GDPR Consultation: As a result of this blog post I am getting asked lots of questions about the GDPR but I am not a data protection consultant. One of my clients is a GDPR consultancy. If you have any questions about any of the topics raised in this post or the GDPR in general they have agreed to offer you a free 30 minute consultation to try and answer as many of your questions as possible. You can request your free consultation with Salvus Data here.
Information from the ICO: I have recently updated this post with some information from my call with the ICO. They were incredibly helpful. If you have any questions about GDPR I strongly suggest that you contact them directly. I was on hold for about 30 minutes before I got through to an advisor but they were incredibly helpful and gave direct answers to questions that consultants and lawyers I’ve spoken with have given differing opinions on.
Important Disclaimer
There is a lot of conflicting information available online and even the lawyers and consultants I have spoken to disagree with each other. I am a digital marketer and entrepreneur, not a lawyer. This post is presented for information purposes only. The content of this post does not constitute legal advice and should not be relied upon as such. Consult your legal advisor to understand your rights and obligations in order to comply with any laws and/or regulations.
Introduction to The GDPR and Email Marketing
Almost 70% of small business owners that we surveyed said that email marketing is their biggest concern about the GDPR.
This isn’t surprising considering only 25% of existing customer data meets GDPR requirements.
The biggest issue that these businesses are facing is consent. Consent now requires “clear affirmative action”.
This means that failure to opt out of marketing is not valid consent. Nor are opt-ins where, for example, the opt-in was given through a checkbox that was pre-checked.
An even bigger issue for digital marketing is that these rules apply to existing data, not just new subscribers and customers.
When this was presented at a recent GDPR seminar that I attended, there was shock in the room as business owners began to realise the implications – especially those in e-commerce where upwards of 50% of sales come from email marketing.
What proportion of their database will they still be able to market to after May 2018?
What effect will this have on their ability to sell their products and services?
What about the value of their business which, for many, is largely the value of their customer data?
In this post, I will talk you through some of the most important things that you need to know about The GDPR for email marketing.
Contents
How The GDPR Affects Email Marketing
- The need for consent for marketing
- What is the GDPR standard for consent?
- The most common reasons why organisations will not be able to use their mailing list from May 2018
What I learned at the GDPR seminar I attended
- In terms of email marketing, is consent the only valid basis for processing or could we use legitimate interest?
- Can we just send an email to our database with an updated privacy policy giving them the option to opt out if they don’t want to continue receiving communications?
What I learned from my call with the ICO
- There is a possible exception to the need for consent when marketing to customers and leads.
What almost every business that uses digital marketing needs to start working on today
- Update your website terms and conditions and privacy policy
- Update the design of the lead capture forms on your website
- High converting GDPR compliant consent form example
- Work out how to document what the subscriber was told when they gave consent
- Re-permission your existing database
How the GDPR affects Email Marketing
The need for consent for marketing
Consent is a little like what you might have called opt-in in the past. It gives individuals the option to tell you that they are happy to receive marketing from you in the future.
The issue is that the GDPR standard for consent is much higher than the majority of businesses will have met in the past. Therefore, the majority of marketing data that businesses hold does not meet The GDPR standard for consent.
It is inevitable that the GDPR will result in marketing databases shrinking, but there are steps that businesses can be taking now to make sure they can continue to use as much of the data they hold as possible after 25th May 2018 when the GDPR is enforced. The sooner organisations start this process, the more data they will be able to continue using.
From 25th May 2018, all marketing permissions must be “opt-in”, with a “clear affirmative action” required. Failure to opt out will not be considered valid consent. Consent must also be granular, with separate options being provided to subscribers.
But this presents a problem to marketers. Passive consent has been shown to have a higher conversion rate which is, presumably, why so many digital marketers have relied on passive consent in the past. In a study, “Defaults, Framing, Privacy: Why Opting In-Opting Out”, Eric Johnson looked at how different approaches to getting permission affect the conversion rate:

We can take percent participating to be the conversion rate for the purposes of this discussion.
There is a significant increase in the proportion of conversions in the second and third options when compared to the first and fourth options. That is, changing the decision from “notify me” to “do not notify me” reduces the conversion rate by approximately 50%.
