
GDPR and Email Marketing: What will change on May 25, 2018

Posted: Thu Dec 26, 2024 9:55 am
by sourovk291
The countdown has begun! As of May 25, 2018, all companies processing the personal data of European citizens will have to comply with the new European regulation on data protection: the GDPR. Companies using emailing as part of their marketing strategies are particularly concerned by the GDPR, which strengthens users' privacy.

How will GDPR impact features like segmentation and personalization, which are key to any email marketing strategy? Will some email practices disappear, while data collection and use are now subject to stronger provisions? Find out what will change in less than a year for email marketers.

What is the relationship between GDPR and Email Marketing?
Email marketing is based on the collection and processing of data from your customers and prospects. A significant portion of this data is personal, since it most often involves the user's name and email, but also information that can range from age to interests, including data as specific as browsing or purchasing behavior.

This personal data makes it possible to segment and target users differently, in particular by personalizing the emails sent to them, both in terms of content and design or the timing of sending.

The GDPR, or General Data Protection Regulation of the European Union, sets out the rules for the collection and processing of this personal data, in order to strengthen the rights and privacy of individuals.

For email marketing, many of the "rules of the game" will change, including strengthened rights of access, rectification and oblivion. Marketers and companies in general are affected on several levels: the GDPR defines precisely how they can obtain, use and store personal data.

Consent and collection of personal data
The GDPR requires marketers to obtain explicit consent from users before sending them commercial messages. This provision applies to both B2C and B2B: a natural person's professional email is considered personal data (for example: [email protected], unlike [email protected] which does not require consent).

Free and clear consent: The request for consent must be formulated in a clear and accessible manner, and explain how the personal data collected will be used. Opt-out practices are therefore excluded (they were already excluded in France for individuals and non-professional addresses), as is passive opt-in (the famous pre-ticked consent box, also disapproved by the CNIL). Only active opt-in is permitted. The request for consent must be separated from the approval of the general conditions.

Granular and nominative consent: If personal data is used for multiple purposes, the company must request separate consent for each use. The goal: to give the user maximum control over how their data is used. In addition, the identity of the company using the data and those of all third parties with whom the data will be shared must be specified.

Documented consent: The sender must be able to prove that they have obtained consent from the customers and prospects to whom they send their commercial emails. The same goes for prospect lists: you must be able to provide evidence that the users' consent was obtained by the company from which you purchased the list.

Increased protection of children: Parental consent is required to process personal data of minors under 16 years of age for online services. Member states of the European Union may set a lower age, but this may not be lower than 13 years.

Data collected before the GDPR came into force may still be used if you have obtained explicit consent from users and can prove it.

In addition, the user must be able to withdraw his consent as easily and quickly as he gave it (in particular by unsubscribing from your newsletter, etc.).

Storage and security of personal data
The GDPR also aims to strengthen the secure storage of personal data and the right of citizens to request the erasure of their data. The main measures that are likely to change your personal data storage habits are:

You must store evidence that you have obtained users' consent to use their email and be able to provide it upon request;
The “right of access”: your customers and prospects can ask you whether their personal data is used, how and for what purpose. If they request it, you must provide them with a copy of their personal data free of charge, in an electronic and readable format;
The “right to be forgotten”: users have the right to request the permanent erasure of any personal data. In this case, you must remove the data from your system, without leaving any trace of the information;
The “right to portability”: data can be retrieved by the user, who has the right to transmit it freely to third parties;
“Protection by design”: the GDPR reinforces this concept, by requiring the implementation of technical and organizational data protection measures from the design stage of products and systems;
In the event of a security breach “likely to affect the rights and freedoms of individuals” whose data you have collected, you must report it to the protection authority within 72 hours of its discovery. The nature of the breach, the number of people affected and the “likely consequences” must be indicated in the notification. In the event of a high risk to their privacy, you must also inform your users within a reasonable time;
The GDPR encourages companies to collect and store only data that is absolutely necessary for the purposes for which it is processed. The controller of personal data must also restrict access to it only to those who need it for the said processing.