7 things you must know to send marketing emails even without consent and stay GDPR compliant

When it comes to GDPR, many people still think it means a disaster for email marketing. A couple of months ago, I was really amused by one of our competitors who recommended deleting most of your mailing lists and starting almost from scratch if you don't have consent from your contacts, and who even claimed that this would help your marketing effort!

In fact, the situation is much more favorable, and if you haven't done really harsh things like buying databases of millions of addresses and sending them mass emails offering blue pills, you can most likely continue as usual.

Cold emailing is a very effective marketing instrument. If done reasonably and within the legal framework, it is no more annoying than any Google or Facebook ad. In this article, I will explain how to use email marketing and cold emailing while staying compliant.

How to send GDPR compliant marketing emails in the EU?

Do you need to follow GDPR?

The answer is clear if your company is based in the European Union. GDPR is a mandatory regulation for all European companies. However, even if you are based in the USA or anywhere else in the world, it does not mean that you can ignore GDPR. GDPR is not about emails or addresses; GDPR is about personal data. It was adopted to protect the personal data of European citizens, hence even if you reside outside the European Union but target European customers, you have to care about it. "European customers" does not mean just the citizens of a European country, but also non-residents located in the EU. Even if you are a tourist from South Africa visiting Paris, your personal data, including email addresses, are protected under GDPR while you are there.

If you are not a European company and are sure that you have no personal data of European customers in your database, you don't need to care about the European regulation. However, there is most likely a local regulation on marketing emails that you have to follow, for example the CAN-SPAM Act in the U.S.

Do you send marketing emails?

Strange question, right? What does "marketing emails" mean, and are there also "non-marketing" ones?

Yes, in terms of emails we talk about:

  1. personal emails
  2. transactional emails
  3. marketing emails

Personal emails are one-to-one emails, typically sent from a human to a human. Answering your customers' inquiries is a good example. Transactional emails are automated emails sent from your system to your contacts that carry information related to a customer's transaction. If you send invoices by email, or notifications about order fulfillment, account balances or any other information related to the service provided to your customer, you are sending transactional emails. Under GDPR, transactional emails are mostly covered by the principle of "legitimate interest". If you deal with a customer, it is simply necessary to send them an invoice. You do not need any consent for it, and you can process their personal data for this (and only this) purpose. Marketing emails are the rest: your promotions, offers, proposals, newsletters. You often need consent to send them to your customers.

Hack No. 1: add some promo into your transactional emails. A transactional email stays transactional even if you place a banner or some other marketing information in it. Moreover, as transactional emails have a higher open rate, it is much more likely that the promo will be read. As long as it is a true transactional email and you don't send it just for the sake of promotion, you can use it.

In the next part, you will see how you can legally send your marketing emails even without consent.

How to send marketing emails without consent?

You have an email database that you collected over the years, but you didn't explicitly ask for consent. Should you delete it? Nope. There is not just GDPR, but also other valid norms and regulations that you should take into consideration. The E-Privacy Directive (2002/58/EC) (ePD) is an EU directive on privacy and data protection that is implemented into the national law of European countries (by the way, a new European regulation, the so-called ePrivacy Regulation, is expected to come into effect in 2019). Individual countries implemented the E-Privacy Directive into their legislation, and most of them (except Cyprus, Italy, and Poland) chose some opt-out system for email communication with current or potential customers. This means that you can send marketing emails to contacts who are your customers (bought a product or service from you) or potential customers (e.g. negotiated about a deal).

Opt-in - you are allowed to send emails to a customer solely if they asked for them

Opt-out - you are allowed to send emails to a customer, but you have to stop sending as soon as they ask to unsubscribe

However, this is always limited to similar or related products or services. It means that if you have a customer who bought an iPhone from you, or who e.g. asked you for a price offer for an iPhone, you are in most countries allowed to send them marketing emails on e.g. new versions of iPhones, other mobile phones, or accessories. You are nevertheless not allowed to send them promotions for ice cream or online casinos, and you cannot sell the contacts to third parties.

Sending to B2B or B2C - different rules

It really matters whether you send to companies or to individuals. First, although GDPR stands for "General Data Protection Regulation", it in fact protects only the personal data of living natural persons. Data of legal persons are not protected under GDPR. This has many implications; among others, it means that solely under GDPR you can freely collect and use the addresses of companies. But "company address" does not mean just anything @company.com. Even if the email address is on a company domain, it could still be associated with an individual natural person, and therefore it is still protected under GDPR. Only addresses that are beyond any doubt generic and do not belong to any particular human being are exempt. Addresses like info[at]company[dot]com, sales[at]company[dot]com, etc. are usually a good example. In other cases, it is not that clear. For example, hello[at]johnsmith[dot]name is most likely the address of a natural person (hopefully a living one), so it should be treated with respect to GDPR.

As already mentioned, GDPR is not the only law you should care about. If you want to send marketing emails, the ePD is also important, and then it depends on the national implementation what you can or cannot do. Most European countries protect B2C communication more than B2B (not surprisingly). It means that you can opt-out companies, but you must opt-in individuals. Exceptions exist: in Italy, the rules for B2B are more stringent than for B2C, and Malta does not distinguish between the two. In the U.S., for comparison, the opt-out rule applies to all recipients.

Personal use

We are still talking about use in companies. Businesses are indeed the main users of email marketing; however, even individuals sometimes send mass emails. Season's greetings are a good example. Aren't you breaching anything?

Don't worry, you can send your greetings to your grandma freely. GDPR explicitly says: "This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities." (Recital 18).

Legitimate interest

Legitimate interest is a concept within GDPR that allows you to process personal data even without consent. We already mentioned transactional emails, which are an application of Article 6 (b): "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract". Of course, if you are selling through your e-shop, you need to know your customer's address in order to ship their orders or send invoices, etc. It would be silly to ask for consent to be allowed to do so. Article 6 enumerates other cases where you can process the data without consent, e.g. if you are obliged to do so by law, if you are an official authority, etc.

Article 6 (f) is particularly interesting: "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." It means that you can use someone's personal data for your legitimate interests, provided your interests are not overridden by the interests of the data subjects. Except for the case where the data subject is a child, it is quite a vague statement.

Recital 47 of GDPR explicitly states that: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." To verify whether we have a legitimate interest, we can apply the following tests:

  • purpose test
  • necessity test
  • balancing test

From the marketing point of view, without much doubt, disseminating information about its products and services is a legitimate interest of any business. As long as we are within the legal framework, i.e. we don't want to promote illegal drugs, etc., and we follow the local opt-in/opt-out rules, we most likely pass the purpose test. The necessity test should verify that the processing of personal data is necessary. Email marketing is an incredibly efficient form of communication. A small company in particular could decide quite easily that it is a necessary marketing tool, because it simply does not have enough funds to pay Google for PPC. Finally, the balancing test should ensure that the benefits for the target customers outweigh their costs. This is usually the trickiest test, as we tend to focus on the benefits for us instead of the benefits for the data subjects, i.e. the customers. From my experience, the most important thing is perfect targeting. If you offer something that is of real value to someone, something they are currently looking for, they will hardly complain. Web advertising like Google or Facebook PPC is, by the way, based on the same assumption. If you are sending suspicious offers of Cialis to millions of addresses, it is hard to prove that the benefits of the emails for the customers are greater than the cost of their time spent reading and removing spam. On the other hand, if you are e.g. a startup seeking funding and you receive an invitation to an accelerator, it could be in your real interest to receive such an email.