GDPR Compliance for Small Businesses: Email Marketing

Buzz. Buzz.

You pick up your phone and tap the push notification. Your email app opens and reveals two unread messages in your inbox.

No, you did not finally get that email from your boss congratulating you on your latest success. And it isn’t your mom sending you an e-gift certificate to Amazon.

Instead, it is an email promotion for 15% off dog leashes from a national pet retailer. However, you don’t remember shopping from them, let alone subscribing to their email list. Delete.

The second message is from Lucy’s cupcake shop. While you love Lucy -- and of course, cupcakes -- you never did subscribe to her monthly newsletter. Now you feel somewhat violated that she added your email address without your permission. Delete.

This misuse of data and lack of transparency are among the many reasons why consumer data security remains in the spotlight. It is also why consumer protection is a priority for governing agencies and regulators, and why Europe established digital privacy legislation.

Overview: What is GDPR?

The European General Data Protection Regulation, better known as GDPR, is the result of the organized efforts by the European Union (EU) to regulate data and governance for data protection.

If your business is located in the EU, if you conduct business within the EU, or if you cater to an EU audience, you need to ensure compliance and GDPR consent for email marketing. In short, the requirements for compliance boil down to two specific actions: secure people’s data, and make it simple for those people to exercise control over their data.

GDPR was originally enacted by the EU in 2012 through the efforts of the European Commission. They set plans for data protection reform across the EU to prepare the region for the digital age.

In May 2018, the GDPR put forth a new set of regulations that sent companies into a slight panic. Marketers experienced more confusion about the changes than what parents are experiencing teaching “new math” to their fourth-graders during pandemic homeschooling.

How does GDPR affect email marketing campaigns?

The most recent changes impacted local content and targeted email marketing campaigns. Specifically, the GDPR changes were meant to reduce spam and avoid mass email marketing using black hat practices and information collected without permission.

The email privacy regulations require that email marketers use only data that was collected with explicit permission from the owner. The method of obtaining the information must be documented (with companies bearing the burden of proof) to show consent. Emails must also use encryption or another way to ensure that sensitive consumer data is transmitted securely.

To comply with GDPR, even as a small business, you may need to do any or all of the following:

• Refine your security implementation and processes.
• Review data supply chains (how you collect, store, and use data).
• Create new (or tweak existing) consent procedures.

Since no company wants to run the risk of forking over hard-earned dollars due to GDPR non-compliance fines, you may want to consider a re-permission email marketing campaign.

6 best practices to create a GDPR re-permission campaign

A re-permission email campaign is a way to refresh and update your subscribers’ email consent. This will keep your lists clean and give you a chance to be compliant with the law. As a bonus, it may also give your subscribers a chance to opt-out, which contrary to what many may think, is a good thing if they are no longer interested in your content.

So how should you launch a successful re-permission campaign to meet GDPR standards? Here are some best practices that will help you out.

1. Determine your approach and scope of the re-permission campaign

The foundational aspect of GDPR in relation to email campaigns is consent. Meaning, did the consumer offer consent, and was their email address (and any other data) collected knowingly, freely, and with explicit and documented permission?

Consider how you created your email list and grew your segments:

• Did you always practice permission-based email marketing?
• Did customers opt-in or even better, double opt-in, to receive your emails?
• Do customers know and understand the type of data you collect and how it is stored and used?

You want to identify where your practices were not compliant. Then, determine how many subscribers need to offer consent and how that will impact your business. From there, you can create an email blast with specific messaging that will prompt your customers to understand your mission and opt back in.

2. Make the message have meaning

Yes, you want to make sure subscribers update their consent so you can continue to market and send emails. However, what is the benefit for your audience? Answer that age-old marketing question of “what’s in it for me?” and encourage them to take action.

Craft a message with meaning and has a sense of urgency that will prompt action. Here are some examples of email marketing content that will achieve both:

• “Please review our new email policy so you can keep receiving our emails and saving!”
• “Check your email preferences so you can decide which emails you want to receive.”
• “Update your preferences so you can be 100% into our deals and get all the great stuff you really want in your inbox.”
• “Get 15% off a single purchase when you update your preferences.”

Subject line from Macy’s double opt-in email campaign. Image source: Author

Macy’s double opt-in email campaign body copy. Image source: Author

These messages highlight the benefits for the subscriber and recommend taking action.

3. Configure the email campaign on the back end

Whether you decide to use an email marketing software platform such as HubSpot or another provider, make sure the back end of your campaign is set up properly.

A few things to remember:

• Create a list of those who have not interacted with your email campaigns in quite a while and create a segment so you can use a different message to that group.
• Ensure you have a process to remove the contacts who choose to opt-out.
• Track the analytics and set up a reminder campaign for those who do not open or take action.

4. Use a multi-touch approach

Your email re-permission campaign may perform well -- or it may not. However, you will still need to have updated consent to continue emailing your subscribers without being in violation of GDPR. Therefore, let’s avoid using the one-and-done approach.

Consider adding a call-to-action to update preferences and opt-in onto regular emails. Create a special call-out to get users’ attention. The more a subscriber sees the message, the more likely they may click and consent.

You might also consider placing the option for subscribers to update their email preferences on your website. Consider adding a banner or lightbox on your site asking if the visitor subscribes to your email and/or needs to update their profile. This may feel a bit more intrusive, but when done with creativity and great copywriting, it will seem less “in-your-face” than one may think.

Ensure GDPR compliance from here on out

While the re-permission campaign is a great start to cleaning your list, interacting with your audience, and building trust, you must ensure compliance moving forward.

This means that when you send any future email blast, go through the compliance checklist, which includes asking the following questions:

• Was the recipient data collected in compliance with all email privacy laws?
• Is personal and sensitive information protected and secure?
• Does the email include content that complies with the email unsubscribe law?

Stay compliant. Stay marketing. And stay out of the way of GDPR non-compliance penalties.