Email marketing is becoming more complicated in the age of digital privacy laws like the GDPR and the CCPA. Here’s what you can and can’t do in your email marketing campaigns.
Welcome to the age of data privacy, in which governments around the world are adopting legislation that limits how companies can collect and use the data generated by individuals. These laws have sweeping effects on virtually every aspect of how businesses engage potential customers in the digital world, including practices such as email marketing. In particular, the General Data Protection Regulation (GDPR) is considered the world’s strongest data privacy and security law.
If you’re thinking about launching an email marketing campaign, you need to be aware of data privacy laws that apply to your business. Failure to comply with these laws could result in significant financial penalties and damage your brand reputation.
Data privacy laws are regulations geared toward protecting individual users’ rights to a certain standard of data privacy and security. They typically include rules about how companies can collect and use individuals’ data and how companies must inform users about that collection and use. Data privacy laws are often vast and expansive, governing virtually every aspect of how a business engages with consumers digitally, including via email marketing.
Some of the most publicized data privacy laws are the European Union’s GDPR, which set the tone worldwide for a move toward stringent data privacy laws, and the California Consumer Privacy Act (CCPA), which was the first data privacy legislation passed in the U.S.
Understanding these laws — for both compliance today and for data privacy trends in the future — is essential for any business engaged in digital marketing or data collection of any kind.
The GDPR is the European Union’s overarching legislation on data privacy, which unified the baseline requirements among the 27 member nations. The GDPR applies to businesses that collect and use data on any EU-based user, regardless of where that business is headquartered or operating. That means U.S. businesses that collect data on European users are also subject to the requirements.
In regard to email marketing, the GDPR requires that businesses obtain a person’s consent before contacting them via email. This is known as the opt-in provision, and it is the basis of opt-in email marketing. Before you contact anyone via email, be sure you have their explicit consent.
Additionally, the GDPR requires that companies demonstrate how consent was obtained and whether any consenting users have since opted out or unsubscribed from newsletters (or other email marketing communications). Also, companies must be willing to delete the personal information of a user upon request and refrain from collecting unnecessary data.
GDPR violations carry steep penalties. Under the law, a company that violates the data privacy requirements could be subject to fines of up to 10 million euros (about $10.5 million) or 2 percent of the company’s annual revenue — whichever is greater. For many small businesses, fines of this magnitude could be fatal. However, in many GDPR violations thus far, the EU data protection authorities have declined to impose the maximum penalties permitted under the law.
Still, the threat of massive fines and lawsuits should make companies cautious about collecting user data.
The California Consumer Privacy Act (CCPA) is California’s data privacy law. It was modeled largely after the GDPR, but it has some key differences. For email marketing purposes, however, the rules of the law are generally the same.
Much like under the GDPR, a user’s email address is considered personal information (or personal data) under CCPA regulations. That means users must consent to the communication, as well as be able to opt out at any time. Additionally, data regarding each user’s open rate and click-through rate (CTR) is considered personal information. If a user requests that their data be removed, you must not only delete their email address from your list but also remove any data gleaned from their engagement with your email marketing campaign.
The good news for email marketers is that compliance with the CCPA is more or less the same as the GDPR when it comes to email marketing. Other elements of the law are different, though, so if your business is engaged in other data-collection activities, review both laws with legal counsel to determine whether you are in full compliance, because both laws might apply to your business at the same time.
Civil penalties for violations of the CCPA can range from $2,500 per unintentional violation to $7,500 per intentional violation. Businesses generally have 30 days to reverse any violations and solve the problem to avoid liability.
Although these fines are not as steep as the maximum penalties permitted under the GDPR, it is best to avoid them, as they stack up per violation. That means that, if you repeatedly violate the consent requirement for thousands of email addresses in your email marketing campaign, you could be on the hook for a significant sum.
Although it is possible to keep your entire email marketing program in-house, using an email marketing platform makes it easier to comply with the GDPR because the platforms have these regulations built into their programming.
The GDPR requires companies to obtain permission from people who opt in for the specific type of communication they will be receiving. In other words, if someone gives you their email address, you can’t assume that they are OK with receiving marketing emails from you; they need to specifically give you permission to send those types of emails.
Email marketing platforms include opt-in forms that allow people to proactively check a box that gives permission for you to send certain kinds of information, such as news, events and offers. For example, when setting up Constant Contact forms within WordPress, you can enable email opt-in, thereby letting subscribers know exactly what they will receive from you if they give you permission.
Source: Constant Contact
Boxes to receive information cannot be prechecked; the subscriber needs to check the box themselves for the permission to be valid.
In addition, email marketing platforms make it easy for you to set up a double opt-in process. This can be helpful if you have a list that may not have given you permission to send certain types of content. In essence, the subscriber gets a confirmation email detailing the type of content you would like to send them, along with a link to opt in to receive it.
The GDPR also requires companies to document the consent of their contacts, including who consented, when and how they consented, and what they were told when giving their consent. Email marketing platforms store this data automatically in each contact record.
The GDPR gives EU citizens the right to be forgotten. If an EU citizen wants a company to access, delete or change their personal data, the company must comply. Email platforms include an unsubscribe link in their email templates and can also include a link to each subscriber’s customer profile with the option to manage email preferences.
Source: Constant Contact
Email platform opt-in forms also automatically inform people that they can unsubscribe at any time, and email footers provide them a link to do so. People who unsubscribe are added to an unsubscribe list in your account so they are not accidentally emailed again.
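The opt-in, double opt-in, consent-record and unsubscribe requirements described above can be modelled in a small consent ledger. This is an added illustration, not code from the original article or from any email marketing platform; the HMAC-signed confirmation token, the `ConsentLedger` class and the per-topic record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed per-deployment key for signing confirmation links (not a real value).
SECRET_KEY = secrets.token_bytes(32)


def confirmation_token(email: str, topic: str) -> str:
    """Unguessable token placed in the double opt-in confirmation link."""
    msg = f"{email.lower()}|{topic}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


class ConsentLedger:
    """Per-topic consent records: who consented, when, how, and what they were told."""

    def __init__(self):
        self.records = {}  # (email, topic) -> record dict

    def request_opt_in(self, email, topic, box_ticked_by_user, form_wording, source="web form"):
        # A pre-checked box is not valid consent; the subscriber must tick it themselves.
        if not box_ticked_by_user:
            raise ValueError("consent box must be ticked by the subscriber")
        self.records[(email.lower(), topic)] = {
            "status": "pending", "source": source, "wording": form_wording,
            "requested_at": datetime.now(timezone.utc), "confirmed_at": None,
            "unsubscribed_at": None,
        }
        return confirmation_token(email, topic)  # goes into the confirmation email link

    def confirm(self, email, topic, token):
        rec = self.records.get((email.lower(), topic))
        if rec is None or not hmac.compare_digest(token, confirmation_token(email, topic)):
            return False  # unknown request, or a tampered / guessed link
        rec["status"], rec["confirmed_at"] = "confirmed", datetime.now(timezone.utc)
        return True

    def unsubscribe(self, email, topic):
        rec = self.records.get((email.lower(), topic))
        if rec:  # keep the record so the opt-out itself is evidenced
            rec["status"], rec["unsubscribed_at"] = "unsubscribed", datetime.now(timezone.utc)

    def may_send(self, email, topic):
        rec = self.records.get((email.lower(), topic))
        return rec is not None and rec["status"] == "confirmed"

    def erase(self, email):
        """Right to be forgotten: drop every record held for this address."""
        keys = [k for k in self.records if k[0] == email.lower()]
        for k in keys:
            del self.records[k]
        return len(keys)
```

Consent is per topic, so a confirmed "offers" opt-in never authorises a "news" mailing, and an unsubscribe keeps the record (with its timestamp) rather than deleting it, because the opt-out must be demonstrable later.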
Another GDPR requirement is to take “reasonable and appropriate measures” to keep subscribers’ data safe.
Major email platforms also have data security measures in place to protect subscribers’ data.
Overall, email marketing is one of the simpler aspects of complying with the complex and wide-ranging data privacy legislation emerging around the world. However, it is important to do your due diligence to avoid unnecessary fines and damage to your brand. After all, even once the fine is paid, your customers might remember that you handled their personal data poorly. The true cost of data privacy violations is often far higher than just the fines incurred.
Kimberlee Leonard and Jennifer Dublino contributed to this article. Source interviews were conducted for a previous version of this article.