As online activities evolve, the importance of privacy and data protection is becoming more and more evident, along with the obligation to comply with data protection and privacy laws in all fields, such as GDPR & Email Marketing.
Nowadays, data is considered an economic asset, so it brings value and promotes innovation, as it enables businesses and new products to be developed.
However, indiscriminate use of this data can expose people to abuse, personal and economic risks. For this reason, numerous privacy and data protection laws have been established around the world, seeking to organize the way this data is processed and guarantee transparency in relations between companies and people.
Table of Contents
Data protection laws worldwide
Around 71% of countries have privacy and data protection legislation, and another 9% are already making progress in this regard. 20% of nations do not have or do not report legislation in this regard (UNCTAD, 2021).
There are laws that vary in their requirements and strictness, covering countries or economic blocs such as the United States (CCPA, CPRA, VCDPA, CPA, UCPA), China (PIPL, DSL, CSL), Brazil (LGPD), the European Union (GDPR), Canada (PIPEDA), Mexico (LFPDPPP), Japan (APPI), among many others.
In general, these laws cover aspects such as the collection, storage, use and disposal of personal data, as well as rights for data subjects and obligations for data controllers and processors.
In other words, even though there are differences between them, the focus is on guaranteeing individuals’ privacy rights.
In this article, we’re going to talk about some key aspects of GDPR & email marketing, but not only. We’ll also cover some aspects in which this regulation is similar to others, such as Brazil’s LGPD and California’s CCPA.
If you want to have access to the privacy and data protection laws and regulations available in all countries, we recommend visiting the website of the United Nations Conference on Trade and Development (UNCTAD) – click to visit
GDPR & Email marketing: data collection precautions
First of all, let’s talk about the issue that worries all email marketers: collecting email data to build contact lists.
Registration forms and landing pages: transparency and necessary adaptations
Your first task as a marketing professional is to review all your data collection points. All of them!
If necessary, make layout changes, reposition elements and get rid of some reprehensible practices, such as leaving checkboxes pre-ticked.
Among the most common data collection points to review are landing pages, pop-ups, registration totems in physical stores and even paper forms (please don’t use paper forms!).
Taking advantage of this key moment for your email marketing, ensure that email address information is also collected correctly, i.e. that only valid emails are collected. To do this, use email verification services such as SafetyMails, which removes invalid, temporary and spamtraps emails, among others. Create an account now for free.
Make your collection intentions clear on the form and on the page
At the time of data collection, the user must be clearly informed of the purpose of the data collection. In other words, they must know what you intend to do.
Obviously, the visitor knows that they are “giving away” their data in exchange for downloading a PDF with market research or for access to a free course or members’ area. This intention is explicit from the outset, but there are implicit intentions – those that, in principle, are of interest only to you, the marketer.
So say exactly what you’re going to do with the data you’re requesting. In other words, leave out those generic “we’ll keep you informed about the market” texts and go for “you’ll receive marketing messages, offers and market news”.
Make it clear what will be done with the data collected
Furthermore, be transparent about the processing and destination of the data collected, i.e. whether it will be shared with a third party for processing, where it will be stored, and for what purpose it will be used (such as profiling). Offer hyperlinks with more information about your privacy and data protection policies, as well as contact channels for resolving queries.
It is forbidden to use data for purposes other than those for which consent was obtained. If necessary, request a new explicit consent, making the new intentions clear in the authorization that must be obtained from the data subjects.
Collect data based on unambiguous consent
Never, under any circumstances, leave the permission fields previously checked when registering a new account. This goes directly against all regulations.
Permission to collect data must be free and explicit, i.e. it must be unambiguous. When you leave a field pre-marked, you are misleading the visitor and possibly obtaining their permission illegally, as well as going against good practice and respect for the consumer.
- Note that the consent checkbox is unchecked, as required by privacy and data protection laws.
Save the consent option
Organize with the IT and CRM team so that the consent given by the visitor is recorded and documented in some way, in accordance with legal requirements.
One way of doing this is by recording the date, time and IP address used.
Only collect absolutely necessary data
Only collect the data you need to carry out your work. In other words, if the telephone number is not necessary for you to fulfill the marketing objectives proposed for the data subject, then you should not obtain this data. Above all, avoid sensitive data (such as religion, ethnicity, medical data, etc.), except in cases where it is really necessary.
The GDPR, in its article 5, (1)(c), emphasizes the importance of data minimization, i.e. it makes it clear that the collection of information must be limited to what is necessary for the provision of the service. The LGPD also mentions this in Article 6, III.
