23 April 2018

GDPR – Steps to take now for your mailing list and privacy policy

Zuckerberg – his $66 billion value is based largely on data-driven targeted ads on the Facebook platform. We now know that there has been widespread exploitation of Facebook data from 3rd parties, some of which has broken existing data protection regulations, let alone the upcoming GDPR!

Back in December 2017 I wrote about the new data protection rules in the article: Are you ready for the new General Data Protection Regulation (GDPR)? Since then, I’ve had multiple queries from clients about data protection and, in the last few weeks, the hugely relevant story has come to light about illegal data scraping by Cambridge Analytica and other 3rd parties through Facebook. The fall-out from Facebook is continuing (I’m fully anticipating that Google will soon come under scrutiny too), and most people now grasp that the new GDPR is a serious issue and that it is going to curtail some online marketing practices.

In this article – with one month to go until the new GDPR rules kick in – I will discuss the practical steps clients may need to take with their mailing lists and privacy policies. Again, I’m going to stress that my advice comes with the caveat / disclaimer that I’m no expert and that you may need expert legal advice for your particular business. Mailing lists and your privacy policy are only a small part of GDPR as a whole. If you want to check the full GDPR rules, look at GDPR-info.eu. It’s a lot of legalese to read through, though, and a lot of burden for small businesses. I certainly haven’t had the time to read through the entire thing. But I have gleaned some important points, and the checks and steps I’m about to describe appear to be relevant and necessary if you have a mailing list and website.

New restricted rules for mailing lists

From 25 May onwards your mass emails must be sent only to people who have specifically asked to be on your mailing list.

You need to have proof that they opted in for marketing, newsletters etc. This could take the form of, for example:

  • They selected a check box asking to be on your mailing list when purchasing or subscribing to something.
  • They clicked an opt-in confirmation link auto-generated by your mailing list software, e.g. MailChimp’s double opt-in confirmation.

The above methods give proof in the form of digital reference points – usually in the form of a signup date and time in your database. You may find you can locate this proof in a database export, such as an exported MailChimp list.

[Image: Opt-in confirmation example – a confirm date/time stamp in an exported MailChimp list]

Note that preselected check boxes will no longer be allowed. It now has to be an opt-in, not an opt-out selection.

Below is an example of a GDPR-compliant opt-in from John Lewis / Waitrose. It’s an opt-in field, not pre-ticked, requiring action on the part of the user, and it makes it clear what kind of marketing the user is opting into if they tick “Yes please”. For best practice, they’ve also given a “No thanks” field to make the choice absolutely clear. They’ve also given a link to their privacy notice.

You also need to offer your contacts an easy way to unsubscribe themselves from your mailing list. If you use MailChimp, Constant Contact and various other cloud mailing programs, an unsubscribe link has been standard for years. If you’re not using one of those systems, though, you need to manually add something to every single mailing.

[Image: Example of a MailChimp unsubscribe link]

There are other new rules governing the ease with which someone can ask for their data to be completely deleted, but I won’t tackle that element in this article, largely because I don’t know the answers! I expect standard practices will emerge for data deletion in due course.

Non-compliance after 25th May

If you don’t have proof that someone opted in for your marketing campaigns, then you shouldn’t be sending them marketing campaigns after 25th May.

Perhaps you uploaded a contact list a long time ago and can’t remember how or if you got permission. Or you’ve been assuming that because a customer bought something from you, or they are a long-term client, that they would be interested in your newsletter. Well, that may have been a fair assumption in the past, but it’s going to break the rules after 25th May if you didn’t expressly obtain their permission to be on your list.

What if you bought or were given a contact list by another organisation? Well, if you can prove that the contacts originally opted in for your specific 3rd party mailings, you may be ok. But probably safer to assume not. Definitely seek legal advice from a GDPR expert if you’re in this situation.

At the very least, if you’re not sure if what you’ve been doing so far is compliant, go through the ICO’s direct marketing checklist.

What if your existing mailing list isn’t compliant?

What many marketeers are doing at the moment is sending special opt-in mailings ahead of 25th May. So, you ask contacts to confirm that they want to remain on your mailing list. If they click the confirmation link then you will have a digital proof of opt-in and can leave them on your mailing list. This is also a good way to engage with your customers and clients, and is exactly what I’m about to do with Thameside Media’s mailing list. It may be a link in that confirmation email that brings you to this helpful article!

If the contact fails to click the opt-in confirmation link then you probably need to take them off your mailing list after 25th April, as you don’t have any proof that they opted in. Or send them a standard personal email asking for permission to keep them on your mailing list.

NB: one client has asked if we need to send out this type of opt-in confirmation to their existing mailing list. As people on that client’s mailing list have been subscribing themselves one by one over several years, and we have a record of the dates when they did so, my current advice is that we do not need to send out the type of special opt-in confirmation described here, because – as far as I can see – the client’s mailing list is already GDPR-compliant.

After 25th May, all new additions to your mailing list will need to be opt-ins. Take off any that aren’t. Don’t try to do a bulk upload or import of contacts unless you have solid evidence all these people opted in for your mailing list.

Yes, for some marketeers, this may result in a severely reduced mailing list.

What if your mailing list is partially but not fully compliant?

Some of the mailing lists I’ve seen are a mixture of contacts who have opted in and others uploaded in bulk by an administrator. In this situation you could either send a special opt-in confirmation mailing to all contacts, or you could segment the mailing so it goes only to recipients who did not originally opt in themselves.

If your contacts opted in, but the wording of what they were opting into wasn’t clear, then send an opt-in confirmation that makes it clear what kind of communications and/or marketing they’re going to get from you.
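The audit described above (locating the confirm date/time stamp in a list export, segmenting contacts who lack one, and then keeping only those who click the re-confirmation link) can be done with a short script. The following is an added example and is not code from the article, from Thameside Media or from MailChimp. It assumes an export with columns named Email Address, OPTIN_TIME and CONFIRM_TIME, modelled on the confirm timestamp the article shows; check the header row of your own export, since column names may differ. The sample rows and the re-confirmation clicks are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a MailChimp-style list export. Alice and Dave carry a
# confirm timestamp (double opt-in completed); Bob opted in but never confirmed;
# Carol was bulk-uploaded by an administrator and has no opt-in record at all.
SAMPLE_EXPORT = """Email Address,First Name,OPTIN_TIME,CONFIRM_TIME
alice@example.com,Alice,2016-03-02 10:15:00,2016-03-02 10:17:42
bob@example.com,Bob,2017-11-20 09:00:00,
carol@example.com,Carol,,
dave@example.com,Dave,2018-01-05 18:30:00,2018-01-05 18:31:09
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed export format; adjust to match yours


def parse_export(text):
    """Parse the CSV export into a list of dicts, one per contact."""
    return list(csv.DictReader(io.StringIO(text)))


def has_confirmation(row):
    """True only if CONFIRM_TIME holds a well-formed timestamp.

    An empty or malformed value is treated as no proof of opt-in, which is the
    safe default when you cannot show when consent was given.
    """
    stamp = (row.get("CONFIRM_TIME") or "").strip()
    if not stamp:
        return False
    try:
        datetime.strptime(stamp, TIMESTAMP_FORMAT)
        return True
    except ValueError:
        return False


def segment_list(rows):
    """Split contacts into those with digital proof of opt-in and those without.

    The second list is the segment that should receive a special opt-in
    confirmation mailing; the first can stay on the list unchanged.
    """
    confirmed, needs_reconfirmation = [], []
    for row in rows:
        target = confirmed if has_confirmation(row) else needs_reconfirmation
        target.append(row["Email Address"])
    return confirmed, needs_reconfirmation


def apply_reconfirmation(rows, clicks):
    """Record re-confirmation clicks and decide who stays on the list.

    `clicks` maps an email address to the timestamp at which that contact
    clicked the confirmation link. Contacts in the re-confirmation segment who
    clicked get a CONFIRM_TIME recorded; those who did not are listed for removal.
    Returns (emails_to_keep, emails_to_remove) in the export's original order.
    """
    keep, remove = [], []
    for row in rows:
        email = row["Email Address"]
        if not has_confirmation(row) and email in clicks:
            # Validate the click timestamp before treating it as proof.
            datetime.strptime(clicks[email], TIMESTAMP_FORMAT)
            row["CONFIRM_TIME"] = clicks[email]
        (keep if has_confirmation(row) else remove).append(email)
    return keep, remove


if __name__ == "__main__":
    contacts = parse_export(SAMPLE_EXPORT)
    proven, to_reconfirm = segment_list(contacts)
    print("Already have proof of opt-in:", proven)
    print("Send opt-in confirmation to:", to_reconfirm)
    # Constructed outcome of the confirmation mailing: only Bob clicked.
    clicks = {"bob@example.com": "2018-05-10 08:02:11"}
    staying, leaving = apply_reconfirmation(contacts, clicks)
    print("Keep on list:", staying)
    print("Remove from list:", leaving)
```

Run against a real export, the "needs re-confirmation" list is what you would load into a segment for the special opt-in mailing, and the clicks would come from your mailing software's campaign report rather than a hard-coded dictionary. Treating a missing or unparseable timestamp as "no proof" is deliberate: it errs toward removing a contact rather than mailing someone whose consent you cannot demonstrate.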

Privacy policies

If you’re handling contact data, you will now need to publish a privacy policy that explains in simple, clearly understandable language what you’re using that contact data for. You also need to publish a privacy policy on any website using Google Analytics (that’s almost every website I’ve ever created). If your website uses cookies that are capable of identifying a user, you also need to mention them in your privacy policy.

A good solution is to write your privacy policy on a separate page, have a link to it in the footer of your website, link a cookie notice pop-up to it when a user opens the website, and also link to it from your sign-up forms.

Clients should contact me at ros@thamesidemedia.com if they need specific help to implement GDPR elements before 25th May.

Please also let me know if you think I’ve got anything wrong in this article. I’m trying to be helpful but I’m not a data protection expert!

Written by Thameside Media · Categorized: Data Protection
