Crafting GDPR-Compliant Newsletters: 6 Essential Steps for Your Marketing Strategy
Email newsletters remain a powerful tool for marketers to stay connected with customers and prospects. For brands, newsletters can increase sales, keep customers in the know concerning new offerings, and improve brand loyalty.
However, asking your customers or prospects to sign up for your newsletter is considered a form of private data collection. Hence, if your email subscribers are from the EU or your newsletters are aimed at an EU audience, your email newsletter must comply with the GDPR.
General Data Protection Regulation is a set of privacy laws that came into effect on May 25, 2018. Any company that collects, stores, transfers, or processes data from EU citizens is mandated to comply with GDPR guidelines. Failure to do this may result in fines of 4% of total annual revenues and capped at €20 Million.
Besides the hefty fines, your subscribers need to believe in your ability to protect their privacy rights, effectively increasing brand trust. Therefore, the benefits of GDPR newsletters go beyond being legally compliant with the set laws.
In this article, we’ll take a deep dive covering the complete GDPR checklist for email newsletters and six steps you can take to comply.
1. Be Unambiguous When Requesting Consent
Your data collection practices should be unambiguous for your email newsletter to be GDPR-compliant. The first step to achieving this is to make all your statements easy to read and understand. Avoid any complex jargon, legalese, and long-winding statements that might otherwise confuse your users.
Your subscribers should know exactly what they are consenting to. It should also be explicitly stated on the consent form what the data obtained will be used for. Thus, if your customers subscribe to a newsletter, the consent box should be explicitly limited to a newsletter subscription and not, for example, selling the data to third parties.
All opt-in boxes should be unchecked and not preselected to maintain GDPR compliance, unlike the one below:
In the above example, apart from the check, the form is GDPR compliant since the subscriber expressly provides their names and email address. Furthermore, an opt-in box allows the user to provide affirmative consent for the website to store their information.
When building an email list, it's crucial to understand that content marketing plays a vital role because it answers your audience's questions and fosters trust. Therefore, you should also ensure that the sign-up offer is transparent right from the start. As exemplified in the above case, the website owner effectively communicates the type of content subscribers will receive upon signing up for the newsletter or promotional emails, encompassing product information and exciting new offers.
This last point has to be emphasized concerning GDPR newsletters. If you have any other products that you want to offer your subscribers during the sign-up process, you need to separate their opt-ins by using different checkboxes. TheGuardian.com is an excellent example of a company that does email marketing with GDPR compliance exceptionally well.
In the above image, you can see The Guardian segregates the various newsletter and service offers with different checkboxes.
Under the GDPR privacy law, you must offer users different opt-in boxes for different products to obtain unambiguous consent. So, a subscriber cannot sign up for, say, “Events & Masterclass” only and then receive emails about “Holidays and Vacations.”
2. Maintain Consent Records
Under the new GDPR laws, besides explicit and informed consent, it is also vital that you maintain consent records. This should start immediately after your users sign up for your GDPR newsletter and end when they opt-out or unsubscribe from your newsletter or email marketing campaign.
But what exactly is proof of consent? And how exactly do you maintain records of consent? Let’s start with the first question.
According to Securiti.ai, proof of consent is an audit trail that consists of the data subject identifier, consent date/time, source of opt-in, cookie categories, and consent status, among other specifics.
The screengrab below summarizes what the proof of consent audit trail consists of.
Besides this, the audit trail can also include what offers the customer signed up for at the time of consent, for example, newsletters, marketing emails, latest offers, etc.
So, how do you maintain records of consent? This depends on whether the records of consent are cookie-based or app-based. Cookie-based consent is based on keeping track of visitor activity on your app.
App-based consent is usually managed on an app itself. This app could be something like accounting software or a CRM such as Zoho CRM. Check out the image below for an example of consent management on Zoho CRM.
Maintaining records of consent is, in many ways, a technical challenge that not everyone may be comfortable with. An app such as iSenseLabs' Consentmo app is one way to make your workflow easy.
For example, if you are running a Shopify store, you can integrate the iSense app to maintain GDPR compliance by displaying compliance pages and maintaining (or even exporting) consent records.
3. Provide an Email Opt-In Option
We already covered email opt-in previously in this article. But let’s expound on what opt-in means in greater detail and the different types of opt-in.