So how do we overcome this problem?
- Organisations are being forced to become more savvy about running re-engagement campaigns with their databases now as part of the process of re-consenting which I’ll talk about later in this post.
- Organisations are taking the time to focus on the design of their lead capture forms as part of the process of upgrading them for GDPR compliance.
This means that some of my clients are actually improving their landing page conversion and email marketing engagement rates through the process of becoming GDPR compliant.
It’s an opportunity to take stock, review and renew.
The businesses that will benefit the most have already started this process but the more time you have, the more effective your effort is going to be before the May 2018 deadline.
So if you haven’t started working towards GDPR compliance for your digital marketing, there will be no better time than right now.
What is the GDPR standard for consent?
In order to conduct any data processing using consent as the basis for processing, the consent must be unambiguous and this requires “clear affirmative action”. Consent must be “explicit” for “sensitive data”.
If someone checks an unchecked box that says “yes I agree”, this could be considered a clear affirmative action that should satisfy the consent requirements for both personal data and sensitive data processing. Failing to uncheck a pre-checked box is not sufficient.
In email marketing, “explicit consent” and “double opt-in” have been used interchangeably in the past. But “explicit consent” in the context of the GDPR does not just mean ensuring that all of your data subjects have double-opted in.
It does mean that they have explicitly agreed to your privacy policy and terms and conditions around how you will process their data and that those conditions are clear and transparent.
This means that your privacy policy and terms and conditions need to be easy to read and be very clear as to how you will store and use personal and sensitive information.
In summary, if you want to do anything with someone’s personal data you have to tell them, they have to agree to it, and you have to be able to prove that they have agreed.
The most common reasons why organisations will not be able to use their mailing list from May 2018
Many of my clients are saying “everyone on our list opted in on our website and we have an unsubscribe link on our emails so that should be good enough for The GDPR”.
The problem is, the rules have changed and that may not be sufficient anymore. If you want to continue using your valuable customer data for marketing beyond May 2018, you will need to bring it up to the GDPR standard for consent.
The most common issue is the use of pre-checked boxes, for example, a checkbox indicating that the user wants to “receive regular offers and updates” at the end of an online order process.
The second most common issue is that one or more of the following pieces of information were not provided at the time of opt-in, or it cannot be proven that they were provided at the time of opt-in:
- A clear explanation of how the data would be processed
- The identity and contact details of the controller
- Details of any recipients of the data including any third party systems where data is stored e.g. cloud-based email marketing or CRM systems (MailChimp, Campaign Monitor, Infusionsoft, Hubspot etc), email providers, cloud storage providers
- Details of any countries to which the data will be transferred. It is often the case that data will reside on servers in other countries especially when using cloud service providers including those above.
- The retention period of the data or the criteria used to determine the retention period
- The existence of the data subject’s rights (e.g. the right to be forgotten, the right to object, the right to data portability etc)
- The right to withdraw consent at any time if relevant (which it is in the case of most marketing)
- The existence of automated decision making including profiling and information about how those decisions are made, the significance and the consequences
- A statement about the right to complain to the Data Protection Authority
What I learned at the GDPR seminar I attended
I recently attended a seminar with a panel of presenters including the Deputy Information Commissioner and a lawyer specialising in data protection. Here I outline the two most important things that came out of the session for my clients.
In terms of email marketing, is consent the only valid basis for processing or could we use legitimate interest?
I originally considered that legitimate interests might be a basis for processing for marketing for some of my clients. I posed the following question to a panel of data protection experts at a recent seminar about the implications of The GDPR for digital marketing:
“Let’s assume an online retailer has a database of 20,000 customers. 10,000 of these customers have opted into receiving marketing emails at the time of order but this was through a pre-checked checkbox and therefore does not meet the GDPR standard for consent.
8,000 of the customers that have opted into the marketing have engaged with a marketing email in the past 3 months and benefit from the offers. It would cause a significant reduction in sales for the business if they were no longer able to market to this mailing list.
Is it worth the online retailer taking legal advice to determine whether they might be able to continue marketing to the 8,000 engaged customers on the mailing list on the basis of legitimate interest?”
