With the General Data Protection Regulation (GDPR) taking effect in only a few short weeks, plenty of questions abound about the who, what, when, where, why and how of compliance. This is particularly true when it comes to email marketing, so we have compiled a list of some of the most pressing and popular GDPR questions we’ve heard from email marketers.
What needs to be on a web form for consent?
A web form needs to contain a few things to meet the GDPR requirements for consent and transparency:
- The company’s identity must be displayed.
- The reason for collecting the information must be clearly stated.
- There must be a way for the subscriber to actively mark their consent (e.g., an unchecked box, radio buttons or a slide).
- Each processing operation or channel needs to have a separate consent option; this means if you want to communicate with the subscriber by SMS, postal mail and email, each communication channel should have its own consent.
Relevant GDPR sections regarding consent:
Articles 4(11), 6
Recitals 32, 38, 42
What needs to be documented for consent?
The data controller (you can learn more about data controllers and data processors in this blog post) has the obligation to demonstrate that consent was obtained. We suggest that the controller documents the following elements to be able to demonstrate consent:
- How the consent was obtained.
- When consent was obtained.
- Who gave the consent.
- What processes are being consented to.
- What information was provided at the time of consent.
Relevant GDPR sections regarding consent documentation:
Does consent have an expiration?
No. There is no official timeframe within which consent will expire. As of now, we recommend the use of common sense and context given the lack of published definite timeframes or best practices. At a minimum, consent is required prior to the beginning of data processing and at any time there is change to the processing type or scope. How often consent is refreshed should be based on the length of the sales cycle and what makes the most sense for the organization.
The consent guidance published by the EU Data Protection Working Party discusses this subject in more detail.
Does GDPR require a confirmed or double opt-in?
GDPR requires “explicit” consent for processing of “sensitive” data. There is a distinction between “active” or regular consent, where the data subject needs to take an action to confirm consent and “explicit” where the data subject must provide “an express statement of consent.” Per GDPR, confirmed or double opt-in would only be required if you were to process sensitive personal data. The consent guidance provides a few different examples about how this can be achieved. One of those examples is what is referred to as “two stage verification of consent,” (what we know as confirmed or double opt-in).
However, for marketing purposes in general, double opt-in is a best practice in that it allows you to verify the owner of the email address and that they want to receive the communications.
Relevant GDPR sections regarding consent documentation:
Article 4(1), 9
The consent guidance published by the EU Data Protection Working Party discusses this subject.
Can I use the opt-ins that we already have or do we need to get refreshed opt-ins?
If the opt-ins that you currently have meet both the consent requirements and the consent documentation requirements, there is no obligation to refresh the opt-ins.
If the opt-ins you currently have don’t meet one of the criteria, you’ll want to re-permission your marketing lists.
Re-permission campaigns, where you ask your currently opted-in subscribers to resubmit their preferences (in a way that meets GDPR requirements) doesn’t have to be just a one-off email campaign. Having an email campaign with two or three touches including an initial communication and then some reminders will give your subscribers the opportunity to submit their preferences. It doesn’t have to be a standalone campaign at all; including calls to action for preference updates in existing campaigns (newsletters, for example) is a great way to get the word out.
Which contacts can be re-permissioned?
Only subscribers that are already opted-in to your marketing communications can be asked to refresh their preferences. If a subscriber has opted-out/unsubscribed previously, you cannot email them again asking them to consent to marketing.
What do I need to know about web tracking?
GDPR doesn’t going into detail about tracking personal data on the web, but to be conservative you could apply the GDPR requirements of consent and withdrawal of consent to processing of personal data on websites.
The European Union’s new ePrivacy Regulation, expected to be published at the end of 2018 or the beginning of 2019, will cover electronic communications specifically including the internet, web tracking, cookies and online advertising. Most marketers are avoiding any major changes until the final ePrivacy regulation is published.
What do I need to know about email tracking?
Much like web tracking, GDPR’s detail about tracking in emails (opens, clicks, etc.) is limited. The ePrivacy Regulation is expected to provide more clarity around this subject. For now, many brands have included information regarding bulk email tracking, what is tracked, and why it’s tracked in their privacy policies or disclosures.
Is business data personal data?
GDPR does not make a distinction between personal data and business personal data. If the data can identify a natural person, then yes, it is personal data. The easiest example is email address. A general email address that could be received by many people (firstname.lastname@example.org) would not be considered personal data. But an individual’s work email address (email@example.com) would be considered personal data.