If your website uses email marketing, there's some new legislation you should know about. The General Data Protection Regulation (GDPR) is a new privacy-focused law that went into effect earlier this year. Among other things, it may require you to obtain consent for some of the email marketing your company does.
Fortunately, there are steps you can take to protect yourself from GDPR fines. By understanding what the regulation covers and following a few simple steps, you can more easily ensure compliance and avoid penalties.
In this article, we'll review what the GDPR is and discuss how it affects email marketing. Then we'll explain how you can comply with its requirements. Let’s get going!
An Introduction to the GDPR
The GDPR is a new set of laws in the European Union (EU), which protects digital privacy and regulates various types of online consent. The GDPR hasn’t been around for very long yet – it went into effect in May 2018.
The main goal of the GDPR is to give EU citizens more control over how their information is gathered, stored, and used online. It assigns new responsibilities to websites that collect visitor and customer data, such as obtaining informed consent and enabling users to erase their data if requested.
What's most important to understand about this new law is that it applies to any site that collects data from EU citizens, regardless of where the site owner or company is located. This means that even if your business is not based in Europe, the GDPR will almost certainly affect you.
Even if you aren't sure whether any of your website visitors or email list subscribers are from the EU, you'll want to adopt a “better safe than sorry” approach. GDPR violations can carry huge fines – up to 20 million pounds or 4% of your global revenue, whichever is higher.
In the next section, we’ll discuss how to make sure your email marketing list complies with GDPR requirements. However, keep in mind that the GDPR applies to more than just your email marketing, and includes your website itself. If you haven’t done so yet, you'll also want to configure your MemberPress settings to comply with the GDPR.
How to Optimize Your Email Marketing for the GDPR (In 4 Steps)
In the next few sections, we’ll look at how to achieve GDPR compliance when it comes to your email marketing. It’s crucial to get your email campaigns ready to go now, before the big holiday marketing push. Just remember that these are only suggestions, and you may also want to consult a lawyer to ensure that your business as a whole is GDPR-compliant.
Step 1: Check with Your Email Marketing Service
The first step is to find out what specific tools your email marketing platform offers to help you out. In the wake of the GDPR, many email marketing services have released GDPR-compliance guides specific to their platforms.
For example, the popular MailChimp service offers a GDPR consent collection form, with detailed instructions on how to use it:
If your email marketing service does not offer the features you need to ensure GDPR compliance, it may be time to switch services. Fortunately, there are many email platforms to choose from that are compatible with MemberPress.
Step 2: Obtain Consent from Your Subscribers
An important aspect of the GDPR is that you must obtain informed consent in order to store user data (including email addresses). That consent must be “freely given, specific, informed, and unambiguous.”
If your list may contain addresses that were added without their owners' explicit permission, you may want to send out an email now asking for consent to remain on your email list. This is also important because the GDPR requires proof of consent for data collection.
You can obtain that proof by sending out a GDPR consent collection form. Again, your email marketing service may offer tools to help you do this. In MailChimp, for example, you can collect new subscriptions using a GDPR consent opt-in, by navigating to Create List in your user dashboard:
Scroll down to Form Settings, and choose Enable GDPR fields:
As we mentioned, you'll also need to obtain consent from your existing subscribers. To do that, create a new campaign and choose the Email option:
Create a Regular email campaign, and select Design Email under the Content section:
In the Themes tab, choose Subscriber Alerts from the drop-down menu, and select the GDPR Subscriber Alert theme:
You can now edit the text and theme as needed. Plus, you can customize the message to encourage your users to re-subscribe to your list. Then, you just need to send it out! Don't forget to remove the emails of subscribers who don't provide informed consent in this way.
Step 3: Add a Clear Opt-Out to Your Email Footers
The GDPR also requires that you enable users to withdraw consent. In marketing emails, this can simply be an Unsubscribe button (something you may already have).
Even if you do have a default unsubscribe option, you should still be able to add a custom message. Most email marketing services have a feature you can use to configure unsubscribe options.
To edit this in MailChimp, start by creating an email campaign. Then, select Edit Design under Content once again. Scroll down to the bottom of the email, and click on the pencil at the top of the design block containing the “unsubscribe” information:
This will bring up a text editor, which you can use to add a custom message. When you’re done, click on Save & Close:
Some email marketing services even let you edit the unsubscribe page itself. That way, you can add a message encouraging your subscribers to remain on your list.
Step 4: Review Your Data Retention Practices
Finally, the GDPR also holds you accountable for how you store user data. It requires that any retained data (such as a copy of email addresses stored in a file on your computer) be stored securely, and not held for longer than needed.
The Information Commissioner’s Office (ICO), the UK's data protection regulator, has put together a guide on data retention and the GDPR. If you are a large organization, you may be required to create a data retention policy (consult with a lawyer if you're not sure). However, even smaller businesses should follow the ICO’s checklist and make sure they understand the GDPR’s data retention rules.
The most important point is that these rules emphasize the minimization of stored data – you must have a legitimate reason for any information you retain. So, for example, your email marketing campaigns may be a reason to store subscribers' email addresses. However, they wouldn't be a legitimate reason to hold onto their credit card numbers (and so on).
The new GDPR regulations mean that you must be careful with how you collect and store personal data from EU citizens, or you might face a fine. Even if your business is not located in the EU, if there is any chance that your email list includes EU-based subscribers, you should make an effort to comply.
To make sure your business's email marketing campaigns are GDPR-compliant, you can:
- Check with your email marketing service for GDPR-specific guides and tools.
- Obtain informed consent from your subscribers.
- Add an opt-out in your email footers.
- Review your data retention policy.
Do you have any questions about the GDPR and how it affects email marketing? Let us know in the comments section below!