the processing of the data necessary for the fulfillment of the contract (e.g. when making a purchase). In other words, there are no specific opt-in requirements for purely transactional emails.

If you integrate promotional elements in your transactional e-mails, the situation is different and you may need separate approval for this.

What fines are there for violating the law in email marketing?

If there is no legal basis for email data processing, there is currently a risk of fines of up to 300,000 euros. This will change on May 25, 2018. For the illegal collection or processing of an email address, the EU GDPR provides for penalties of up to 20 million euros or up to 4 percent of the worldwide annual turnover of the previous financial year.

 

What if you are using different types of email and someone wants to unsubscribe?

If you integrate all promotional measures such as offers, event invitations, etc. in your newsletter, you may not send any of this information to the person after unsubscribing. You can set up various thematic newsletters or marketing email campaigns. Just make sure you get separate consent for each newsletter.

 

 

Do you have a relatively high unsubscribe rate and want to reduce it? This article will give you the best tips: Unsubscribing from the newsletter: 10 reasons and what to do about them

 

 

Collect email contacts under the GDPR

How are email lists to be set up in compliance with GDPR?

E-mail lists are to be set up in accordance with the law. For this, the recipient must have explicitly consented to the receipt. Such consent must not be part of formulated contractual conditions. A required check mark must also not be set automatically. Consent for advertising or marketing emails should therefore be given separately.

The double opt-in is the only procedure for building up the e-mail address list that is still legally secure after May 25, 2018. Incidentally, according to a ruling from 2016, the opt-in email is not yet considered an inadmissible advertising email, but rather a control mechanism to ensure that the previous consent was actually given by the owner of the email address.

Instructions can be found in the article: Build a newsletter list in compliance with GDPR: This is how it works

 

Which data are legally necessary for the collection of e-mail lists?

Basically, in order to be able to do email marketing, you only need the email address. You have to prove when the consent was given, i.e. the time.

You may collect further personal data if you wish; note that the IP address is considered personal data. Such data should be requested directly on the registration form. Adding further personal data later requires express consent.

 

How should checkboxes be designed for registration forms?

The GDPR also has an impact on checkboxes. Consent for the submission of personal data must be given actively and voluntarily.

Customers who make a purchase or register for an account may not be required to sign up for an email list at the same time. That is, preselected checkboxes, i.e. boxes from which the user has to actively remove the tick, will not be permitted in the future. The same applies to linking to other services.

 

 

Here we show you how to create such registration forms: Design a GDPR-compatible registration form

 

What about existing email lists? What should you do with your outdated data / contacts?

The provisions for the legitimate establishment of email lists do not only apply to the data collected from May 25, 2018. Existing e-mail lists must be checked for further use.

Is there a clear record of their consent that proves that you are allowed to send e-mail campaigns? If not, then senders are required to obtain new and explicit permission before sending email marketing campaigns to their obsolete contacts.

Instructions for creating a consent e-mail, along with a free template to download, are available here: Create GDPR consent email

 

Can I also send my newsletter to people who have downloaded a free guide etc.?

There is no general answer to this. Using freebies as a measure to grow your email lists remains a legitimate tool - but with limitations. It depends, among other things, on how strong the thematic overlap between the two is.

In any case, you must expressly point out that the user also registers for the newsletter or mailing X at the same time. We recommend working with a checkbox that the user must actively click.

You can read here how to operate GDPR-compliant lead generation: How successful lead generation really works.

 

Can I buy contact lists under the EU GDPR guidelines?

While certain purchased e-mail lists can be classified as legally binding with a very clear declaration of consent within the original subscription under the General Data Protection Regulation, Mailjet does not recommend purchasing such lists.

You can find out the reasons and the alternatives here: Buy email addresses: yes or no.

 

Data analysis and processing

Does the type of data analysis affect the structure of the e-mail list?

There are basically two ways of analyzing personal data: anonymous analysis and individualized usage evaluation.

An anonymous analysis of the data is unproblematic in terms of data protection law. If, on the other hand, the data processors intend an individualized usage evaluation, a distinction must be made between a pseudonymized and a personalized evaluation.

A pseudonymized evaluation exists if the person can be clearly identified by the IP address or email address, but this data is stored separately from the specific usage behavior.

The decisive factor here is to ensure that specific behavior such as opening and click rates (whether a person has opened a certain advertising e-mail and / or clicked on a link contained in it) cannot be assigned to a specific user. Assignment to a specific ID (pseudonym) is permitted, however.
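The separation described above, as an added example (not Mailjet's code): identities and open/click events live in two stores linked only by a pseudonym. The class names, the truncated HMAC-SHA256 pseudonym and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class IdentityStore:
    """Email <-> pseudonym mapping, held apart from all usage data."""
    def __init__(self, key: bytes):
        self._key = key      # secret key; never handed to the analytics side
        self._emails = {}    # pseudonym -> normalised address

    def pseudonym_for(self, email: str) -> str:
        norm = email.strip().lower()
        # Keyed hash: without the key, an address cannot be tested against an ID.
        pid = hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()[:16]
        self._emails[pid] = norm
        return pid

    def erase(self, email: str) -> str:
        # Drop the mapping for an address; return the now-orphaned pseudonym.
        pid = self.pseudonym_for(email)
        del self._emails[pid]
        return pid

class UsageStore:
    """Open and click events, keyed by pseudonym only."""
    def __init__(self):
        self.events = []     # (pseudonym, campaign, action)

    def record(self, pid: str, campaign: str, action: str) -> None:
        if "@" in pid:
            raise ValueError("usage store takes pseudonyms, not addresses")
        self.events.append((pid, campaign, action))

    def open_rate(self, campaign: str, recipients: int) -> float:
        opened = {p for p, c, a in self.events if c == campaign and a == "open"}
        return len(opened) / recipients

    def purge(self, pid: str) -> None:
        self.events = [e for e in self.events if e[0] != pid]

def demo():
    """Constructed sample data: two of four campaign recipients open the mail."""
    ids, usage = IdentityStore(secrets.token_bytes(32)), UsageStore()
    a, b = ids.pseudonym_for(" Alice@example.com"), ids.pseudonym_for("bob@example.com")
    for pid, action in [(a, "open"), (a, "click"), (b, "open")]:
        usage.record(pid, "spring-sale", action)
    rate = usage.open_rate("spring-sale", recipients=4)
    usage.purge(ids.erase("bob@example.com"))   # erasure request for one contact
    return rate, usage.events
```

The open rate is computed from pseudonyms alone; only a party holding both the key and the identity store can tie an event back to an address.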

A personalized evaluation may only be carried out with the consent of the person concerned. Such an agreement is only effective if it has been clarified exactly which specific customer data (first name, last name, e-mail address, etc.) is collected and for what exact purpose this collection is carried out.

 

 

What about product proposals?

Data processing and evaluation basically affect all marketing practices that work with personal data. If the product proposals are based on the processing or evaluation of personal data, you also need consent for them. This touches on cookies; the new ePrivacy regulation will regulate this practice.

 

 

 

Is profiling still allowed in email marketing under the GDPR?

Profiling in email marketing concerns, for example, the creation of segments and data analysis for the purpose of personalized email campaigns. Areas of application and a more precise definition remain to be clarified, as well as the specific requirements for pseudonymized data (data is assigned to an ID).

Nevertheless, it can be stated that profiling is still possible under the GDPR, but you must be able to guarantee the 5 rights (right to information, right of access, right to rectification, right to erasure and right to data portability) that all of the contacts in your data list enjoy.
More information about GDPR and profiling.

 

Miscellaneous

Is Mailjet GDPR Compliant?

Yes, Mailjet has been EU GDPR compliant since December 2017. We respect the right to information, to change, to data portability and the right to be forgotten and can process these requests quickly.

Our customer or the data subject can open a support ticket via our website or send an email request to us: [email protected]. We respond directly to the request and inform our customers if they are affected.

 

 

Further information on the GDPR