GDPR

General Data Protection Regulation (GDPR)

On May 25th, the new privacy law for the European Union (EU), known as the General Data Protection Regulation (GDPR), will be immediately enforceable. This regulation will greatly simplify the privacy laws in the EU, which is good news for email marketers, but it will also be the strictest law globally. Any marketer with EU consumers' data will need to comply with this law, regardless of where they are headquartered.

GDPR Overview

There have been many articles published on this topic in the past year, but we wanted to make sure you were aware of some of the required changes. This article from Litmus on the Top 5 things you should know about GDPR provides additional information that may be helpful as you finalize your compliance with this law.

GDPR requires that brands collect affirmative expressed consent that is “freely given, specific, informed and unambiguous” to be compliant.

To be compliant with GDPR, you must have Expressed Consent from all EU consumers before May 25th or you will need to stop emailing them. The Information Commissioner’s Office has provided consent guidance that you may want to have your legal team review to determine how your organization will decide to comply.

Compliance

Many email marketers are choosing to send a re-permissioning email to capture expressed consent from EU consumers. Re-permission email examples can be found online, and some can be found in this article from Litmus.

It is important to note that pre-checked opt-in boxes, often part of purchase transactions, are not compliant with GDPR.  If you have ever used a pre-checked box or other implied consent-based approach to build your email list, you should work to gain expressed consent from your EU consumers before May 25th.

This law applies to any company, in any country, that has data from EU consumers.

Although you are ultimately responsible for compliance with GDPR, as you are with CASL and CAN-SPAM, Ascent360 will be providing the following fields to help you comply:

  1. Email Permission Status – this field will be set to either a Yes or No, indicating if the consumer is contactable. It will be populated with a Yes, only if Expressed Consent has been given by the consumer. 
  2. Date of Expressed Consent – will show on what date expressed consent was provided.
  3. First Source – will indicate what form was completed by the consumer when providing expressed consent.

If you would like to simply stop marketing to EU consumers as of May 25th, please let your Account Manager know as we can change the GDPR Permission Status on known EU consumers to No.

Q & A

  1. Should I remove the pre-checked box from the bottom of my transaction confirmation page?
    1. To comply with GDPR, you cannot email EU consumers who have not expressly opted in, and therefore, a pre-checked box would not be in compliance.
  2. My business is not located in the EU. Do I still need to comply?
    1. Yes, if you have any EU consumer data.
  3. Can I email EU consumers after May 24th to gain consent if they have already given me implied consent?
    1. You would be in violation of the law if you emailed an EU consumer after May 24th.
  4. What if I don’t know if a consumer lives in the EU (in other words, they are using a gmail.com domain name and they haven’t provided me with their mailing address)?
    1. Some organizations are choosing to add them to the re-permissioning campaign while others are choosing to assume they are not EU consumers.
  5. Can I still use EU consumer email addresses for targeting in Social Media platforms like Facebook?
    1. You should only use EU email address data if you have expressed consent and this type of usage is covered within your privacy policy.
  6. Should I delete all EU consumer data from my systems if I don’t receive expressed consent by May 25th?
    1. You should talk with your attorney to decide how you would like to handle EU data.
  7. Are changes needed to my privacy policy?
    1. You should have your legal team review your privacy policy to determine if changes are needed.

Disclaimer

This information is intended to provide a high-level overview of compliance with GDPR, but it is not intended as legal advice. As with all new laws, you should contact your attorney for compliance advice specific to your organization.