The GDPR and Your Email Marketing: The Time Bomb You Haven’t Heard Of

Good morning to everyone out there in Email Marketing land!

A few questions to start your day:

Do you do business in the EU?

Do you collect data in any way, shape or form from people in the EU?

Do you have a website that collects any type of data and someone in the EU could possibly stumble across it by accident and fill it out?

Do you know what’s about to happen on May 25th of this year that’s going to completely change the game?

I’ll give you a hint: it’s a law thing and it’s in the headline of this article!

That’s right! It’s the GDPR! Also known as the EU General Data Protection Regulation, but you can basically call it the privacy, opt-in and data collection and storage policy to end all policies, one that will completely piledrive your business if you violate it.


What’s the GDPR, you ask? Well, you’re not alone.

According to Hubspot, just 36% of marketers have heard of the GDPR, while 15% of companies have done nothing and are at risk of non-compliance.

I was one of them. I had never heard of it either until last Wednesday, when I accidentally saw an ad on Facebook for a Hubspot article, and really, I’ve been flying around the day job like a chicken with my head cut off ever since to get us compliant.

Walk with me to understand why.

**NOTE: BEFORE WE START, NONE OF THIS IS LEGAL ADVICE!!! THE GDPR IS A VERY SERIOUS LEGAL MATTER THAT YOU SHOULD NOT TAKE LIGHTLY! PLEASE SPEAK WITH YOUR DATA PRIVACY PERSON AT YOUR ORGANIZATION OR YOUR LEGAL COUNSEL TO CONFIRM YOUR POLICIES, AND IF YOU GET SUED, IT AIN’T MY FAULT!**


“GDPR? Who cares?” and “THIS IS ‘MURICA! THIS DON’T AFFECT ME!”

Ease up a little and put the flag down, there, Colonel. Yes, this WILL affect you here in America. And Asia. And everywhere else on the planet.

Now here’s why you should care. Here is the penalty for violating the GDPR:

“Companies will incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater)”

Yup.

WHICHEVER. IS. GREATER.

Possibly per incident.


So all of you who scoffed at CAN-SPAM, giggled at the Canadian anti-spam laws, and kept on buying those lists and using your customer purchase lists for your email marketing: go right on ahead playing with fire. This is the EU we’re talking about. These are the same people who sued Google and won. A few times.

Does your business have Google-type lawyers?

I didn’t think so.


Ok! Ok! What Do I Need to Know?

For the purposes of this article, I’m only going to deal with things you need to know for your email marketing campaigns. I STRONGLY urge you to speak with someone in your company’s legal or data privacy team for details, but this is basically the nutshell version of what you need to know.

Consent for all email marketing campaigns must now be the following:

Unbundled: When you ask somebody to opt in to your lists, or for anything else in terms of their personal data, put that BY ITSELF and not piled in with a long list of general terms and conditions. Also, you know how you used to take those email addresses from your customer purchases and start sending marketing blasts to them? Yeah, well, not anymore.

According to the law, “Consent will not be assumed as a result of a customer signing up to a service, unless that service specifically requires it.” And guess what: making a purchase is NOT consent to be added to a marketing mailing list. You do it, you’re in violation.

Active opt-in: So all those sign-up forms you have where you have already checked the ‘Yes! Put me on your mailing list!’ box for people, so that if they don’t want to get your emails, they have to uncheck it? Yeah, you’re going to have to undo ALL of that.

With the GDPR, a person must take a specific action to opt in; leaving a pre-checked opt-in box checked is not good enough.

Granular: If you’re collecting a bunch of different data from a person, you have to tell them the details. The whys, whats and wherefores. You also need to tell them the difference between the data you’re collecting in different areas of the site or in different forms, and what you’re going to do with each of it.

This is designed to make sure that people have control over what data they give you and they know what you’re doing with each thing.

Named: You now have to tell people the name of the “data-handling organization” (meaning your business name), and the names of any third parties, subsidiaries or anyone else that information will be shared with, right up front in your opt-in details.

Also, you can’t just say “Your data will be shared with other clothing stores.” Nope, you have to NAME NAMES (e.g. “Your data will be shared with TJ Maxx, Macy’s and Jimbob’s Casa de los Duds”).

Evidenced: You need to keep good, quality records of people actually opting in to you. Yeah, don’t ask me how, short of implementing a double opt-in on all of your lists.

Easy to withdraw: You need to make it as easy as humanly possible for people to opt out whenever they want. No jumping through hoops, no “yes, but...”, none of that. They said they don’t want your stuff, you stop sending. Period. End of story. If that takes a poor sap on your marketing team monitoring the unsubscribe boxes all day, then that’s what it takes.

Also, pro tip: People can opt-in to you for only a limited time. Be aware.


No imbalance: Real talk: I haven’t really figured this one out 100% myself yet, so I’m going to provide the direct quote here and you take away from it what you will.

“Marketing teams will have to work to ensure that there is no power imbalance between the data subject and the organization. This might manifest itself, for example, in marketers reminding data subjects about what they have given consent to, and regularly asking for consent to be renewed or reconsidered. Ultimately, the data subject must be free and in control of their data, even though they have consented to its use by an organization.”

Yeah – if you figure that out, let me know. To me, it sounds like you have to periodically remind people they gave you permission to store their data but who’s really going to do that?

User Revoking Consent: When someone says ‘take me off your list’ there had better be someone there to DO IT.

IMMEDIATELY.

I’m not at this time sure if a simple ‘manage your subscriptions’/unsubscribe link will cut it, but I’m assuming NO because of the EU’s “Right to be Forgotten” law, which basically states that unsubscribing isn’t enough: when someone says ‘get me gone’, you have to completely delete that person’s information from your system and not just leave an orphaned contact floating around your email system.

Talk to your legal team/data privacy people for this one, but as for my company, I’m telling them to fully delete all data from anyone who wants to opt out. Better safe than slapped with a 20 million euro fine because we JUST HAD TO HAVE Billy’s email address in our database.


Oh WOW! Is There More to This??

And how, my guy, and how.


What I covered was just how this will affect your email marketing. I didn’t even touch on how this will affect your eCommerce shopping cart process or your other sign-up forms (e.g. full audits to make sure you’re compliant with the data minimization clause in there), how this is going to affect your cookies and tracking on your site, your social media marketing (thank goodness there isn’t a huge change there!) or your overall IT policy.

Look, this is a huge deal. Some companies are even hiring Data Privacy Officers to prepare for this.

DO NOT MESS AROUND WITH THIS ONE.

Learn everything you can about the GDPR and be compliant. While the odds might be minuscule that the governing body of the European Union is going to come after Johnny from Muskogee’s T-Shirt website for non-compliance, they totally could if they wanted to. Why run the risk?

Also, just think: what if the US decides to go this route in the future? What if the Asian countries do it? Just be ahead of the curve now and get on track with this.

Oh, also:

THIS LAW IS RETROACTIVE!!!!!

Meaning that if you have a current database full of people from the EU right now that you’ve been sending emails to, it doesn’t matter that you got those addresses before the law went into effect. If you continue to use those addresses or house that data after the 25th and someone complains, you’re done. You’re subject to the penalties as well.

I probably should have led with that fact, huh?