It’s said that time passes quickly when you’re having fun. The GDPR on email marketing was not exactly fun; however, the last couple of years have flown by swiftly.
But what happened?
GDPR was among the most discussed topics in the year. May was the month that it was searched more than Beyonce and Kim Kardashian, which indicates that it must have been very important (and it remains)!
While GDPR received lots of criticism from larger corporations with worries that it could destroy an ecosystem of digital technology, the main issue was how it would affect small and medium-sized businesses that simply wanted to send out emails for their patrons.
Many years have passed, and it’s been found that GDPR didn’t have the disastrous effects people were hoping for. In many ways, GDPR benefited the marketing of email more than it did harm to it.
We, at MyEmailVerifier (the most accurate email verification service in the world), roll on according to GDPR compliance, and we’re proud too!
Here’s a brief overview of what took place and what it can mean to your marketing emails.
Why GDPR is a positive thing
GDPR was announced publicly two years prior to its implementation, and yet the majority of people remained ignorant of the law until a few days or weeks prior to the deadline. Given the vast magnitude and complex nature of the GDPR, the procrastination of a large number of people caused an uproar and a state of confusion for lawyers, companies, and even experts on data protection.
The 2018 GDPR Compliance Report found that only 40 % of companies were GDPR-compliant before the May 2018 deadline.
Despite the confusion and the criticism, the GDPR, in its essence, is beneficial for all. Technology has changed our lives for the good, and one of the main reasons for the potential of the digital age is your personal information.
Your data today is a valuable asset you willfully trade for goods and services. It must be secured to protect it. It is unlikely that you would lend your car keys to someone else without having a valid agreement. This is the same for your personal information.
GDPR guarantees that every person who is the owner of the data they own has legitimate rights that all others must recognize. It is good news for marketers who use email. When you take care to protect the privacy of individuals, the results will go up.
How did GDPR impact marketing via email
There was a great reason why everyone was so convinced that GDPR would destroy marketing via email by reducing their email lists and making it almost impossible to attract new subscribers. Did you think that way?
Let’s face it, your list of email addresses may have shrunk when you implemented the GDPR opt-in procedure. But a shorter list doesn’t truly mean your list anyway suffered. The ones who remain are your faithful audience. They will be the ones who read your emails and go to your site (or take action).
Every person must create their lists in a proper manner through obtaining consent. With an acceptable standard (and GDPR fines to be avoided! ), In addition, the number of people who abuse email will decrease over time. When email marketing GDPR practices improve all over all industries, and the sweet conversion power will also increase.
But not without headaches.
Although your email’s effectiveness will improve, GDPR isn’t without challenges. One aspect that can cause the most trouble is the collection and storage of the consent of subscribers.
The GDPR on email marketing raised the bar, with specific requirements regarding the collection of consent, such as:
- Consent should have to be “freely given, specific, informed and unambiguous”;
- Consent requests must have the ability to be “clearly distinguishable from the other matters” and must be presented using “clear and plain language”;
- The data subjects are able to revoke their consent at any time they wish, and you must respect their decision.
- Documentary evidence must be kept of your consent.
Another cause of confusion revolves around the respect for the various rights to data, like portability, access and ability to erase, etc.
4 GDPR rules to be aware of
Marketing through email is among the main source of GDPR-related complaints. To prevent the risk of GDPR complaints and the GDPR penalty for non-compliance, Here are the steps to ensuring a GDPR-compliant email marketing campaign.
1. Transparency is always the winner
Be aware that you should clearly mention which third-party companies you use to send out emails as along with any other business procedures.
2. Subscribers’ make requests
Do not ignore your subscriber’s request. Be respectful of their right to privacy, including the ability to respond to their concerns.
3. Checkboxes and explicit permission
Checkboxes aren’t an absolute requirement if you need consent for a particular reason. Also, you don’t have to include a checkbox in order to offer an offer that is free. Make sure to clearly declare your lead-generating offer provided in exchange for signing up for the mailing list. Checkboxes are required to obtain consent to two or more distinct things, for example, the sending of a newsletter or for advertising.
Do not forget to include the link to your Privacy Policies in your opt-in forms. Subscribers can review the details of how you manage personal information.
Examples of GDPR sanctions
European privacy agencies have issued a number of hefty penalties for GDPR violations since the regulations started to be implemented in May of 2018.
Google was hit the hardest with a record amount of 50 million EUR that shocked the entire community of data protection. France’s regulator for data protection (CNIL) discovered that Google had violated GDPR by two methods: exaggerating the dissemination of essential information and also by explaining its data processing practices in a way in which it could be described as “too generic and vague.”
