B2C email marketing is a great way to reach your audience. In the United States, the CAN-SPAM Act sets the rules and requirements for commercial email (see our CAN-SPAM compliance checklist for more information). But emails sent to consumers in the European Union must also comply with the General Data Protection Regulation (GDPR). This article will provide a GDPR email compliance checklist to help you follow the law.
What is the GDPR?
The GDPR sets the rules that everyone must follow when handling the data of EU citizens. It applies to any activity that involves the data of people in the EU, from collection and storage to transmission and analysis.
Companies who violate the GDPR may be subject to sanctions and fines issued by the data protection authorities in the countries involved. The maximum fine for a violation is €20 million or 4% of global revenue (whichever is higher) and sanctions include penalties like bans on data processing or public reprimands.
Avoiding the GDPR
One way to avoid GDPR requirements is to ensure you aren’t collecting and using the data of people in the EU in the first place. For example, if you use website visitor identification to collect the email addresses of website visitors who don’t convert, choose a provider that doesn’t provide data from the EU. Suppose you don’t sell to people in the EU, or you want to use more powerful tactics like visitor identification. In that case, you can use a provider like LeadPost that doesn’t include EU citizens’ or residents’ data.
Otherwise, you’ll need to familiarize yourself with the GDPR. This GDPR email compliance checklist will get you started.
Basic GDPR Compliance
To comply with GDPR, companies must implement safeguards to protect the personal data they handle. First, you must conduct an assessment to determine:
- What personal data do you deal with?
- Where do you store that data?
- How do you secure that data?
Then you must take any steps necessary to abide by the rules set by the GDPR, like:
- Obtaining consent
- Ensuring data portability
- Appointing a Data Protection Officer if necessary
- Adding or updating their privacy notice
Since this article will focus on GDPR email compliance, we won’t cover all of the guidelines, but GDPR.eu, the Horizon 2020 Framework Programme of the European Union, provides a comprehensive GDPR compliance checklist.
GDPR Email Marketing Compliance
The GDPR establishes strict requirements to protect the data of people in the EU. Commercial and non-profit companies of all sizes must comply with the regulation if they handle the data of EU citizens or residents.
GDPR Email Compliance Checklist
If you handle data of citizens or residents of the EU, there are four categories of GDPR email compliance requirements you must follow. They are:
- Encryption and security
- Email retention
- Email marketing and spam
- Organizational email security
The following GDPR email compliance checklist covers each category in more detail.
Encryption and security
To adhere to the GDPR’s requirement of “data protection by design and by default,” you must follow the data protection principles outlined in Article 5 of the GDPR.
Thanks to the latest developments in end-to-end email encryption technology, encryption is the most practical way to protect your data. But encryption is not required, as long as some other measure is in place to mitigate the damage of a potential data breach.
One alternative to encryption is pseudonymization, in which personally identifiable information is replaced with placeholder values.
According to GDPR Article 5(e), you can store personal data for “no longer than is necessary for the purposes for which the personal data are processed.” Further, the GDPR establishes a “right to be forgotten,” which means that you must provide a way for people to request that you erase any personal data you collect on them.
To comply with this requirement and limit your liability in the event of a data breach, develop an email retention policy that requires employees to delete emails when they are no longer needed. This policy should be reviewed regularly and should be recorded so that you can demonstrate that you have implemented a policy “that balances your legitimate business interests against your data protection obligations under the GDPR.”
Some email service providers have features like an expiring email option to automate some parts of the process.
Email marketing and spam
GDPR.eu makes it clear that “the GDPR does not ban email marketing by any means.” But the regulation is “pro-consumer,” which, while not necessarily synonymous with anti-business, does mean that it makes things more difficult for email marketers.
GDPR Article 6 outlines the circumstances under which you can store or use someone’s data. The typical scenarios are when:
- The person consented to the specific way or ways you’ll be using their data.
- The use is necessary to perform a contractual obligation you have to the person.
- You’re using the data at the request of the person before entering into a contract.
- The use is necessary to fulfill a legal obligation.
You’ll generally need to get consent for email marketing purposes, as mentioned in the first scenario. If you’re following an inbound marketing strategy and complying with CAN-SPAM, you’re most of the way there.
The critical difference is that GDPR requires “freely given, specific, informed and unambiguous” consent. You’re probably in the clear as long as you provide an easy way to opt-out and you only send emails to people who consent to receive them.
But “freely given, specific, informed and unambiguous” consent as required by GDPR requires additional action on your part. The request for permission must:
- Be for a specific use
- Explain how you will use the person’s data
- Be presented in easy-to-understand terms
Then, when you receive consent, you must document that the person gave it.
One other option is provided by the ePrivacy Directive, GDPR Article 13. The ePrivacy Directive allows you to use a person’s data for marketing similar products or services that you offer. But you have to make it easy and free to opt out.
Organizational email security
The final aspect of GDPR that concerns email marketing is Article 5(f), which requires that you protect the data you collect against “accidental loss, destruction or damage, using appropriate technical or organizational measures.”
Technical measures include safeguards like encryption and pseudonymization, while organizational measures are those you take to ensure that you properly train employees and put policies in place to prevent a breach.
Some of the steps you can take to show regulators you’ve implemented “appropriate” measures are:
- Requiring two-factor authentication
- Implementing email encryption
- Training employees on essential cybersecurity best practices (e.g., not opening attachments from email addresses they don’t know)
GDPR Email Compliance Takes Work, But It’s Doable
Data privacy and anti-spam laws in the US are relatively straightforward. The GDPR is more stringent and complex, but compliance is possible—and, of course, required for all organizations that market to people in the EU.
That said, there are some cases where you may decide not to target EU citizens. For example, you may find it necessary to restrict some email marketing tactics (e.g., website visitor identification and email retargeting) to US citizens. Or, if it makes business sense, you might focus your marketing efforts on non-EU countries entirely.
But if you do decide to continue running email marketing campaigns that target EU citizens or residents, this GDPR email compliance guide will put you on the right track to staying within the confines of the law.
 The Complete CAN-SPAM Compliance Checklist For Email Marketers