GDPR Compliance & Email Marketing [Opt-In, Consent & More]
GDPR requires marketing emails to get consent. How do you do that? We’ll cover how to obtain consent and how to keep your emails GDPR compliant.
Are emails GDPR compliant? The answer is usually no. Emails by their nature contain personal information which subjects them to GDPR compliance. To be compliant, email recipients need to give consent and emails need to be encrypted.
What Is GDPR and How Does it Relate to Email?
The General Data Protection Regulation (GDPR) framework is a security compliance standard for the European Union intended to protect consumers and their data. More specifically, GDPR was created to help consumers take control of their data and how they are contacted through digital marketing channels like email.
With that being said, GDPR impacts how businesses email their customers for marketing purposes:
- Any business collecting, storing or using customer data must protect that data. So, if you use email to collect data from customers, or if you store data collected via email, then you need to protect it (typically with an encryption algorithm).
- Businesses collecting data can only retain it “no longer than necessary than is necessary for the purposes for which the personal data are processed.” That is, businesses can’t hang on to customer data into perpetuity: they must only retain data for as long as it’s being used for reasonably well-defined business purposes.
- GDPR Article 17 outlines the “right to be forgotten”, which simply dictates that the consumer has the right to demand and control the erasure of their data from a company’s system. According to GDPR, this is binding and non-negotiable.
- There are only 6 lawful conditions under which a business may use a consumer’s data: consent, performance of a contract, legitimate interest, a vital interest, a public interest or a legal requirement.
Consent is an incredibly important part of GDPR and email. Specifically, GDPR defines several aspects of consent for the use of consumer data, including:
- The consumer has given free, unambiguous consent for the use of that data
- Requests for consent must be clearly defined and marked, and look different than other correspondence like bills
- The consumer may withdraw consent at any time
- Children under 13 cannot give consent without the permission of their parent
That being said, GDPR doesn’t block email marketing, it simply provides more protections for how companies can market to individuals using their personal data.
How Does GDPR Relate to CAN-SPAM?
The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a law in the United States that regulates email marketing and consumer protections. While there are similarities between the laws, there are also significant differences, including:
- Opting in or opting out. CAN-SPAM is an “opt-out” law, which means that a company can send you unsolicited emails so long as they provide a way for the consumer to opt-out of receiving more (usually through a link or form). GDPR, on the other hand, requires not only consent but clearly defined forms or documentation of that consent (or an “opt-in”) before sending emails.
- Opt-out time frames. Under CAN-SPAM, businesses have 10 days to remove users from a mailing list once those users opt-out. Conversely, businesses under GDPR must promptly remove the user from a mailing list.
- The right to be forgotten. The right to be forgotten is part of GDPR. There is no right to be forgotten under U.S. law, which means that most businesses have no legal obligation to delete user data upon request.
Some U.S. laws are a bit less stringent than GDPR (excepting California’s Consumer Privacy Act, or CCPA, which is roughly on par with GDPR), and as such email marketers in the EU have more obligations to protect user data and heed the requests of consumers who want to keep their data off your systems. However, U.S. companies doing business in the EU must abide by GDPR, which means meeting these requirements or facing the same penalties.
How Can I Make My Emails GDPR Compliant?
For the purposes of this article, we can break down the impact on email and compliance between how data is handled and how you can actually reach out to your customers.
The obvious factor for making your email compliant with GDPR is consent. You must have a clear method of gaining consent, and you must have a record that consent was given freely. What that means is that any email strategy or system used for marketing that wants to remain compliant should have a clear and unbroken audit trail between when the user gives consent up to the moment you send them an email.
This is also true for any requests to delete data. For GDPR, your business must promptly respond to any request for deletion. If you don’t, you could face fines of up to 20 million Euros or 4% of your annual worldwide revenue, whichever is higher.
In terms of data protection, you must employ encryption whenever user data is transferred or stored for business purposes. This means that to make your emails compliant, you must either:
- Encrypt any email that contains personal information (which could mean any email sent must be encrypted), or
- Utilize a messaging system that leverages secure servers and links to keep private information out of public emails.
Note that the latter approach doesn’t forgo the need for encryption, but it does reduce the surface for which encryption is necessary (a server or cloud environment rather than every single email). This also means that the receiver won’t have to use the same encryption method that you do if you are just directing them to a secure server with proper authentication controls.
The Kiteworks Platform and GDPR Compliance for Emails
Maintaining compliance with GDPR is easy and reliable with the Kiteworks platform. Our platform provides the critical auditing and security you need to protect consumer data and record important information regarding consent:
- Encrypted email and storage: With the Kiteworks platform, you can set up local, encrypted email messaging for users and then send them links over public email. This way, you can avoid costly and inefficient email encryption while providing high-level security support for user data through server encryption and user access management controls.
- Unbroken audit trails: When a user gives consent, your Kiteworks system will create a clear, unbroken audit trail from the point of consent to the current date. This way you can document when and where consent was given for email correspondence. Additionally, this audit trail can also provide evidence for security purposes, including who is accessing user data on your system.
- Unified dashboards: From a centralized dashboard, you can monitor and respond to different security and recording issues, including items like when a consumer requests a data deletion or revokes consent.
- Integrated tools and software: Kiteworks utilizes integrated Microsoft O365 tools that connect right to your desktop workstations. With the Kiteworks platform and Office, you can create clear and compliant consent forms to manage consumer emails and protections.
To learn how Kiteworks ensures GDPR compliant emails, schedule a custom demo of Kiteworks today.