Everything Email Marketers Need to Know About the GDPR
Everyone in email marketing has been talking about the far-reaching consequences of Europe’s new GDPR law, but what does it mean for you day to day?
Confused about what the General Data Protection Regulation (GDPR) means for you and your email marketing efforts?
The GDPR came into effect in May 2018 and it’s already impacted businesses across the globe.
While this European Union (EU) regulation aims to protect the private information of European consumers, it’s also changing the way U.S. businesses and email marketers operate.
Read on to discover the ins and outs of this new law and its impact on U.S. marketers.
What is the GDPR?
The GDPR is an EU law that protects user data and puts the power back in the hands of EU citizens.
It requires companies to collect affirmative, active consent that is “freely given, specific, informed, and unambiguous” for any EU subscribers.
Companies must also track and keep a record of all consents obtained from EU subscribers, including their name, time of signup, what was written in the form they filled out, how they consented, and whether they’ve withdrawn their consent.
Beyond consent, the GDPR also lays down the law when it comes to managing user data. Companies must manage EU consumer data carefully, and allow consumers to control, monitor, check, move, and delete any data related to them.
The EU’s GDPR was established to provide data protection to EU citizens, no matter where their data is used. If you’re working for a large, global enterprise, then this will undoubtedly impact you, as companies located outside the EU still need to abide by GDPR rules if they obtain data from EU citizens.
And you’ll want to abide by these rules: fines can reach a staggering 20 million euros or up to 4% of a company’s annual turnover (whichever is larger!).
So as a U.S. marketer, how can you navigate GDPR compliance while avoiding these crippling fines?
Ensuring GDPR compliance
Under the GDPR, companies must provide a “reasonable” layer of protection over personal data. Personal data is defined as any data set or information that can be used to identify an individual.
To ensure compliance, companies should establish processes and personnel to manage data correctly. Here are the basic areas you’ll need to cover:
- Identify and classify any personal data
- Track every data-related activity
- Employ data protection officers
- Monitor company-wide compliance
- Regularly check for vulnerabilities with risk assessments
When it comes to email marketing and tracking email consent, there are five critical components that you must implement to be GDPR-compliant:
- Consent must be actively given by the subscriber, like ticking an unchecked opt-in box (it’s not valid if the box is pre-checked!)
- Email consent must be requested separately from other terms and conditions, offers, services, privacy notices, or downloads
- It must be easy to withdraw consent, so you can’t require a login, charge a fee, require any information other than an email address, or ask users to visit more than one page
- Keep a record of all the email consents you obtain
- Ensure all your existing EU subscribers and email consents meet the above requirements
Now that you know how to ensure GDPR compliance, how will your business be impacted?
What does the GDPR mean for you?
It’s only been a few months since the establishment of the GDPR, but we’ve already seen some significant ripple effects. While some experts are still trying to gauge the impact of the GDPR on U.S. businesses, only time will tell what the far-reaching operational and financial repercussions are.
A report in Computer Business Review states: “Analysts estimate the cost of enabling customers to request Fortune 500 companies find and delete data held on them could hit $7.8 billion, the FT reports. This amounts to a rough average of $16 million outlay per organisation.”
Beyond the financial burden of EU data management, brands are also losing existing subscribers who are either ignoring privacy update emails, choosing not to actively opt in, or unsubscribing.
According to CNBC, “one email marketing firm said some of its clients have lost 80% of their email audience because they couldn't get customers to open those emails and say it was OK to keep sending them email.” While this is an extreme case, it does suggest the crippling effects of the GDPR for businesses.
Some U.S. companies are simply blocking EU users to avoid complying with these new regulations. Earlier this month, Nieman Lab reported that more than 1,000 U.S. news sites chose to block EU visitors. This impacts both Europeans who want to keep up-to-date with American news and any American tourists, business travelers, and expats in the EU.
Luckily, it’s not all bad news. Jake Saper (Principal, Emergence Capital) believes that this lack of compliance presents a rare opportunity for U.S. startups: “The most compelling reason for startups to invest in GDPR compliance is to build a competitive moat, allowing them to serve customers who demand compliance and box out competitors who can’t.”
We’re also seeing positive results regarding EU user consent, with consent management platform Quantcast recently reporting that more than 90% of visitors to EU domains are granting active consent. However, this rate is the average across EU-based web domains that provide consent screens to visitors, including those with EU IP addresses.
This GDPR requirement for active consent could also improve the performance of your email marketing campaigns. IBM’s 2018 Marketing Benchmark Report found that the average open rate for a Watson Marketing customer in Canada is 38%, while it hits just 17% in Latin America. Jay Baer, keynote speaker and founder of Convince & Convert, believes this difference in open rates is due to the introduction of the Canadian Anti-Spam Legislation (CASL), which led to better email list hygiene.
“We’ll see a similar scenario unfold in the USA and Europe, and open rates for emailers that have cleaned up their lists due to GDPR will see a bump upward in average open rate, since inactive subscribers are likely to have been purged to some degree,” predicts Jay.
Whether your company is GDPR compliant or not, the regulation’s effect is clearly wide-ranging. To help you better understand this space, we’ll be sharing more content soon, so sign up to the stensul newsletter to stay up-to-date.
If you’d like to discuss the GDPR and the future of email marketing in more detail, contact us at firstname.lastname@example.org or engage with us on Twitter through @stensul.
Disclaimer: This article is provided as a resource; it doesn’t constitute legal guidance. Contact your attorney for legal advice on how to interpret the GDPR.