Emails and GDPR – 11 Questions to Answer

On May 25, 2018, the General Data Protection Regulation (GDPR) took effect in the EU. Before this, there were many concerns about the impact GDPR would have on email marketing. Some predicted adverse consequences and the total disruption of existing marketing strategies. The rules have indeed changed, and violating them can cost you daunting fines. But the devil is not as black as he is painted. So we collected the 10 most asked questions about GDPR email compliance and answered them.

What is GDPR all about?

Personal data protection is what the GDPR focuses on. Personal data is any information that can explicitly or implicitly identify an individual. This may include:

  • name
  • location
  • addresses (mail, email, IP, etc.)
  • bank details
  • gender
  • religious beliefs
  • ethnicity
  • political opinion
  • biometric data
  • web cookies
  • contacts
  • device IDs
  • and pseudonymous data

GDPR lays out rules and principles of personal data protection. It is aimed at the way companies collect, store, or use the data. There is no direct emphasis on email or email marketing. However, a company's mailboxes contain lots of data that can be deemed personal: names, email addresses, conversations, and much more. Therefore, email is a valuable asset that must comply with GDPR requirements. This covers email marketing, antispam activities, and email encryption and safety.

Question #1 – What is the biggest headache for an email marketer under the GDPR?

Short answer: Email consent

Where in the GDPR is this covered: Article 6, 7

Long answer:

According to the EU Data Protection Directive (Directive 95/46/EC), data should not be disclosed without the data subject's consent. GDPR expanded this statement and elaborated the requirements for collecting and storing users' consent. Details are laid out in Article 6, but the key points are the following:

  • Your request for the user’s consent must be understandable and clearly distinguished
  • The provided consent must be freely given by an individual for a specific purpose, without ambiguity
  • The provided consent can be withdrawn by an individual at any time

In terms of email marketing, this entails an increased focus on how you handle users' email consent. The best GDPR-compliant practices are as follows:

  • Affirmative opt-in forms – As an example, check out this opt-in form by Mural:

At the same time, opt-in boxes must not be pre-ticked. According to GDPR Recital 32:

Silence, pre-ticked boxes, or inactivity should not constitute consent. 

  • Email consent must be separated from other options or services, such as privacy notices, terms and conditions, and so on. You can request consent for a particular purpose and specify this explicitly.
  • An opt-out option is a MUST. You must provide a free and convenient way for users to withdraw consent, i.e., unsubscribe. In this aspect, GDPR is similar to the CAN-SPAM Act. For example, this is how Slack implements this requirement:
  • Keep records of all collected email consents. This is not a nice-to-have practice, but a mandatory one. According to GDPR Article 7, “…the controller should be able to demonstrate that the data subject has given consent to the processing operation”. If you collected the opt-in consent, you must be able to prove details of who, when, and how they consented.

Question #2 – To send, or not to send emails to the existing email list

Short answer: Send if you can prove there is email consent

Where in the GDPR is this covered: Article 4, 6, 7, 9, 22

Long answer:

Mailtrap.io began to take measures to ensure full compliance with GDPR well before it came into effect. We even shared the details in the blog post, "How Mailtrap is Getting Ready for GDPR." Before GDPR, our customer base included over 300K email addresses. These were users who signed up for Mailtrap services and agreed to receive transactional emails like product updates, changes in billing plans, and other important notices. We did not, however, request explicit consent to send marketing emails to them. So, shall we reconfirm, or can we send emails without it?

  • First, GDPR applies to all signups, no matter when they provided their personal data. If you can prove that you hold an unambiguous consent record for the existing email list, then you are GDPR-compliant.
  • Second, make sure that the consent covers both transactional and marketing emails. This really matters because GDPR aims to prevent users from receiving unwanted marketing emails. Using transactional emails for marketing purposes is also a dead end. Sooner or later, some of your customers may report this to the data protection authority, and if it concludes that your transactional emails look more like marketing ones, you'll be fined.

In the case of Mailtrap, we had consent for sending transactional emails only. So, sending marketing emails without re-engaging our email list would be a violation of the GDPR.

Question #3 – Email retention policy – what is it for?

Short answer: To limit the damage from a possible break-in of employee mailboxes

Where in the GDPR is this covered: Article 5, 17

Long answer:

Data erasure is one of the main data protection principles laid out in GDPR. In essence, companies may store individuals' personal data for no longer than is necessary. The storage period should be set according to the reason the data is needed for processing. For example, you're processing CVs while looking for candidates for a certain position. Once the candidate has been found, you don't have to get rid of all the processed CVs at once. On the other hand, storing personal data from CVs for 5+ years without any update would no longer be justified by that purpose.

There are exceptions that allow companies to keep data for a longer period. Those include archiving or scientific purposes, legal obligations, and other reasons. In these cases, appropriate data security measures are obligatory.

In terms of GDPR and emails, companies have to focus on the amount of data their employees store in their mailboxes. For this purpose, they need to establish an email retention policy that regulates the frequency, volume, and other aspects of email data erasure. The idea is to minimize the adverse consequences of a data breach in the case of a mailbox break-in.
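A retention policy only works if it is expressed precisely enough to be run. The following is an added example, not Mailtrap's code, showing how the rules above (a purpose-specific storage period counted from the last update, plus the exceptions for legal obligations and archiving) can be applied to a mailbox. The purposes, day counts, and mailbox items are constructed sample values; a real policy would come from your own data protection documentation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: days a mailbox item may be kept after its last update,
# per documented processing purpose. Your own policy decides the actual numbers.
RETENTION_DAYS = {
    "recruiting": 180,        # CVs and interview threads for a filled position
    "customer_support": 730,  # support conversations
    "billing": 2555,          # kept longer because of a legal (tax) obligation
}


@dataclass
class MailboxItem:
    item_id: str
    purpose: str                    # the documented reason the personal data is processed
    last_updated: datetime
    legal_hold: bool = False        # retain while a legal obligation or dispute applies
    research_archive: bool = False  # archiving/scientific exception; safeguards still required


def retention_decision(item: MailboxItem, now: datetime) -> str:
    """Returns 'erase', 'retain:<reason>' or 'review:<reason>' for one item."""
    if item.legal_hold:
        return "retain:legal_hold"
    if item.research_archive:
        return "retain:archiving"
    days = RETENTION_DAYS.get(item.purpose)
    if days is None:
        # No documented purpose means no documented retention period: escalate, don't guess.
        return "review:unknown_purpose"
    expires = item.last_updated + timedelta(days=days)
    return "erase" if now >= expires else f"retain:until_{expires.date().isoformat()}"


def retention_sweep(items, now) -> dict:
    """Groups a mailbox into what to erase now, what to keep, and what needs a human look."""
    result = {"erase": [], "retain": [], "review": []}
    for item in items:
        decision = retention_decision(item, now)
        result[decision.split(":")[0]].append((item.item_id, decision))
    return result


SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed sample timeline
SAMPLE_ITEMS = [  # constructed sample mailbox; no real people
    MailboxItem("cv-1041", "recruiting", SAMPLE_NOW - timedelta(days=400)),
    MailboxItem("cv-2077", "recruiting", SAMPLE_NOW - timedelta(days=30)),
    MailboxItem("ticket-88", "customer_support", SAMPLE_NOW - timedelta(days=800), legal_hold=True),
    MailboxItem("inv-2019-7", "billing", SAMPLE_NOW - timedelta(days=1900)),
    MailboxItem("misc-3", "unknown", SAMPLE_NOW - timedelta(days=2000)),
]


def run_demo() -> dict:
    """Runs the sweep over the constructed mailbox."""
    return retention_sweep(SAMPLE_ITEMS, SAMPLE_NOW)


if __name__ == "__main__":
    for bucket, entries in run_demo().items():
        print(bucket, entries)
```

The "review" bucket is the important design choice: an item whose purpose is not documented cannot be justified under the storage-limitation principle, but silently deleting it is not the right answer either, so the sweep hands it to a person instead of guessing a period.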

Question #4 – Did the GDPR get rid of spam and doom email marketing?

Short answer: No, it did not

Where in the GDPR is this covered: Article 5, 6, 13

Long answer:

Some expected significant changes after May 25, 2018. There were predictions of the demise of spam; GDPR was introduced as a hero that beats the outlaws spreading malicious emails. But its hard-driving requirements were meant to protect personal data rather than to combat spammers. You can see the outcome for yourself: our spam folders have not emptied. Maybe we should wait until the consent-centered regulation starts to help. Who knows?

Another prediction was the sunset of email marketers. Opponents presented GDPR as an anti-email-marketing document. However, it is only meant to improve a customer's email experience. Yes, GDPR pushes companies to be more attentive to how they work with data. Those who are OK with that survive; others don't.

Question #5 – Will I get penalized for poor email safety measures? 

Short answer: GDPR non-compliance may be a costly mistake

Where in the GDPR is this covered: Article 82, 83

Long answer:

Let's say you've experienced a data breach because of an employee's negligence, a mailbox break-in, or anything else. Mostly, this happens due to a lack of the security measures and policies that could have prevented it. GDPR is not aimed at punishing anyone for poor email safety measures alone. A penalty for GDPR non-compliance results from many internal problems with security and a lack of understanding of GDPR principles.

The GDPR established the following fines for violation of the rules:

  • €10 ($11.2) million, or 2% of global revenue, whichever is higher. This fine covers the less severe infringements regulated by the following Articles: 8, 11, 25-39, 41-43.
  • €20 ($22.3) million, or 4% of global revenue, whichever is higher. This fine covers the more serious infringements regulated by the following Articles: 5, 6, 7, 9, 12-22, 44-49.
  • In both cases, you'll have to pay compensation for damages.

At the same time, the €20 ($22.3) million threshold is not a ceiling. At the beginning of 2019, the French data privacy body, CNIL, imposed a €50 million ($57 million) penalty on Google. The official reason was "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization."

Data protection regulators in each EU country are entitled to administer fines themselves. That's why the UK Information Commissioner's Office could fine British Airways £183 ($230) million. The reason was the 2018 data breach that compromised 500K consumers.

Question #6 – How do you craft a GDPR-compliant email?

Short answer: A GDPR-compliant email must be encrypted and contain explicit opt-in and opt-out options

Where in the GDPR is this covered: Article 5, 25, 34

Long answer:

A GDPR-compliant email includes the following aspects:

  • encryption
  • affirmative opt-in option
  • explicit opt-out option

According to Article 5, personal data shall be processed in a manner that ensures appropriate security. In terms of email marketing, this makes encryption the most viable measure. At the same time, encryption is not explicitly required, and every company is free to choose its own data security practices. For more on this, check out our guide to email encryption.

Above, we highlighted how the opt-in and opt-out options inside the email should look. You may encourage users to subscribe to your services, but you cannot pressure them into it: the email consent must be freely given. The opt-out option is a user's right to withdraw his or her consent. This must be free and easy to accomplish, without any additional information required (except for an email address). The List-Unsubscribe header might be a good solution for that.
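To make the List-Unsubscribe suggestion concrete, here is an added example (not code from Mailtrap or from this post) that builds a marketing message with the RFC 2369 `List-Unsubscribe` header and the RFC 8058 `List-Unsubscribe-Post` header, and shows the server side that honours the one-click request. The point that matters for compliance is that the unsubscribe link needs nothing from the user beyond what the link itself carries, while the HMAC token stops a link being altered to unsubscribe somebody else. The domain names, endpoint, signing key, and subscriber list are all constructed sample values.

```python
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical values: load the key from a secrets manager and use your own domain in practice.
UNSUBSCRIBE_KEY = b"rotate-me-example-signing-key"
UNSUBSCRIBE_ENDPOINT = "https://news.example.com/unsubscribe"


def unsubscribe_token(address: str, list_id: str) -> str:
    """HMAC over address and list, so a link cannot be forged for, or swapped to, another address."""
    msg = f"{address.lower()}\n{list_id}".encode()
    return hmac.new(UNSUBSCRIBE_KEY, msg, hashlib.sha256).hexdigest()


def unsubscribe_url(address: str, list_id: str) -> str:
    """The https target placed in the header and in the message body."""
    return (f"{UNSUBSCRIBE_ENDPOINT}?list={quote(list_id)}&addr={quote(address)}"
            f"&token={unsubscribe_token(address, list_id)}")


def build_marketing_email(to_addr: str, list_id: str, subject: str, body: str) -> EmailMessage:
    """A marketing message carrying the one-click headers and a visible unsubscribe link."""
    msg = EmailMessage()
    msg["From"] = "Example News <news@example.com>"
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg["List-Id"] = f"<{list_id}.news.example.com>"
    link = unsubscribe_url(to_addr, list_id)
    # RFC 2369 header: a mailto and an https target. RFC 8058 header: the https target accepts a
    # POST with exactly this body, which lets mail clients offer a one-click unsubscribe control.
    msg["List-Unsubscribe"] = f"<mailto:unsubscribe@example.com?subject=unsub-{list_id}>, <{link}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nNo longer want these emails? Unsubscribe here: {link}")
    return msg


def handle_one_click_unsubscribe(url: str, post_body: str, subscriptions: dict) -> bool:
    """Server side of the https target: verify the signed link, then remove the address.
    Nothing is asked of the user, and a tampered link is rejected rather than acted on."""
    if post_body != "List-Unsubscribe=One-Click":
        return False
    query = parse_qs(urlparse(url).query)
    try:
        list_id, addr, token = query["list"][0], query["addr"][0], query["token"][0]
    except KeyError:
        return False
    if not hmac.compare_digest(token, unsubscribe_token(addr, list_id)):
        return False
    subscriptions.get(list_id, set()).discard(addr.lower())
    return True


def run_demo() -> dict:
    """Constructed sample: two subscribers on one list; a tampered and a genuine unsubscribe."""
    subs = {"monthly": {"alice@example.org", "bob@example.org"}}
    msg = build_marketing_email("alice@example.org", "monthly", "January news", "Hello Alice,")
    link = msg["List-Unsubscribe"].split(", ")[1].strip("<>")
    tampered = link.replace("alice%40example.org", "bob%40example.org")
    return {
        "has_header": msg["List-Unsubscribe-Post"] == "List-Unsubscribe=One-Click",
        "tampered_rejected": not handle_one_click_unsubscribe(tampered, "List-Unsubscribe=One-Click", subs),
        "wrong_body_rejected": not handle_one_click_unsubscribe(link, "", subs),
        "genuine_ok": handle_one_click_unsubscribe(link, "List-Unsubscribe=One-Click", subs),
        "remaining": sorted(subs["monthly"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the token is bound to the lower-cased address and the list id, the same subscriber gets the same link on every send, and the server never needs a login or a second form to honour the withdrawal.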

Question #7 – What are the restrictions for data profiling?

Short answer: Respect users' rights to allow or disallow profiling

Where in the GDPR is this covered: Article 22, 19

Long answer:

Data profiling means using data to assess individual-related aspects like behavior, preferences, etc. In email marketing, this relates to sending personalized and targeted campaigns. GDPR did not ban data profiling, but it did restrict it. To be GDPR-compliant, you have to respect users' right not to be subjected to a decision based on automated processing or profiling. Also, data subjects have the right to:

  • Object to the profiling
  • Request the halt of profiling
  • Be informed of profiling
  • Be forgotten as a profiling subject
  • Have their profiled data removed
  • Get a copy of their profiled personal data

Also, keep in mind that profiling children is not allowed.

Question #8 – Why is the security of HR specialists a top priority for GDPR email compliance?

Short answer: To prevent the disclosure of personal data held by HR staff in the case of phishing attacks or mailbox break-ins

Where in the GDPR is this covered: Article 88, 47, 39

Long answer:

HR specialists work with people, including both applicants and current employees. Therefore, their mailboxes are troves of personal data. If this data leaks, many people could be harmed socially, legally, or financially. Their employer, in turn, will be fined by the corresponding data protection regulator for GDPR non-compliance.

GDPR does not set specific email requirements to protect HR staff or employers. However, companies should make their security a top priority. This may include:

  • GDPR-compliant Internet content control filters. These won't let your HR employees access potentially hazardous websites, such as those hosting malware or malicious URLs.
  • Data protection notice. A guide containing instructions on how to recognize a phishing attack and what to do in that case.
  • Data protection policy. A high-level description of the organizational and technological measures for processing personal data.
  • Data retention policy. The frequency and amount of data erasure from mailboxes.

Question #9 – Double opt-in to prove consent is a must – true or false?

Short answer: Double opt-in is a good measure but not a mandatory one

Where in the GDPR is this covered: Article 7, 8; Recital 32

Long answer:

GDPR Recital 32 states that "Consent should be given by a clear affirmative act…". The idea is to ask users to clearly indicate their confirmation. Examples of such acts are a user ticking a box, choosing specific technical settings, and so on.

For a double opt-in, a user has to perform two actions:

  1. A new subscriber clicks the Submit button
  2. A new subscriber receives a confirmation email and has to click a link or button again to confirm his or her intention.

There are many good reasons to go this way, but this is not what makes you GDPR-compliant. When you ask users whether they want to subscribe to your emails, you must also have them confirm their consent. A double opt-in is not necessary for this.
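Two earlier points come together here: Question #1 says you must keep records proving who consented, when, and how (Article 7), and this question says double opt-in is one good way to collect that proof but not the only one. The following added example, which is not Mailtrap's code, is a small consent ledger that supports both flows: `request()` records the affirmative act on an unticked box and, for double opt-in, issues a confirmation token; `confirm()` records the click in the confirmation email and rejects unknown, reused, or expired tokens; `withdraw()` logs the opt-out without erasing history; and `evidence()` returns the who/when/how trail you would hand to a regulator. The 48-hour token lifetime, purpose names, addresses, and IP addresses are constructed sample values.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONFIRM_TTL = timedelta(hours=48)  # hypothetical: how long a confirmation link stays valid


@dataclass
class ConsentEvent:
    """One audit-trail entry: the who/when/how that Article 7 asks you to demonstrate."""
    at: datetime       # when (UTC)
    action: str        # "requested", "given", "confirmed" or "withdrawn"
    purpose: str       # e.g. "marketing_newsletter", kept separate from transactional mail
    source: str        # how: form URL and version, confirmation link, unsubscribe link
    ip: str            # where the action came from
    consent_text: str  # the exact wording the user saw when acting


class ConsentLedger:
    """Append-only consent history per address, with optional double opt-in."""

    def __init__(self) -> None:
        self.events: dict[str, list[ConsentEvent]] = {}
        # Pending confirmations keyed by a hash of the token, so a leaked table
        # does not let anyone confirm on the subscriber's behalf.
        self.pending: dict[str, tuple[str, str, datetime]] = {}

    def _log(self, email, *args):
        self.events.setdefault(email.lower(), []).append(ConsentEvent(*args))

    def request(self, email, purpose, source, ip, text, now, confirm_required=True):
        """Step 1: the affirmative act on an unticked opt-in box. Returns a confirmation
        token for double opt-in, or None when single opt-in is used."""
        if not confirm_required:
            self._log(email, now, "given", purpose, source, ip, text)
            return None
        self._log(email, now, "requested", purpose, source, ip, text)
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = (email.lower(), purpose, now)
        return token

    def confirm(self, token, ip, now) -> bool:
        """Step 2: the click in the confirmation email. Unknown, reused or expired
        tokens are rejected and leave no consent behind."""
        entry = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or now - entry[2] > CONFIRM_TTL:
            return False
        email, purpose, _ = entry
        self._log(email, now, "confirmed", purpose, "confirmation-email-link", ip, "")
        return True

    def withdraw(self, email, purpose, source, ip, now) -> None:
        """Withdrawal is logged, never erased: the record must show when consent ended."""
        self._log(email, now, "withdrawn", purpose, source, ip, "")

    def has_consent(self, email, purpose) -> bool:
        """The latest event for this purpose decides; a bare 'requested' never counts."""
        state = False
        for ev in self.events.get(email.lower(), []):
            if ev.purpose == purpose and ev.action in ("given", "confirmed"):
                state = True
            elif ev.purpose == purpose and ev.action == "withdrawn":
                state = False
        return state

    def evidence(self, email, purpose) -> list[dict]:
        """What you would hand a regulator: the full who/when/how trail for one purpose."""
        return [vars(ev) | {"at": ev.at.isoformat()}
                for ev in self.events.get(email.lower(), []) if ev.purpose == purpose]


SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample timeline


def run_demo() -> dict:
    """Walks constructed subscribers through double opt-in, replay, expiry and withdrawal."""
    ledger, t0, out = ConsentLedger(), SAMPLE_NOW, {}
    tok = ledger.request("Alice@Example.org", "marketing_newsletter",
                         "https://example.com/signup (form v3)", "203.0.113.5",
                         "Yes, send me the monthly newsletter", t0)
    out["before_confirm"] = ledger.has_consent("alice@example.org", "marketing_newsletter")
    out["bogus_token"] = ledger.confirm("not-a-real-token", "203.0.113.5", t0)
    out["confirmed"] = ledger.confirm(tok, "203.0.113.5", t0 + timedelta(hours=1))
    out["replayed"] = ledger.confirm(tok, "203.0.113.5", t0 + timedelta(hours=2))
    out["after_confirm"] = ledger.has_consent("alice@example.org", "marketing_newsletter")
    out["other_purpose"] = ledger.has_consent("alice@example.org", "product_updates")
    ledger.withdraw("alice@example.org", "marketing_newsletter",
                    "https://example.com/unsubscribe", "203.0.113.5", t0 + timedelta(days=30))
    out["after_withdraw"] = ledger.has_consent("alice@example.org", "marketing_newsletter")
    out["trail"] = [e["action"] for e in ledger.evidence("alice@example.org", "marketing_newsletter")]
    tok2 = ledger.request("bob@example.org", "marketing_newsletter", "form v3", "198.51.100.7",
                          "Yes, send me the newsletter", t0)
    out["expired"] = ledger.confirm(tok2, "198.51.100.7", t0 + CONFIRM_TTL + timedelta(minutes=1))
    ledger.request("carol@example.org", "marketing_newsletter", "form v3", "198.51.100.9",
                   "Yes, send me the newsletter", t0, confirm_required=False)
    out["single_opt_in"] = ledger.has_consent("carol@example.org", "marketing_newsletter")
    return out


if __name__ == "__main__":
    print(run_demo())
```

Note that consent is tracked per purpose: Alice's newsletter consent says nothing about "product_updates", which is exactly the separation Question #2 asks for between transactional and marketing mail. Storing the wording shown at signup alongside each event is what lets you later show that the request was "understandable and clearly distinguished", not just that a box was ticked.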

Question #10 – How does GDPR restrict email marketing automation? 

Short answer: Email marketing automation is not banned but it’s better to avoid automated decision-making processes based on subscribers’ data

Where in the GDPR is this covered: Article 22

Long answer:

Email marketing automation allows marketers to save time and effort on regular activities. GDPR has nothing against this, as long as it does not impact the subscribers' consent. If you ask your users whether they agree to receive automated emails from you, everything is fine. But this consent must be GDPR-compliant, of course.

Things get trickier with automated decision-making. Let me explain. Say you need to understand your users' engagement. You've asked your subscribers and got their consent to receive automated emails. Based on those automated emails, you got some inputs that were used to make a decision; let's say you decided to adjust the subscription plan. If you left the subscribers out of this decision-making, you have stepped onto thin ice: it's non-compliant with GDPR. What you should have done is send a follow-up email to get a human reaction and then make the decision.

Question #11 – When does the GDPR apply outside Europe?

Short answer: Regardless of the location, GDPR applies to companies that process or hold the personal data of EU residents

Where in the GDPR is this covered: Article 3, 30

Long answer:

Why should a US-based startup have GDPR email compliance in mind? This regulation is all about personal data protection, so what matters is the location of the users rather than that of the company. If your products or services are marketed to EU citizens, GDPR comes into play. Let's look at the following example:

You run a US-based moving services website. Your focus is on your local area, let's say Minnesota. Most likely, you use web tools that track cookies or the IP addresses of visitors. If you have visitors from the EU, you fall under the scope of the GDPR.

But there are two exceptions:

  • If you're engaged in purely personal or household activity, you are not subject to GDPR requirements. Put simply, if you collect email addresses without any commercial goal, the GDPR does not apply.
  • Companies with up to 250 employees are freed from GDPR record-keeping obligations specified in Article 30.

To wrap up

To deal with the GDPR, treat it as a challenge rather than a roadblock. The requirements in the regulation are not hard to meet. You will have to invest more effort in your activities, but the outcome is worth it. Alternatively, you can ignore GDPR and leave everything as is. But do you want to ride a tiger and become an outlaw to your subscribers? I don't think so. You can handle this! Good luck!