- How does GDPR impact email marketing?
- The new era of permission-based marketing
- 4 ways email marketing has changed under GDPR
The General Data Protection Regulation - aka GDPR.
It's a term that strikes fear into the hearts of marketers across the world.
And it's not without good reason!
- 1 in 3 B2B marketers were expecting their lead conversion rates to drop.
- 40% of marketers believed GDPR would significantly disrupt their existing strategy.
- More than half (51%) of all marketers anticipated that their mailing lists would get smaller.
But, it’s not like we could ignore the new privacy law either!
The consequences for not complying are enough to make any marketer go “weak at the knees”, with fines of up €20 million or 4% of your global turnover – whichever is higher!
In fact, marketing teams at Honda and FlyBe have experienced fines from the UK’s Information Commissioner’s Office (ICO) around their use of email data – and GDPR promised to clamp down even stronger!
More recently is the news that global brands are now facing eye-watering fines, such as:
- British Airways are facing fines of up to €200 million for a data breach that occurred in September 2018
- Marriott International are expected to be fined in the region of €99 million for a data breach between 2014 and 2018
So, how can your business avoid these hefty fines?
We’ve updated our own internal processes in order to make our marketing activities GDPR-compliant.
Based on our own experience - and the removal of thousands of email addresses - we’re sharing what we have learned to show you how you can keep your mailing list GDPR-friendly and use email marketing in this post-GDPR world.
How does GDPR impact email marketing?
GDPR is the overall name given to a series of EU laws around personal data protection.
GDPR takes existing data protection laws and updates them for the digital age.
However, aside from a digital makeover, the biggest change to the EU data protection comes in terms of their reach. Not only do these laws apply to organizations based in the EU, but they also apply to anyone who stores or processes data on an EU citizen.
But, what is personal data?
According to the official GDPR website, personal data can be “anything” – from a name or a photo, to medical information or a computer IP address, etc. – but for the purpose of this article, we’re going to focus on personal data being an email address.
There are more than 269 billion emails sent every day (with this number expected to reach 333 billion emails by 2021!).
A study by Return Path found that 53% of these are promotional emails.
That’s a lot of emails.
And with that kind of volume, it’s easy to see why email is a hot topic for GDPR regulators as you and your company are required to have consent (or another legal basis) in order to send these types of emails.
Now, even if you’re one of the many B2B companies that don’t use email marketing, if you send out an email to a group of recipients, then it could be considered email marketing – even if you’re sending it from our own personal Outlook account.
So, it’s important you understand how you might be affected!
To make sure your email campaigns don’t land you in GDPR hot water, we’ve outlined some of the changes or processes you’ll need to put in place to comply with the new privacy laws.
The new era of permission-based email marketing
With GDPR, a lot of statements are “open to interpretation”, which means technology vendors have been reluctant in providing clear answers.
If you’re tired of getting vague responses from companies you do business with, then this article is for you, as we aim to answer most of your GDPR and email marketing related questions.
But first, we’ll start by addressing the elephant in the room:
(Just to be clear, we're addressing prospects in this article, not customers. You can continue to send your customer marketing campaigns in the same way you have done pre-GDPR).
1. Obtaining (re)permission from legacy contacts
One of the biggest questions when it comes to email marketing and GDPR is legacy contacts and if you can still continue to contact people who were added to your mailing list prior to 25th May 2018.
So, can you still communicate with existing subscribers?
If your mailing list includes people who have explicitly opted-in to receive marketing emails from you prior to May 25th, 2018, then you can continue to communicate with them – providing you have their consent.
As a company, you will need to make an important legal assessment.
It goes like this: you may assume that you have a legitimate interest to continue to communicate through email with those people who had earlier explicitly opted-in (even though you do not have proof) and, they have a possibility to opt out of receiving emails from you.
However, if your mailing list includes subscribers (excluding customers) that were automatically opted-in – whether through a pre-checked box or via a purchased mailing list, then you will need to obtain consent from them again.
According to the GDPR website;
[If]…your company/organization obtained consent from clients a few years ago using a system of pre-ticked boxes online, it’s now clear that this manner of obtaining consent will not be valid as of 25 May 2018. [Therefore], your company/organization will have to obtain consent again if it wishes to continue processing the data.
Not sure how to regain consent?
It’s simple. Just ask!
Seeking permission and storing a record of it are the cornerstones of the General Data Protection Regulation. To make sure you’re on the right side of GDPR with your existing subscribers, consider running a campaign to encourage users to re-opt-in to your list – also known as re-permission campaigns.
Sending a re-permission campaign is a great away to update your existing records.
