What you Need to Know about Email Compliance in 2019 and Beyond

A lot of recent content has been devoted to email consent, privacy considerations, and data collection.  While the first anti-spam laws have existed for well over a decade, legislation to protect the public’s personal information is a new twist that’s gaining momentum — and quickly.

We first saw inklings that privacy would become a major legal consideration in laws that were written to protect anyone with an email address from receiving spam messages in their inbox.  Most marketers are probably familiar with Canada’s Anti-Spam Legislation, CASL (Canada, 2014) and Controlling the Assault of Non-Solicited Pornography And Marketing CAN-SPAM (US, 2003). The primary purpose of each of these laws is to empower recipients to easily identify the senders of email communications and easily unsubscribe if they wish to do so.

CASL also specifically mandates solicitive emails only be sent to those individuals who provide their consent to receive communications — or, in marketing terms, opt-in.  Certainly these laws laid the foundation for consumer protection related to email communications, but they don’t speak explicitly about an individual’s rights and protections related to data collection or storage.

More recent laws, such as the General Data Protection Regulation, GDPR (EU, adopted in 2016) and California Consumer Privacy Act, CCPA (California, 2018), purport to tackle that exact facet of consumer protection. Because these two new pieces of legislation are very similar to each other, it is a good indicator that the security they afford the public is likely to become standard protocol in the near term.

Key differences between original anti-spam laws, such as CASL, and privacy protection laws, such as the GDPR, have to do with data protection and the definition of privacy.

Both the GDPR and CCPA define privacy and personal data as any information that relates, describes, can be linked to, or can be used to identify to a consumer, person, or household. Seemingly disparate pieces of information that can collectively be used to identify a particular person also constitute personal data. This can include someone’s name, address, email address, IP address, credit card number, or basically anything that you would enter on any form that you submit on the internet.

In today’s world, where hacking and identity theft are legitimate threats, companies who collect an individual’s personal data need to be held to account for the systems they implement and maintain in order to store that data. The GDPR and CCPA aren’t saying you can’t collect private information. But they are saying you must do so in adherence to their law.  This means you must explicitly inform website visitors of the following details:

1. That you are, in fact, collecting their data
2. Exactly what data you are collecting
3. A listing of all of the systems and tools where you are storing it
4. What you will use their information for
5. Statement and agreement that you are not collecting their data for reselling purposes and will say no to any inbound requests to do so
6. That you will provide any individual with access to their data upon request
7. That you will entirely delete personal data upon request
8. That you require parental consent for data collection of minors (but note that the definition or “minor” varies)

The law stipulates that financial penalties can be levied for non-compliance of these laws. While the exact fines can vary widely, they can be steep. The GDPR, for example, has structured their fees in terms of the severity of the offense. For example, you could be fined less if your records aren’t in order as compared to complete negligence of the law.  However, the GDPR states that an organization meeting the qualifying criteria below can expect fines of up to 4% of their annual global turnover, or up to €20M:

1. Is based in the EU
2. Is not based in the EU but endeavors to sell goods and/or services to individuals based in the EU and has more than 250 employees or utilize web tools to track cookies and IP addresses.

California’s privacy law also differentiates between intentional and unintentional violations, but can fine up to $7,500 or $2,500, respectively, for every individual violation. Your company will qualify for these penalties if you meet one of the following criteria:

1. Achieves gross annual revenues in excess of $25 million.
2. Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
3. Derives 50 percent or more of annual revenues from selling consumers’ personal information.

In other words, we all have an ethical obligation for compliance, but a financial obligation as well if you meet the criteria for each law outlined above.

Future Email Compliance Considerations 

There are a number of considerations to keep in mind, not only for these existing laws but for new laws that are likely coming in the future.  There are a few things that you can — and should — do right away.

First, create segments of your marketing list to identify individuals who are not in the United States and have not opted-in to your mailings. You should begin suppressing this segment from your marketing and other communications. Hopefully, you already have this data for the individuals on your list and ideally, you’re already suppressing those in the EU.

It’s also possible that you need to add criteria so you know where individuals are located. Since the GDPR is retroactive, it’s advisable to go ahead and delete any data that was submitted by anyone based in the EU, and suppress anyone who you aren’t certain about. Even emailing to inquire as their location could be a violation of the GDPR.

Given the directive to inform website visitors about your collection of their data, you will need to make some changes to your website, too, particularly all of your website forms.  The GDPR says that implied opt-in form fields aren’t good enough, so you may need to update or change the way your subscription management works.

For example, if you are funneling all form submissions to your marketing list, even if they don’t actually confirm an opt-in checkbox, you should end that practice.  Instead, make sure that a subscribe field is visible on all of your forms. The user should have to actively select “Yes” or “Subscribe” (or some similar variation) in order to be incorporated into your mailing list. You also need to make sure that it’s clear what the visitor is opting into, which may mean that you need to make some changes to the field label and text.

Opt-In Language Example

Remember the list of things both laws now require you to advise website visitors of?  That’s best included in your privacy notice or policy. If you already have one on your site, make sure that visitors are required to agree to it in advance of submitting a form.  We placed a checkbox with a popup modal window containing the entirety of our notice on our forms.

Privacy Notice Example

Another option is to implement technology that allows you to show these fields conditionally (i.e. only when a visitor identifies themself as an EU visitor who needs to agree to these terms).  Our team built a privacy manager plugin that does exactly this, among other things, which allows non-EU visitors to submit forms with a little less friction. You can read more on our specific take on the GDPR and your website forms in another of our articles here.

The other website change you should make is installing a cookie manager tool.  There are many such tools available depending on what CMS and marketing automation tools you use. Many marketing automation softwares offer their own cookie consent tools. However, if you don’t have a marketing automation system (or don’t like the option yours offers) there are tools like Cookie Consent to manage this functionality on your site.

A cookie notice is important because it informs all visitors right away of the fact that they are being cookied, or tracked. This means that it’s, therefore, possible that some of their private information is being collected even if they haven’t submitted a form yet.

In addition to the legal requirements and best practices mentioned here, we’re planning to keep a close eye on new privacy laws. We expect these trends to become more popular, so don’t be surprised to hear about new legislation that iterates on these themes.  Staying informed and being proactive are your best bet to maintaining compliance. In the meantime, here’s a list of resources we’ve found helpful, and that we will plan to look to for future updates:

Litmus

Campaign Monitor

Act-On