They violated the GDPR’s requirements for transparency. They also failed to establish an acceptable legal basis to process personal data to enable ad personalization, which is in violation of the GDPR’s requirement for clear and unambiguous consent for all types of processing personal information.
It’s not an initial GDPR penalty. However, it is probably the largest.
In October of 2020, the Hamburg Commission in charge of Data Protection and Freedom of Information (HmbBfDI) handed down an amount that was 35,258,707.95 EUR against clothing retailer H&M Hennes & Mauritz Online Shop.
The GDPR’s violations involve the surveillance of employees who use their personal information to determine their work and sharing sensitive personal data between the managers.
Follow the principle of minimization of data. Don’t process personal data unless there is an appropriate basis and particular reason to do so. Also, be aware of the data’s access control that is in place for the information, which certainly needs o to be implemented.
In the same year, Italian telecoms company TIM was penalized by a EUR 27.8 million GDPR penalty by Garante, the Italian Data Protection Authority (Garante), for an excessively aggressive marketing plan. A large number of people were approached without their consent and were contacted with promotional calls and unwelcome messages.
In October of 2020, The UK Information Commissioner’s Office (ICO) struck British Airways with a $26 million fine for failing to did not have adequate security measures. In the end, the airline’s system was compromised by hackers who were able to steal passenger’s personal data, including addresses, names along with payment information, and log-in information.
…And there’s more!
There were other, lesser instances across different sectors. In 2018 a Portuguese hospital was ordered to pay 400 000 EUR because its employees made use of fake accounts to access patient data. Also, a German Social network provider, “Knuddels.de,” was fined 20,000 EUR for keeping passwords for social media as plain texts. The list of violations goes on.
The effects of GDPR on other nations
GDPR set a precedent for countries outside the EU to improve their own privacy laws. It also meant that privacy laws were more pertinent following the GDPR. In today’s digital world, it’s becoming increasingly crucial to ensure that private information is secured, processed, and used to serve the right reason.
On 1-1-2020, The California Consumer Privacy Act or CCPA rolled out and was created to give CA residents–individuals who reside in California, even if they are temporarily outside of the state–more control over the personal info that businesses gather about them.
CCPA is like GDPR in that it is only applicable to companies that collect personal data from California residents.
The South African Protection of Personal Information Act (POPIA) is the most current important data privacy law that is closely modeled after the GDPR of the EU (and the Directive on ePrivacy). The law gives citizens legal rights to access their personal information. It establishes eight requirements to process data (e.g., providing consent as a legal basis) and establishes an expansive definition of personal data for the full protection of the user.
- POPIA began to take effect on July 1, 2020, and enforcement started on July 1, 2021.
- POPIA is applicable to any business or entity processing personal information within South Africa, who is located in the country or is not domiciled, but makes use of non-automated or automated methods of processing within the country.
The Act applies to anyone or business that maintains any kind of records that relate to the personal information of any person unless the records are covered by another legislation that safeguards the information more thoroughly.
The company does not have to be compliant if it’s situated in a different country than South Africa. In this regard, POPIA is not like the GDPR or Kenyan Data Protection Act, which requires you to be compliant when your company processes the personal data of the subjects within the territory. POPIA is focused on the place of processing and not the place of processing for the individual data controller.
Kenya Data Protection Act got into action on November 25, 2019, and is currently the main law governing the protection of data in Kenya. In accordance with the DPA, the controller and data controller must ensure that personal information is processed legally as well as in a fair and transparent way.
The Act governs data processing for the personal information of data subjects residing in Kenya and is applicable to processors and data controllers who are based within or outside of Kenya. The DPA is in large part modeled after the GDPR.
MyEmailVerifier Thanks GDPR.
Why are we paying GDPR a homage? It turned out that GDPR didn’t end email marketing completely. We believe it has allowed many of you to create more efficient email marketing campaigns. It also inspired other countries to improve their own laws, like those of the CCPA and POPIA, which is an excellent thing for the protection of data all over the world!
In respecting your subscribers and delivering value in every message you mail, the GDPR for email marketing adds that extra layer of recognition to remind you that your subscribers aren’t only a few numbers; they are individuals with rights.
Data is owned by the individual. If you accept that you will treat their information the same way you would expect other people to treat you as well as your data, then good things happen.
Like always, MyEmailVerifier will be there to answer your questions and help you navigate GDPR when it comes to email marketing. Just drop comments!