GDPR and email marketing: What you need to know
By Hannah Moss
Do you collect names and email addresses from EU citizens through your website? Then you probably need to make some changes to be compliant with GDPR come 25th May 2018. Read on to find out more.
Update: For the latest guidance on GDPR, read our newer post Protecting data: How to be GDPR compliant, which explores emerging best practices almost 5 years on from the implementation of GDPR.
Disclaimer: The information in this article does not constitute legal advice in any form. These are our recommendations based on our understanding of the GDPR. You should seek legal advice for accurate compliance based on your own business.
What is GDPR?
As you’re no doubt aware, new EU data laws come into force on 25th May 2018 under the General Data Protection Regulation (GDPR). This new law aims to standardise privacy rules across the EU, giving individuals more control over how their data is used. It’s the biggest change to privacy law in 20 years.
GDPR affects every company that processes personal data from EU citizens. So, if you collect and store names and email addresses from EU citizens, for example, you’ll need to comply with GDPR – no matter where you’re based.
How does GDPR affect email marketing?
One of the key requirements of the regulation is that consent must be “freely given, specific, informed and unambiguous”. This means the way you collect and store people’s consent for sending them your marketing materials (such as your blogs, newsletters, bulletins and other updates) might need to change.
The main concerns around email marketing under GDPR are:
- Collecting & storing consent for new and existing subscribers
- Lead magnets
- Pre-ticked opt-in boxes
- Website cookies
- Google Analytics
We will look at each of these in turn.
Collecting & storing consent
One of the key requirements of GDPR is being able to prove that you have your subscribers’ consent – not only to email them but to store their personal data too. In MailChimp this is recorded in the ‘Source’ column of your mailing list. If your subscribers’ listed source is any of the following, then you should already be able to prove consent:
- Facebook Signup Form
- Hosted Signup Form (signup form in MailChimp)
- Embed Form (signup form embedded on website)
- API – Generic (website signup form via third party plugin, e.g. Gravity Forms)
However, if the source for any of your subscribers is listed as any of the following, then you’ll need to re-obtain their consent:
- Admin Add
- List Import from CSV
- List Import from Copy/Pasted File
Don’t use MailChimp? Whichever email marketing provider you use, similar data should be recorded when each subscriber joins your list. However, if you cannot find this information in your account, or it’s not clear how/where each subscriber signed up, then you’ll need to follow the steps below to ensure you’re compliant.
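To make the source check above repeatable rather than a manual scroll through the list, here is an added example (written for this page, not code from the original post or from MailChimp) that reads a MailChimp-style list export and splits it into subscribers whose consent is provable and those who need the re-consent campaign. It assumes the export has `Email Address` and `Source` columns and that the source strings match the ones listed above; check both against your own export. It goes slightly beyond the post by treating blank or unrecognised sources as needing re-consent, since a consent record you cannot find is no evidence at all.

```python
import csv
import io
from collections import defaultdict

# Source values that mean the subscriber signed themselves up, so the signup
# record itself demonstrates consent. Strings taken from the post; verify
# against your own export before relying on them.
PROVABLE_SOURCES = {
    "Facebook Signup Form",
    "Hosted Signup Form",
    "Embed Form",
    "API - Generic",
}

# Source values that mean someone on your side added the address, so there is
# no signup record to prove consent.
RECONSENT_SOURCES = {
    "Admin Add",
    "List Import from CSV",
    "List Import from Copy/Pasted File",
}


def classify_source(source):
    """Return 'provable', 'reconsent' or 'unknown' for a Source column value.

    Blank or unrecognised sources are deliberately treated the same way as the
    re-consent sources by the caller: if you cannot show where the consent came
    from, you cannot prove it.
    """
    # Normalise the en dash some exports/pages use so "API – Generic" matches.
    source = (source or "").strip().replace("\u2013", "-")
    if source in PROVABLE_SOURCES:
        return "provable"
    if source in RECONSENT_SOURCES:
        return "reconsent"
    return "unknown"


def segment_export(csv_text):
    """Split a MailChimp-style list export into audiences.

    Returns a dict with 'keep' (consent provable), 'reconsent' (send them the
    re-consent campaign) and 'tally' (count per raw source value, for the audit
    report). Column names are assumed to be MailChimp's usual export headers.
    """
    keep, reconsent = [], []
    tally = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = (row.get("Email Address") or "").strip().lower()
        if not email:
            continue  # malformed row: skip rather than guess
        raw_source = row.get("Source") or ""
        tally[raw_source or "<blank>"] += 1
        if classify_source(raw_source) == "provable":
            keep.append(email)
        else:
            reconsent.append(email)
    return {"keep": keep, "reconsent": reconsent, "tally": dict(tally)}


# Constructed sample export: headers follow MailChimp's export format, the
# addresses and dates are made up for this example.
SAMPLE_EXPORT = """Email Address,OPTIN_TIME,Source
alice@example.com,2017-03-04 10:12:00,Embed Form
bob@example.com,2016-11-20 08:00:00,List Import from CSV
carol@example.com,2018-01-15 14:30:00,API - Generic
dave@example.com,2015-06-01 09:00:00,Admin Add
erin@example.com,2017-09-09 17:45:00,
"""

if __name__ == "__main__":
    result = segment_export(SAMPLE_EXPORT)
    print("consent provable :", result["keep"])
    print("needs re-consent :", result["reconsent"])
    print("sources seen     :", result["tally"])
```

Run it against your real export to get the audience for the re-consent campaign and a per-source tally you can keep with your records; the `keep` list is what the new GDPR-compliant list should start from.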
If you use MailChimp to embed signup forms on your website, you can switch on their new GDPR-friendly fields and use list segmentation to make sure you only email subscribers who have explicitly consented to receiving your emails. Read this article for more on this.
If, like us and most of our clients, you use a third party WordPress plugin to manage your forms, e.g. Gravity Forms, then we suggest adding a checkbox to each form with wording such as “I consent to my submitted data being collected and stored”. As long as this is a required field, then you have explicit consent, as the subscriber cannot submit the form without ticking this box.
We suggest the safest way to ensure that every subscriber on your mailing list has given their consent for you to send them marketing materials – and to be able to prove this if you’re audited – is to do the following:
- Start a brand new GDPR-compliant list in your email marketing account: you could call this “[Company Name] Mailing List (GDPR)” for example.
- Remember to set up any groups in exactly the same way.
- Send a re-consent campaign to everyone on your list, explaining that they need to re-subscribe to continue receiving your emails after 25th May (you may well have seen examples of these pop up in your inbox recently).
- In that campaign include a link to your newly updated GDPR-compliant signup form (see above).
- Send one or two follow-up campaigns reminding people to re-subscribe.
- Just before 25th May, remove your old list from your account.
- Use your new mailing list for all future email campaigns and enjoy peace of mind that you’ve explicitly gained consent from everyone on that list.
Don’t use MailChimp? The above steps are based on using MailChimp or similar email marketing software. If you use a different provider you’ll need to adapt the above process accordingly. For example, if you use Drip, you’ll need to re-organise your workflows and tags to ensure compliance, such as creating a ‘gdpr’ tag that gets applied to every new subscriber who submits your GDPR-friendly form.
Lead magnets
The GDPR will have a big effect on lead magnets – these are pieces of content you give away in return for an email address. You’ll no longer be legally allowed to add someone to your mailing list just because they’ve requested a download of your free eBook, PDF practice guide, or audio file, for example.
You can ask for their email address in order to send them the specific content you’re offering, but you cannot send them any further emails UNLESS they’ve specifically opted in. So, providing the free content has to be separate from opting in to your email list.
What we suggest is adding a checkbox to each lead magnet form inviting them to also sign up to your mailing list. This would need to be set as conditional logic on your form – if they don’t tick the box then they don’t get added to your mailing list. But you’ll still need a process for sending them the lead magnet they’ve requested.
Update: There’s some debate about whether this is strictly necessary. It may be ok to simply add some wording to your lead magnet form, explaining that by submitting the form they’re also opting in to your mailing list. Some further research is needed here.
Pre-ticked opt-in boxes
Under the GDPR, it’s not permissible to use pre-ticked opt-in boxes in online forms. For example, you might have a contact form with an additional checkbox for signing up to your mailing list. You should make sure this checkbox is not pre-ticked, as a person filling in the form might not notice and therefore be unaware that they’ve signed up.
Remember that consent has to be “freely given, specific, informed and unambiguous”. Therefore, a person has to take an action in order to sign up and give consent, i.e. they have to tick the checkbox themselves.
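The conditional logic described for lead magnets, and the rule that an un-ticked box never counts as consent, can both be enforced on the server, whatever the form plugin does in the browser. The following is an added example written for this page, not code from the original post or from Gravity Forms, in plain Python rather than a WordPress plugin. The field names (`email`, `asset`, `marketing_optin`), the form id and the consent wording are assumptions. It always delivers the requested download, adds the person to the mailing list only when the checkbox was actively ticked, and in that case builds the record of who consented, on which form, when and to which wording that the consent section above says you need to be able to produce.

```python
from datetime import datetime, timezone

# Exact wording shown beside the checkbox, stored with every consent record so
# you can later show what the person actually agreed to. Bump the version
# whenever the wording changes. (Assumed wording, based on the post's example.)
CONSENT_TEXT = "I consent to my submitted data being collected and stored"
CONSENT_TEXT_VERSION = "2018-05-v1"

# Values a browser or form plugin might send for a ticked checkbox.
TICKED_VALUES = {"on", "1", "true", "yes"}


class FormError(ValueError):
    """Raised when the submission cannot be processed at all."""


def handle_lead_magnet_submission(form, form_id, now=None):
    """Process one form submission that may include a marketing opt-in.

    Returns a dict with two independent outcomes:
      - 'deliver':   the requested asset is always sent to the address given
      - 'subscribe': True only if the marketing checkbox was actively ticked
    plus a 'consent_record' (only when subscribed) suitable for storing as
    evidence of consent.
    """
    now = now or datetime.now(timezone.utc)
    email = (form.get("email") or "").strip().lower()
    if "@" not in email:
        raise FormError("a valid email address is required to send the download")

    # Browsers omit an un-ticked checkbox from the POST body entirely, so a
    # missing field means "not ticked". Only an explicit ticked value counts;
    # there is no default that assumes consent, which is the server-side
    # equivalent of never pre-ticking the box.
    raw = str(form.get("marketing_optin", "")).strip().lower()
    opted_in = raw in TICKED_VALUES

    result = {
        "deliver": {"email": email, "asset": form.get("asset")},
        "subscribe": opted_in,
    }
    if opted_in:
        result["consent_record"] = {
            "email": email,
            "form_id": form_id,
            "consent_text": CONSENT_TEXT,
            "consent_text_version": CONSENT_TEXT_VERSION,
            "timestamp": now.isoformat(),
        }
    return result


if __name__ == "__main__":
    # Constructed submissions: one without the box ticked, one with it ticked.
    no_optin = {"email": "Jo@Example.com", "asset": "practice-guide.pdf"}
    with_optin = dict(no_optin, marketing_optin="on")
    for sub in (no_optin, with_optin):
        r = handle_lead_magnet_submission(sub, "lead-magnet-guide")
        print("deliver:", r["deliver"], "| subscribe:", r["subscribe"])
        if r["subscribe"]:
            print("consent record:", r["consent_record"])
```

The two outcomes are kept separate on purpose: the download goes out whether or not the box was ticked, and the mailing-list step only ever runs off the explicit checkbox value. Store the consent record alongside the subscriber (MailChimp's GDPR fields or a `gdpr`-style tag in Drip can carry the same information), so that an audit can be answered from your own data.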
Website cookies
At Wildheart we recently updated our own Privacy and Cookies Policy and believe this satisfies the requirements of GDPR.
Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website. They’re useful because they can remember your preferences, improve your user experience and allow the website owner to collect important data about how their site is used.
Your website may already comply with the current EU Cookie Law, but you might need to make some changes in order to be fully compliant with GDPR.
Google Analytics
As we understand it, there are two main changes that would need to be made in your Google Analytics (GA) account, in order to be GDPR-compliant:
Anonymise IP addresses
If you’re not already anonymising your IP addresses in GA, you need to start doing so. As standard practice, visitor IP addresses are not stored in your GA reports, nor are they exposed to any GA customer. However, technically speaking they can be accessed by a Google employee, and they do qualify as personally identifiable information. So, even though you don’t have access to your visitors’ IP addresses yourself, you need to make sure they’re anonymised.
Turn off User ID
If you use GA and you have User ID switched on, it’s best to switch this off in order to be compliant with GDPR, as this tracks individual users across devices and sessions. Google are rolling out various new Data Retention controls in line with GDPR, so you should be able to review and update these settings next time you log in.
At Wildheart Media we don’t use User IDs, we’ve anonymised our IP addresses, and we’ve reviewed all our GA settings accordingly.
How we can help
If you need help making sure your email marketing is GDPR compliant before 25th May, get in touch. We’ve put together a package that includes the following:
- Mailing list:
  - Update signup forms (email signup forms, contact form, event booking forms)
  - Create and send consent campaign plus 2 follow-up campaigns
  - Reorganise/clean list
- Review/update any other website forms
- Install/configure GDPR-compliant cookies plugin
- Google Analytics – anonymise IP addresses & turn off User ID
Don’t take the risk – make sure you’re GDPR compliant before 25th May 2018.
For more information about GDPR and how it affects email marketing, you might like to read these articles:
- 5 Things You Must Know about Email Consent under GDPR (Litmus)
- MailChimp: Collect Consent with GDPR Forms (MailChimp)
- WordPress, Gravity Forms, and GDPR Compliance (Gravity Forms)
- Google Analytics and GDPR: Is it Compliant? (Convert)