The General Data Protection Regulation (GDPR) is a privacy law that has stringent requirements for the privacy practices of certain websites and how businesses collect, use and disclose the personal data of residents of the European Union.
While you may have been collecting emails and sending newsletters to your customers or potential customers for a long time, you must follow the rules that GDPR imposes on newsletters or you could face high penalties for non-compliance. In this article, we will discuss how you can send newsletters properly in accordance with GDPR.
Obtaining consent;
The first step of sending email newsletters is collecting the actual emails. Most websites do this by having a newsletter form where individuals provide you with their names and emails. GDPR states that data minimisation is integral to smart data management practices so you should ensure that your newsletter signup form collects only the personal data that you actually need. For example, if you refer to first names only in your newsletters, then you may not need to collect last names. Furthermore, a physical address isn’t necessary to send an email so you should refrain from collecting this type of data as well.
It may surprise you, but GDPR, by default, prohibits the collection, use and disclosure of personal data unless an exception (also called a legal basis) applies. Processing of data for email newsletters usually takes place under the consent legal basis, meaning that the individual has consented to the processing of his or her data for specific purposes. GDPR defines consent as “any freely given, specific, informed, and unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.”
While we could spend hours discussing consent under GDPR, here are the main aspects of consent that you need to be aware of:
- The individual must have a real choice as to whether to allow the processing of their personal data;
- You must clearly state that the emails will be used for the purpose of email marketing;
- If you plan on using emails for additional purposes, you must state that and obtain consent for each purpose;
- You must provide the individual with enough information to make an informed decision (discussed below); and
- The individual must take an affirmative action showing that they are agreeing to you processing their data. This means that silence, pre-ticked boxes, or inactivity are not appropriate ways to get consent under GDPR.
Providing adequate information to the data subject
Under GDPR, data subjects have the right to receive transparent information about a particular website’s privacy practices. While GDPR contains a multitude of disclosures that need to be made in a Privacy Policy, it requires the following minimum disclosures for consent to be informed:
- Your identity;
- The purpose of the processing operations (e.g. sending email newsletters);
- What data will be collected and used (e.g. emails);
- The fact that the individual has the right to withdraw their consent at any time;
- Information about the use of personal data for automated decision making; and
- Whether you plan on disclosing data to parties in third countries or to international organizations. If you plan to do so, you must disclose information on the possible risks of data transfers to countries without an adequacy decision and of appropriate safeguards.
Note that your Privacy Policy must also disclose whether you plan on sharing the data with third parties and if so, you must state what third parties you plan on sharing the data with. Companies that undertake email marketing usually share that data with email marketing services such as MailChimp or Constant Contact and such practices must be stated in the Privacy Policy. Finally, since email newsletters are considered direct marketing under GDPR, you must also include a direct marketing disclosure.
The rights of data subjects
GDPR protects the privacy of individuals by providing those individuals with certain privacy rights. The following is a list of rights that are the most relevant to the processing of personal data for sending email newsletters:
- Right to transparent information - your Privacy Policy must contain the proper disclosures discussed above;
- Right of access - the individual has the right to access the personal information that you hold about them and to receive additional context for how you use that data;
- Right to rectification - the data subject can ask you to correct their data if it is incorrect;
- Right to restrict processing - the individual can ask you to stop using their data for certain purposes, including for direct marketing; and
- Right to withdraw consent - if you are processing personal data on the legal basis of consent, the individual can withdraw consent at any time. If the individual withdraws consent, then you must stop processing their data immediately.
If you want to send email newsletters without running afoul of GDPR, you must ensure that you obtain consent for using data for this purpose, provide individuals with transparent information about your privacy management practices, and respect the privacy rights of individuals. While this may seem strict, you should think about it this way - you may receive more engagements when your list actually wants to actively receive your emails and participate with your brand.