The Email Marketer’s 4-Step Guide to GDPR Compliance

Email marketing is a tried-and-true strategy for increasing conversions, and with a $38 return on investment for every dollar spent, it’s no wonder that this strategy holds fast as a mainstay component of any good marketing plan.

However, successful email marketing campaigns are built on contact lists and consumer data – increasingly regulated commodities to acquire. Come May, the collection, storage, and use of that information could put companies at risk for millions of dollars in legal penalties.

Businesses around the world are scrambling to comply with the impending General Data Protection Regulation (GDPR) before it takes effect on May 25, 2018.

Intended to reshape the way that user data is gathered and processed, the GDPR dictates strict rules of conduct for businesses who collect information from consumers.

The European Union-based regulation applies to businesses located within the EU, as well as those that target citizens or residents of the EU. On the global platform that is the digital world, few are safe from the painful penalties – along the lines of 4% of a company’s annual revenue – threatened by non-compliance with the GDPR.

As the portals through which millions of bits of consumer data pass, marketing departments are feeling the pressure more than anyone to adjust their strategies and take cautious steps along the lines drawn by the GDPR. To avoid bank-breaking fines and lofty legal consequences, email marketers need to evaluate, update, and renovate their engagement strategies.

But how?

Here are five steps that you should take in order to tailor your email marketing strategies and avoid breaking the company bank on GDPR penalization.

Step 1: Refine the Scope of Your Data Collection  

Not long ago, the go-to practice for collecting data was to cast a net and see what information could be reeled in. Marketers would index piles of user information without rhyme, reason, or discretion – but times have changed.

Email marketers will now need to implement a strategy of data minimization in which every single piece of information that is collected from users has an explicit purpose and justification.

Although this may sound daunting, the adjustment is both necessary and beneficial.

Minimize Data Out of Legal Necessity

Under GDPR guidelines, data processing is only acceptable on the grounds that it can be justified as a necessary requisite to accomplish a specific goal.

Article 5 of the GDPR states that personal data can only be “collected for specified, explicit and legitimate purposes.” Those purposes are:

  • The vital interest of the individual
  • The public interest
  • Contractual necessity
  • Compliance with legal obligations
  • Unambiguous consent of the individual
  • Legitimate interest of the data controller

If your data collection doesn’t meet any of these criteria, it’s time to stop.

With GDPR penalties in the ballpark of 20 million euros, no one can afford to be careless about collecting unnecessary information.

Shed the Weight of Useless Data Targets

Gathering and storing droves of unnecessary data is a burden on your business. Now – under the pressure of the GDPR – it’s the perfect time to re-evaluate what data you’re getting your hands on and why.

According to Fulcrum Tech, most email marketers can limit the scope of their data collection to the following key points of consumer information:

  • Email addresses
  • Purchase history
  • Email clicks
  • Delivery data (# of delivered emails)
  • Percentage of mobile users
  • Leads and sales attribution channels
  • Website visits and clicks
  • Customer preferences

The bottom line is that the information you collect should be essential to the achievement of your marketing efforts and serve to enhance the customer experience. Once you’ve determined what that means for you, it’s time to get your users’ permission.

Step 2: Stop Assuming Consent

Gone are the days of obtaining customer consent with:

  • Pre-ticked boxes
  • Automatic opt-ins
  • Hidden options
  • Incentivized opt-ins
  • Hidden privacy policies

According to Article 7 of the GDPR, consent to gather and use consumer data is only legally achieved through a freely given, affirmative action performed by the user. Passivity and inaction no longer cut it when it comes to customer permission.

Put simply – consent can no longer be assumed.

Not only do you need to get permission from your contacts – past, present, and future – to keep them on your contact lists, but you also need to get consent to your privacy policy. By granting consent to these, users acknowledge and accept your collection and processing of their information.

So, how do you get permission to collect the data that your email marketing campaigns rely on to succeed?

Be direct with your users and ask them to perform an explicit action that grants consent. This puts them in the driver’s seat while keeping you on the right side of the GDPR.

Consent mechanisms can be installed on your website via a clickwrap modal, on a sign-up page, or in an email sent directly to your contacts.

Provoke a Response with Clickwrap

Clickwrap modals are pop-ups or full-screen windows that appear on your website and require the user to take action before continuing to access the content of your site. Use the pop-up to ask consumers if they want to receive emails from your company and provide a box to check or a button to click if they would like to offer their consent.

Maximize the effect of your clickwrap by also using it to notify your visitors of your privacy policy and provide a link to that policy. While a lot of companies choose to advertise their privacy policy through a browsewrap banner – a footer message that allows users to browse the site without acknowledging the policy – this strategy is not compliant with GDPR standards as there is no demand for affirmative consent.