References for this topic:
- GDPR: Articles 5, 6, 7, 12 and 32.
- LGPD: Articles 6, 7, 8, 9 and 46.
- CCPA: Sections 1798.100, 1798.110, 1798.120.
Data storage precautions
If you think that by reviewing your data collection policies you are already bringing your email marketing into compliance, you are mistaken. We also need to talk about the storage of this data.
You need to ensure that the data you have obtained is kept confidential and that it is only accessible by those who really need it.
If we are talking about sensitive data, then the level of security and privacy changes: it is essential that information on health, religion, politics, data on minors, among others of this nature, is subject to even stricter protection processes.
Data storage, if done by a contracted platform, must also comply with privacy and data protection laws. Have you read your suppliers’ terms of use and privacy and data protection policies?
Use best practices to guarantee data security
Laws require companies to implement appropriate technical and organizational measures to protect personal data against:
- Unauthorized access
- Destruction
- Loss
- Alteration
- Disclosure
Note that the text mentions not only technical measures, in which we could talk about complex processes and software, security and privacy frameworks, in an endless text on this aspect alone.
There are also organizational measures. Therefore, the philosophy of privacy and data protection needs to be developed internally. The clean desk policy (which requires employees to keep their work areas free of sensitive or confidential information, ensuring data protection and privacy) is just one of them. Developing comprehensive documentation and training teams is also part of the organizational measures.
Therefore, maintain direct and constant contact with your company’s Data Protection Officer in order to always be in line with best practices and how to make your processes safer and more compliant with the law.
Data anonymization and pseudonymization
Data anonymization is recommended by most data protection laws. So it’s no different with GDPR & email marketing, i.e. if data can be stored in such a way that it can no longer be linked to a specific individual, so much the better.
Pseudonymization is an alternative practice to anonymization. Here, data that would allow an individual to be identified is replaced by an artificial identifier, or pseudonym. For example, hospital and other health service databases should be pseudonymized in order to protect people’s health record information as much as possible, ensuring their privacy even in the event of a leak.
How long can I keep the data? Forever?
No! The data retention period must comply with the law or be clearly established in the company’s policies, always taking into account the principle of transparency and limited retention.
In other words, companies can only retain personal data for as long as is required by legal obligations or for as long as is necessary to fulfill the purposes for which the data was collected. Always stay in touch and in tune with your CRM manager.
References to this topic for research:
- GDPR: Articles 4, 5, 15, 16, 17, 24, 32, 33.
- LGPD: Articles 12, 16, 18, 46 and 50.
- CCPA: Sections 1798.105, 1798.120.
GDPR & Email Marketing: be careful when using data
As we saw earlier, care must be taken when collecting personal data, respecting the wishes of the data subject (the person), collecting only the data necessary to provide the service, being transparent about its use and making a commitment to protect this information (under severe penalties from the regulatory bodies in the event of non-compliance).
Taking another step towards transparency and respect for the consumer in relation to data and compliance with data protection and privacy regulations in the field of email marketing, let’s talk about the preferences of the data subject.
Always respect the holder’s personal communication preferences
When a visitor (the data subject) gives permission for data to be collected, we can say that they are doing so through an exchange: the data for a pdf, or a subscription to a newsletter, or access to a trial period in a SaaS system, etc.
However, when we talk about GDPR & email marketing (and also the LGPD and CCPA), there are clauses that say we must respect the data subject’s communication preferences. In other words, we must allow them, the user, to set their own preferences. That seems very fair.
How about a Preference Center?
To facilitate this decision-making process, companies have created “Preference Centers”, where the user can “turn on or off” their communication preferences in email marketing (and also SMS, Push notifications, etc.), such as opt-in and opt-out preferences for marketing emails.
Here’s an interesting example from the Litmus website, where you can choose which types of communications you want to receive when you sign up.
Another, more complete example can be seen on CNN’s website:
- A list of all available newsletters is displayed on the screen. Each newsletter covers a different CNN section, with its own frequency of delivery, etc.
- The bottom of the screen shows the visitor how many newsletters they have selected in total.
- In addition to the privacy notice showing the purpose and what will be done with the data (including that it may be used by affiliates), there is a field for the visitor to enter their email address.
- The button to subscribe to these selected services.
After this initial registration, the user can change the number of newsletters, increasing or decreasing them as they wish.
Right to opt-out and update data
Still talking about the preferences of data subjects, we couldn’t fail to mention the unsubscribe option in all emails sent, as well as the preference center itself.
Remember that the unsubscribe option is mandatory in emails. And an unsubscribe is better than a spam complaint!