There were at least 3 e-commerce businesses in the room in the situation outlined above. One of the panel members was a lawyer specialising in data protection who would have benefitted from having the opportunity to advise them on whether legitimate interest could help them to continue using their customer and subscriber data without re-consenting / re-permissioning.
But the response from the panel was that because consent had been used as the basis for processing in the past, it would be very difficult to justify a change to legitimate interest as the basis for processing and therefore the best approach would be to re-consent/ re-permission as much of the list as possible and remove anyone who did not re-consent from the database.
Can we just send an email to our database with an updated privacy policy giving them the option to opt out if they don’t want to continue receiving communications?
I have received a number of GDPR related emails from companies including airlines and software as a service providers informing me of changes to their privacy policy. This led me to wonder whether just providing an updated privacy policy and the option to opt out would be sufficient.
I posed a question to the panel:
“Would it be sufficient for organisations to email their existing marketing database with all of the information required to bring their consent up to GDPR standard and give them the option to withdraw their consent if they don’t want to continue receiving communications?”
The simple answer is no. The problem is that consent requires “clear affirmative action” and, therefore, failing to withdraw consent is not the same as giving consent.
But what about for customers rather than leads and subscribers? PECR/ePrivacy says that contacting existing customers may be acceptable. However, how long is someone a customer? A month after their last purchase, 6 months after their last purchase?
Therefore, from an email marketing perspective, we are left with needing to re-consent our database of subscribers, leads, and customers.
What I learned from my call with the ICO
Following this seminar, I went on to contact the ICO directly as I had been receiving conflicting information about whether it is possible to continue marketing to existing customers and leads or whether they, as well as subscribers, will need to re-consent to marketing to the GDPR standard.
The very helpful advisor referred me to page 39 of the Direct Marketing guidance. This is well worth a read if you think this might apply to you but, in summary, it may be possible to continue marketing to existing customers where contact details were obtained during the course of a sale (or negotiations for a sale) of a product or service to that person, where similar products and services are being marketed, and where the person had an option to opt out of marketing both when their details were first collected and in every message after that.
I then took it a stage further and asked whether people who had subscribed to a mailing list to receive information about products and services, or notifications about upcoming events could be considered customers (and therefore we could continue marketing to them) because they had expressed an interest in our products or services. The advice from the ICO’s advisor was that they would need to re-consent to the GDPR standard because it is unlikely that they could be considered to be in negotiations for a sale. They had simply subscribed for information.
What almost every business that uses digital marketing needs to start working on today
Step 1 – Update your website terms and conditions, cookie policy, and privacy policy
The first step for almost all organisations that are looking to make their digital marketing GDPR compliant will be to update their website terms and conditions and privacy policy.
The website terms and conditions, cookie policy, and privacy policy are the easiest way to communicate the key information to data subjects that you are required to communicate at the time they share their personal data with you.
This will include:
- The purpose of and legal basis for processing the data including all legitimate interests pursued by the controller.
- The source of the personal data.
- Details of recipients, or categories of recipients, of the data
- Any countries that the data is transferred to and what safeguards are in place. These are known as approved transfer mechanisms.
- The period for which the data will be stored or the criteria that will be used to determine how long the data will be stored for (the retention period).
- The existence of the rights of data subjects.
- Confirmation of the existence of the individual’s right to request access to, and rectification or erasure of, personal data as well as the right to restrict or object to processing concerning the data subject, and the right to data portability.
- The existence of the right to withdraw consent that has been provided previously.
- The identity and contact details of the controller (and where applicable, also the controller’s representative).
- The contact details of the data protection officer (if applicable).
- Details of the right to complain to the Data Protection Authority.
- Whether data provision is a statutory or contractual requirement or a requirement necessary to enter into a contract including whether the data subject is obliged to provide the personal data and the possible consequences of the failure to provide the data.
- Details of where the legitimate interest condition has been relied upon.
- The existence of any automated decision making including profiling. Provide information about the logic involved as well as the significance and consequences of such processing.
- Any additional information that is needed considering the circumstances in which the data is or is to be processed.
Step 2 – Update the design of lead capture forms on your website
Once your new policies are ready, the design of your lead capture forms is the next piece of the puzzle.