Of course, you could take the same route as JD Whetherspoon and delete your entire email database (more than 650,000 subscribers!). But, instead, we encourage you to run re-permission campaigns to anyone on your mailing list that didn’t explicitly opt-in.
If you do send out a campaign and your subscribers do not take any action (i.e. they do not open the email), then you will have to remove them from your mailing list.
Remember, you can only send email campaigns to subscribers that have opted-in and any email campaign you send, including re-permission campaigns, should not be sent to subscribers that have previously opted out.
Now, you might think that by sending out re-permission campaigns, you’re saying goodbye to your entire mailing list.
Can you really expect your existing subscribers to opt-in, again?
That's what we wanted to find out - so, we tested it and sent out two re-permission email campaigns.
The first email was sent to all 10,000 blog subscribers.
While, the second email was sent 3 days later to those that did not open the first email.
We've lost 99% of all our blog subscribers.
Only 102 blog subscribers re-subscribed.
The rest, all 9,898 subscribers have now been deleted...
Now, this is an extreme example and it wasn't a straight forward re-permission campaign.
In fact, the goal of the campaign was to move all subscribers into a single database, rather than having two separate mailing lists in different systems. Because of this, we asked for more information from our email subscribers (including, name and company), rather than the default “Yes, I want to opt-in” one-click solution that most re-permission email campaigns offered.
Of course, not all email campaigns will end like this.
Here’s two great case studies that show that GDPR offers a real business growth opportunity.
The Royal National Lifeboat Institution (RNLI) sent out two re-permission campaigns in 2017 asking their 900,000 subscribers if they would like to continue to receive marketing communication.
Like every business, they expected low response rates and anticipated to lose up to 75% of their mailing list. Defying expectations, these re-permission email campaigns drove more than 450,000 subscribers to (re)opt-in to their mailing list (as well as tripling the average donation amount)!
2. Collecting new opt-ins and email permissions
As marketers, we’ve all been guilty of assuming that if a prospect filled out a pop-up or a web form, we can add their email address to a mailing list and start sending them email campaigns.
Well, this is no longer the case.
What this means to you is that you cannot pre-tick a box for them or hide your communication policy within your privacy statements. If you want to send emails to a prospect, they must explicitly opt-in to receive newsletters from you.
We’ve recently updated our own web forms too.
For example, the form below (left) assumed the marketing permission and agreement of our terms and conditions when a prospect has signed up for a trial. We didn’t unbundle permission and it wasn’t clear what they would receive once they agreed to the terms and conditions.
This was not GDPR compliant, and so we had to update them.
The new form (right) now gives prospects the chance to actively express permission to be marketed to and accept our terms and conditions, by ticking the relevant boxes. This version of the form is GDPR compliant.
It’s a simple change, yet it ensures we’re on the right track to being compliant.
Including a link to a privacy statement on your web forms is extremely important as you need to provide information to subscribers and prospects prior to obtaining their consent to ensure that they make informed decisions, understand what they are agreeing to and how to withdraw their consent.
Once your web forms are in order and your prospects can clearly see when they opt-in to receive marketing campaigns from you, the next step is to record their consent in a GDPR-compliant solution.
So, does this mean you need to implement a double opt-in system?
The short answer is no.
There has been a lot of confusion around double opt-in and consent and many businesses have assumed that the best way to record consent is implement double opt-in.
What is double opt-in?
Double opt-in refers to an automated email being sent out to new subscribers to confirm that their email address is correct, and they have indeed signed up to receive marketing communication from you.
The good news is that double opt-in is not a requirement under GDPR.
So, while it remains an email marketing best practice, you do not need to implement double opt-in any time soon. A digital record that is time-stamped of when the prospect signed up inside your CRM will suffice.
While at least one thing is not required by GDPR, there is still a lot of other marketing practices that will be impacted by the regulation – marketing automation and lead nurturing. Especially, if your email campaign flows are based around prospects opting in to receive them!
3. Managing automation, segmentation and decision-making
Marketing automation has dramatically changed email marketing.
It’s a way to save time, communicate regularly with specific audiences and nurture leads until they are ready to buy. All without you having to do much work!
With GDPR, you need to think very carefully about how you use marketing automation.
To begin with, you cannot send automated emails to an individual unless they give an active indication of choice to receive them. This includes lead nurturing campaigns, onboarding emails and product training material.
And even if your subscribers do opt-in, you need to re-think how you segment them!
For example, if you segment the data, then use algorithms to process it, and then make final decisions that aren’t overseen by a human – well, then you need to be careful.
Here’s a typical scenario:
You work in a software company that has segmented its data to group together late paying customers. On its own, this is fine.
