As we’ve discussed already in the previous articles, it does not matter if you don’t even dwell in the EU. If your visitors include the people from this part of the world then you can face the brunt of the General Data Protection Regulation (GDPR).
New GDPR legislation has been brought in to help give customers more control over their data. This has led to many businesses getting data consultancy to not only make sure they’re compliant but also to find the patterns behind their business’s operations and convert them into effective actions. It can be harder to make the necessary changes to become compliant, especially if you have any ongoing email campaigns.
And that’s quite obvious since you’re collecting email addresses and other information (using RocketReach or similar email finder tools) that can locate your subscriber. Hence, it is deemed as private information and therefore, GDPR safeguards apply to it.
So it’s necessary that not only your blog or website but the email campaigns are also GDPR compliant. In order to maintain this kind of compliance in your email marketing, you could also consider using an email marketing calendar, or something similar. The said email marketing calendar can also help you stay organized and to be more strategic about what content you send out to your email subscribers. Moreover, if you were to use themes and dates as a guideline for your email content, it might enhance the results of your campaign as well.
In this article, we will learn how to make your email campaigns GDPR compliant in general, as well as how to achieve this compliance as a user of the email marketing software, GetResponse.
However, before jumping right in, just in case you’re not aware of nuances of the
How will GDPR Affect your Email Marketing Campaigns?
The underlying principle of the GDPR legislation is unambiguous, clear and explicit consent. This applies to every facet of the web, wherever user data is collected, stored, tracked or processed, whether that is a blog, a contact form or an email opt-in form.
You need to be clear about your intentions of how and why the information is being collected.
This obviously impacts your email marketing too, as you now have to change the way you seek, obtain, store and manage the
When you collect information from your subscribers, you need to be wary of the following:
- New subscribers opt-in rules
- A system to track user consent
- Allowing your subscribers to request, edit and/or delete their information.
Given the above basic requirement, the following best practices are recommended:
1. Always go for double opt-in
A single opt-in is when a user submits his/her email address and other information in the opt-in form and is added to your email list immediately. No additional confirmation is received from the subscriber. The mere act of entering his information in the form is considered
To keep the risk of exposure at the minimum, the best practice is to always go for the double opt-in forms in your email campaigns.
What this means is that whenever a visitor subscribes to your email list, you send them a confirmation email asking whether they are sure they want to subscribe.
Note that merely sending an email asking the subscriber to confirm does not constitute confirmation or consent. The subscriber needs to express his consent by performing a specific action (say, clicking a link).
If you’re a GetResponse user, I’ve written a separate article about how to create double opt-in forms in GetResponse. I hope you’ll find it useful.
2. Review and Disclose your Data Practices
You need to disclose your data practices, stating what information you collect and how you intend to use it.
3. Allow users to download, delete or modify their information
Your subscribers should be able to download, delete or modify their information in your database. This does not necessarily mean providing them with an interface to do so. They can simply send you an email, and you should oblige.
4. Keep a complete audit trail of how the user information ended up in your database
This information includes how the user subscribed to your email list, their location, consent history and basically every piece of information that’d constitute as
In other words, if need be, you should be able to present enough information to prove that proper consent was received pertaining to any information.
If you follow the above practices, you’ll significantly reduce the risk of being penalised for a breach of GDPR.
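To make practices 1 and 4 concrete, here is an added example (not code from the original article or from GetResponse) of a double opt-in flow: a subscription request only creates a pending record, consent is granted solely by a click on a link carrying a random, single-use, expiring token, withdrawal is honoured, and every step is written to a per-subscriber consent trail. The 48-hour link lifetime and the `source` label are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN_TTL = 48 * 3600  # assumed policy: a confirmation link is valid for 48 hours

@dataclass
class Subscriber:
    email: str
    source: str                    # which form/page the address was collected on
    requested_at: float
    token: str                     # random, single-use confirmation token
    confirmed_at: Optional[float] = None
    audit: List[Tuple[str, float]] = field(default_factory=list)  # consent history

class DoubleOptIn:
    # Pending -> confirmed state machine with an append-only consent trail.
    def __init__(self, now=time.time):
        self.now = now
        self.pending: Dict[str, Subscriber] = {}    # token -> unconfirmed subscriber
        self.confirmed: Dict[str, Subscriber] = {}  # email -> consenting subscriber

    def request(self, email: str, source: str) -> str:
        """Form submission: record the request, return the token for the confirmation link."""
        sub = Subscriber(email, source, self.now(), secrets.token_urlsafe(32))
        sub.audit.append(("opt-in requested from " + source, sub.requested_at))
        self.pending[sub.token] = sub
        return sub.token  # only a click on the link carrying this token counts as consent

    def confirm(self, token: str) -> Optional[Subscriber]:
        """Link clicked: consent is recorded only for a valid, unexpired, unused token."""
        match = next((t for t in self.pending if hmac.compare_digest(t, token)), None)
        if match is None:
            return None
        sub = self.pending.pop(match)             # single use: a second click is rejected
        if self.now() - sub.requested_at > TOKEN_TTL:
            return None                           # stale link: treated as no response
        sub.confirmed_at = self.now()
        sub.audit.append(("consent confirmed via link", sub.confirmed_at))
        self.confirmed[sub.email] = sub
        return sub

    def withdraw(self, email: str) -> bool:
        sub = self.confirmed.pop(email, None)     # subscriber asked to be removed
        if sub is not None:
            sub.audit.append(("consent withdrawn", self.now()))  # keep the trail
        return sub is not None

    def can_email(self, email: str) -> bool:
        return email in self.confirmed            # marketing mail only with recorded consent
```

The `audit` list is what you would hand over if asked to prove when, and from which form, a given address consented; unconfirmed addresses never pass `can_email`.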
While you wrap your head around the above best practices, I believe it’s best to discuss a
Question 1. Does GDPR compliance only apply to subscribers enlisted after May 25th, 2018?
NO. The GDPR applies retrospectively to subscribers who joined your list even before the law came into force.
What you can do now is send your subscribers a confirmation email seeking consent to remain on your list. No response from them should be treated as a refusal.
Question 2. Can you still buy email contact lists?
Many email marketers rely on third-party lists to convey their “message”. So the big question is, is this allowed under GDPR?
For me, it’s a grey area.
Let’s say A buys an email list from B. A writes an email and sends it to the contacts on B’s list from his own domain. Is this practice still allowed?
Well, it is highly NOT RECOMMENDED. The reason is that the data processor must be able to demonstrate consent, and when you buy a list from a third party it becomes difficult to prove that agreement or consent was given.
Let’s say B did obtain the contacts’ consent to receive emails from A and any other marketer. Even then, A will have to confirm, by performing due diligence on his part, that the list indeed complies with GDPR.
In other words, a mere statement from the seller of the data that the list complies with GDPR does not absolve the buyer from the repercussions.
Under GDPR, it’s the data buyer’s responsibility to carry out due diligence on the seller to make sure:
- The data is current.
- The seller has permission from the individual to pass their data onto you.
- The individual’s consent for your type of planned marketing is valid.
- The consent is recent enough to still be valid.
To understand further, here’s an informative article discussing the same in detail.
How to Make your GetResponse Email Campaigns GDPR Compliant
So given the above information, I’m sure you can work out for yourself the main steps you need to take to comply with this much-hyped and feared European law.
Nevertheless, I’ll mention a few to make your life easier:
- Avoid single opt-in subscription forms and use double opt-in instead. If you already have single opt-in GetResponse subscription forms placed on your blog, you can easily convert them to double opt-in. Just follow the instructions in this article (How to create double opt-in forms in GetResponse).
- The GDPR field should have an unmarked checkbox where the subscriber has to explicitly mark it to express his consent.
- I’d also recommend keeping the color and size of the text of the GDPR field(s) the same as other fields in your subscription form.
- You should maintain a proper consent-tracking system in case you need to perform an audit. Fortunately, with GetResponse you can easily meet this requirement, as GetResponse comes fully equipped with a proper record-keeping system.
- If you have subscribers from Europe who joined before 25th May 2018, you may need to send them a confirmation email asking whether they agree to receive marketing emails from you.
Following the above guidelines will keep you in the safe zone when it comes to abiding by the GDPR. However, the tips in this article do not equate to legal advice, and I’d suggest you seek legal counsel if you think you need any extra details or that your case is unique.
Secondly, I’d also suggest keeping a continuous, watchful eye on your data protection and management practices to make sure that you do not fall short of these best practices.