GDPR Compliance for Newsletters

If you have EU customers or subscribers and you wish to send them newsletters by email, you must comply with the EU's General Data Protection Regulation (GDPR).

Below, we consider how the GDPR affects email marketing and how you can send GDPR-compliant newsletters.

The GDPR and Personal Data

The GDPR is a privacy law out of the EU that regulates how businesses can process or share "personal data" belonging to EU residents.

Personal data is defined in Article 4 as:

"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, culture or social identity of that natural person"

Legal Grounds for Processing Personal Data Under the GDPR

To collect and process personal data belonging to those protected by the GDPR, you must have legitimate and lawful reasons for doing so. Typically, this means you can only collect personal data if you can justify it on one of the following grounds:

• You have the person's consent to collecting their data
• The data is necessary to complete a contract between you and the individual
• You need the data to comply with a legal obligation
• The data is required to protect the person's vital interests or safety
• The controller - that is, the company processing the data - needs the information to perform a task in the public's interest
• The controller needs the data to further its own legitimate interests, or the interests of a third party

The grounds are set out in full in Article 6:

In terms of newsletters, this means that you can't process personal data for marketing purposes unless you have legitimate grounds for doing so.

Who Must Comply With the GDPR?

You're bound to comply with the GDPR if you sell goods or services to EU residents, or if you collect personal data belonging to EU residents. And although the UK is no longer an EU Member State, GDPR compliance continues to extend to UK residents for the time being.

It doesn't matter where your business is based, or how much personal data you collect. If EU residents interact with your business, then you must comply with the GDPR.

What does all this mean in the context of email marketing?

• If you're sending someone marketing emails, then you have, at a minimum, their email address (and possibly their name).
• Because you are processing personal data, you must comply with the GDPR.
• Marketing is not necessary, and it's not required to complete a contract, and so you need to rely on another lawful basis for processing.
• In most (if not all) cases, you need someone's consent to send newsletters or share their data with third parties e.g. business partners.

Let's now consider how to create GDPR-compliant newsletters.

Implementing GDPR Compliance for Newsletter Marketing

As noted, the GDPR requires consent before you can send marketing communications. Under Article 4, consent is only valid if it's a:

"freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

In practical terms, here's what this means:

• Individuals must not feel pressured or coerced into giving consent.
• You must make your purposes clear so that individuals know what they're consenting to.
• Someone should take a positive, affirmative step to give consent e.g. clicking a checkbox next to a statement that says "I Agree."

It should also be clear how people can revoke consent or change their communication preferences. With this standard of consent in mind, let's break down how to create GDPR-compliant newsletters.

1. Inform the User How You Will Use Email Addresses

Individuals must understand what type of content you wish to send them, or else the consent is not technically "informed." Before collecting any personal data for newsletter marketing, give notice about what type of emails you will send the person so they know what to expect.

Here are some examples of how to do this.

Etsy makes it clear that signing up for emails means receiving messages about product offers and gift ideas:

Customers signing up for Rogue Fitness emails are informed that they'll receive newsletters about product releases and brand news:

Finally, Gymshark is a great example. The company sets out, in a visually engaging but simple format, what people can expect if they consent to marketing emails:

In sum, you should include a statement or list of what exactly you will be sending the users who sign up for your email newsletter. Not only does this help with GDPR compliance - It makes your subscription more attractive.

2. Make it Clear That Subscribing is Optional

GDPR consent must be freely given in order to be valid. This is emphasized in Article 7, which states that businesses cannot make customers feel that they must consent to marketing in order to receive goods and services:

As an example, before Starbucks customers open a Rewards account, they can also sign up for product offer emails, but there is no suggestion that signing up for these newsletters is required:

It's important to give users options and in no way require that they agree to receive your emails if they don't wish to.

3. Get Unambiguous and Express Consent

Under the GDPR, consent cannot be implied. It must be express and unambiguous. In practice, this means that a person must do something positive and affirmative to indicate they wish to receive your newsletter.

The best way to get express consent is to use checkboxes or buttons which the customer must engage with in some way to show they're happy to consent. These checkboxes should be set to the "off" position by default so that customers must take a positive action if they're happy to opt-in to newsletters.

Here's a good example from MyProtein. The company informs customers about the types of newsletters it wishes to send, and there is a clear choice between opting in and opting out:

Customers looking to set up an Adidas account have the choice to opt in to personalized marketing, which can include newsletters. Again, the user must take affirmative action by clicking the box or else it's assumed they do not consent:

Adidas also informs customers of their right to stop sharing their data, or opt-out, at any time.

4. Periodically Re-Request Consent

It's good practice to re-request consent if:

• A significant amount of time has passed since the person gave consent, or
• You wish to use their data for a new purpose (even if it's a similar purpose)

There's no right answer as to how long you should wait before re-permissioning someone, but you might consider getting fresh consent after a year or two. And if, for example, you have someone's email for marketing reasons but you want to use it for a different purpose, you may need their consent again.

