Email Marketing & the GDPR Regulations
The GDPR has been in effect since May 25, 2018. Although the law has been around for quite a few years, it is still not clear to everyone. What does the GDPR stipulate, and what consequences does it have for email marketing? You can read about it in this blog.
What is the GDPR?
The GDPR is the General Data Protection Regulation. It ensures that consumers are better protected against misuse of their data. For example, the regulation requires companies to be transparent about how they process and use their customers' personal data (such as e-mail addresses and phone numbers). In addition, consumers may request access to their stored data and revoke previously given permission to process this data.
The above rules, by the way, are not new. They existed for some time under the Data Protection Act (DPA) but have been tightened up considerably.
Obtaining consent via an opt-in
Since the GDPR took effect, you need your customers' consent to process their personal data. A direct consequence of this is that you can no longer just send customers emails. You have to ask permission for this. You ask for permission by means of an opt-in.
❗️ The GDPR requires an opt-in for e-mail & mobile campaigns.
There are different types of opt-ins. Below we explain them for you.
The single opt-in
The most standard variation is the single opt-in. A single opt-in only requires a customer to enter an e-mail address and agree to the data being processed. Examples of a single opt-in include:
- A pop-up
- A subscription field in the footer of a website
- A checkbox in the check-out to subscribe to the newsletter
Note: It is illegal to pre-fill an opt-in for your customers. So do not check the checkbox to subscribe by default in the checkout! Subscribing should be a conscious choice from the customer.
The double opt-in
A double opt-in goes one step further than the single opt-in. Here you ask your customer for an extra confirmation before processing data. Imagine this: your customer signs up for the newsletter via a pop-up on your website. In this situation, the customer is not directly subscribed to the newsletter. After completing the pop-up, your customer receives an email containing a link or button to confirm the subscription. Only once the customer has clicked on it is that person subscribed. Thus, you are once again actively asking for your customer's confirmation before mailing.
The soft opt-in
The third opt-in is the soft opt-in. The soft opt-in is entirely about building your relationship with the customer. If the customer has previously ordered from you, you have already obtained his e-mail address. In that case, you can approach this client for similar products or services and you do not have to explicitly ask for permission, according to DDMA.
A soft opt-in is subject to the following conditions:
- A soft opt-in applies only to the use of contact data obtained in the context of sales, and not in the context of profile enrichment.
- The customer must have had the opportunity to opt-out.
- Customer perceptions must be considered for the duration of the soft opt-in. If you are still emailing a customer a year after purchase, even though it was a trial subscription at the time, your email is logically no longer relevant.
Double opt-in mandatory?
As previously written, the GDPR mandates the use of an opt-in. Which opt-in you use for this is entirely up to you. So a double opt-in is not mandatory; you can also choose a single or soft opt-in. And that's good news! In fact, a double opt-in reduces the chances of growing your email list, because each subscriber has to perform an extra step.
Whether you use a single, double or soft opt-in, each opt-in is subject to the following conditions:
- It must always be clear that the e-mail address is being used for commercial purposes.
- Consent should not be obtained by referring to the Terms and Conditions or a Privacy Statement, as customers are unlikely to read these.
Possibility to unsubscribe: the opt-out
The opt-out is the opposite of the opt-in and is the actual unsubscribing of your customer. Offering an opt-out in all your commercial emails is required by law and must meet a number of requirements:
- It must be as easy as possible for the customer to unsubscribe.
- There must be an opt-out option in all email communications.
- Your customer does not have to log in to arrange an opt-out.
- Every unsubscribe must be processed immediately.
Abandoned shopping carts and GDPR
The abandoned shopping cart e-mail in conjunction with the General Data Protection Regulation (GDPR) is currently still an area where there are some questions.
After all, you send an email to the person's email address without their express permission when they leave a shopping cart.
The spam and telecommunications law says the following about it:
Any person who has obtained electronic contact data for electronic messages in connection with the sale of his product or service may use such data for the transmission of communications for commercial, idealistic or charitable purposes relating to his own similar products or services, provided that when the contact data were obtained, the customer was clearly and expressly offered the opportunity to oppose the use of such electronic contact data, free of charge and in a convenient manner, and, if the customer did not avail himself of this opportunity, he was offered the possibility of opposing the further use of his electronic contact data under the same conditions with each communication transmitted. Article 12, second paragraph, of the Spam and Telecommunications Act applies mutatis mutandis.
As seen above, as a web store you have slightly different rights because you are selling a product. It is then up to the website visitor to object if he or she does not wish to receive communication. The law does not prescribe how to offer this, as long as it is clearly visible, free of charge and easy to do.
One method that customers of ours use is to mention during checkout that the webshop uses abandoned cart emails. If the user does not want this, they can indicate this through the email. Including the text in the webshop's privacy statement is also a must.
GDPR proof mailing with a proper sender
The last point of the GDPR that affects your email marketing is that your email communication must reflect your shop's identity. What does this mean concretely?
- Every e-mail is sent from a working e-mail address to which people can actually reply. No-reply is no longer allowed. Changing your e-mail address from no-reply to something else, without the e-mail address really working, also makes no sense.
- The name of the sender (or of the shop) is always in the "from" field, so the recipient can recognize you.
- The message should not be misleading. It must be recognizable from the layout of the e-mail that it is a commercial e-mail.
GDPR Proof: the email address you use to reach your customers
The GDPR also states that you must express identity in your email communication. This means that:
- Every email has a functional and working email address. No-reply is no longer allowed. Changing your email address from no-reply to something else, without the email address actually working, makes no sense either. What matters is that you have a working email address that people can actually reply to.
- The name of the sender (or of the webshop) is always in the 'from' field, so it is recognizable.
- The message may not be misleading. The layout of the e-mail must show that it is a commercial e-mail.
In summary, what is allowed and what is not allowed?
Consider how you handle customer data. For example, do you send customer data by e-mail (in an Excel file), or do you and your colleagues log into one account in e-mail marketing software? These are two examples of daily work that are already in violation of the GDPR. Take a close look at your daily work. How can you better protect your customers' data?
Just to recap, what is allowed and what is not allowed under the GDPR?
You are allowed to...
- Send customers relevant offers when the customer has previously ordered from you (within a significant amount of time).
- Email customers when they have actively opted-in.
- Do profile enrichment. If you do, be sure you are actually going to use the data (think of a birthday email when requesting a date of birth).
You may not...
- Send someone a digital message without their consent under the GDPR.
- Transfer opt-ins from one company to another.
- 'Pre-fill' checkboxes on sign-up forms.
- Use a no-reply email address.
Reloadify and GDPR
Reloadify makes it easy for you to comply with the GDPR. You can easily arrange the right opt-ins and opt-outs with our software. You build an opt-in with our ready-made forms (on a pop-up or landing page) and an opt-out is ready for you by default. Your subscribers can unsubscribe with one click.
You can also add unlimited users to your Reloadify dashboard and require two-step verification. This way every colleague can log in with their own account and you protect all customer data even better.
As icing on the cake: you can expect your data to be safe with us. We store your data on Dutch servers. As a client of Reloadify you therefore fully comply with the Dutch and European servers. Reloadify also provides an AVG/GDPR statement. By signing this statement you know for sure that your data is well protected.
Want to know more? Request a one on one consultation or try Reloadify yourself, the first 14 days for free.