Introductory Note: This article is not meant to be a source of legal advice, and we will not be going into detail about the components of the General Data Protection Regulation.
Please remember that laws regarding email marketing are only created to limit abusive behaviors. From our perspective, compliance with these laws does not cover all of the best practices that you should be using in your email program.
The General Data Protection Regulation 2016/679 (GDPR) is a European initiative put into place to protect the personal data and privacy of all individuals within the European Union (EU) and European Economic Area (EEA). GDPR also governs the export of personal data outside of the EU and EEA.
If you reside in the EU or EEA and send commercial emails, or if you send commercial emails to contacts in the EU or EEA, you must adhere to four key requirements. Let’s learn about these requirements.
- You must provide contacts with requests for consent. These must be separate from commercial email messaging.
- In this messaging, your organization and any third parties who rely on the contact's consent must be identified clearly and accurately.
- Note: When obtaining consent, pre-checked boxes do NOT count.
- You must keep records that detail the request for consent. These include:
- What information was shared in the request for consent
- When the consent was obtained from the contact
- How the contact consented
- Your contacts can opt out of receiving commercial emails from you at any time. These requests need to be honored promptly.
- Data Erasure: this gives contacts the right to be forgotten. On request, any distribution of a contact's Personally Identifiable Information (PII) by a person or organization must halt, and you may no longer process the contact's data. This also covers data that is no longer relevant to the original reason for processing, and data for which the contact has withdrawn consent.
- Penalties for violating GDPR can be up to 20 million Euros or 4% of your organization’s total worldwide revenue, whichever of the two is higher.
The following age requirement must also be met before sending commercial emails:
- If a child is under the age of 16, parental consent must be obtained.
- Member states are able to lower this age to 13 under GDPR.
When GDPR rolled out back in May of 2018, we implemented a few features that will help our clients who work with EU citizens stay compliant. These can be found in the Form Builder and in any Campaign setup page.
Within the Form Builder, you are able to insert a GDPR consent checkbox for your contacts to provide consent. Remember, this box must be left unchecked by default.
Within the Campaign builder, you will notice a GDPR checkbox. If you check this box, the campaign will only send to contacts whose GDPR Consent Field on their contact detail is set to True.
- Do not check this box unless you are actively using the GDPR consent field.
In Net-Results, contacts do not have this field set automatically. This is because, per GDPR, contacts must give explicit consent for that field to be set to “Yes”.
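To make the consent-field behavior described above concrete, here is an added example (not Net-Results' own code) of a minimal consent ledger and campaign filter: the consent field defaults to unset, a pre-checked box is rejected, the three record details from the requirements list (what was shared, when, how) are stored, opt-outs clear the field, and a GDPR-only campaign selects only contacts whose field is True. All class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed example; names are hypothetical, not a real product API.

@dataclass
class ConsentRecord:
    request_text: str        # what information was shared in the request for consent
    obtained_at: datetime    # when consent was obtained from the contact
    method: str              # how the contact consented (e.g. "web form checkbox")
    withdrawn_at: Optional[datetime] = None

@dataclass
class Contact:
    email: str
    gdpr_consent: bool = False               # never pre-set: no consent until given
    consent: Optional[ConsentRecord] = None

def is_valid_opt_in(box_default_checked: bool, box_submitted_checked: bool) -> bool:
    """An opt-in counts only if the box started unchecked and the contact checked it."""
    return (not box_default_checked) and box_submitted_checked

def record_consent(contact: Contact, request_text: str, method: str,
                   box_default_checked: bool, box_submitted_checked: bool,
                   at: Optional[datetime] = None) -> Contact:
    """Set the consent field only on an explicit, affirmative action."""
    if not is_valid_opt_in(box_default_checked, box_submitted_checked):
        raise ValueError("consent requires an explicit opt-in from an unchecked box")
    contact.consent = ConsentRecord(request_text, at or datetime.now(timezone.utc), method)
    contact.gdpr_consent = True
    return contact

def withdraw_consent(contact: Contact, at: Optional[datetime] = None) -> Contact:
    """Honor an opt-out promptly: clear the field but keep the record, with the withdrawal time."""
    contact.gdpr_consent = False
    if contact.consent is not None:
        contact.consent.withdrawn_at = at or datetime.now(timezone.utc)
    return contact

def campaign_recipients(contacts: List[Contact], gdpr_only: bool = True) -> List[Contact]:
    """With the GDPR campaign box checked, send only to contacts whose consent field
    is True and whose consent record exists and has not been withdrawn."""
    if not gdpr_only:
        return list(contacts)
    return [c for c in contacts
            if c.gdpr_consent and c.consent is not None and c.consent.withdrawn_at is None]
```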
Want more information on GDPR? Check out the European Commission's website.