Welcome to the age of data privacy, in which governments around the world are adopting legislation that limits how companies can collect and use the data generated by individuals. These laws have sweeping effects on virtually every aspect of how businesses engage potential customers in the digital world, including practices like email marketing.
If you’re thinking about launching an email marketing campaign, you need to be aware of data privacy laws that apply to your business. Failure to comply with these laws could result in significant financial penalties and damage to your brand reputation.
Data privacy laws are legislation appearing around the world geared toward protecting individual users’ rights to a certain standard of data privacy and security. They typically include rules about how companies can collect and use individuals’ data, as well as how companies must inform users about that collection and use. Data privacy laws are often vast and expansive, governing virtually every aspect of how a business engages with consumers digitally — that includes email marketing.
Some of the most publicized data privacy laws are the European Union’s General Data Protection Regulation (GDPR), which set the tone worldwide for a move toward stringent data privacy laws, and the California Consumer Privacy Act (CCPA), which was the first piece of data privacy legislation passed in the U.S.
Understanding these laws — as both a compliance imperative for your business today and as a bellwether for data privacy trends nationwide — is essential for any business engaged in digital marketing or data collection of any kind.
The GDPR is the European Union’s overarching legislation on data privacy, which unified the baseline requirements among the 27 member nations. The GDPR applies to businesses collecting and using data on any EU-based user, regardless of where that business is headquartered or operating. That means American businesses collecting data on European users are also subject to the requirements of the law. In regard to email marketing, the GDPR requires that businesses obtain the consent of anyone prior to contacting them via email. This is known as the opt-in provision. Before you contact anyone via email, be sure you have their explicit consent.
Additionally, the GDPR requires that companies demonstrate how consent was obtained and whether any consenting users have since opted out or unsubscribed from newsletters (or other email marketing communications). Also, companies must be willing to delete the personal information of a user upon request and refrain from collecting unnecessary data.
GDPR violations carry steep penalties. Under the law, a company that violates the data privacy requirements could be subject to fines of up to 20 million euros (roughly $22 million) or 4 percent of the company’s annual revenue, whichever is greater. For many small businesses, fines of this magnitude could be fatal; however, it’s worth noting that in many cases of GDPR violations uncovered thus far, the EU data protection authorities have declined to impose the maximum penalties permitted under the law.
Still, the threat of massive fines and lawsuits should be enough to give any company gathering user data pause. While some types of data collection and usage intuitively fall under the GDPR, so do seemingly innocuous activities like email marketing.
The California Consumer Privacy Act (CCPA) is the state of California’s data privacy law, modeled largely after the GDPR, but with some key differences in language. For email marketing purposes, however, the rules of the law are generally the same.
Much like under the GDPR, a user’s email address is considered personal information (or personal data) under CCPA regulations. That means users must consent to the communication, as well as be able to opt out at any time. Additionally, data regarding the open rate and click-through rate of each individual user is considered personal information; if a user requests their data be removed, you must not only delete their email address from your list but also any data gleaned from their engagement with your email marketing campaign.
The good news for email marketers is that compliance with the CCPA is more or less the same as the GDPR when it comes to email marketing. Other elements of the law are different, though, so if you’re engaged in other data-collection activities for your business, review both laws with legal counsel to determine whether you are in full compliance, because both laws might apply to your business at the same time.
Civil penalties for violations of the CCPA can range from $2,500 per unintentional violation to $7,500 per intentional violation. Businesses generally have 30 days to reverse any violations and solve the problem to avoid liability.
While these fines are not nominally as steep as the maximum penalties permitted under the GDPR, it is best to avoid them, as they stack per violation; that means if you repeatedly violate the consent requirement for thousands of email addresses in your email marketing campaign, you could be on the hook for a significant sum.
While it is possible to keep your entire email marketing program in-house, using an email marketing platform makes staying GDPR-compliant easier, because these platforms build the regulations’ requirements into their tooling.
GDPR requires companies to obtain specific permission from people who opt in for the type of communication they will be receiving. In other words, if someone gives you their email address, you can’t assume that they are OK with receiving marketing emails from you; they need to specifically give you permission to send those types of emails.
Email marketing platforms include opt-in forms that give people the option to proactively check a box giving permission for you to send certain kinds of information such as news, events and offers.
For example, when setting up Constant Contact forms within WordPress, you can enable email opt-in, letting subscribers know exactly what they would receive from you if they give you permission.
Source: Constant Contact
Boxes to receive information cannot be prechecked; the subscriber needs to check the box themselves for the permission to be valid.
In addition, email marketing platforms make it easy for you to set up a double opt-in process. This can be helpful if you have a list that may not have given you specific permission to send certain types of content. In essence, the subscriber gets a confirmation email detailing the type of content you would like to send them along with a link to opt in to receiving it.
GDPR also requires companies to document the consent of their contacts, including who consented, the date, how they consented, and what they were told about giving their consent at the time. Email marketing platforms store this data automatically in each contact record.
A data protection officer (DPO) handles all data protection for a company, including ensuring that GDPR and CCPA compliance is met.
GDPR gives European citizens the right to be forgotten. If an EU citizen wants a company to access, delete or change personal data, the company must comply. Email platforms include an unsubscribe link in their email templates and can also include a link to each individual subscriber’s customer profile with the option to manage email preferences.
Source: Constant Contact
Email platform opt-in forms also automatically inform people that they can unsubscribe at any time, and email footers provide them a link to do so. People who unsubscribe are added to an Unsubscribe list in your account so that they are not accidentally emailed again.
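The double opt-in flow, the consent evidence (who, when, how, what wording) and the unsubscribe list described above, as an added example that is not Constant Contact’s or any vendor’s code. The signing secret, consent wording, 48-hour link lifetime and record layout are constructed assumptions for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed; added example, not vendor code
TOKEN_TTL = 48 * 3600  # confirmation links expire after 48 hours (assumption)
CONSENT_TEXT = "Send me the newsletter and offers. You can unsubscribe at any time."
CONSENT_VERSION = "newsletter-v1"


class ConsentLedger:
    def __init__(self):
        self.records = {}        # (email, purpose) -> consent evidence
        self.suppressed = set()  # unsubscribed addresses, never mailed again

    def _sign(self, email, purpose, issued):
        msg = f"{email}|{purpose}|{issued}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request_opt_in(self, email, purpose, source, box_ticked, now=None):
        """Step 1: form submitted. An untouched (or pre-checked) box records nothing."""
        if not box_ticked:
            return None
        issued = int(now if now is not None else time.time())
        self.records[(email, purpose)] = {
            "source": source, "method": "web form, double opt-in", "requested_at": issued,
            "confirmed_at": None, "consent_version": CONSENT_VERSION,
            "consent_text_sha256": hashlib.sha256(CONSENT_TEXT.encode()).hexdigest()}
        return f"{issued}.{self._sign(email, purpose, issued)}"  # goes in the link

    def confirm(self, email, purpose, token, now=None):
        """Step 2: link clicked. Reject forged, expired or unknown tokens."""
        now = now if now is not None else time.time()
        issued_s, _, sig = token.partition(".")
        rec = self.records.get((email, purpose))
        if rec is None or not issued_s.isdigit():
            return False
        issued = int(issued_s)
        if not hmac.compare_digest(sig, self._sign(email, purpose, issued)) or now - issued > TOKEN_TTL:
            return False
        rec["confirmed_at"] = now
        return True

    def unsubscribe(self, email):
        self.suppressed.add(email)

    def may_send(self, email, purpose):
        """Mail only with confirmed consent for this purpose and no later opt-out."""
        rec = self.records.get((email, purpose))
        return rec is not None and rec["confirmed_at"] is not None and email not in self.suppressed
```

Consent is recorded per purpose, so a confirmed newsletter opt-in does not authorise offers, and an unsubscribe blocks every purpose for that address.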
Another GDPR requirement is to take “reasonable and appropriate measures” to keep subscriber data safe.
Major email platforms have data security measures in place to protect subscriber data, including the following:
If you have questions about email marketing and how it relates to data privacy, you aren’t alone. Here are some of the frequently asked questions entrepreneurs have about their email marketing campaigns and how they can avoid unintentionally violating data privacy laws like GDPR and CCPA.
While sending an email to someone might not seem like a violation of data privacy, it could be one if the email is not sent properly. It’s important to understand the rules surrounding the collection of user contact information and when you are legally able to send communications to those email addresses. Additionally, users must have a clear way to unsubscribe from your email marketing list.
“Email has everything to do with data privacy and is most often where businesses run afoul of digital privacy laws,” said Harry Maugans, CEO of Privacy Bee.
To protect yourself from unnecessary data privacy violations, present users with an easy way to opt out or unsubscribe from your emails and newsletters.
“Opt-outs should be easy and marked clearly, and in no instances should businesses add people to email lists without permission,” Maugans said.
While there are some important guidelines to keep in mind regarding email marketing and data privacy, email is a relatively easy channel to keep in compliance, said Jeff Kupietzky, CEO of Jeeng, formerly PowerInbox.
“Email is a safe alternative to cookies and other forms of tracking where the user hasn’t given permission for the site/marketer to collect their data,” Kupietzky said. “Email is fully opt-in. By signing up, subscribers have inherently given you their permission to market to them and use their data to create a more personalized experience.”
Data privacy laws generally stipulate that users must knowingly consent to be contacted via email before a company can legally do so. That means buying email lists likely violates the consent requirements of the GDPR and CCPA. Therefore, relying on purchased email lists as a cornerstone of your email marketing campaign is a risky move likely to land your business in hot water. Instead, gather email addresses directly, ideally through a subscription form on your website.
“The best way to ensure GDPR compliance when sending emails is by having an explicit opt-in checkbox on all subscription forms,” said Melissa Sargeant, CMO of market intelligence and search platform AlphaSense. “Through this, a company has the exact time, date, country and source through which someone opted in, which is important data to have — especially … if they are located in a GDPR country, which would require an alternate strategy.”
Additionally, purchasing an email list of cold leads increases the likelihood that key metrics of your email marketing campaign, such as open rate and click-through rate, perform poorly. Since purchased email lists are those of people who have not necessarily expressed interest in your products or services, they are unlikely to perform as well as smaller lists of organic email contacts. Furthermore, many email addresses on a purchased list could be inactive or outdated; you could be risking a data privacy violation just to contact an inbox that will never be used.
If someone is an existing customer, they may be considered a “soft opt-in,” which would allow you to email them. For your contact to be a soft opt-in, the following should be true:
If you need additional detail, consult legal counsel to make sure that you are in compliance. Alternatively, you could send these contacts a double opt-in email to ensure that they have given you proper permission.
What do I need to do to make sure my email marketing campaigns don’t violate data privacy laws?
In many cases, requirements in data privacy laws are convoluted. However, in regard to email marketing, the rules tend to be fairly straightforward. Still, abiding by these guidelines is critical to avoiding the penalties for violation laid out in the legislation.
“You can run a compliant email campaign without much trouble, as long as you fundamentally don’t aggressively target individuals who have not expressed direct interest,” said Alexander M. Kehoe, co-founder and operations director of Caveni Digital Solutions. “In many cases, targeting interested individuals is better for your conversions regardless.”
Here’s how you can avoid running afoul of consumer data privacy laws:
Overall, email marketing is one of the simpler aspects of complying with the sometimes complex and wide-ranging data privacy legislation emerging around the world. However, it is important to do your due diligence to avoid unnecessary fines and damage to your brand. After all, even once the fine is paid, your customers might remember if you handled their personal data poorly in the past. The true cost of data privacy violations is often far higher than just the fines incurred.
Jennifer Dublino contributed to this article. Source interviews were conducted for a previous version of this article.