The key elements of your new lead capture forms will include:
- A clear explanation of what the user is signing up for
- A checkbox (that is not pre-checked) and that is required to be checked by the user before the form can be submitted. The text alongside this will read something along the lines of “I agree to the terms and conditions and privacy policy of Your Company Limited”. The words “terms and conditions” and “privacy policy” are linked to the relevant policy pages on your website.
Here’s an example of what this most basic version of the form might look like:

But the design of your form is going to directly impact the conversion rate (the number of people who submit it). Because the user now has to tick a box before they can submit the form (remember it can’t be pre-checked), it is likely that your conversion rate will fall.
That’s why we recommend investing some additional time into your form design to ensure that it will convert as many of your visitors as possible.
High converting GDPR compliant consent form example

1. Social Proof
Using social proof (in this case letting the user know that they are joining a large number of others who have trodden the same path) is proven to improve the conversion rate of lead capture forms.
Examples of social proof that can improve the conversion rate of lead capture forms include:
- Customer Testimonials
- Logos of companies that are well known and that you have worked for in the past
- Case studies
- Review, rating and customer feedback
- Number of followers or shares on social media
- Number of customers, users, or downloads
- Statistics and research
- Celebrity or expert endorsements
2. Clear Benefit
Be clear about what the user is going to get and explain why that is good for them.
By explaining exactly what the benefit of handing over valuable personal information is, rather than just saying “subscribe here” you will compel your visitor to go to the effort of completing the form.
Think about it. Would you be more likely to accept an offer of “join our mailing list” or “Join 500 other people just like you, get this great thing, and benefit in this awesome way”?
This also helps with your GDPR compliance because you are clearly explaining what the user is signing up for.
3. Required Fields *
It almost goes without saying but denote required fields with an asterisk (*).
Most users will realise that this indicates a required field, and knowing which fields are required up front results in fewer failed form submissions and fewer frustrated users.
4. Directional Cues
Directional cues, in this case small triangular cutouts that look like arrows, draw the eye of the user and clearly indicate the path that you are asking them to take. This is going to be increasingly important in terms of conversion rate optimisation now that your form is longer.
5. Open and Transparent
The GDPR requires you to be clear about how you will use data. Be upfront and use language that is easy to understand. In this example, we have made the terms and conditions very clear and explained why they benefit the user.
6. Checkbox
The GDPR requires unambiguous, clear affirmative action. A checkbox that is unchecked when the form loads and has to be checked before the form can be submitted, where the user is asked to agree to your policies, appears to be the clearest way to do this.
7. Links to Policies
There is certain information that you need to provide to data subjects at the time they provide you with their personal data. Some of this is outlined in my separate post about privacy policies, which seem to be the clearest way to provide this information.
To ensure that it is very clear that the information has been provided and agreed to, it is a good idea to link to the privacy policies when you ask for consent.
8. Upsell Section
The GDPR requires that consent is “unbundled”. This means that users should be given the option to consent to one thing and not another. One example of this is where you have multiple mailing lists.
For example, you might decide to allow subscribers to join a range of different mailing lists. Let’s assume someone signs up to receive invitations to your future events. This doesn’t give you permission to start marketing unrelated offers to them.
However, on the opt-in form for the event invitations, you could up-sell a subscription to your mailing list for your latest offers.
That is exactly what the upsell section is designed to do. When promoting this up-sell you need to make the benefits clear. Promote the benefit to the user rather than simply asking them whether they want to “subscribe” or “receive notifications”.
9. Upsell Option Field
Once you have introduced the upsell, it’s time to display the field where the user will decide whether or not to opt-in to the upsell. After testing a number of approaches, the one that has had the highest conversion rate for our clients has been to provide both a yes and a no option with neither pre-checked and the field being “required” so that the user has to select one of the options before the form can be submitted.
Pre-ticked opt-ins in the past have often been hidden in light grey, in a small font, and positioned where they are easily missed. You should do the opposite. Use colour, larger fonts, icons – whatever it takes to draw the eye.
Taking this approach we have seen opt-in rates as high as 73%.
In his study “The Downside of Defaults”, Jeffrey Brown explains that a passive choice will almost always decrease people’s feelings of commitment to / motivation to act on the outcome.
Why is this important?
