The regulatory tide over the past few years has expanded individuals’ privacy rights on a global level and has put the onus on email marketers to be more deliberate in their handling of users’ personal data.
Canada’s Anti-Spam Legislation (CASL) and Australia’s Anti-Spam Act have already been enacted in those countries, but the biggest change is yet to come. In 2018, the European Union’s General Data Protection Regulation (GDPR) will have wide-ranging implications for all marketers, but will especially affect email marketers.
Navigating this new environment means email marketers need to reevaluate their existing data standards and adopt new ones.
Best Practices To GDPR Compliance
For companies still coming to grips with GDPR, Jon Russo, founder of B2B Fusion, recommends the following best practices:
- Appoint a ‘data czar’ who owns all aspects of data but isn’t the one doing the hands-on, day-to-day work.
- Conduct or have a third-party conduct a “data health check” on governance and data quality. “This will help illuminate all issues related to data and improve sales/marketing productivity,” Russo said.
- Talk to partners that have configured complex preference centers, double opt-in email policies and set up segmented lists to avoid improperly emailing segments that would be covered by GDPR.
CASL requires that all commercial email messages sent to or from Canada receive consent from recipients before sending messages. Such consent can be implied. If the sender has a preexisting relationship with the recipient, for instance, the communication is viewed as consensual. Australia’s Anti-Spam Act has similar stipulations and applies to emails to and from that country.
The GDPR has similar restrictions about email messages as well, but the law affects many more people — 750 million versus about 60 million for the combined populations of Canada and Australia. Neither soft opt-in or soft opt-out options are allowed. These restrictions are much more stringent that those set forth by the U.S.’s 2003 CAN-SPAM Act, which does not require that emailers permission before they send their emails.
For multinationals, a major hitch is that if a company already has a customer’s data, it will have to dump it unless it can show a “permission chain.” Peter Milla, a privacy/data protection consultant who works with Cint, said that some companies may have to dispose of as much as two-thirds of their CRM data.
The consequences of running afoul of GDPR are considerable and top out at 4% of global annual turnover for the previous year or €20 million (about US$23 million), whichever comes first.
Preparing For Compliance
While GDPR isset to take effect in May 2018, many companies are still in the process of formulating a GDPR response. A survey released in June found 61% of companies hadn’t started GDPR implementation, despite the fact that another survey from PwC found that such compliance was a top priority for 92% of companies.
David Fowler, Chief Privacy and Delivery Officer for Act-On Software, said he started GDPR compliance efforts 18 months ago. Still, he’s not sure the company will be completely compliant in April 2018. “It’s a really big ask,” he said. “There are 99 articles in the GDPR and 177 recitals based on the articles themselves. I couldn’t sit here and say we’re 100% compliant because we’re probably not.” Fowler said that GDPR has sparked a conversation in the industry about how to “do the right thing in the digital marketplace.” He said one of the chief difficulties of complying with GDPR is getting accurate information about what companies need to do. The problem is there’s too much information, rather than too little, he said.
For instance, Fowler said it’s unclear how the GDPR’s “Right to Be Forgotten” is going to work in practice. That ruling, set forth by the European Court of Justice in 2015, gives citizens the right to petition search engines to take down old internet posts that are defamatory or inaccurate and the search engines have to comply. “How do you erase data across multiple entities across organizations?” Fowler asked. “I think a lot of companies are figuring out how that’s going to work.”
Some are further along than others. Peter Bell, Senior Director of Product Marketing at Marketo, said that his company will be compliant when GDPR goes into effect “and Marketo’s services already include the functionality necessary for our customers to comply with the GDPR’s consent requirement.”
Different Regions, Different Strategies
GDPR affects all the EU and supersedes previous directives that just affected specific countries, like the German Data Protection Act.
That said, Fowler noted that the EU isn’t a monolithic body and each of the EU’s 28 countries are handling GDPR compliance outreach differently. “We’ve been paying close attention to the information commissioner’s office for the UK [for example] and they’ve done a tremendous amount of outreach,” he said.
But such outreach varies by country. Cint’s Milla, for instance, said that he would expect Germany to be much more rigorous about enforcement than, say, Italy. “In Southern European style, they don’t go looking for trouble,” he said.
Lacking a country-specific strategy, one approach is to adopt a template for Europe as a whole. Nate Skinner, VP of Marketing for Salesforce Pardot, said GDPR will prompt marketers to be more strategic about their communications and earn their right to keep communicating with customers. For instance, he recommends delivering emails with personalized headlines that will deliver offers that meet users’ interests.
“This will have the dual effect of letting users know it’s an ad, while also giving them dynamic offers based on their interests,” said Skinner. Another tactic is to give users the opportunity to opt out of specific offers but still receive ones that they’re interested in. “Be creative and helpful to users so that they have a positive experience with your brand,” he said.
Skinner said that rather than showing opt-in language and checkboxes on every form globally, email marketers should deliver the opt-in messaging dynamically based on the user’s location. “This creates a more streamlined experience for the user and keeps your forms as short as possible,” he said.
To be on the safe side, some, like MailJet, a Paris-based email service provider, suggest using a double opt-in (in which the recipient confirms her email address) as a default.
The enormity of GDPR can make starting a compliance effort difficult. Milla said that the first thing that companies need to do is familiarize themselves with the facts of the regulation. The most salient fact is that it applies to anyone operating in the EU. Looking at GDPR in broad strokes, the biggest change is that consumers have more control over their personal data and the onus is on businesses to get consent before carrying out an email-based conversation with them.
“They need to update their privacy policies and be aware of the fines,” Milla said. “For the ad agency I work with, a €20 million [US$24 million] fine would have a dramatic impact on their business. For some, it would mean closing down.”
As the deadline looms, another option is to use ready-made solutions from tech and service providers. Automated Intelligence, for instance, recently raised £1.5 million (US$2 million) on the promise that its software will automatically enforce GDPR compliance. IBM has also introduced an anti-data breach feature, Pervasive Encryption, that will help organizations comply with GDPR. OneTrust and TrustArc also market compliance tools.
Milla said such solutions are good for large companies (those with 500 or more employees), but won’t make your problem automatically go away. “The issue with tools is if you’re going to make the investment, they aren’t cheap and they still require you to the build the knowledge,” said Milla. “Anyone who tells you, ‘Use this tool, it’s everything’ — that’s disingenuous.”