Be careful with data segmentation
Of course, you can carry out data segmentation for your campaigns. In fact, it’s one of the most fundamental guidelines of email marketing, as you can see in our article that gives you an excellent strategic roadmap for your email marketing actions.
However, even data segmentation is now governed by the GDPR in email marketing, as well as the LGPD.
How is this done? Well, in these laws there is what we can call “segmentation limitation”. In other words, the segmentation and personalization of campaigns must be based on minimally necessary data and, above all, discrimination or invasive practices are prohibited.
Of course, this criterion can be considered subjective. For example, if it is used to segregate, it could be considered discriminatory. But if, on the other hand, it is used to protect, it is considered legitimate.
An example: a Catholic school is going to send a religious message to its contact list, which is made up of the parents of its students. In this case, segmenting the contact group based on their declared religion could be a legitimate use of segmentation. However, making an offer of an excursion for students, where only those who are Catholic will enjoy a discount to the detriment of students from other religious denominations, is an example of illegal segmentation, as it is discriminatory based on religion. Always be on your guard.
Beware of segmentation and automated decisions
If customer data is used in automated decision-making processes (segmentation and personalization of offers), the holders must be informed of this and given the possibility of a manual review. Yes, this is foreseen not only in GDPR & email marketing, but in all data activities.
What’s more, these decisions must not constitute any kind of discrimination or adverse impact on data subjects.
GRPR & Email Marketing: is it possible to share data with third parties?
Sharing personal data is permitted by regulations such as the GDPR, LGPD and CCPA, for example. But that doesn’t mean you can do it freely.
On the contrary, this type of practice (data sharing) is subject to strict rules, especially depending on the purpose for which the data is being shared. This practice needs to be aligned with the execution of a contract. In some cases, it is possible to use the justification of legitimate interest as a legal basis, but this requires careful evaluation together with your Data Protection Officer.
When we talk about GPDR & email marketing (and even the LGPD and CCPA), this includes rules for sharing between companies and also international data sharing.
Data sharing in email marketing for service provision purposes
If data sharing is necessary for the performance of a service contract, this is provided for and permitted by data protection laws. For example, we are talking about the transfer of data to suppliers or partners who assist in the provision of that service, such as when a system uses a third-party service for secure data upload.
Since we’re talking about GDPR & Email Marketing, here’s another example: when a visitor allows you to collect their personal data on a form, this information is usually stored and processed by a system you’ve hired, such as an email marketing platform or CRM, right? This is already data sharing!
However, although this procedure is permitted, the data subject must be aware of it in order to comply with the principle of transparency and consent.
Another important aspect is that the partner to whom the data is shared must also comply with data protection laws and become responsible for the privacy and protection of the data received.
And finally, these partners are only allowed to use this data for the fulfillment of the requested service and cannot use it for other unauthorized purposes.
Data sharing for marketing purposes
Sharing data for marketing purposes is permitted, but only with the explicit consent of the data subject. In other words, you need to make sure that you have two separate consents: one for your collection and processing of personal data and another for any sharing with partners.
Here again, transparency is important: try to inform which partners will receive this shared data, in order to obtain a greater number of consents.
It is therefore very important to make this option very clear (what we call unambiguous consent) and also to provide an option to revoke this consent, as this is also a right of the data subject under the law.
Opt for compliant email marketing platforms (and add ons)
When you hire email marketing platforms and any other platforms and services that may have access to personal data, they need to comply with privacy and data protection laws.
Together with your company’s Personal Data Officer, find out about the compliance of these companies, their terms of use and privacy and data protection policies, any certifications and keep an inventory of service providers.
Never contract services of a dubious nature that could collaborate with illegal sales and data leaks.
To learn more about this topic, we recommend:
- GDPR: Articles 5, 6, 7, 9, 12, 20, 21, 22 and 28.
- LGPD: Articles 6, 7, 8, 9, 11, 18 and 22.
- CCPA: Sections 1798.120, 1798.140(v), 1798.100, 1798.105 and 1798.145(a).
Rights of personal data subjects
When taking the GDPR into account for email marketing or any other data protection laws, such as the LGPD and CCPA (on which this post is based), remember that you are dealing with a precious asset: personal data. The company is now subject to a series of legal obligations. These include full compliance with the rights of data subjects, i.e. the people who have given consent for their data to be used.
Here are some examples of data subjects’ rights that you should know about:
- Right of access: data subjects have the right to request confirmation of the existence of processing of their personal data and to access this data, as well as to know how and why their data is being processed.
- Right to correction: this is the right of individuals to request the correction of incomplete, inaccurate or outdated personal data.