Furthermore, make sure your opt-in mechanisms are specific. Instead of hitting users with a one-size-fits-all “I consent to my data being collected and used” box, present something along the lines of “I consent to receiving updates and offers” or “I acknowledge and consent to the practices outlined in the privacy policy above.” Let them know exactly to what they are granting their permission.

Sainsbury’s does clickwrap the right way by directing its visitors to their appropriate policies and asking for consent to their terms and conditions in addition to future outreach:

[Image: Sainsbury’s clickwrap consent form]

Notice how both the “yes” and the “no” boxes are unchecked in the example above. Always let the consumer tick boxes for themselves, or you risk their consent being rendered invalid.

Bundle Sign-Up and Consent

One of the easiest ways to get affirmative consent to contact users and disclose your privacy policy to them is by adding a permission function directly at the point of data collection.

Check out how Walmart gets consent right at the source:



Notice how above the contact form there is a link to the company’s privacy policy, and below the form is an unchecked opt-in to receive emails. Walmart’s methodology here errs on the side of both compliance and customer satisfaction.

Step 3: Launch a Re-permissioning Campaign

A re-permissioning campaign invites your existing contacts to opt in to future participation in your email marketing by sending a mass email to your contact lists.

Obtaining the affirmative consent required to continue collecting and storing user information can benefit your business in ways beyond GDPR compliance. Show your commitment to your users’ privacy, refine your contact list, and achieve consumer consent by launching a re-permissioning campaign of your own.

Re-engage your current email lists by sending out a one-size-fits-all permissioning email. Let your customers know that you’re amplifying your privacy measures and want to offer them control over their personal information.

Most importantly, give recipients the chance to opt in to receiving future emails – and don’t forget to leave the ‘yes’ box unchecked!

Asking users to perform this opt-in action achieves the degree of compliance that will keep your marketing efforts out of the scrutinizing eyes of the GDPR watchdogs, while trimming your audience down to an engaged base of subscribers.

Since these users are making an effort to signal that they want to receive your emails, they’re already engaging with your business. Knowing that these recipients are consenting to your efforts and not directing your emails to a spam folder can be a powerful piece of knowledge as you move forward with your marketing strategies.

Considering that “54% of marketers say increasing their engagement rate is their top email marketing priority,” what better way to kickstart that goal than by combining it with your compliance efforts?

The Guardian hit the nail on the head with a recent re-permissioning email they sent out to readers:

[Image: The Guardian’s re-permissioning email]

The Guardian takes additional steps to bolster their compliance by giving customers a date by which they need to opt in. After that, the data of users who declined to opt in will be wiped from company servers – and safe from GDPR scrutiny.

Warning! Avoid sending re-permissioning emails to users that have already unsubscribed from your newsletters. Several companies have been fined for making this mistake.

Step 4: Retool Your Old Regime

Now under the stringent reign of the GDPR, companies have to be more careful than ever about not only what information they collect and why, but how they disclose those practices to their users.

In order to optimize compliance efforts, marketers should take steps to assess and reinforce both their data stores and their privacy policy.

Perform a Data Audit

According to Techopedia, “A data audit refers to the auditing of data to assess its quality or utility for a specific purpose.” The GDPR beckons marketers to spring clean their cellars of consumer data, and toss unnecessary and non-compliant data in the trash.

Here are some dust bunnies to hunt for and sweep away for good:

  • Un-consenting customer contact information
  • Outdated emails
  • Campaign data that is no longer relevant
  • Open/click/response information not pertaining to current campaigns
  • Any data collected for reasons outside the four purposes outlined above

If you’re sitting on stacks of information that aren’t actively moving your marketing efforts forward and haven’t been properly permissioned up to GDPR standards, you’re putting yourself at risk. Save yourself future pain and present waste by clearing out your past piles of data.

Update Your Privacy Policy

Your privacy policy is the heart of your GDPR compliance efforts. To avoid the threatened fines and legal backlash of offending the directive, you need to build and present a comprehensive privacy policy that meets its lofty standards.

Given the massive amounts of consumer information that email marketers collect, the GDPR guidelines for appropriate privacy practice disclosures will likely call for renovations to your privacy policy and update notification processes.

When crafting your privacy policy, or updating your existing one, specify what information you collect as well as:

  • How you store it and for how long
  • Why it was collected
  • To what ends it might be used
  • With whom it is shared

Once you have everything updated, notify your users and get their consent to continue handling their information as outlined in your privacy policy.

Last Word on GDPR-Compliant Email Marketing

The looming presence of the GDPR is finally set to touch down on May 25, 2018. Whether it is a force to be reckoned with or an empty threat is yet to be seen. However, the potential penalties are too great not to take your email marketing strategies in the direction of compliance.

Not only will implementing the above measures keep your business safe from GDPR backlash, but they’ll optimize your business operations and enhance your customer experience.
