If you send emails, there's a new privacy law you need to know about. The words "privacy law" probably don't generate a lot of excitement, but trust us, this is a big deal.

Europe is about to launch its General Data Protection Regulation (GDPR), which aims to protect consumers and their personal information in an ever-growing digital age. What does that have to do with you?

It means you'll likely have to change some of your marketing tactics.

The new law is stricter than other regulations we've seen and goes into effect on May 25. To prepare, here's what you should know:

What is GDPR?

GDPR is Europe's new privacy law that takes a hard line on consumer privacy and forces brands and marketers to comply with strict consent and data collection rules.

Before GDPR, Europe had patchwork laws in place. Each member state basically did its own thing. Now, the 28 member states that make up the European Union all have one, unified privacy law.

The law is strict, and the language used to explain the new rules offers a no-nonsense, we-mean-business tone.

Who will this affect?

If you send email to anyone in Europe – you're affected. We're talking about sending an email to anyone in:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

Should I manage European contacts differently or update my entire email marketing strategy?

The new law is for European consumers, but how do you know if a subscriber is in Europe? Great question.

Under the new law, you'll have to ask. If subscribers are located in Europe, you'll have to segment European contacts out and manage your messaging differently with this subset of clients.

Or, you can make changes to your email marketing tactics across the board to ensure you're in compliance. It will take some time, yes, but it's the safest play.

Given our dependence on digital channels, stricter privacy laws are almost inevitable. More countries are likely to follow suit. Europe's new regulations go into effect just months after Canada updated its law dealing with commercial emails.

To stay ahead of the curve, we suggest updating your email marketing strategy so every customer is compliant with the new law – no matter where they are.

What specific changes do marketers have to make?

Let's get down to brass tacks. In order to bring your email marketing into compliance with GDPR, here’s what you should do:

  • Require subscribers to opt-in

Every customer you reach out to has to consent to your emails. That means you'll need an opt-in practice in place.

For instance, if you meet potential clients at a tradeshow and exchange cards, you can't add them to your email list without implied consent.

Many marketers already adhere to an opt-in strategy, where only subscribers who voluntarily join your email list are contacted. If you don’t have one in place, you’ll need to set one up.

  • Get rid of all pre-checked boxes on forms

GDPR has some strict requirements regarding consent. The customer has to willingly opt in to your list, which we just discussed, but any use of pre-checked boxes that automatically add a customer to your email list is prohibited under GDPR.

For example, if a customer makes a purchase online and there’s a pre-checked box that automatically subscribes him or her to your email list, you’re in violation of the new law.

Any effort to "sneak consent," like with pre-checked boxes, is not allowed. Customers have to willingly give consent to receive your emails.

  • Explain how data is used

During the email signup process, you also have to explain to subscribers how you plan to use their data. If you plan to track their purchases and buying behaviors with the intent of selling tailored products, you have to say so.

The GDPR makes it clear that consumers must understand exactly how a company will use their information, and if the consumer finds the practices troublesome they have the right to opt-out of your list.

  • Don’t automatically add contacts to your email list

A lot of marketers use gated content or webinar sign ups as a way to grow their list. When a customer wants to download your white paper, he or she gives up their email address in exchange for the paper. Most marketers add those emails to their overall list and start nurturing these new leads.

Under GDPR, you can’t do that. If a subscriber gives you their information for something specific like access to a white paper, that’s the only purpose you can use it for. You send them the paper and that’s it.

You can’t add their name to your email list and start sending them email. Why? Again, it goes back to consent. The subscriber didn’t give you consent to send emails on a regular basis.

But, there is still a legal way to grow your list in this situation. When you offer gated content or a webinar, you can add an additional field to the form that asks customers if they’d like to join your email list. If the subscriber checks the box, you can add them to your overall list.

In addition, you'll need to explain how you'll use their information during your email relationship.

  • Delete customer data if requested

If a subscriber wants to opt-out of your list, he or she can unsubscribe. That's common practice, but the GDPR takes things one step further.

If a customer no longer wants to interact with a brand, he or she has the "right to be forgotten," under the European law. In other words, brands must be willing to remove any data they have on that person.

So, a customer's purchase history, website tracking and location, for example, must be removed from your database if there's no legitimate reason to retain it.

This will likely require a conversation with your IT department. You'll need a plan to remove data if requested.

  • Keep better records

When a subscriber joins your email list by giving consent, you need a record of that.

If you break any of the rules under the GDPR, it's up to you to show authorities that you did have consent to send emails and that you did explain how their personal information is used.

Pinpointe customers should use our opt-in forms as we log the IP address and time stamp the consent form so you’ll be in compliance.

While Pinpointe’s opt-in forms can add to your records, you’ll still want to talk with your IT department to work on additional measures to collect and store consent forms properly.

  • Update existing contacts

The new rules apply to every contact on your list, not just the ones that join from this point forward. Your old contacts aren't "grandfathered in" with hopes of better practices in the future.

Even if you got explicit consent from your existing contacts, you probably don't have a record of it and you probably didn't spell out your data collection plan.

That means you'll have to get explicit consent from every one of your subscribers and discuss how their data is used.

Of course, before you launch such an effort, make sure you have a plan to collect and store consent forms so you don't have to repeat this process.

  • Notify customers of data breaches

If your servers are hacked, data is stolen, or any kind of breach happens that jeopardizes the safety of customer data, you have to notify customers of the situation within 72 hours.

This safeguard seems like common sense, but big name companies in the U.S. have taken a lot of flak for not telling customers about digital security breaches in a timely manner.

Equifax, for example, waited for two months to notify customers when customer files were breached in July of 2017. The Securities and Exchange Commission issued tighter restrictions to force American companies to report data breaches in 2011, but there's no specific timeline.

The GDPR makes companies accountable, forcing them to tell customers about a breach within a designated time frame. In this case, 72 hours.

What if you decide not to comply with GDPR?

If you don't follow the new rules, you could face some hefty fines. According to the GDPR, companies that aren't in compliance can be fined up to €20 million or 4% of your total global annual turnover, whichever is greater.

The fines are likely high to motivate companies to act. Authorities don't want the new privacy law taken as a suggestion, and see the fines as a "do-it-or-else" ultimatum that forces businesses to take it seriously.

How will the GDPR be enforced?

Enforcement for a law like this is tough, but there are checks in place to see that companies comply.

The authorities will likely rely on subscribers to report abuses. That will likely serve as a starting point for authorities to investigate and see how far and how big the abuse is.

Big companies that fail to comply will certainly be scrutinized, but that doesn’t give small companies a free pass. Stricter privacy laws will be part of the marketing landscape now and in the future, so being able to adapt to regulations like this will become the trademark of a reliable, professional marketer.

Wrap up

Change is never easy, but in this case, it's necessary. Complying with privacy laws, no matter what country issues them, is crucial to the success of your marketing abilities.

Take some time to understand how the GDPR will affect your marketing tactics and get a team of people together to implement changes. Make a plan, set deadlines, assign tasks and upgrade your marketing techniques to ensure you're ready for the GDPR to take effect in late May.

Lisa Furgison McEwen

Lisa Furgison McEwen is a freelance writer and co-owner of McEwen's Media, a content marketing company. She has a decade of journalism experience under her belt and creates top-notch content for dozens of clients.