- Right to be forgotten: individuals can request the erasure of their personal data collected by a company, subject to certain exceptions, such as compliance with legal obligations.
- Right to data portability: data subjects can request to receive their personal data in a structured, commonly used and automatically readable (and facilitated) format, and to transfer this data to another controller without hindrance.
- Right to oppose: data subjects can object to the processing of their personal data in certain situations.
- Right to restriction of processing: data subjects can request the restriction of processing, with the anonymization, blocking or deletion of unnecessary, excessive or legally non-compliant data.
- Right to information: the right to be informed about the collection, use and processing of personal data, including the purpose of the processing and the legal basis for the processing.
- Right not to be discriminated against: people have the right not to be discriminated against because they refuse to provide their personal data (right to privacy), such as paying different prices or receiving inferior services.
To find out more about the rights of the holder of personal data, check out:
- GDPR: Articles 12 to 23.
- LGPD: Articles 17, 18, 20 and 21.
- CCPA: Sections 1798.100, 1798.105, 1798.110, 1798.120 and 1798.125.
About those who don’t follow these rules
Well, so far we’ve had a lot of information, rules to follow, precautions to take, but one question you might be asking yourself right now is: “why should I have to follow these rules when I see countless websites and services that don’t?”
Well, ignoring data protection regulations can result in significant fines. In the GDPR, for example, the fine can be up to 20 million euros or 4% of the company’s global turnover, whichever is greater. In Brazil, the LGPD provides for fines of up to 2% of the company’s turnover, limited to 50 million Brazilian Reais.
In addition, the company could suffer serious reputational damage. And trust is one of a company’s most valuable assets. Imagine the negative impact on a brand of news of data breaches. This can lead to loss of customers, lawsuits and difficulties in attracting new clients.
With the implementation of strict information security and data protection compliance processes in commercial and legal dealings for new business between companies, not being compliant can mean simply not being accepted as a supplier.
Compliance, awareness and training
If your company is not compliant with data protection laws, it’s time to move. If it is, maintain direct contact with the Data Protection Officer and establish fully compliant methods for your email marketing, from capturing to sending campaigns, enriching data and monitoring results.
Raise awareness and engage senior management and the organization as a whole, so that they adopt compliance measures and know the laws. Thus, with the concept of “Privacy by Design”, privacy will be a fundamental part not only of email marketing, but of all the organization’s activities.
For reference, this topic was based on:
- GDPR: Art. 83(5)
- LGPD: Art. 52
Conclusion
The demand for privacy and data protection is growing globally, and the impact of these regulations on email marketing strategies is becoming increasingly significant.
Complying with these regulations, such as GDPR, LGPD and CCPA, is not only an obligation, but an opportunity for companies to strengthen their customers’ trust and become more attractive to the market, with a solid and reliable reputation.
Success in modern email marketing depends on strict compliance with data protection regulations and the ability to adapt strategies to respect and protect consumer data. Do this and see the benefits it will bring to your business.
FAQ
Regulations such as GDPR, LGPD and CCPA directly impact the way you collect, store and use personal data in your email marketing campaigns. Ensure that all practices comply with these regulations, with explicit consent, collection of only the necessary data and full transparency about the use and sharing of this information.
Review all collection points, such as forms, landing pages and pop-ups, ensuring that they are transparent and clear about the purpose of collection, with visitors giving consent unequivocally, without deceptive practices such as pre-ticked checkboxes, and being informed about what will be done with the data.
Ensure that the information is protected against unauthorized access, loss, destruction or alteration. When using third-party platforms to store data, make sure that these providers also comply with data protection regulations. Implement appropriate technical and organizational measures to protect the information, especially in the case of sensitive data.
Sharing personal data with third parties for marketing purposes is only permitted if the data subject has given explicit consent to do so. Data subjects must have the option to revoke this consent at any time. Data sharing must always respect the principle of transparency and the specific purpose for which the data was collected.
Respecting your customers’ communication preferences is important for complying with data protection laws and maintaining a healthy relationship with your audience. Offer users the possibility of defining their preferences through a “Preference Center”, where they can choose which types of communication they want to receive and how often.
It must be done on the basis of the minimum necessary information and in such a way as to avoid any discriminatory practice. For example, segmenting a campaign based on religion in order to offer exclusive benefits or discounts to one group to the detriment of another could be considered discriminatory and therefore illegal. Segmentation should always be aimed at improving the relevance of campaigns without compromising fairness and respect for the rights of individuals. If in doubt, talk to your Data Protection Officer.