Simple steps to help you GDPR-proof your email list
You’ve probably heard it tons of times – the money’s in your email list. And it’s totally true. From getting loyal followers and increasing sales to up-selling and keeping current customers happy, building a strong email list can help your business grow and thrive like nothing else. But strict new EU regulations (called GDPR) are seriously changing up the rules of the email marketing game.
If any of your subscribers are EU citizens (no matter where your business is actually located), you’ll need to ensure your email marketing is GDPR-compliant before May 25, 2018, or risk stiff fines. Yikes, right?
But don’t panic! Even if you’ve never heard of GDPR before, this post will help you get up to speed and protect your business in a couple of simple steps.
What is GDPR and how does it affect me?
GDPR stands for the General Data Protection Regulation. It’s basically a new set of EU rules that govern how businesses can gather and use personal data such as subscribers’ email addresses.
But what about if your business isn’t located in the EU?
Unfortunately, GDPR rules still apply to you, even if you only have a few EU-based subscribers or customers. If you’re scrambling to get your email signup forms GDPR-ready, don’t worry, you’re not alone. In fact, more than half (52%) of all businesses are unsure about the potential impact of GDPR and 57% of retailers are not GDPR-ready.
But just what is so challenging about this new regulation?
It all comes down to a major shift in the concept of “consent”. The new standards for what constitutes consent are much stricter than what was acceptable pre-GDPR. Under GDPR, a simple email opt-in doesn’t cut it anymore.
Instead, you now have to be able to prove that you’ve received “clear and affirmative” consent before you can collect someone’s email address and send them messages. This rules out previously acceptable forms of opting in, like pre-ticked consent boxes and failure to definitively opt out of receiving marketing communications.
What constitutes consent under GDPR?
In the past, consent only required you to receive confirmation from people that they were willing to get marketing communications from your business.
With GDPR, though, both the way in which consent was asked for and the way in which it was given matter. (For a more in-depth view, check out this GDPR review.)
Here are some important changes you need to know about:
Consent must be clear and affirmative, as well as “freely given, specific, informed, and unambiguous”:
It can’t be bundled together with other terms and conditions. In keeping with the requirement that it be specific and freely given, consent must be independent and granular. If you’re like most businesses, you currently offer value-packed content like guides, checklists or eBooks to people in exchange for an opt-in to receive newsletters or other email marketing. From a marketing standpoint, this is an awesome way to draw in potential subscribers and provide them with more content, based on the offer they downloaded.
Unfortunately, under GDPR, this is no longer considered freely given consent.
In other words, subscribers must consent to receive your newsletter because they actually want it, not because it’s a pre-requisite to getting the checklist or eBook they really do want.
Let’s check out two examples of the right and wrong way to receive independent consent:
Note that on this sign-up form, an individual isn’t forced to download additional marketing communications if they don’t want to. They can simply download the checklist without opting into anything else if they wish. This helps to fulfil the requirement for freely given consent.
In the example above, the subscriber has to sign up to receive a newsletter they may NOT want in order to get the checklist they DO want. This makes the consent given invalid under GDPR.
Always provide granular options for people, allowing them to download or sign up for only what they want.
The (very) rare exception is in cases where it’s necessary to receive email consent in order for you to render a certain service. It’s best to always clarify that this is the case before proceeding.
Consent should not be passive:
Passive consent, such as an individual failing to uncheck an already checked box, is not considered valid under GDPR. While this may be good marketing (passive consent options tend to garner higher opt-in rates on forms), it can place your company in non-compliant territory.
This also applies to any form of passive consent, including inactivity, silence, or failure to actively opt out.
Let’s look at examples of active (correct) and passive (incorrect) consent below:
In the example above, the individual has to check the sign-up box themselves, meaning that they actively consent to receive the communications offered.
Here, you can see that the sign-up form has a pre-checked box. This puts the onus on the individual to stop and uncheck the box if they don’t agree.
Under GDPR this is considered passive opting in and is not an acceptable form of consent. For this reason, steer clear of pre-ticked forms, opt-ins through silence or inactivity, and any other form of consent by default.
While double opt-ins were once the gold standard of consent, they’re not enough under GDPR:
But GDPR goes one step further:
You’ll also need to be able to prove that you’ve told people how you’ll use their personal data and that they’ve agreed to your terms. This proof will need to be stored and presented in case any question of non-compliance comes up. Using a CRM that automatically saves a copy of all opt-in forms for you can make this step a little easier.
Past consent is not exempt:
This news is the source of most businesses’ GDPR-related headaches.
GDPR comes into effect on May 25, 2018, but that doesn’t mean that you can continue to market in a non-compliant way to contacts gathered before that date. Its regulations apply to both existing and new data, so past data gathered in a non-compliant manner can still land you in hot water.
Legitimate interest may not be enough:
Many businesses agree with the need to receive explicit consent but feel that, in some cases, proof of legitimate interest may be enough.
For example: If your e-commerce business’s subscribers gave their original consent in a non-compliant manner but then proceeded to open and engage with your messages, wouldn’t that serve as proof they are legitimately interested?
And wouldn’t your business then be justified in continuing to market to them?
The short answer is “not really”. Unfortunately, GDPR doesn’t allow using legitimate interest when marketing to individuals, so I would err on the side of caution. While this could represent a major cut to your existing contacts list, it’s well worth it to avoid falling foul of the regulation.
