Email Security Blog

GDPR AND YOUR EMAIL CHANNEL—Four things you need to know

Agari May 17, 2018 Email Security

The European Union’s new privacy law, the General Data Protection Regulation (GDPR), comes into effect on May 25, 2018 and has many ramifications for any organization doing business in the EU. Essentially, the regulation defines how businesses collect and store information on their customers and other private citizens. GDPR goes beyond the current standard of the EU Privacy Directive with regulations that are both stricter and more specific.

One of the major changes for companies engaging in email marketing is how they collect and store consent. The definition of consent in Article 4(11) of the GDPR is similar to the old Data Protection Directive definition but adds some detail on how consent should be given.

The current Data Protection Directive defines consent as:

“…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

For example, when a customer frequents a coffee shop and drops her business card into a glass bowl advertising a chance to win free coffee for a year, she is consenting for her personal information to be used in order to be entered into the contest.

In the GDPR, the key elements of the consent definition remain—it must be freely given, specific, informed and there must be an indication signifying agreement. However, the GDPR goes further by requiring that affirmative consent must also be “unambiguous and involve a clear affirmative action.”

However, this definition is only the starting point for the GDPR’s new standard of consent. For example, the essence of Article 7 is that the GDPR places greater emphasis on individuals having clear, granular choices upfront and ongoing control over their consent. The new GDPR standards don’t apply only to consent given after May 25th; they apply to all existing EU subscribers on a company’s email list.

For example, if a company has a database of 100,000 email addresses that were all obtained when individuals filled out a form where an opt-in box was pre-checked, those records are not valid under GDPR. Customer inaction cannot be used as an assumption of consent.

The Information Commissioner’s Office (ICO) of the United Kingdom has issued a guide on consent under the GDPR. The guide offers a consent checklist for helping companies ensure they have taken the appropriate steps for meeting GDPR standards.

Following the checklist will ensure that organizations are compliant with key GDPR provisions, including:

  • UNBUNDLED TERMS: Consent requests must be separate from other terms and conditions. Consent must not be a precondition of signing up for a service unless it is necessary for that service to be rendered. If subscribing to a newsletter, for example, is a requirement for downloading a white paper then that consent is not freely given. Wherever possible, granular options should be provided to separate consent from other processes or requests.
  • ACTIVE OPT-IN: Consent requires a positive opt-in. For consent to be valid under GDPR, a customer must actively confirm their consent, such as by checking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.
  • TRANSPARENT AND EASY OPT-OUT: The GDPR specifies that individuals have the right to withdraw their consent at any time and that it must be as easy to withdraw as it was to give consent. All major email laws require brands to give their subscribers the opportunity to stop receiving emails. Each promotional email sent must include a prominent UNSUBSCRIBE option. Most organizations will likely already be compliant with this regulation; however, as the GDPR deadline approaches, it’s a good time to review the company’s policies.
  • DOCUMENTATION: GDPR requires that companies keep records that demonstrate exactly what the individual has consented to. This documentation should include: who consented, when they consented, how they consented, what they were told at the time of consent, and whether they have withdrawn consent.

Email marketers know that the new EU GDPR regulation significantly changes the marketing landscape; however, it shouldn’t make accomplishing marketing objectives impossible or overly burdensome. Companies should start by auditing their current database and understanding where their contacts are geographically located and whether an audit trail of consent was captured. It’s important for organizations to know who their contacts are, how they were acquired and whether proper consent policies were followed when the data were collected. This might require a re-permission initiative, which contacts subscribers and asks them in no uncertain terms to confirm that they would still like to receive emails by clicking a confirmation link in the email. This is an effective way of refreshing consent to be compliant with GDPR, or of removing subscribers from the mailing list.
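To make the checklist and the re-permission step concrete, here is an added example in Python; it is not Agari’s code and not an official ICO tool. It models a consent record carrying the fields the DOCUMENTATION bullet lists, an audit that applies the ACTIVE OPT-IN and UNBUNDLED TERMS rules, a one-call withdrawal, and the confirmation link used in a re-permission email. The HMAC-signed, time-limited token, the 30-day validity window, the method names and the sample addresses are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample key for the example; a real deployment would load it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_MAX_AGE = timedelta(days=30)  # assumed validity window for a re-permission link


@dataclass
class ConsentRecord:
    """One subscriber's consent audit trail (fields follow the DOCUMENTATION bullet)."""
    email: str                      # who consented
    consented_at: datetime          # when they consented
    method: str                     # how: "unchecked_box", "prechecked_box", "confirmed_link" (assumed names)
    notice_text: str                # what they were told at the time of consent
    bundled_with_service: bool      # was opting in a precondition of an unrelated service?
    withdrawn_at: Optional[datetime] = None  # whether (and when) they withdrew


def audit_consent(rec: ConsentRecord) -> List[str]:
    """Return the checklist items this record fails; an empty list means the consent is usable."""
    problems = []
    if rec.method == "prechecked_box":
        problems.append("ACTIVE OPT-IN: pre-checked box, inaction is not consent")
    if rec.bundled_with_service:
        problems.append("UNBUNDLED TERMS: consent was a precondition of another service")
    if not rec.notice_text.strip():
        problems.append("DOCUMENTATION: no record of what the subscriber was told")
    if rec.withdrawn_at is not None:
        problems.append("OPT-OUT: subscriber has withdrawn consent")
    return problems


def withdraw_consent(rec: ConsentRecord, when: datetime) -> None:
    """Withdrawing must be as easy as giving, so this is a single call with no extra conditions."""
    rec.withdrawn_at = when


def confirmation_token(email: str, issued_at: datetime) -> str:
    """HMAC-SHA256 over address and issue time, so a link cannot be forged or reused for another address."""
    message = f"{email}|{issued_at.isoformat()}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def confirm_repermission(rec: ConsentRecord, token: str, issued_at: datetime, now: datetime) -> bool:
    """Validate a clicked link; on success record a fresh, unbundled, actively confirmed consent."""
    if now - issued_at > TOKEN_MAX_AGE:
        return False
    if not hmac.compare_digest(confirmation_token(rec.email, issued_at), token):
        return False
    rec.method = "confirmed_link"
    rec.consented_at = now
    rec.notice_text = "Re-permission email: confirm you still wish to receive marketing email"
    rec.bundled_with_service = False
    rec.withdrawn_at = None
    return True


def plan_repermission(records: List[ConsentRecord]) -> Tuple[List[str], List[str], List[str]]:
    """Split a list into: keep mailing, send a re-permission email, drop (withdrawn, never re-contact)."""
    keep, ask, drop = [], [], []
    for rec in records:
        if rec.withdrawn_at is not None:
            drop.append(rec.email)
        elif audit_consent(rec):
            ask.append(rec.email)
        else:
            keep.append(rec.email)
    return keep, ask, drop


def sample_records() -> List[ConsentRecord]:
    """Constructed sample list, not real subscriber data."""
    t = datetime(2017, 3, 1, tzinfo=timezone.utc)
    return [
        ConsentRecord("a@example.com", t, "unchecked_box", "Tick to receive our newsletter", False),
        ConsentRecord("b@example.com", t, "prechecked_box", "Tick to receive our newsletter", False),
        ConsentRecord("c@example.com", t, "unchecked_box", "Subscribe to download the white paper", True),
        ConsentRecord("d@example.com", t, "unchecked_box", "Tick to receive our newsletter", False,
                      withdrawn_at=t + timedelta(days=10)),
    ]


def demo() -> dict:
    """Run the audit and re-permission flow over the sample list and return the results."""
    recs = sample_records()
    keep, ask, drop = plan_repermission(recs)
    issued = datetime(2018, 5, 1, tzinfo=timezone.utc)
    target = recs[1]  # the pre-checked-box record that needs re-permission
    token = confirmation_token(target.email, issued)
    forged = confirm_repermission(target, "0" * 64, issued, issued + timedelta(days=1))
    stale = confirm_repermission(target, token, issued, issued + timedelta(days=31))
    ok = confirm_repermission(target, token, issued, issued + timedelta(days=1))
    after_confirm = audit_consent(target)
    withdraw_consent(target, issued + timedelta(days=2))
    after_withdraw = audit_consent(target)
    return {"keep": keep, "ask": ask, "drop": drop, "forged": forged, "stale": stale,
            "ok": ok, "after_confirm": after_confirm, "after_withdraw": after_withdraw}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points are worth noting. Withdrawn addresses go into a separate bucket that is never re-contacted, because a re-permission email to someone who has already opted out is itself a marketing message sent without consent. And the confirmation link is signed and time-limited so that only the addressee who received the email can refresh the record; a plain unsigned link would let anyone who guessed the URL format "confirm" consent on another person's behalf, which would undermine the audit trail the DOCUMENTATION bullet requires.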
