Emails and GDPR
On May 25, 2018, the General Data Protection Regulation (GDPR) took effect in the EU.
Table of contents
- Question #1 – What is the biggest headache for an email marketer under the GDPR?
- Question #2 – To send, or not to send emails to the existing email list
- Question #3 – Email retention policy – what is it for?
- Question #4 – Did the GDPR get rid of spam and doom email marketing?
- Question #5 – Will I get penalized for poor email safety measures?
What is GDPR all about?
Personal data protection is what the GDPR focuses on. Personal data is any information that can explicitly or implicitly identify an individual. This may include:
name
location
addresses (mail, email, IP, etc.)
bank details
gender
religious beliefs
ethnicity
political opinion
biometric data
web cookies
contacts
device IDs
and pseudonymous data
GDPR lays out rules and principles of personal data protection. It’s aimed at the way companies collect, store, or use the data. There is no direct emphasis on email or email marketing. However, the mailbox of a company contains lots of data that can be deemed personal: names, email addresses, conversations, and much more. Therefore, an email is a valuable asset that must be in compliance with GDPR requirements. This includes email marketing, antispam activities, as well as email encryption and safety.
Question #1 – What is the biggest headache for an email marketer under the GDPR?
Short answer: Email consent
Where in the GDPR is this covered: Article 6, 7
Long answer:
According to the EU Data Protection Directive (Directive 95/46/EC), data should not be disclosed without the data subject’s consent. GDPR expanded this statement and elaborated requirements for collection and storage of users’ consent. Details are laid out in Article 6, but the key points are the following:
Your request for the user’s consent must be understandable and clearly distinguished
The provided consent must be freely given by an individual for a specific purpose without any ambiguous representation
The provided consent can be withdrawn by an individual at any time
In terms of email marketing, this entails an increased focus on how you handle users’ email consent. The best GDPR-compliant practices are, as follows:
- Affirmative opt-in forms – As an example, check out this opt-in form by Mural:
At the same time, opt-in boxes must not be pre-ticked. According to GDPR Recital 32:
Silence, pre-ticked boxes, or inactivity should not constitute consent.
Email consent must be separated from other options or services, such as privacy notices, terms and conditions, and so on. You can request consent for a particular purpose and specify this explicitly.
An opt-out option is a MUST. You are to provide a free and convenient way for users to withdraw consent – unsubscribe. In this aspect, GDPR is similar to the CAN-SPAM act. For example, this is how Slack implements this requirement:
- Keep records of all collected email consents. This is not a nice-to-have practice, but a mandatory one. According to GDPR Article 7, “…the controller should be able to demonstrate that the data subject has given consent to the processing operation”. If you collected the opt-in consent, you must be able to prove details of who, when, and how they consented.
Question #2 – To send, or not to send emails to the existing email list
Short answer: Send if you can prove there is email consent
Where in the GDPR is this covered: Article 4, 6, 7, 9, 22
Long answer:
Mailtrap began to take measures to ensure full compliance with GDPR far before it came into effect. Before GDPR, our customer base included over 300K email addresses. These were users who signed up for Mailtrap services and agreed to receive transactional emails like product updates, changes in billing plans, and other important notes. We did not, however, request explicit consent to send marketing emails to them. So, shall we reconfirm or can we send emails without it?
- First, GDPR applies to all signups no matter when they provided their personal data. If you can prove that you have an unambiguous consent record of the existing email list, then you are GDPR-compliant
- Second, make sure that the consent applies to both transactional and marketing emails. This really matters because the GDPR is aimed at preventing users from receiving unwanted marketing emails. Using transactional emails for marketing purposes is also a dead-end. Sooner or later, some of your customers may report this to the data protection authority. If they conclude that your transactional emails look more like marketing ones, you’ll be fined.
In the case of Mailtrap, we had consent for sending transactional emails only. So, sending marketing emails without re-engaging our email list would be a violation of the GDPR.
Question #3 – Email retention policy – what is it for?
Short answer: To protect against possible break-in of employee mailboxes
Where in the GDPR is this covered: Article 5, 17
Long answer:
Data erasure is one of the main data protection principles laid out in GDPR. The essence of this is that companies can store personal data of individuals no longer than it is necessary. The storage period should be set up according to the reason why the data is needed for processing. For example, you’re processing CVs while looking for candidates for a certain position. Once the candidate has been found, you don’t have to get rid of all the processed CVs at once. On the other hand, storing personal data (from CVs) for 5+ years without any update would be irrelevant.
There are exclusions for when companies can keep the data for a longer period. Those include archiving or scientific purposes, law restrictions, and other reasons. In these cases, the appropriate data security measures are obligatory.
In terms of GDPR and emails, the companies have to focus on the amount of data their employees’ store in their mailboxes. For this purpose, they need to establish an email retention policy that will regulate frequency, volume, and other aspects of email data erasure. The idea is to minimize the adverse consequences of a data breach in the case of a mailbox break-in.
Question #4 – Did the GDPR get rid of spam and doom email marketing?
Short answer: No, it did not
Where in the GDPR is this covered: Article 5, 6, 13
Long answer:
Someone expected significant changes after May 25, 2018. There were predictions for the demise of spam. GDPR was introduced as a hero that beats outlaws spreading malicious emails. But the hard-driving requirements were meant to protect personal data rather than combat spammers. You can see the outcome by yourself – our spam folders have not emptied. Maybe, we should wait till the email consent-centered regulation will help. Who knows?
Another prediction referred to the sunset of email marketers. Oppositionists introduced GDPR as an anti-email marketing document. However, it’s only meant to facilitate a customer’s email experience. Yes, GDPR stimulates companies to be more attentive to how they work with data. Those who are OK with that, survive; others don’t.
Question #5 – Will I get penalized for poor email safety measures?
Short answer: GDPR non-compliance may be a costly mistake
Where in the GDPR is this covered: Article 82, 83
Long answer:
Let’s say, you’ve experienced a data breach because of your employee’s negligence, mailbox break-in, or anything else. Mostly, this happens due to the lack of security measures and policies that could have prevented a data breach. GDPR is not aimed at punishing anyone for poor email safety measures alone. A penalty for GDPR non-compliance will be a result of many internal problems with security and a lack of understanding of GDPR principles.
The GDPR established the following fines for violation of the rules:
€10 ($11.2) million, or 2% of global revenue, whichever is higher. This fine covers the less severe infringements regulated by the following Articles: 8, 11, 25-39, 41-43.
€20 ($22.3) million or 4 percent of global revenue, whichever is higher. This fine covers the more serious infringements regulated by the following Articles: 5, 6, 7, 9, 12-22, 44-49.
In both cases, you’ll have to pay compensation for damages.
At the same time, the threshold of €20 ($22.3) million is not ultimate. At the beginning of 2019, the French data privacy body, CNIL, imposed a €50 million ($57 million) penalty to Google. The official reason was “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
Data protection regulators in each EU country are entitled to administer fines themselves. That’s why the UK Information Commissioner’s Office could penalize British Airways for £183 ($230) million. The reason was the 2018 data breach that compromised 500K consumers.
To read more, check the original Mailtrap Blog.