Currently, spam regulations in the European Union (EU) differ from country to country. However, the EU’s new privacy law, the General Data Protection Regulation (GDPR), will provide formal and consistent privacy rules across the EU. The GDPR is a new set of rules designed to give European citizens more control over their data. It aims to simplify the regulatory environment for business so both citizens and businesses can fully benefit from the digital economy. You will be impacted by the GDPR if you are marketing to European subjects: if you collect and store data from individuals within any of the nations comprising the European Union, you are subject to it. The regulation applies regardless of where you are based, and even applies to companies that are not intentionally marketing to European subjects. Failure to comply with the regulation could result in fines of up to €20 million, or 4% of your company’s total global annual turnover (whichever is higher). The GDPR has binding legal force, and will be immediately enforceable as law in all EU member states on May 25, 2018.
Here we’ve outlined how the GDPR impacts the forms on your site and your email marketing strategy:
With the GDPR in place, marketers will only be allowed to collect data from, and send emails to, people who have agreed to their data being processed and have opted in to receive messages. As such, it will be illegal to collect personal data through a form on your site from individuals who have not explicitly consented to that collection. Additionally, emailing visitors from the EU who have filled out a different form on your site (such as a contact form) but have not explicitly opted in to receive your marketing emails is a violation of the GDPR. Pre-checked opt-in boxes are in violation of the GDPR and should not be used. The form must inform subscribers about your company and state the purposes for which you are collecting their personal data. The GDPR not only sets the rules for how to collect consent, but also requires companies to keep a record of these consents.
Below we’ve provided a list of changes you should make to the forms on your site for compliance with the GDPR:
- Include a required field for permission to collect and store personal data. The field should link to your privacy notice and require that the visitor open your privacy notice to confirm consent.
- The privacy notice needs to include the reasons why the visitors’ data is being collected and information on what the data will be used for. This includes IP addresses and cookie data. It is also very important to include a clear and accessible option for visitors to retrieve their data and/or be forgotten.
- Include a required ‘Country’ field on all forms that are not subscription forms (e.g. contact us, webinar registration, past webinar download, etc.).
- Present an unchecked opt-in box to all visitors outside of the U.S.
- Include language about what the visitor is opting in to, being honest and clear about what they should expect to receive from you.
- Determine how you want to handle gated content. Under the GDPR, an individual’s consent cannot be required to receive a good or service, which means you can’t require they give you their information for access to your content. This means you should either give access to European visitors for free or block them completely from gated content. Note that this is not the case with webinars, which require certain personal data, like an email address, in order to deliver the service.
- Store all consent forms in your CMS and marketing automation system as a record of when and how you received consent from the individual.
- Have a way to retrieve and purge data from every system in which you store data. This is important for compliance if an individual asks for their data or exercises their right to be forgotten.
Under the GDPR, marketers will only be allowed to send email to people who have opted in to receive messages. If your database includes subscribers whose permissions have not been collected according to the GDPR’s standards, you should not email those contacts after May 25th, 2018. The regulation applies even if you are uncertain of the contact’s country. To ensure you do not accidentally violate the GDPR, we recommend completing the following steps:
- Create segments of leads that are not in the US (or have no country identified) and have not opted in.
- Consider purging this data before May 25th, 2018.
- Suppress against this segment when sending email blasts moving forward.
- If you are using automated programs, make sure that any European leads that have not opted in are excluded from the program.
- Exclude these leads by using an early exit rule or conditional branch that cross-references the segment you created.
- If you have a large database of European leads that have previously opted in and that you would like to continue marketing to, we recommend you set up a repermissioning campaign before May 25th, 2018.
- You may also want to consider setting up a double opt-in process. Double opt-in is not a requirement under the GDPR, but it is one of the best ways to prove that consent was obtained under the GDPR.
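The form rules and the segmentation steps above share one data model: a consent record that captures when and how consent was given, and a lead whose country may be unknown. The following is an added example (not code from this blog or from any particular CMS or marketing automation tool) that implements both: it only creates a consent record when the opt-in box was explicitly ticked and the privacy notice was opened, it builds the suppression segment of non-US or unknown-country leads without consent, and it purges a lead from every store. The field names (`opt_in`, `privacy_notice_opened`, `form_id`, `privacy_notice_version`) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed data model for this example; not tied to any real CMS or marketing tool.
@dataclass(frozen=True)
class ConsentRecord:
    source_form: str             # how consent was obtained (which form)
    granted_at: datetime         # when consent was obtained (UTC)
    privacy_notice_version: str  # which notice text the visitor confirmed
    purposes: tuple              # what the visitor was told they would receive

@dataclass
class Lead:
    email: str
    country: Optional[str]       # None when the country was never captured
    consent: Optional[ConsentRecord] = None

def needs_gdpr_consent(country: Optional[str]) -> bool:
    # An unknown country is treated as potentially European, as the post advises.
    return country is None or country.strip().upper() != "US"

def record_consent(form: dict, submitted_at: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Turn a submitted form into a consent record, or return None when there is no valid consent.
    The opt-in must be an explicit True (a missing or False value stands in for an unchecked box),
    and the visitor must have opened the privacy notice before confirming."""
    if form.get("opt_in") is not True or form.get("privacy_notice_opened") is not True:
        return None
    return ConsentRecord(
        source_form=form["form_id"],
        granted_at=submitted_at or datetime.now(timezone.utc),
        privacy_notice_version=form["privacy_notice_version"],
        purposes=tuple(form.get("purposes", ())),
    )

def suppression_segment(leads) -> list:
    """Emails of leads outside the US (or with no country) that have no consent record."""
    return [lead.email for lead in leads
            if needs_gdpr_consent(lead.country) and lead.consent is None]

def erase_lead(stores: dict, email: str) -> list:
    """Remove a lead from every system that holds it; returns the names of the systems purged."""
    return [name for name, store in stores.items() if store.pop(email, None) is not None]
```

Wire `record_consent` into the form handler so a consent record is stored alongside the lead, and run `suppression_segment` against the same lead table before every send.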
The GDPR is broad in scope, and successful compliance will vary between organizations. The changes we’ve outlined in this article are for informational purposes. Neither this blog nor our advice can be used as legally binding advice. To ensure compliance please consult your own legal team for counsel.
For more information on the GDPR, check out the links below: