Many of our web design and hosting clients also have email newsletter lists, and have been asking us what they need to do to ensure their lists and email marketing are fully GDPR compliant.
Whilst we can’t offer legal advice, we can offer some advice and point you towards some really helpful and easy-to-understand resources that we have found.
The first thing to be aware of is that email marketing is not only affected by the forthcoming General Data Protection Regulation (GDPR), but you should also be aware of the PECR (Privacy and Electronic Communications Regulations). PECR also has a new version on its way, but unlike GDPR, the rules aren’t finished, so its replacement, the upcoming ePrivacy Regulation, is still in draft. See more at: https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/
For now, though, the most common questions we get are:
- Is my email list GDPR compliant?
- Do I need to gain re-consent?
- They’ve said yes before, surely I don’t have to ask again?
A significant point to remember is that there are 6 lawful bases for processing under the GDPR and, of these, the two that are appropriate for direct marketing activities are Consent and Legitimate Interests.
When do you not have to have consent?
There is an exemption within PECR, rather ambiguously known as the “soft opt-in”, whereby you can send emails without Consent as long as the following conditions are met:
- You have obtained the contact details in the course of a sale (or negotiations of a sale) of a product or service
- You are only marketing your own similar products and services
- You provided a simple opportunity to refuse or opt-out of the marketing, when you first collected the contact details and in every subsequent communication.
This means you may well be able to email your own customers without Consent, but this will not apply to prospective customers or bought-in lists.
What do I need to do if I’m not relying on Consent?
Under GDPR, to have consent you will need clear and more granular opt-in methods (so for example, if you want to send newsletter emails and special offer emails, you should ask them to tick two boxes), good records of consent (so for example, be able to prove they opted in, what they asked for, what form you used etc.) and simple, easy-to-access ways for people to withdraw consent (luckily, most email marketing platforms have been including this in the footer of emails for a while now).
What are the key changes to make in practice?
You will need to review your consent processes to make sure they are specific, granular, clear, prominent, opt-in, documented and easily withdrawn.
The key new points are as follows:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: use unticked boxes (pre-ticked opt-in boxes are invalid) or similar active opt-in methods (such as a choice of two buttons).
- Granular: give granular options to consent separately wherever appropriate (so not “email newsletters, text offers and postal vouchers”)
- Named: name your organisation and any third parties who will be relying on consent
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented
How do I ask for re-consent?
Given the likelihood that your existing list was not obtained in a fully GDPR compliant manner, you will need to ask for re-consent prior to 25th May (after which, legally, you should not email them, as you don’t have compliant consent).
If you have a small/medium-sized list, the easiest way is to email them and ask them to confirm they wish to continue to receive marketing emails from you (you will probably have had numerous such emails from shops and other businesses yourself asking this recently). This email must be GDPR compliant (e.g. include unticked box/es, be granular if necessary, say what you do with their details, and include a link to your Privacy Policy).
There is no free/easy way to automate this, so for a small/medium list (under 300), I suggest you create a new blank list (or group within your list) and send a compliant email with two buttons (one saying I do consent and one saying I don’t consent), where the buttons email you with a pre-formatted subject. The recipient just needs to click the button, and then hit send on the email. For each email you receive, you will then move them to the new list (or new group), keeping the email as proof of consent. This Facebook video shows how this works in MailChimp.
Up to 25th May you can send a few more emails to those who have not replied, and after 25th May just use the new list/group.
You will have a high percentage of people who do not re-consent (or just ignore you) … that’s fine, they don’t want to hear from you, so don’t waste any more time worrying about them … this is the perfect opportunity to ‘clean’ your list!
If you have a large list (over 200 or 300), this method is likely to be too time-consuming.
You have a few options, which you can see here.
The easiest of these is to buy a re-consent service; this is one I am aware of – reconsent.co.uk/
This won’t do everything for you, but for £230-£250, they will set up everything you need and provide a comprehensive guide to implementing it.
More information
If you use MailChimp (or other email marketing systems), we highly recommend you join the ‘MailChimp and GDPR’ Facebook group, run by MailChimp expert Robin Adams. This group has lots of ideas and suggestions, and you can even ask Robin email marketing questions directly.
GDPR has been on its way for about two years, and although many businesses still aren’t sure what they need to do, it is not something to be worried about.
It’s good news for consumers (as we’re all consumers aren’t we!), and once you have the systems in place and a clear understanding of what is required it is actually beneficial … even if just to encourage you to clean that ageing email list you’ve been meaning to do for a while!