However, if you then decide to develop an algorithm to understand which of these customers are most likely to churn and start sending automated emails to them – then you start trespassing onto the GDPR territory.
For example, if you choose to use this information to automatically adjust pricing, or change their subscription, without consultation or human approval, then this will land you in hot water with the GDPR prosecutors.
But, if you take this group of late paying customers and then use this information to proactively email them to remind them about payment and even help them through the process – then this is perfectly acceptable.
There aren’t too many public examples when it comes to using algorithms to automate decision-making, but you can start by reviewing your existing marketing automation flows and processes to ensure that no decisions are being made without human consolation.
Now, in the same way that GDPR affects marketing automation flows and new subscribers, it equally affects existing subscribers that wish to be removed from your mailing list.
4. Handling opt-outs and subscription management centers
A huge part of the regulation is how personal data is being used and how individuals can essentially ‘reclaim’ ownership of it. This ‘right to be forgotten’ is particularly relevant for email marketers.
To keep yourself GDPR compliant, you should only be sending marketing messages to prospects that have specifically opted in to receive them. But, what happens when prospects don’t want to hear from you anymore?
You need to let them unsubscribe.
This means updating your B2B email marketing templates to include an unsubscribe link.
Now, it might seem like common sense to include an unsubscribe link in your email campaigns, but our own research found that 8% of all B2B companies did not include an unsubscribe link. This is required by law, so if you haven’t included one then you really should!
To keep on the right side of GDPR, you should make it simple and straight-forward for users to opt-out of your email marketing campaigns. Unsubscribe links should be clearly visible, and not hidden inside your email marketing template.
Not sure how to word it?
Here are a few handy templates:
- To stop receiving emails from us, click here.
- Click here to unsubscribe form all [company] newsletters.
- Unsubscribe from all newsletters
- Don’t want to receive emails from us anymore?
- Tired of receiving these updates? Easily opt out here.
Once a prospect clicks the unsubscribe link, they should be able to quickly remove themselves from your email list and you should delete any email marketing related data you store on them.
Not only do you need to offer prospects a quick and easy way to opt-out or unsubscribe from an email list – but you also need to offer them ways to manage their subscriptions with you, including the type of emails they want to receive from you.
GDPR actively encourages marketers to get granular and to offer as many options to subscribers as possible, whenever possible.
The best way to do this is through a subscription management center as this way, the subscriber (aka the data subject) actively enables the subscriptions they want to receive.
The best subscription management centers allow subscribers to choose from a wide-range of emails, their frequency (daily, weekly, monthly) and even the medium (video, SMS, email), giving them complete control over how often they hear from you.
Don’t worry if your customers want to hear from you a little less frequently than you’d like. The average person receives up to 100 emails a day – so it can actually be a great way for you to cut through the noise in their inbox.
Email marketing is still the most preferred marketing channel for B2B companies.
This means that it’s important for you and your business to get email marketing right in a post-GDPR world, because it shows no signs of becoming irrelevant as a communication and marketing channel.
On the face of it, GDPR may seem complicated and perhaps a little intimidating.
But, for email marketers there are a few key areas you should concentrate on to ensure your email marketing strategy doesn’t result in hefty fines:
- Only send email campaigns to prospects that have explicitly opted-in to receive them,
- Use re-permission campaigns as a way to regain consent from existing subscribers,
- Avoid using automated decision-making processes based on subscriber’s data,
- Give subscribers the opportunity to easily opt-out of marketing campaigns,
- Offer subscribers the option to manage the type of content they receive from you.
Remember, GDPR is all about communicating with people that actually want to hear from you.
Yes, you will have to remove the group of subscribers that no longer opens your emails, but that’s OK. You don’t want them on your list anyway, right?
Individuals that have explicitly opted-in want to open and take action on your email campaigns.
This means better email marketing KPIs, including higher response rates and increased revenue. So, drop the fear that comes along with GDPR and instead, start enjoying the better marketing campaigns that will come with it!
Are you looking for a new email marketing software that has built-in CRM and GDPR functionality?
If so, then switch to SuperOffice Marketing.
With SuperOffice Marketing, you can only send email campaigns to subscribers that have opted-in to receive them. You don’t have to worry about sending campaigns to people not on our mailing list – it’s not possible!
If your subscribers wish to opt-out, they can, with ease, through our GDPR-friendly subscription management center.
Sign up for a free demo to see SuperOffice Marketing in action.
P.S. If you enjoyed reading this post, you can share it easily here!
Learn more about GDPR and the data you collect by downloading our free GDPR checklist below.
Disclaimer: The content in this blog post (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.