GDPR AND YOUR EMAIL CHANNEL—Four things you need to know

Agari May 17, 2018 Email Security

The European Union’s new privacy law, the General Data Protection Regulation (GDPR), comes into effect on May 25, 2018 and has many ramifications for any organization doing business in the EU. Essentially, the regulation defines how businesses collect and store information on their customers and other private citizens. GDPR goes beyond the current standard of the EU Privacy Directive with regulations that are both stricter and more specific.

One of the major changes for companies engaging in email marketing is how they collect and store consent. The definition of consent in Article 4(11) of the GDPR is similar to the old Data Protection Directive definition but adds some detail on how consent should be given.

The current Data Protection Directive defines consent as:

“…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

For example, when a customer frequents a coffee shop and drops her business card into a glass bowl advertising a chance to win free coffee for a year, she is consenting for her personal information to be used in order to be entered into the contest.

In the GDPR, the key elements of the consent definition remain—it must be freely given, specific, informed and there must be an indication signifying agreement. However, the GDPR goes further by requiring that affirmative consent must also be “unambiguous and involve a clear informative action.”

However, this definition is only the starting point for the GDPR’s new standard of consent. For example, the essence of Article 7 is that the GDPR places greater emphasis on individuals having clear, granular choices upfront and ongoing control over their consent. The new GDPR standards don’t apply only to consent given after May 25th; they apply to all existing EU subscribers on a company’s email list.

For example, if a company has a database of 100,000 email addresses that were all obtained when individuals filled out a form where an opt-in box was pre-checked, those records are not valid under GDPR. Customer inaction cannot be used as an assumption of consent.

The Information Commissioner’s Office (ICO) of the United Kingdom has issued a guide on consent under the GDPR. The guide offers a consent checklist for helping companies ensure they have taken the appropriate steps for meeting GDPR standards.

Following the checklist will ensure that organizations are compliant with key GDPR provisions, including:

  • UNBUNDLED TERMS: Consent requests must be separate from other terms and conditions. Consent must not be a precondition of signing up for a service unless it is necessary for that service to be rendered. If subscribing to a newsletter, for example, is a requirement for downloading a white paper then that consent is not freely given. Wherever possible, granular options should be provided to separate consent from other processes or requests.
  • ACTIVE OPT-IN: Consent requires a positive opt-in. For consent to be valid under GDPR, a customer must actively confirm their consent, such as by checking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.
  • TRANSPARENT AND EASY OPT-OUT: The GDPR specifies that individuals have the right to withdraw their consent at any time and that it must be as easy to withdraw as it was to give consent. All major email laws require brands to give their subscribers the opportunity to stop receiving emails. Each promotional email sent must include a prominent UNSUBSCRIBE option. Most organizations will likely already be compliant with this regulation; however, as the GDPR deadline approaches, it’s a good time to review the company’s policies.
  • DOCUMENTATION: GDPR requires that companies keep records that demonstrate exactly what the individual has consented to. This documentation should include: who consented, when they consented, how they consented, what they were told at the time of consent, and whether they have withdrawn consent.

Email marketers know that the new EU GDPR regulation significantly changes the marketing landscape; however, it shouldn’t make accomplishing marketing objectives impossible or overly burdensome. Companies should start by auditing their current database and understanding where their contacts are geographically located and whether an audit trail of consent was captured. It’s important for organizations to know who their contacts are, how they were acquired and whether proper consent policies were followed when the data were collected. This might require a re-permission initiative, which contacts subscribers and asks them in no uncertain terms to confirm that they would still like to receive emails by clicking a confirmation link in the email. This is an effective way of refreshing consent to be compliant with GDPR, or of removing unconfirmed subscribers from the mailing list.
