There is new legislation arriving in 2018 which affects anyone who carries out email marketing.
The General Data Protection Regulation (GDPR) is the EU’s new privacy law and it’s due to be enacted on 25th May 2018. Its aim is to bring uniformity to a plethora of different legislation across all member states, and to replace the Data Protection Act and the Privacy & Electronic Communications Regulations (PECR) which are no longer fit for purpose.
GDPR will affect every company that uses personal data from EU citizens. If you collect email addresses and send marketing emails to subscribers in the EU, you’ll have to comply with GDPR — no matter where you’re based.
Penalties are due to increase significantly up to a maximum of €20 million or 4% of global annual turnover.
The key points are:
1. New subscribers will need to affirm that they want to opt in.
This affirmation must be via a dedicated subscription form, or via an unticked check box in situations where you’re collecting data for other reasons, such as order processing or membership applications. Pre-ticked boxes or “Tick here to opt out” will not be permitted.
2. You will need to tell subscribers how their data will be used.
For example, if they give you their email address to download a free article you must tell them if you plan to use that email address for marketing purposes and give them the option to opt into this.
3. You will need to keep a record of consent.
For example, if you use a provider such as Campaign Monitor they will store details of how and when a recipient subscribed along with their IP address. It is not clear at the moment whether such information will be sufficient. I’ll monitor how this will need to work in the coming months.
4. The following commonly adopted scenarios will no longer apply.
(i) An existing business relationship will no longer imply consent. For example, where you have an existing database of customers and suppliers and you use that for email marketing.
(ii) The current soft opt-in where you can email people if there is an existing business relationship.
[UPDATE 06.09.17] There is however a “legitimate interests for processing” test which means in some cases it might be possible to continue emailing a subscriber without the above in place. The Information Commissioners Office (ICO) is due to issue guidance on this towards the end of 2017. Read more from the DMA >>
5. You will need to get your existing data up to GDPR standards.
If you can’t provide sufficient proof of consent for existing subscribers, you won’t be allowed to contact them anymore. You will need to run a re-permissioning campaign. This includes subscribers you have added using soft opt-in.
What next?
I’ll be working with all existing Expertise on Tap clients to ensure they are compliant when the new legislation comes into force. If you are not a client and need help running a re-permissioning campaign do let me know.
There are other aspects to GDPR in addition to email marketing. There’s more information here from the ICO.
The above content should not be used as a substitute for professional legal advice.