The General Data Protection Regulation (GDPR), the European Union’s new privacy law, goes into effect on May 25. There’s no time to waste understanding and implementing the changes this law brings.
In this article, we dive into GDPR basics, what they mean, and how they affect your email marketing.
One of the biggest areas of change — and concern — is “consent”. Per Article 4(11) of the GDPR: “’Consent’ is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
What email marketers have widely accepted as consent through (passive or soft) opt-in, is now questionable under GDPR.
It indicates five conditions that need to be met:
not required as a condition of eligibility, access, etc.
given for a specific, intended purpose
given with awareness of how the data will be used, processed, maintained, etc., and the data subject’s rights
opt-in agreement was ascertained with viable certainty
clear affirmative action
opt-in process that requires an intentional, discernible, active action carried out by the subscriber to indicate consent
While arguably open to interpretation, and with language that’s rallied considerable consternation from the email marketing community, these rules boil down to doing the right thing with the personal data you collect.
Only send emails and information to people who’ve given you permission to do so for the purpose you told them.
when is consent required?
GDPR protects both citizens and residents of countries within the European Union (EU). The law not only applies to consent from new subscribers, it also applies to consent previously given by subscribers prior to May 25. You’ll need appropriate consent from these respective subscribers.
Even if you don’t believe a subscriber is an EU citizen or resident, following the same data consent and compliance process for all of your subscribers — no matter where they are in the world — creates ease and efficiency in the long run.
Additionally, the opportunity yields a subscriber who’s likely to be more engaged.
“’Personal data’ is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
That’s a direct quote from the GDPR about personal data, and boy, is it a mouthful!
What it says in the vernacular is any data used to identify an individual, by itself or as a composite data point, is considered to be personal data. In most cases, consent is necessary to collect and process this data — and limited to just data that’s needed for the specific opted-in purpose.
Data that’s particularly sensitive in relation to someone’s fundamental rights and freedoms, requires that “explicit consent” be given. Multiple, discrete actions carried out by the person (actively, intentionally, and discernibly) may be necessary to achieve this.
Per Article 4(4):
“‘Profiling’ [is the automated processing of personal data] to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
In many cases, automated “profiling” requires the data subject should be aware and/or give “explicit consent” (where there’s significant effect to the individual). Multiple, discrete actions carried out by the data subject (actively, intentionally, and discernibly) may be necessary to achieve this.
Email tracking can provide multiple data points related to the delivery of an email to a subscriber:
if/when the email was read (and number of instances)
what URLs were clicked on
email server data (e.g., IP, geographic location, etc.)
email client, browser and device/OS
“Consent” is just one of several lawful bases for emailing (i.e., data processing).
Most commercial emails — marketing related or advertising based — will likely require “consent” as a lawful basis.
Transactional messages or customer notifications could be considered lawful in order to fulfill a contractual obligation.
For B2B marketing, “legitimate interest” is an arguable alternative to “consent” (as a lawful basis). Although GDPR protection could be applicable when a business email address can identify an individual, the UK’s ICO adds guidance to be compliant when relying on this basis.
conclusion: get on board with GDPR basics
Understanding – and implementing – GDPR basics is no joke. You must get these right, or you could face severe consequences. For more information, return to our blog over the next few days. We’ll be posting additional information about this formative law.