There’s still a lot of buzz around the General Data Protection Regulation (GDPR), which is the set of guidelines that dictate how individuals and companies may acquire, utilize, store, and delete the personal data of European Union (EU) users.
If you have subscribers based in the EU, you are responsible for following these regulations even if you operate outside the EU. It might sound overwhelming at first, but the reality is that GDPR is really good for email marketing and it actually helps improve your campaigns.
Let’s explore how GDPR specifically affects your email marketing, along with 4 best practices to help you get started.
If you handle customer data beyond email marketing or use other third-party tools that collect data, you should definitely check out the full set of regulations and talk to legal experts to ensure you understand the full extent of compliance.
Every time you collect an email address, a name, home address, phone number or IP address, you are obtaining someone’s personal data. If any of those people are in the EU, you must adhere to these rules.
The GDPR was developed to modernize the current EU data protection laws with a stronger focus on an individual’s rights and privacy. While some of the legislation is stricter and the penalties for non-compliance are tougher, the ultimate goal is to improve trust in the digital ecosystem.
To that end, EU users have several rights to help them take more control of their own data. Here are the most important user rights that apply to email marketing:
The right to erasure (also known as the right to be forgotten) gives someone the power to ask a company to delete ALL of the data that is associated with that person. This requires you to provide more than an unsubscribe button. If a user makes a request, you must delete all the data stored in your databases and anything else associated with the user.
The right of access allows your subscribers to ask exactly how you are using their data and for what purposes. If a request is made, you’ll need to provide a personal data report at no cost to them.
Breach notification is mandatory under the GDPR, which means you have 72 hours from becoming aware of a breach to notify customers.
The right to data portability allows people to request their data, which means you would need to provide a download of all their data in a ‘commonly used and machine-readable format’.
At its core, GDPR is about giving people more control over their personal data and how others are allowed to use their data. For GDPR in email marketing, that means providing more transparency and clearer consent agreements when signing up new subscribers—which will make your campaigns even better and more trustworthy in the long run!
Now that we’re clear about these user rights, let’s jump into 4 ways that you can keep your subscribers’ data safe and sound.
MailerLite has many features that help make GDPR email compliance easier for you and your subscribers. Here are some features that will help you comply with the following GDPR requirements:
A) Right to be forgotten
B) Proof of subscriber consent
C) Identifying EU users
D) Data portability
The right to erasure is a GDPR mandate that allows subscribers to ask you to delete all of the data associated with them.
If someone makes a request to be forgotten, you can’t simply unsubscribe them or delete them from your list. Even when you remove a subscriber from your list, the system keeps a history of the user. You must delete all their data permanently.
This means that you need an easy way to delete EVERYTHING about the subscriber.
When you use the Delete function in the subscriber section of MailerLite, the information is not entirely removed. The reason for this is simple. If that person later resubscribes, their history is still there so you don’t have to rebuild their profile.
MailerLite has a feature called Forget that completely wipes a person’s data from our system. This function was built specifically for GDPR email compliance of the right to be forgotten. Here’s how it works:
On your subscriber page, there is a button called Actions.
When you choose the option Forget, the subscriber’s data will be completely removed. Everything is permanently deleted, including reports, clicks and profile data.
This will allow you to comply with GDPR. That said, it is a major step to completely remove a subscriber, which is why we implemented an additional confirmation.
Everyone makes mistakes. The last thing you want to do is delete a happy subscriber’s information by accident. As a safety measure, you will need to type in the word “FORGET” to confirm the deletion.
When you click the Forget button after typing in “FORGET”, the user’s data is completely wiped from the system within 30 days.
Most email service providers make permanently deleting users a manual process. But who has time to fill out forms every time a subscriber makes a request?
We built an automated Forget feature to make it easy for you to comply with this GDPR email marketing rule. But our hope is that you will never have to use it!
Obtaining active and explicit consent from subscribers is a huge deal for the GDPR and email marketing. If you start sending emails to people who don’t want them, they can cause you a lot of problems within the GDPR framework when they complain. You need to have a record of their consent. The burden of proof is on you to provide the documentation proving that a subscriber agreed to share their data. Your records should include:
A timestamp of subscriber consent (time, date, location)
The source of the opt-in (website, social media, etc.)
If you are not sure that you have this information, MailerLite might be able to help you find it.
When you use MailerLite signup forms to acquire subscribers, we capture the IP address, location, date, time, and source of the consent form. This information solidifies your documentation of where, when and how your subscribers consented.
MailerLite displays this information in your subscriber profiles. It is important to note that you can only get this valuable proof from users who subscribe through MailerLite forms.
If you want more information about GDPR opt-in forms, here’s a whole article dedicated to it.
While most of you have subscribers all over the world, the GDPR only applies to people who are in the European Union. How can you segment them so you don’t have to worry about GDPR compliance for your entire list?
If subscribers sign up with a MailerLite form, our location tracking capabilities can determine if the person is signing up from an EU country. We can then segment them into a special GDPR group.
It’s important to note that there is a chance an EU citizen is living abroad in a non-EU country. In these cases, it is impossible to identify them as EU users. But GDPR states that you only need to make a reasonable effort to determine a person’s status.
MailerLite has a rule in the subscriber filter called Location where you can sort your subscribers by where they're based.
There is also a special list of all EU countries to help you easily sort GDPR subscribers. By using this filter, you will know how many subscribers you have in the EU.
Again, this feature only works with subscribers that come through a MailerLite form. The location-based ID will not work for subscribers imported from a file or other sources.
Once you identify EU users, you can target them with GDPR-specific emails and requests.
Since each individual has the power to request or delete their data, you need to think about what data you really need and what data you can live without. The more data you collect, the more documentation and management is required to quickly address a data request.
If you prefer to collect a lot of customer data for your marketing initiatives, it’s important to note that the GDPR definition of personal data is far-reaching and includes things like behavioral data, IP addresses, biometric and financial data to name a few. Basically, anything linked to the individual is personal data.
MailerLite allows customers to download user data if someone makes a ‘right of portability’ request. As seen in the screenshot below, you can export and save subscriber data to a PDF (Print) or a JSON file (the most popular format to transfer data).
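A minimal model of the three mechanisms described above (proof of consent with a double opt-in paper trail, Delete versus Forget for the right to erasure, and a JSON export for portability), written as an added example. This is not MailerLite's code; the subscriber, IP address and form name are constructed sample values.

```python
import json
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass
class Subscriber:
    email: str
    consent_at: str            # ISO 8601 time of the opt-in
    ip: str                    # captured at signup as proof of consent
    location: str
    source: str                # which form the consent came from
    permissions: list          # only the boxes the subscriber actively ticked
    confirmed_at: Optional[str] = None   # set by the double opt-in confirmation
    active: bool = True

class SubscriberStore:
    def __init__(self):
        self.profiles = {}     # email -> Subscriber
        self.history = {}      # email -> engagement events (opens, clicks, reports)

    def subscribe(self, email, now, ip, location, source, ticked):
        # Untouched boxes are not consent: store only what was actively ticked.
        self.profiles[email] = Subscriber(email, now, ip, location, source, sorted(ticked))
        self.history.setdefault(email, [])

    def confirm(self, email, now):
        # Double opt-in: the confirmation click completes the paper trail.
        self.profiles[email].confirmed_at = now

    def record_event(self, email, event):
        self.history[email].append(event)

    def delete(self, email):
        # Plain Delete: stops mailings but keeps history so a resubscribe restores the profile.
        self.profiles[email].active = False

    def forget(self, email, confirmation):
        # Right to erasure: wipe profile AND history; the typed word guards against accidents.
        if confirmation != "FORGET":
            return False
        self.profiles.pop(email, None)
        self.history.pop(email, None)
        return True

    def export_json(self, email):
        # Data portability: everything held about the person, in a machine-readable format.
        if email not in self.profiles:
            return None
        data = {"profile": asdict(self.profiles[email]), "history": self.history[email]}
        return json.dumps(data, indent=2)
```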
Your email marketing might be GDPR-compliant, but what about your outside partners and vendors?
Under GDPR, any third party that processes your users’ data is legally obligated to be in compliance. If you use a company that is not compliant, you can be held liable and suffer the consequences including paying fines.
As you know, MailerLite has been on top of GDPR compliance. We want to ease your mind and give you the confidence that your email marketing practices comply with GDPR.
To that end, we are happy to present our Data Processing Addendum, which establishes our GDPR compliance to give you peace of mind.
GDPR is all about protecting your users’ data. If you use other companies to help you process user data in any way, you are required to enter into a written agreement with each data processor.
In GDPR language, you are considered the ‘controller’. Your responsibility is to protect your users’ data by vetting your data processors. You need to establish that they are GDPR compliant.
But more importantly, legally binding contracts with your vendors will instill confidence in your subscribers that you have their interests in mind. Our Data Processing Addendum spells out:
What data we collect.
Why we collect it.
How we use it.
In compliance with GDPR, the agreement also covers our security measures, confidentiality policies, and our acknowledgment and approach to working with other vendors (also called sub-processors).
You can review MailerLite's Data Processing Addendum here.
According to privacy laws, you have to clearly describe how you plan to use your subscribers’ data, including for your use of third parties like MailerLite.
We use MailerLite to manage our email marketing subscriber list and to send emails to our subscribers. MailerLite is a third-party provider, which may process your data using industry-standard technologies to help us monitor and improve our newsletter.
You can unsubscribe from our newsletter by clicking on the unsubscribe link provided at the end of each newsletter.
We’ve included some of the basics to help you get started. In general, most privacy laws require you to inform users of:
Your name (or business name), location, and contact information;
What information you’re collecting from them (including names, email addresses, IP addresses, and any other information);
How you’re collecting their information, and what you’re going to use it for;
How you’re keeping their information safe;
Whether or not it’s optional for them to share that information, how they can opt-out and the consequences of doing so;
Any third-party services you’re using to collect, process, or store that information (such as an email newsletter service, or advertising network).
The GDPR has added many requirements to consider with email marketing—especially when it comes to opt-in forms.
The regulations talk a lot about subscriber opt-in, specifically making sure that you clearly explain your intentions (explicit consent) and that you empower users to actively give their consent (active consent).
Beyond being as transparent as possible with your consent forms, you must keep a record of every subscriber’s consent. The burden of proof is on you to prove that the individual consented to your terms. One way to accomplish this is through double opt-in, which provides a paper trail of the transaction. You can learn how to set it up in this help article.
Our embedded form feature includes the tools you need to comply with these GDPR requirements. There are also lots of design options that will help you create more engaging opt-in forms.
Before we dive into our embedded form features, let’s first review the GDPR requirements that you’ll need to keep in mind when building your opt-in forms.
As we briefly mentioned above, explicit consent means that you need to clearly communicate exactly what the individual is agreeing to and what the data is being collected for. We have pre-written texts in our templates to help you get started.
Active consent means your subscribers need to initiate the consent. You can no longer pre-tick the checkbox and make the user untick it; they must actively click the checkbox for the permission to be valid.
If you are just asking someone to give consent to one thing, you can use a few sentences instead of checkboxes to explain what people are agreeing to.
Checkboxes are required when you are offering more than one thing. For example, if you ask someone to receive your newsletter and also use their data for targeted advertising, you need two clear options for consent. In this case, checkboxes should be used.
Our forms include checkbox options for bundled consent and pre-written text that you can use or edit to explicitly communicate how and why you are using the information. Let’s take a look!
Our embedded form editor has the same design options and functionality as our landing page and pop-up builders. You can also access GDPR-compliant options within the form settings.
Not only will your forms help you to comply with GDPR, but they can also be a beautiful accessory for your website or landing page. With MailerLite, you can choose from vertical and horizontal layouts, and add an image to the form (a picture speaks a thousand words, after all 😉 ).
You can also customize your form’s background, button design, custom input fields and fonts—making it extra eye-catching and compelling!
We wanted to make GDPR email compliance a little bit easier for you by including settings that auto-populate your web forms with the necessary consent fields.
You can add multiple checkboxes, segment subscribers with hidden fields, insert GDPR permissions and send users to your own success page.
All of these options are customizable so you can edit the design or text to fit your specific needs. Let’s take a closer look at each option within Form Settings:
While checkboxes are not mandatory for GDPR and email marketing, you will need them if you are asking for subscriber consent for multiple items or if you need acknowledgment of your Terms. If you include a checkbox for your Terms or Privacy Policy, you can add a hyperlink so the user can review them on your site.
You can segment your new subscribers based on where they opted-in. For example, you can create one group that came from your blog and another from Facebook. This allows you to engage them in different ways, and it also helps you identify their source of consent.
Instead of using a standard confirmation page after someone subscribes, you can send them to your own URL. This gives you the flexibility to continue your engagement with your new subscribers.
Your pop-ups and landing pages are fully customizable, with the same form editor and design options as embedded forms. They also have GDPR-friendly form settings, with options including checkboxes and pre-written text permissions.
As we said before, it is critical that you keep a record of your subscriber’s consent. The burden of proof is on you to prove that a subscriber agreed.
All of the information from our embeddable forms, pop-ups and landing pages is automatically updated in the subscriber’s profile within MailerLite. If a subscriber checks one of three boxes on your form, our system will only show you the permissions that they actively agreed to.
With MailerLite, we’ve made it super easy for your email marketing to be GDPR compliant—from embracing the GDPR-friendly features available, to creating data processing agreements and privacy policies, to adapting your opt-in forms. Keep all of these best practices in mind, and your subscribers’ personal data will be safe and secure, while you rest assured that your email campaigns are in line with GDPR.
If you have any unanswered questions about email marketing and GDPR, leave us a comment below.
Editor's note: This article was originally published in 2018. It has now been updated with new insights and best practices.