Send out re-permission emails
Of all marketing operations, the new rules hit email marketing particularly hard. In the face of GDPR, you might be tempted to just delete your contacts and data altogether.
All isn’t lost, however. While these new requirements are certainly challenging, you can turn GDPR into an opportunity.
Savvy marketers are already going through their databases and working to salvage contacts through re-permissioning.
Re-permissioning is the process of getting a definite opt-in from your database. By sending out re-permission emails that seek clear affirmative consent from your existing contacts, you can move forward with a clean and engaged list.
Benefits of re-permission:
Will you lose some contacts after sending re-permission emails?
Almost definitely. There’s no sugarcoating that fact. Industry statistics show that re-permission opt-ins range anywhere from only 10% to 50%. But while you’ll likely end up with a lower number of contacts, getting opt-ins from contacts who do want to continue hearing from you will allow you to market more confidently in the wake of GDPR. And sending re-permission emails offers your business benefits beyond GDPR compliance, including:
Contacts who are willing to opt in again are more likely to open and engage with your emails. This will give your deliverability and sender score reputation a major boost. Don’t worry about losing a couple of names on your list.
Higher conversion rates:
Your smaller list may actually be way more powerful, as every contact on it actually wants to hear from you and is actively interested in your business’s offerings.
You probably have a much better chance at turning a subscriber who has taken the trouble to opt in again into a customer than you do with someone who may originally have passively opted in.
You’ll also spend less time and valuable resources marketing to people who just aren’t that into your content.
A clearer analytics picture:
Your current list may be larger but it probably includes a number of subscribers who aren’t genuinely interested in receiving your messages.
As a result, their lack of engagement with your emails can artificially drag down your analytics, giving you a false impression of your content’s effectiveness. While you may be doing great at converting those who are interested in your emails, you’ll still end up with a cloudy idea of your strategy’s effects.
Cleaning up your list with re-permission emails helps you gain analytics clarity.
An enhanced reputation:
Asking current contacts whether or not they want to keep receiving your emails is a fantastic way to gain trust. If you stress the fact that you want to provide real value, not just clutter up recipients’ inboxes, your brand’s reputation will definitely benefit.
Tips to keep in mind when sending re-permission emails
Start sending now:
Keep in mind that there’s going to be a rush of re-permission emails from other brands in the lead-up to May 2018. Many businesses are probably waiting until the last minute, still unsure of how to deal with GDPR. This gives you a head start. Staying ahead of the pack means you can get your emails sent before recipients get tired of the flood of eleventh-hour re-permission messages in their inboxes.
Only contact those who have given consent:
But be sure not to send re-permission emails to those who’ve already opted out. Current regulations require you to ensure you’re only contacting those who’ve given you consent. The alternative could mean major fines, as organizations like Honda and Flybe have learned to their cost.
Don’t use a blanket approach:
While a general template will work well for most subscribers, single out your best customers for special treatment. In select cases, try a highly personalized email. Go for relevant, targeted messaging that reminds contacts why they like hearing from you. Use first names, thank them for being subscribers, and be genuine.
Acknowledging valued customers is the best way to ensure they stay on board after GDPR.
Be clear and direct:
While GDPR is an important issue to businesses, your audience is likely less interested. Sending a clear, to-the-point email will go a long way towards ensuring your message actually gets read. A long-winded email that sounds like marketing, on the other hand, is a surefire way to get opt-outs.
Instead, focus on grabbing attention with punchy subject lines and keeping it with purposeful keywords in the brief body copy.
Remember, silence equals an opt-out:
If a recipient doesn’t open your email (or opens it and doesn’t definitively opt in), take them off your list. GDPR is very clear that anything less than clear and affirmative consent is not valid, so resist the temptation to reach out again.
Clarify which organizations will be relying on the consent received:
Make sure that your business and any third-party organizations gaining this consent are clearly named. So for instance, if your organization “Bella Trading” and a partner company called “The Beauty Group” will be relying on the consent, both must be named.
Provide a clear opt-out:
Your message should state clearly that people have the right to opt out or withdraw their consent at any time. Include clear information about how to withdraw consent. Focus on making it as easy to opt out as it is to opt in.
Bonus: Your subscribers will appreciate it and will be less likely to opt out if they feel like they have a choice.
I can’t stress this enough. Going forward, it will be super-vital that you protect your business by maintaining records of consent received.
Your records should also demonstrate how consent was asked for and given. If you haven’t already done so, start re-vamping processes now to prioritize the maintenance of thorough records. Everything from automatic screenshots to copies can help.
There’s no doubt that email marketing can help you take your business to the next level. Customers absolutely love hearing from their favourite brands via email, as it’s a more personalized experience.
But with GDPR right around the corner, you’ll have to make changes now to make sure that your email list is 100% GDPR-proof. Businesses everywhere are rushing to deal with this change, but instead of worrying, keep your focus on getting ahead and being prepared.
Making a few important adjustments can help you protect and grow your email list, so you can actually turn GDPR into a business opportunity.
With that said, however, these regulations and the repercussions of non-compliance aren’t to be taken lightly.
If you have any questions about compliance, I’d highly recommend consulting a legal professional. Clarity about your business’s specific situation will allow you to craft long-term strategies that make the best of these new email marketing rules.
Have any questions or comments about making sure your email marketing is GDPR compliant? Share with us below!