Because the subscriber has made an active decision to opt in, they are more likely to be engaged. Even if the same person would have been happy to be opted in by default, making an active decision will make them a more engaged subscriber.
10. Submit Button Text
A study by @danzarella that looked at 40,000 landing pages found that landing pages with submit buttons labelled “submit” tended to have lower conversion rates than those that used other wording.

(Image courtesy of @danzarella)
Whilst every landing page is going to suit a different call to action on the submit button, here are some ideas that you might want to consider.

(Image courtesy of @danzarella)
Step 3 – Work out how to document what the subscriber was told when they gave consent
The burden of proof that consent has been given is high. You must be able to provide reasonable evidence to demonstrate that you have complied with the GDPR if requested and this includes demonstrating what you told the subscriber when they gave their consent. This might include the content for the consent form, your privacy policy, terms and conditions and any context around the consent form.
In the past, most organisations have not stored this information but it will now have to be presented on request.
This is a big change for many email marketing and CRM platforms. These platforms usually store the IP address, location and time at which someone submitted a form, but not the form itself. This is not sufficient under the GDPR.
As a minimum, it would be wise to include a screen grab of the page where consent was obtained if your email marketing or CRM platform does not support this automatically. Of course, you will need to know which version of the page each visitor signed up on if you are running split tests or if you regularly update the content of pages. You should also keep a clear log of any updates to your policies and terms and conditions over time.
Some of our current clients use Infusionsoft for their CRM and marketing automation and when a contact fills out a form that is generated through Infusionsoft, a copy of the form is added to the contact’s record. This will go some way to solving this problem for these clients but there are still some challenges around split tests and the content surrounding the form if the form is embedded on their website.
Step 4 – Re-permission your database
Where existing data does not meet the standard required by the GDPR you will need to re-permission / re-consent. This is the process of getting new, valid, consent from the individuals in your database.
Cleanse your database
Before you begin the process of re-permissioning you will want to ensure you have all of your data in one location and that it is properly deduplicated.
You will probably want to delete any records where emails have hard bounced. If these are valuable customers, then it may be worth making a personal approach. If not then you don’t want to waste your time trying to re-permission them.
For contacts that haven’t engaged with any of your campaigns recently, this is a fantastic opportunity to re-engage them with your brand as well as to re-permission them, so it is worth leaving inactive contacts in your workflow.
Only re-permission those who have given consent (or use a method other than email to reach them)
Under current rules you can approach B2B customers and prospects for consent as long as:
- They have not previously opted out.
- They are not a sole trader, whose email needs to be treated under B2C rules.
Sending a re-permissioning email to an individual who has opted out (even if they have previously subscribed) is a breach of existing rules. As Honda and Flybe learned – it’s not a good idea to try to re-permission these individuals.
You may be able to reach these individuals by another means – for B2B marketing channels other than email (like post), legitimate interest may be an appropriate approach to re-permission individuals who have previously unsubscribed from email, but not opted out of direct mail.
Consider a personal approach
Once you have a clean data set, identify the most engaged subscribers, leads and customers. Highlight those that are most valuable to your business. Depending on your business and the size of your database, you will probably want to consider a personal approach to the highest value individuals in your database.
GDPR re-permissioning campaign ideas
A simple email informing individuals that are already in your database that the law is changing and that to continue receiving emails from you they need to re-consent. Then provide a link to a landing page where they can re-consent.
Add a banner to every email sent to existing subscribers over the coming months informing them that they need to re-consent. Again, provide a link to a landing page where they can re-consent.
Start a VIP club where subscribers get access to exclusive discounts / events / products / services as appropriate to your business. Promote this through your usual digital marketing channels. As well as attracting new subscribers, this is an effective way to re-engage and gain consent from your existing subscribers.
Promote a discount code that is emailed to individuals that sign up to receive it. On the form that is used to capture their email so that you can send them the discount code, upsell a subscription to your marketing list.
Promote a competition, the result of which is emailed to individuals who enter. Upsell a subscription to your marketing list on the entry form.
Ask existing customers to re-consent when they visit your website through a popup or other message.
Got a question?
Do you have a question or an idea for an alternative approach? I’d love to hear from you in the comments below.