Single opt-in requires users only to submit primary information, such as their names and email addresses, to subscribe to GDPR newsletters. The examples shared above have mostly depicted the single opt-in method.
In the double opt-in method, the user submits their primary information, but they must also confirm their sign-up through email validation. In this case, if the user clicks on the “subscribe” button, they receive a link in their email asking them to validate their subscription.
Check out an example of double opt-in through email validation in the screengrab below.
With opt-in, you need to make it as clear as possible what the subscribers are getting from you. For example, if you are an e-commerce business, this may include your newsletter, a new product catalog, and other special offers.
Consent should not be bundled, for example, by lumping T&Cs, privacy notices, and your email newsletter together. Instead, each item should have separate checkboxes.
4. An Unsubscribe Request Option
Part of maintaining GDPR-compliant newsletters is providing a clear and visible unsubscribe option in your emails. The unsubscribe process should be free (not charged), limited to a few simple steps, and login information should not be requested.
The unsubscribe option is usually at the footer of the email newsletter. The link should redirect to an unsubscribe page, like the one shown below.
On the unsubscribe page, you can provide a means for users to manage their subscriptions. For example, your users should be able to choose which products they want to unsubscribe from. In the case of Adidas, users can unsubscribe from blog articles or newsletters.
For users who subscribed to your newsletter before 25 May 2018 and have yet to renew their subscription, your ESP may help you to bulk unsubscribe them. You may also use a re-permission campaign to sign them up for your now GDPR-compliant newsletter.
Likewise, you should verify that all of the newsletter subscriptions were valid. Someone may end up on your email list, for example, by mistakenly subscribing. Or, if their identity is stolen and the victim’s details are used to sign-up, you may end up with a contact that hasn’t really consented to your newsletters.
To ensure compliance with all your email contacts, you can send a link to confirm their subscription again and only use those addresses that click on your link.
5. Transparent Data Collection and Management Processes
GDPR rules require that you inform users about your data collection processes in a clear, unambiguous, and straightforward way. This extends beyond data collection to include data transfer, processing operations, sharing, and transfer between cross-services.
For example, suppose you are a digital marketing agency that uses cookies to customize customer experiences. In that case, you should clarify in your cookie policy that you use collected data in that way.
You should also do this if you are a business that shares user data with third-party services and apps. For example, through an API plugin to Facebook or Shopify.
You can clearly express your data collection and usage practices through your Terms and Conditions and a comprehensive privacy policy. Typically, these also appear with links at the footer of your email newsletter. The privacy policy and T&Cs should be clearly laid out on your website either in a downloadable format or have a dedicated webpage.
6. Ensure Data Security
Data security is an essential part of maintaining GDPR compliance. The first principle of data security is to collect only what you need.
Therefore, you shouldn’t collect phone or social security numbers if you only need a name and email address. The more data you collect from subscribers, the more at risk your data security becomes.
Data security also means auditing your data handling processes. This should include auditing any third-party providers you share that data with.
For example, if you share your subscribers' email data with a CRM, have you made sure that they are GDPR-compliant as well? You can check the privacy policies and data handling practices of third parties to ensure that they are GDPR-compliant.
In Conclusion
Providing GDPR-compliant newsletters is beneficial not just for keeping you out of the cross-hairs of privacy regulators and hefty fines. It also helps you manage cleaner and more trustworthy email marketing efforts.
GDPR-compliant newsletters should comply with certain standards, and we have outlined the steps you can follow to achieve this.
These include providing clear and express consent approval, maintaining consent records, and providing email opt-in options. You should also provide a clear unsubscribe option on your email newsletter footer, ensure transparent data collection processes, and tighten up your data security practices.
Maintaining GDPR compliance will go a long way in making customers and prospects gain confidence in your ability to respect, maintain and protect their privacy rights.
About Michal Leszczyński
Michal is immersed in developing, implementing, and coordinating all manner of content marketing projects as the Head of Content & Partnerships at GetResponse. He has 10-plus years of expertise in online marketing with a Master of Science Degree in Strategic Marketing and Consulting from the University of Birmingham (UK). Michal is the author of more than 100 articles, ebooks, and courses for both GetResponse and renowned websites like Crazy Egg and Social Media Today.