GDPR: Email Marketing Compliance Update and FAQs
As you are no doubt aware, the EU’s GDPR regulations come into force on May 25th. These are a big deal, and affect every web site, regardless of whether the site or the business it serves is in Europe.
A great way to think about GDPR is that it’s “Y2K for Privacy”: it’s a big deal potentially affecting everyone, but if we all do the work required, we’re all going to be OK. GDPR enforces what ought to be best practice in your online marketing anyway: get permission, treat people with respect. Looked at that way, it’s not so hard to comply with.
The good news is that we at FeedBlitz are ready, and have the tools to enable you to be compliant. We’ve always required dual opt-in for new subscriptions, for example, and so proof of consent for existing subscribers is already there. We’re also not treating our GDPR work as “done” once the regulation comes into force (in this respect it’s very different from Y2K). GDPR compliance, building a privacy-first app, and improved processes are all ongoing efforts here.
FeedBlitz’s GDPR Resources
Our knowledge base (KB) article on GDPR will be the primary place where updates will be posted. We’ll update this post with changes as and when they’re made.
Our privacy statement is here, you can manage your personal cookie settings here, and site owners can review cookies that FeedBlitz places here. We recommend that FeedBlitz clients should link to all three of those URLs (privacy, personal privacy settings, cookies) in their own privacy pages.
You can add a compliance / verification question to your list for our “classic” forms, and you can add GDPR-related compliance options to your FeedBlitz SmartForms by dragging in the relevant GDPR widget in the forms designer. We recommend using the radio instead of the checkbox version on SmartForms, as radio buttons force the visitor to actively decline as well as actively accept, whereas checkboxes allow consent to be declined passively. Studies have shown that requiring an active decision on the form, in either direction, yields higher opt-in rates.
FeedBlitz clients who don’t have a compliance question in place for classic forms will see default text added on May 24th, just to be safe.
You can export all a subscriber’s data, including opt-in date and the IP creating the subscription, at any time. We’ve added easy options for subscribers (and our publisher clients) to remove additional data (e.g. Name) if you have it.
When subscriber data is deleted to comply with a “right to be forgotten” request, it becomes unavailable in the app on an individual basis. This is a new option for publishers in the subscriber pages.
We’ve significantly enhanced per-subscriber audit trails within FeedBlitz. Starting late February we now track much more detail about how a subscriber joined a list and the data contained in those interaction(s).
Data Processing Agreements (DPAs) and Privacy Shield
We are closing out these processes for European clients to be confident that we meet all their needs. If you need a DPA please contact FeedBlitz support.
Disclaimer: We are not lawyers! So these are our opinions, and not legal advice.
Do I have to repermission my lists’ current European subscribers?
We don’t think so, no, as long as you acquired them using dual opt-in (which we at FeedBlitz require for new subscriptions). If you used a third party service that used only single opt-in, you should consider repermissioning them, and only emailing those who opt in again.
Should I remove non-responsive European subscribers?
One way to think about permission is that if someone is not engaging with your mailings, they’ve effectively revoked their consent. Remember, the GDPR says that consent is only valid for the duration. Not engaging means, at least in the subscriber’s mind, that the duration is basically over, even if they haven’t gone to the effort of unsubscribing. With that in mind, we feel that it’s a good idea to keep list quality up by removing the chaff, regardless of where the subscriber is resident. It is certainly prudent to try to repermission or even cull non-responsive subscribers before May 25th.
Do I need to have a consent checkbox on forms?
The emerging consensus is yes you do. And that’s absolutely the most conservative way to approach GDPR compliance for new subscriptions.
That said, if the form’s purpose is only to get an email subscription, and the form unambiguously says something like “Click here to get my email newsletter” then it is our view that clicking the “Subscribe” button counts as consent to be contacted (because what else would that button do, exactly?) as part of the dual opt-in verification process. Completing dual opt-in activation provides consent for regular mailings.
So why all the kerfuffle about checkboxes?
Because when the form is not about email marketing, but you need to supply an email address to complete the transaction, in a pre-GDPR world that would be all that was needed for you to be added to that site’s email marketing barrage. The consent checkbox approach is to stop this somewhat skeevy behavior. You need to be clear about what it is you’re going to get when you hand over your email address (or phone number etc.).
So say you have an e-commerce site, and you require an email to send the receipt to. Under GDPR:
- You may NOT then add that email address to a newsletter, funnel or other email marketing campaign.
- You may ONLY use that address in the context of that transaction (permission is valid only for the process for which it was given).
Unless there is a checkbox on your checkout form that says something like “I agree that <your site> can contact me with offers” and that box is checked.
So I can put a checkbox on a form and I’m GDPR compliant?
Yes, if and only if that checkbox is not checked by default. Default consent is one of the practices expressly forbidden by the GDPR.
Don’t checkboxes lower opt-in rates? I want turbo-charged list growth!
Yes, checkboxes reduce opt-in rates because the default option becomes “I do not consent” (and again, remember, we’re talking about forms here where the primary objective is not an email subscription, as I observed above). That is certainly less than ideal.
So, don’t use checkboxes to acquire consent.
If you’re going “huh?” at this point, remember that although GDPR requires that you get consent, it doesn’t specify how. So, instead of a consent checkbox, use a pair of required radio choices: one to consent, one to decline. Do not select either by default, and make the radio group required. The visitor must actively decline, or actively consent. This is entirely consistent with the GDPR’s goals; you’re being completely transparent, you are simply not allowing a default choice. This approach yields opt-in rates that are comparable to forms with no consent options at all.
FeedBlitz SmartForms have a GDPR widget that does all this for you. Just drop it in, edit the copy, and save the form.
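As an added example (this is not FeedBlitz’s SmartForms widget or any FeedBlitz code), here is the required-radio widget described above alongside the server-side check that interprets what the form submits. The field name `marketing_consent`, its `yes`/`no` values, and the shape of the consent record are assumptions made for this example; the point it makes is that a pre-checked checkbox submits `on` whether or not the visitor ever looked at it, so the server cannot tell default from decision, whereas the radio pair only ever yields an explicit answer or nothing at all.

```javascript
// Added example (not FeedBlitz code): an explicit-consent widget and the
// server-side check that interprets it. The field name "marketing_consent"
// and the values "yes"/"no" are assumptions made for this example.

// Markup for the widget the text recommends: two required radios, neither
// pre-selected, so the visitor must actively accept or actively decline.
function renderConsentRadios(siteName) {
  return [
    "<fieldset>",
    `  <legend>May ${siteName} email you offers?</legend>`,
    '  <label><input type="radio" name="marketing_consent" value="yes" required> Yes, send me offers</label>',
    '  <label><input type="radio" name="marketing_consent" value="no" required> No, do not send me offers</label>',
    "</fieldset>",
  ].join("\n");
}

// The pattern the text forbids, shown so the server-side check below can be
// seen rejecting what it produces: a pre-checked checkbox submits the value
// "on" for every untouched form, which says nothing about the visitor's wishes.
function renderDefaultCheckedCheckbox(siteName) {
  return `<label><input type="checkbox" name="marketing_consent" checked> ${siteName} may email me offers</label>`;
}

// Server side: classify the submitted field. Anything other than an explicit
// "yes" or "no" (missing, "on" from a checkbox, a tampered value) is
// "undecided", and an undecided submission must be bounced back to the form.
function evaluateConsent(fields, fieldName = "marketing_consent") {
  const value = fields[fieldName];
  if (value === "yes") return "consented";
  if (value === "no") return "declined";
  return "undecided";
}

// Build the record you would keep as proof of how consent was captured.
// Only an explicit "consented" outcome yields a record; the timestamp and
// IP are the details the text mentions as part of the audit trail.
function consentRecord(fields, ip, now = new Date()) {
  const outcome = evaluateConsent(fields);
  if (outcome !== "consented") return null;
  return { email: fields.email, consent: "marketing", at: now.toISOString(), ip };
}
```

The design choice worth noting: `evaluateConsent` never maps an unexpected value to consent. A form that has been edited in the browser, or a checkbox that arrives as `on`, falls into `undecided`, and only the two values the radios can actually produce are ever honoured.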
Does GDPR mean I must stop personalizing or targeting my list?
Not at all. If you have the data and are sending relevant personalized emails with it, then that’s fine. GDPR says, however, that you can only use personal data (and an email address counts) for the purposes it was given to you for. So if you are running a deal list, for example, and you know that this subscriber is interested in, say, camping gear, then you can absolutely target them with an email about a special on camping gear. It’s within the scope of the consent that was granted.
Should I re-evaluate the data I collect on subscribers?
Absolutely. The less data you keep on someone, the less likely you are to run afoul of the GDPR’s penalties. One of our largest clients used to collect emails and names, for example. Now they are changing that to just email, and are scrubbing the list of name data. It reduces their risk.
This matters because GDPR wants to keep your knowledge about what someone does online separate from knowing who they are in real life.
Consider: If you know someone’s birth date it’s a lot easier to take that data and work out exactly who they are than if you know their birth month. From an email marketing perspective, however, you can give someone a special deal for their birthday on the 1st of the month (and give them time to exercise it) and it’s going to be just as effective as emailing them on their birthday. But your risk from a privacy perspective is significantly lower, because you know so much less about the recipient. You don’t want to collect so much information on someone that you can figure out who the actual person is from the data you have.
Can I use single opt-in and be GDPR compliant?
No. No. No. Not at all. Nope. Stop it. No.
Without dual opt-in you cannot say the individual consented, no matter how many boxes they check or radio buttons they select on the form, because you’ve no idea if the person filling in the form is the owner of the email address they gave you. Single opt-in is a terrible email marketing idea anyway, prone to risk from spam traps and spam bots; under the GDPR it carries extreme risk if you don’t switch to dual opt-in by May 25th. Just say no to single opt-in.
For bloggers in particular, this means that you need to check all the plugins on your site, and all your email acquisition processes, to ensure that the addresses are validated and that you have proof of consent.