If you have customers or subscribers from the EU and want to send them a newsletter by email, you must comply with the EU General Data Protection Regulation (GDPR). Newsletters and GDPR – what do you need to know before preparing your mailing? How does GDPR affect email marketing and how to send GDPR-compliant newsletters?
What is GDPR?
GDPR is an EU privacy law that regulates how companies can process or share ‘personal data’ belonging to EU residents.
Personal data is defined in Article 4 as:
“1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;”
Legal grounds for processing personal data under the GDPR
In order to collect and process personal data belonging to individuals protected by the GDPR, there must be a legitimate and lawful reason to do so. This usually means that you can only collect it if you can justify it on one of the following grounds:
- you have the consent of the person concerned to collect their data,
- the data are necessary for the performance of a contract between you and the person,
- the data are needed to comply with a legal obligation,
- the data are necessary to protect the vital interests or security of the person concerned,
- the controller – i.e. the company processing the data – needs the information to perform a task in the public interest,
- the controller needs the data to pursue its own legitimate interests or those of a third party.
Who must comply with GDPR?
You are required to comply with the GDPR if you sell goods or services to EU residents or if you collect personal data belonging to EU residents. And although the UK is no longer an EU member state, compliance with the GDPR still covers UK residents.
It does not matter where your business is based or how much personal data you collect. If EU residents interact with your business, you must comply with GDPR.
So if you are wondering about the relationship between newsletters and GDPR: the EU law applies to mailings sent to recipients in EU and UK countries.
What does this mean in the context of email marketing?
- If you are email marketing to someone, that means you have at least their email address (and possibly their name), and that means you are processing personal data and must comply with the GDPR.
- Marketing is not necessary and is not required to conclude a contract, so you must rely on another lawful basis for processing.
- In most (if not all) cases, you need someone’s consent to send newsletters or share data with third parties, such as business partners.
Let us now consider how to create GDPR-compliant newsletters.
Newsletter and GDPR
As already mentioned, GDPR requires consent before marketing messages can be sent. According to Article 4, consent is only valid if:
“a freely given, specific, informed and unambiguous indication of intent by which the data subject, either by a statement or by a clear affirmative action, consents to the processing of personal data relating to him or her”.
In practice, this means the following:
- individuals must not feel compelled to give their consent,
- you must be clear about your objectives so that individuals know what they are consenting to,
- the user should take a positive, affirmative step to give consent, such as clicking a checkbox next to the ‘I agree’ statement,
- it should also be clear how people can revoke consent or change their communication preferences.
With this standard of consent in mind, let’s take a look at how to create GDPR-compliant newsletters.
#1 Inform the user about the use of e-mail addresses
Individuals need to understand what type of content you want to send them, otherwise the consent is ‘uninformed’. Before collecting any personal information for email marketing purposes, the user must be made aware of the type of emails that will be sent to them. The user needs to know what to expect.
Here are some examples of how to do this.
In summary, you should include a statement or list of exactly what you will be sending to users who sign up to your email newsletter. Not only does this help to ensure compliance with GDPR, but it also makes your subscription more attractive. Transparency of business is of great value to web users.
#2 Explain that subscription is optional
For consent to be valid, it must be voluntary. This is emphasised in Article 7, which states that companies must not make customers feel that they have to consent to marketing in order to receive goods and services:
(32) Consent should be given by means of an unambiguous, affirmative action which expresses, relating to a specific situation, the data subject’s freely given, informed and unambiguous consent to the processing of personal data relating to him or her and which takes the form, for example, of a written (including electronic) or oral statement.
For example, before Starbucks customers open a Rewards account, they can also sign up to receive emails with product offers, but there is no explicit suggestion that registration for these newsletters is required:
It is important to give users options, and in no way require them to agree to receive emails if they do not wish to do so.
#3 Obtain clear and explicit consent
Under the GDPR, consent cannot be implied. It must be explicit and unambiguous. In practice, this means that the person must do something positive and affirmative to indicate that they want to receive your newsletter.
The best way to get explicit consent is to use checkboxes or buttons that the customer has to engage with in some way to show that they agree. These checkboxes should be set to ‘off’ by default so that customers have to take a positive action if they want to consent to receiving newsletters.
Customers who wish to create an account with the Adidas online shop have the option to consent to personalised marketing, which may include newsletters. Again, the user must take an affirmative action by clicking the box, otherwise it is assumed that they do not consent:
Adidas also informs customers of their right to stop data sharing or opt-out at any time.
#4 Periodically renew requests for consents
It is good practice to ask for consent again if a significant period of time has elapsed since the person gave consent, or you want to use their data for a new purpose (even if it is a similar purpose).
There is no definitive answer as to how long you should wait before asking someone to renew their consent, but you might consider obtaining new consent after a year or two. For example, if you have someone’s email address for marketing purposes but want to use it for another purpose, you may need that person’s consent again.
#5 Ensure transparency when sharing data with third parties
Do not share personal data with third parties without the consent of the person concerned. If you plan to share data with third parties, make this clear at the time of data collection. Otherwise, consent is not informed or voluntary.
So if you plan to use email databases for remarketing activities in Meta Ads campaigns, include such information in the privacy policy.
Abercrombie & Fitch, for example, invites people to select other related brands they want to hear from when they subscribe to A&F. An individual must give explicit consent for each brand by clicking a checkbox:
The Privacy Policy should also include details of any third parties to whom data may be shared, as there is a chance that these companies will contact customers.
#6 Enable withdrawal of consent
Each newsletter should include an option to opt-out, unsubscribe or stop receiving marketing emails. To promote transparency and accessibility, use plain language and make sure it is obvious what a person needs to do to unsubscribe.
It is also good practice to inform recipients before they sign up to a newsletter that they can unsubscribe at any time. The wording should be unambiguous and the steps to take to unsubscribe should be clear.
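As an added example (not code from the original article), the following Python consent ledger enforces the rules from #3, #4 and #6 above: only an affirmative action creates a record, consent is bound to one purpose, it lapses after an assumed two-year renewal period, and an unsubscribe closes the record while keeping it as an audit trail. The class names, the `at()` helper and the two-year period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: ask for consent again after two years (the article suggests "a year or two").
RENEWAL_PERIOD = timedelta(days=2 * 365)


@dataclass
class ConsentRecord:
    email: str
    purpose: str                  # consent is bound to one purpose, e.g. "newsletter"
    given_at: datetime            # when the affirmative action happened
    source: str                   # which form collected it (evidence that consent was informed)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self):
        self._records = []

    def record_signup(self, email, purpose, box_checked, source, now):
        # A default-off checkbox left unchecked is not consent: record nothing.
        if not box_checked:
            return None
        rec = ConsentRecord(email.lower(), purpose, now, source)
        self._records.append(rec)
        return rec

    def withdraw(self, email, purpose, now):
        # Unsubscribe: close every live record for that purpose, but keep it for audit.
        for rec in self._records:
            if rec.email == email.lower() and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now

    def may_send(self, email, purpose, now):
        # True only for an unwithdrawn record of this exact purpose inside the renewal window.
        return any(rec.email == email.lower() and rec.purpose == purpose
                   and rec.withdrawn_at is None and now - rec.given_at <= RENEWAL_PERIOD
                   for rec in self._records)


def at(year, month, day):
    # Helper for timezone-aware timestamps (hypothetical, for the example only).
    return datetime(year, month, day, tzinfo=timezone.utc)
```

Sending is refused for an address that only ever left the box unchecked, for a purpose the subscriber never consented to, after the renewal window passes, and after an unsubscribe.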
#7 Include consent in the privacy policy
The Privacy Policy sets out how personal data will be processed, protected, stored and shared. If you intend to send newsletters or use data for marketing purposes, you should clearly state this in your Privacy Policy for transparency.
You should also include a link to the Privacy Policy on any pages or banners that require consent to receive marketing messages so that users can read it.
Make sure that marketing is included in your Privacy Policy and that subscribers have a chance to read it before agreeing to receive newsletters, otherwise consent may be invalid.
#8 Process personal data on the basis of legitimate interest
Under Article 6 of the GDPR, companies may process personal data if they have a ‘legitimate interest’ in doing so. A company may therefore try to rely on legitimate interest, rather than consent, as a basis for processing personal data. However, this is not recommended.
Individuals have the right to object to their data being used for marketing purposes (Article 21 GDPR). Your legitimate interests cannot outweigh an individual’s objection; therefore, if someone objects, you cannot use their data for newsletters.
EU privacy and electronic communications legislation means that companies typically need to obtain consent before using personal data for marketing communications. So, even if you can invoke a legitimate interest under the GDPR, other applicable privacy laws may prevent you from doing so.
You should always obtain clear and explicit consent before sending marketing emails, including newsletters. Otherwise, you may be in breach of EU privacy laws.
#9 Tips for ensuring compliance with GDPR
Newsletters and GDPR, how do you make sure they are compliant? Here are some final tips to bear in mind:
- Minimise the amount of data you collect: do not collect more data than you need for a given purpose.
- Limit your purposes: process data only for a clear and specific reason and obtain renewed consent if you want to use the data for a new purpose.
- Be transparent: be transparent about how data processed for marketing purposes is used and ensure that you have a lawful basis for using such data.
- Obtain explicit consent: obtain unambiguous, clear and informed consent whenever you want to use personal data for marketing purposes. Do not try to invoke legitimate interests, for example.
- Make it easy to opt-out: offer newsletter recipients a simple and clear way to opt-out of your newsletter and do not send them any further correspondence unless they agree again.
#10 Newsletter and GDPR – what penalties?
Under the GDPR, companies face potentially heavy fines and other penalties if they fail to process personal data lawfully.
All fines must be proportionate, in accordance with Article 83. The relevant authorities must take into account, for example, whether this was an intentional breach, the nature of the incident and whether this is the company’s first breach.
How much are the fines for non-compliance with the GDPR? Fines are capped at €20 million for serious offences. However, although most fines will be lower, there can still be significant reputational damage.
Summary
Any business collecting personal data belonging to EU and UK residents – including email addresses – must comply with GDPR. The good news is that creating GDPR-compliant newsletters is simple.
Newsletter and GDPR, what to bear in mind?
- Explain to users what it means to subscribe to your newsletter.
- Make sure subscribers know what information you collect from them and for what purpose.
- If you share personal data collected for email marketing purposes with third parties, inform subscribers.
- Get clear and informed consent before using data for marketing purposes.
- Include a simple way to unsubscribe in each email newsletter.
- Include marketing activities in your Privacy Policy.