Is your newsletter sign up process GDPR compliant?
Disclaimer: The content in this blog post should be used for information purposes only and is not to be considered as legal advice. Any changes to your current processes and forms should be reviewed with your legal team or advisors.
Email is one of the most popular and effective ways to market a business to potential customers around the world.
It is however important to ensure that you as a business owner are collecting and using this legally-protected personal data lawfully.
Back in May 2018, the EU put into effect GDPR (General Data Protection Regulation), the toughest privacy law to date. It sets new rules and obligations for businesses around the world, so long as they target or collect data related to residents in the EU.
It means that if you collect email addresses, then you collect personal data. If you collect personal data from residents of the EU, the GDPR applies to you whether your business is based in the EU or not.
It's always advisable to approach your data processing activities with the strictest applicable regulations in mind anyway.
There are two key principles that you should comply with before sending out your newsletter or other email marketing to anyone on your email list:
- You have obtained a clear and affirmative consent from them
- You allow them to easily opt-out
This means that the days of pre-ticked checkboxes, bundling consent with other agreements, use of misleading wording, silence, or inactivity as implicit consent to send marketing communication are long gone.
Let’s have a look at this through some easy examples of what NOT to do:
Both of the above examples assume that the person who wants to download the free guide is also agreeing to your privacy terms AND is willing to receive your newsletter, either through pre-ticked boxes or simply because the form states so.
Neither of these is a GDPR compliant form.
To follow GDPR, the consent must be "freely given, specific, informed and unambiguous." Requests for consent must be "clearly distinguishable from the other matters" and presented in "clear and plain language".
This means that the following two examples are wrong too:
Even if the boxes are unticked, in the left option the consent is bundled for two different things: agreeing to the terms and receiving the newsletter. The person can't agree to the terms alone without also agreeing to the newsletter.
The right-hand option uses misleading wording instead. The first box is ticked to agree, while the second box is ticked to disagree. This is an ambiguous way of tricking people into consenting without realising it, and it does not comply with the GDPR.
So what does a compliant sign-up form look like?
In the left version, the person can sign up for a free guide and is also given the free choice to consent separately to the terms and to receiving further emails from you about the latest news and updates from your business.
On the right, the form is specifically about your newsletter only, so entering an email address on the form is giving consent to receive it. What they will receive and how often is also clearly stated above the form fields.
If you have multiple different categories of email newsletters, include a different checkbox for each category to get the clearest and most specific consent.
Make sure to place the link to your terms near the sign-up form, or draw attention to it, so that people can read it if they wish to. Ideally, if possible, simply have a separate checkbox to confirm that the terms have been read and agreed to.
Every email you send out should also include an unsubscribe link, but this is usually a standard feature of any email marketing service provider anyway.
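To show what the form rules above mean on the server side, here is an added example (not code from the original post) of a sign-up handler that treats every consent purpose as its own unticked box, never blocks the sign-up when the optional newsletter is declined, stores the exact wording agreed to with a timestamp, sends nothing until the address is confirmed (the re-permission confirmation described further down), and records unsubscribes as withdrawals. The purpose names, field names and record layout are my assumptions, not a real library's API.

```javascript
// One checkbox per purpose, unticked by default; its wording is stored as evidence.
const PURPOSES = {
  terms: "I have read and agree to the privacy terms",
  newsletter: "Email me the monthly newsletter with news and updates",
};

// Ticked only on an explicit affirmative value (true, or the browser's "on"); anything else is "no".
const isTicked = (v) => v === true || v === "on";

// Validate one submitted form (assumed shape: email, consent_<purpose>) and build the record.
function processSignup(submission, now = new Date()) {
  const email = String(submission.email || "").trim().toLowerCase();
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    return { ok: false, error: "invalid email" };
  }
  const consents = {};
  for (const [purpose, text] of Object.entries(PURPOSES)) {
    consents[purpose] = { given: isTicked(submission[`consent_${purpose}`]), text };
  }
  // Agreeing to the terms is required for the sign-up itself; the newsletter
  // is optional, so declining it must never block the submission.
  if (!consents.terms.given) return { ok: false, error: "terms must be accepted" };
  return {
    ok: true,
    record: { email, recordedAt: now.toISOString(), consents, confirmed: false },
  };
}

// Nothing is sent until the address is confirmed (the confirmation email of a
// double opt-in, or the re-permission email for an address collected earlier).
function confirm(record, now = new Date()) {
  record.confirmed = true;
  record.confirmedAt = now.toISOString();
  return record;
}

// Unsubscribe-link handler: withdrawal is recorded, not erased, so the history
// of what was agreed and when stays intact.
function withdraw(record, purpose, now = new Date()) {
  const c = record.consents[purpose];
  if (!c || !c.given || c.withdrawnAt) return false;
  c.withdrawnAt = now.toISOString();
  return true;
}

// True only when marketing for this purpose may be sent right now.
function canSend(record, purpose) {
  const c = record.consents[purpose];
  return record.confirmed && Boolean(c && c.given && !c.withdrawnAt);
}
```

To support several newsletter categories, add one entry per category to PURPOSES and the form gets one checkbox per category automatically.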
GDPR is in place to bring more transparency, confidentiality and integrity to how businesses are run, and there should be no reason why you wouldn't want to be a trustworthy company that uses your customers' data fairly and lawfully. Complying with GDPR will also improve your deliverability and engagement, as your list will contain only people who genuinely want to hear from you.
If you have a lot of email addresses already collected and don't have GDPR-compliant consent recorded for them, use a re-permission campaign. Send them an email to ask them to confirm their subscription so you can record their consent.
Even if you belong to the small exception of businesses that don't need to comply with GDPR, this is the direction the world is going in the future, and many countries outside the EU have already decided to follow this law too.
You might as well be ready and show the example now.
Just remember that consent for email marketing activities is only one part of the entire GDPR puzzle. What you do with that data matters just as much as how you got it, but it'll be so much easier if you do it right from the start and get compliant now.