Data protection and data security are central topics in online marketing, and not just since the EU General Data Protection Regulation (GDPR, in German DSGVO) came into force. Long before the GDPR, German law already required very close attention to legally secure data processing. The GDPR has not made the requirements in this country drastically stricter, but it has made actually complying with them far more relevant.
This is because the penalties for non-compliance with the GDPR are severe enough to threaten the existence of practically any company. For data processing without a legal basis or without consent, fines of up to 20 million euros or 4 percent of the company's annual turnover are indeed possible. Furthermore, because data protection and data security now receive so much more attention, warning letters (undoubtedly controversial ones) from competitors or from law firms specializing in this area have become more common. The focus of these lawyers, and of the official data protection authorities, is particularly on measures in which (personal) data is requested directly from customers. Email marketing is of course a prime example.
But what to do?
In many places, GDPR-critical website features were simply switched off or never considered in the first place. This is possible with email marketing too, but in most cases it is a very poor solution. A strategically well-planned delivery of emails is not only extremely effective, whether for customer acquisition or customer retention; it also still delivers nothing less than the highest average ROI of all (online) marketing disciplines. It is therefore far better to strive for legally compliant email marketing than to stop sending newsletters altogether.
Before further details on legally compliant email marketing follow, it must be stated that this article does not constitute legal advice and is for information purposes only. No liability is granted for the correctness of the contents.
What are the fundamental consequences of the GDPR for legally compliant email marketing?
In online marketing, data is stored practically automatically. Even when (potential) customers merely look at a newsletter registration form, information is already stored in necessary cookies. This becomes problematic if there are no corresponding notices or no information on data protection at all. Similarly easy to overlook, but in practice even more tricky: even where no active email marketing takes place, advertising emails sent to existing customers, for example, can be treated as email marketing under the GDPR. Here, even emails that reach several recipients at the same time are critical. Legal compliance must therefore always be assessed precisely and ultimately guaranteed by taking the right precautions. Data protection and data security are thus relevant to every form of business email advertising.
What do I have to consider for DSGVO-compliant email marketing in particular?
The following points are necessarily only an overview of some of the most important legal provisions for GDPR-compliant email marketing. The list is not comprehensive and must be weighed individually against the specific company context and the orientation of the newsletters in question.
First and foremost is the premise that data in any form may only be collected with the specific consent of the respective customer.
In principle, the following may be collected in the context of legally compliant email marketing: general personal data such as name, date of birth, address and email address; physical characteristics such as gender, hair and eye colour or clothing size; identification numbers such as social security or ID card numbers; customer data on orders; the corresponding account information; and some more. However, the following applies: only personal data that is absolutely necessary for performing the associated company services may be requested.
The collection of so-called personal data that requires increased protection is completely prohibited. This information includes, in particular, biometric data, information on the state of health and information that permits an assessment of ethnic origin or religious, political or ideological views.
The so-called double opt-in is the only DSGVO-compliant method of registering for the newsletter. After submitting their personal data, the interested party receives an email with a confirmation link, which must be followed to finally activate the newsletter. This practically rules out the possibility that someone other than the person whose data has been stored carried out the registration, in which case the data owner would never have consented to the data collection. If the confirmation does not take place, the personal data must be deleted immediately. Note also that, according to the legal regulations, confirmation emails may not contain any advertising.
In the newsletter registration form, only one field should be marked as mandatory: the email address. It alone is really necessary for delivering the newsletter and implementing email marketing. Furthermore, care must be taken that checkboxes, for example to confirm consent to data collection, are not pre-selected. In this context, the prohibition of tying is also important; it is not stated directly in the GDPR but in the Federal Data Protection Act, which came into force together with it. Accordingly, such checkboxes or the options selectable there may under no circumstances force consent. This means, for example, that it is not permitted to require newsletter registration as a prerequisite for receiving a whitepaper.
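The double opt-in flow and the form rules described above can be mirrored directly in the registration backend. The following Python sketch is an added example, not code from the original article or from any particular newsletter product: it rejects a submission whose consent box was not actively ticked, issues a single-use random confirmation token, stores only a hash of that token so a leaked database does not yield usable confirmation links, and purges unconfirmed records after a confirmation window (the 48-hour window, the `NewsletterStore` class and the injectable clock are assumptions for the example).

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed confirmation window: unconfirmed records are deleted after 48 h.
CONFIRMATION_WINDOW_SECONDS = 48 * 3600


@dataclass
class PendingSubscription:
    email: str
    created_at: float
    consent_text: str  # the exact consent wording the subscriber saw, kept for accountability


def _token_hash(token: str) -> str:
    # Only the hash is stored; the plaintext token travels once, inside the confirmation link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class NewsletterStore:
    """In-memory stand-in for the subscriber database (example only)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the expiry logic is testable
        self.pending = {}          # token hash -> PendingSubscription
        self.confirmed = {}        # email -> confirmation timestamp

    def subscribe(self, email: str, consent_text: str, consent_checked: bool) -> str:
        # A pre-selected or unticked box is not consent: the subscriber must have acted.
        if not consent_checked:
            raise ValueError("consent checkbox was not actively ticked")
        email = email.strip().lower()
        if "@" not in email or email.startswith("@") or email.endswith("@"):
            raise ValueError("invalid email address")
        # Unguessable token; embedding it in the confirmation link is what makes the second opt-in meaningful.
        token = secrets.token_urlsafe(32)
        self.pending[_token_hash(token)] = PendingSubscription(email, self._now(), consent_text)
        return token

    def confirm(self, token: str) -> bool:
        key = _token_hash(token)
        rec = self.pending.pop(key, None)   # single use: the record leaves the pending table either way
        if rec is None:
            return False
        if self._now() - rec.created_at > CONFIRMATION_WINDOW_SECONDS:
            return False                    # expired: treated as never confirmed, data already removed
        self.confirmed[rec.email] = self._now()
        return True

    def purge_unconfirmed(self) -> int:
        """Delete pending records whose window has passed; returns how many were removed."""
        now = self._now()
        stale = [k for k, r in self.pending.items()
                 if now - r.created_at > CONFIRMATION_WINDOW_SECONDS]
        for k in stale:
            del self.pending[k]
        return len(stale)


if __name__ == "__main__":
    store = NewsletterStore()
    tok = store.subscribe("alice@example.org", "I want to receive the newsletter.", True)
    print("confirmed:", store.confirm(tok))      # True on first use
    print("replayed:", store.confirm(tok))       # False: token is single use
```

Running `purge_unconfirmed` from a scheduled job implements the "delete immediately if not confirmed" rule without manual work, and keeping `consent_text` alongside the record lets the company later show what the subscriber actually agreed to.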
Like a website, a newsletter should also contain an imprint. Under the DSGVO, all sender details including the postal address belong here. A link in the newsletter footer to the imprint of your own website is sufficient, but it is better to include all relevant information directly in each message.
Software-based automation of email marketing makes the corresponding processes enormously easier. Especially in lead management, working economically is practically impossible today without such software. Whether newsletters are sent manually or automatically is irrelevant to legal compliance. When using email marketing software, what matters is that it enables, and ideally simplifies, the implementation of all data protection-relevant points. Mailchimp is a good address here.
Our support around the topic of web analytics & data protection:
- Support with the DSGVO-compliant application and implementation of your online media.
- Optimization of your email marketing and legally compliant newsletter distribution.
- Design and implementation of meaningful KPIs for the evaluation of your pages or applications. Individual development of dashboards that give you an overview of the relevant key figures.
- DSGVO-compliant implementation of analysis tools (Matomo / Google Analytics etc.) in your pages / applications.
Oliver Parrizas will be happy to answer any questions you may have on the subject. +49-800-911-91-91