The European Union’s privacy law, General Data Protection Regulation (GDPR), went into effect on May 25th, 2018. At the time, many wondered what GDPR means for email marketers. And fortunately, GDPR didn’t kill email like the doomsayers predicted. But one thing that still might cause you headaches? How to collect and store email consent.
GDPR raises the bar to a higher standard of consent for subscribers based in the European Union (EU), meaning how you’ve collected consent from EU subscribers in the past might not be compliant anymore.
And even now that the United Kingdom (UK) has formally left the EU, GDPR after Brexit hasn’t changed too much. The UK has created their own UK GDPR, which is essentially the same as the EU GDPR except that it applies to UK residents only. Details are covered in the Guide to the UK GDPR from the UK’s Information Commissioner’s Office (ICO). For simplicity’s sake, I’ll refer to both as just GDPR unless referencing one specifically.
So the real question is: What does all this mean for email consent from your EU and UK subscribers?
How to keep email consent compliant with GDPR
GDPR requires that brands collect affirmative consent that is “freely given, specific, informed, and unambiguous” to be compliant. The ICO has also provided a comprehensive guide on consent under GDPR. If you’re not ready to dive into the full 39-page guide just yet, here’s a breakdown of the five most important things you must know about email consent under GDPR—with plenty of examples of how we put them into action here at Litmus.
1. Get consent from a positive opt-in, not pre-ticked boxes
For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that assume consent if people don’t uncheck them aren’t valid under GDPR.
“Silence, pre-ticked boxes or inactivity should not constitute consent.”
In the screenshot above, we show an example of how we use unchecked, opt-in boxes at Litmus to get consent. If the box was pre-checked, that wouldn’t comply with GDPR.
2. Keep consent requests separate from other terms & conditions
Email consent must be freely given—and that’s only the case if a person truly has a choice of whether or not they’d like to subscribe to marketing messages. If subscribing to a newsletter is required in order to download a whitepaper, for example, then that consent is not freely given.
Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services (unless email consent is necessary to complete that service).
“When assessing whether consent is freely given, utmost account shall be taken of whether […] the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
In the same screenshot above: When someone downloads an ebook or other content from Litmus, there’s an unchecked box to get on our email list. But signing up for emails is optional—you can always download the ebook without subscribing to our emails.
However, in this example below, we have an email subscription form in the footer of the Litmus website. The box is still unchecked, but the red asterisk denotes that consent is required.
Why? Because email consent is necessary to complete the service. In other words, this specific service is to send you our emails, and we can’t do that unless you opt in.
3. Make it easy for people to withdraw consent—and tell them how to do it
“The data subject shall have the right to withdraw his or her consent at any time […] It shall be as easy to withdraw as to give consent.”
All major email laws, including CASL in Canada and CAN-SPAM in the U.S., require brands to give their subscribers the opportunity to opt out from receiving emails. Each promotional email you send must include an option to unsubscribe.
If you are already compliant with current Canadian, American, or European email laws, you may not have to change much when it comes to this requirement for GDPR compliance. Still, this is a perfect time to revisit your current opt-out process to ensure you’re following unsubscribe best practices:
- Don’t charge a fee.
- Don’t require any other information beyond an email address.
- Don’t require subscribers to log in.
- Don’t ask subscribers to visit more than one page to submit their request.
In the footer of every promotional email from Litmus, we include an option to opt out from receiving emails. This makes unsubscribing easy should a subscriber ever lose interest.
It’s also worth pointing out that an unfriendly unsubscribe experience is also a major driver of spam complaints. Half of U.S. consumers say they’ve reported a brand’s emails as spam because they couldn’t easily opt out, according to our Adapting to Consumers’ New Definition of Spam report. So putting up opt-out barriers not only jeopardizes your legal compliance but can also hurt your deliverability as well.
4. Keep evidence of who consented, when, and how
GDPR sets the rules for how to collect consent and also requires companies to keep a record of those consents.
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
In some countries, the burden of proving consent has always been the responsibility of the company that collected the opt-in. For many other marketers, however, this requirement is a new challenge to tackle.
Keeping evidence of consent means you must be able to provide proof of:
- Who consented
- When they consented
- What they were told at the time of consent
- How they consented (e.g. at checkout or via Facebook form)
- Whether they have withdrawn consent
If someone signs up to receive updates from Litmus, they get an email asking them to confirm their subscription (read more on the pros and cons of double opt-in here). If they then click the link in the opt-in confirmation request email, our email service provider records that action. With that, we can look at each individual subscriber, see when they opted in, and what form they used to do so.
5. Review your consent practices and existing opt-ins
It’s been a few years since GDPR went into effect, but if your email list is just crawling out of hibernation, you’ll need to check your consent practices and existing consent data.
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”
Even if you’ve been compliant for some time now, it’s always good to regularly review your process and subscribers’ consent.
GDPR applies to all existing EU and UK subscribers on your email list no matter when they got added—even if it was before GDPR was around. If your existing subscribers gave you consent in a way that’s already compliant with GDPR—and if you kept record of those opt-ins—there’s no need for you to re-collect consent from those subscribers.
If your existing records don’t meet GDPR requirements, however, you have to take action:
- Audit your existing email list. Figure out who on your email list already provided GDPR-compliant consent, and ensure you have a clear record of those consents.
- Implement a re-permission program. For any of your contacts for whom you don’t have GDPR-proof consent—or if you’re unsure about whether or not their consent is compliant—you’ll have to run a re-permission campaign to refresh that consent. Or remove those subscribers from your mailing list.
And while consent doesn’t expire, it’s likely to degrade over time. It also depends on context: If someone gives consent to receive a back-in-stock email, for example, the expectation is that consent expires once they receive that notification. No more emails to that person.
At Litmus, we use a re-permission program periodically to help keep our email lists clean. It includes very explicit language asking the subscriber to confirm they’d still like to get our emails by clicking a confirmation link in the email.
Re-permission campaigns are a powerful way to update existing contact records to ensure GDPR-compliant consent, but they do require detailed planning and execution. Remember: If you require updated consent for GDPR compliance, but your subscriber fails to engage with your re-permission campaign, you must remove them from your email list.
Curious about this year’s email trends?
Add your voice to our 2021 State of Email survey to help us discover and share the latest insights, like what your peers are doing about email opt-ins and privacy.
Your subscribers’ consent should always be treasured
Your email subscribers are your most valuable audience—treat them that way. While these GDPR consent measures must be made for your EU and UK subscribers, every subscriber deserves to be treated with respect. Establish and continue to build trust with your subscribers. And if they ever want to leave? Let them go.
This post provides a high-level overview about email consent under GDPR, but is not intended, and should not be taken, as legal advice. Please contact your attorney for advice on email marketing regulations or any specific legal problems.
Originally published on January 22, 2018, by Bettina Specht. Last updated on March 8, 2021, for clarity and with new information.