If in doubt, always re-permission someone.

5. Be Transparent About Third Party Data Sharing

You should not share personal data with third parties without the affected individual's consent. If you plan to share data with any third party, make this clear at the point of data collection. Otherwise, consent is not informed or freely given.

Abercrombie & Fitch, for example, invites people to choose which other related brands they wish to hear from when they subscribe to A&F. The individual must give express consent to each brand by clicking a checkbox:

You should also include details of any third parties you may share data with in your Privacy Policy, as there's a chance these companies will contact your customers.

So long as you provide a link to your Privacy Policy at the point of sign-up, and someone confirms they're happy for you to process their data in line with your Policy, they have consented to third party data sharing. However, you may consider taking the same type approach as A&F to improve transparency.

6. Enable Users to Withdraw Consent

Every newsletter should include an option to opt-out, unsubscribe, or no longer receive marketing emails. To promote transparency and accessibility, use simple language and make sure it's obvious what the person must do to unsubscribe.

Collectif customers, for example, can click on the link at the bottom of the newsletter to unsubscribe or tailor the type of communications they receive:

It's also good practice to inform people before they sign up for your newsletter that they can unsubscribe at any point. The wording should be unambiguous, and the steps to take to unsubscribe should be made clear.

Here's an example from Abercrombie & Fitch. Before customers sign up for email marketing, they're advised that they can unsubscribe by following the instructions in the emails they receive:

Note also that customers must give express consent to marketing emails by clicking the checkbox.

7. Address Consent in Your Privacy Policy

Your Privacy Policy sets out how you process, protect, store, and share personal information. If you intend to send newsletters, or use data for marketing purposes, this should be clearly stated in your Privacy Policy in the interests of transparency.

Here's an example from Walmart's Privacy Notice. The company may use personal information for targeted advertising and marketing, as described in the clause below:

You should also include a link to your Privacy Policy on any pages or within any banners seeking consent to marketing emails so that users can read it.

Make sure marketing is covered in your Privacy Policy, and that subscribers have a chance to view it before agreeing to receive newsletters, or the consent may be invalid.

Personal Data Processing on Legitimate Interest Grounds

Under Article 6 of the GDPR, businesses can process personal data if they have a "legitimate interest in doing so." A business, then, may attempt to rely on legitimate interest rather than consent as a grounds for processing personal data. This is not advisable, however.

• Individuals have the right to object to you using their data for marketing purposes (Article 21 of the GDPR). Your legitimate interests cannot override the person's objections, and so, if someone objects, you can't use their data for newsletters.
• EU e-privacy laws mean that businesses are typically expected to get consent before using personal data for marketing communications. So, even if you could rely on legitimate interest grounds under the GDPR, other applicable privacy laws may prevent you from doing so.

Always get express and clear consent before sending marketing emails, including newsletters. Otherwise, you could fall foul of EU privacy laws.

Tips for Ensuring GDPR Compliance

To ensure that your newsletters are GDPR-compliant, here are some final tips to bear in mind:

• Minimize the data collected: Don't collect more data than you need for a given purpose.
• Limit your purposes: Only process data for a clear and specific reason, and get renewed consent if you wish to use the data for a new purpose.
• Be transparent: Be transparent about how you use the data you process for marketing purposes, and ensure you have lawful grounds for using such data.
• Get clear consent: Get unambiguous, express, and informed consent whenever you wish to use personal data for marketing reasons. Do not attempt to rely on e.g. legitimate interests.
• Make it simple to opt out: Offer a simple and clear way for newsletter recipients to opt-out of newsletter marketing, and do not send them further correspondence unless they opt back in.

Penalties for Non-Compliance

Under the GDPR, businesses face potentially steep fines and other penalties if they fail to process personal data legally.

All fines must be proportionate, according to Article 83. The relevant authorities must consider, for example, whether it was a deliberate violation, the nature of the incident, and whether it's a company's first violation.

Fines are capped at up to 20 million Euros for severe offenses. However, although most fines will be less than this, you could still face significant reputation damage.

Summary

Any business collecting personal data belonging to EU and UK residents - including email addresses - must comply with the GDPR. The good news is that it's simple to create GDPR-compliant newsletters.

• Inform your subscribers so they understand what signing up for your newsletter means.
• Ensure that subscribers know what information you are collecting from them, and for what purpose.
• If you share personal data collected for email marketing with third parties, make this clear to subscribers.
• Get clear and informed affirmative consent before using data for marketing purposes.
• Include a simple way for people to opt out or unsubscribe in every email newsletter.
• Cover newsletter marketing in your Privacy Policy.