7 things you must know to send marketing emails even without consent and stay GDPR compliant

When people hear GDPR, many still imagine it as a huge disaster for email marketing. A few months ago, I had a good laugh at the recommendation from one of our competitors, suggesting that companies without consent from their clients should delete almost their entire contact database and start from scratch. And on top of that, they claimed it would actually benefit their marketing!

In reality, the situation is much more favorable, and unless you have a purchased database of a million contacts and keep sending emails about blue pills repeatedly, you can probably continue as usual.

Cold emailing is a very effective marketing instrument. If done reasonably and within the legal framework, it is no more annoying than any Google or Facebook ad. In this article, I will explain how to use email marketing and cold emailing and stay compliant.


DO YOU NEED TO COMPLY WITH GDPR?

The answer is clear if your company is based in the European Union. GDPR is a regulation mandatory for all European companies. However, this doesn’t mean that if you’re based in the U.S. or elsewhere in the world, you can ignore GDPR. It’s not just about emails or addresses; GDPR is about personal data. The regulation was implemented to protect the personal data of European residents. So, even if your company is outside Europe but targets European customers, you must comply with it. The term “European customer” doesn’t only refer to residents of European countries but anyone within the EU. For example, even a tourist from South Africa visiting Paris falls into this category and is protected by GDPR while in the EU.

If you’re not a European company and are certain you don’t hold any data about European customers, you don’t need to worry about this regulation. However, it’s likely that there are local regulations regarding marketing emails that you need to comply with. In the U.S., for instance, that is the CAN-SPAM Act.

ARE YOU SENDING MARKETING EMAILS?

It seems like an odd question, right? What does “marketing email” really mean, and are there “non-marketing” ones?

Yes, when it comes to emails, we can distinguish between:

  • Personal emails
  • Transactional emails
  • Marketing emails

Personal emails are individual messages sent from one person to another. A good example would be responses to customer inquiries. Transactional emails are automated emails sent from your system to contacts, containing information related to a business transaction. If you send invoices, order status updates, account balance notifications, or other customer service-related information via email, you’re sending transactional emails. Under GDPR, transactional emails are covered by “legitimate interest.” When a transaction occurs, it’s necessary to send an invoice to the customer. You don’t need explicit consent for this and can use their personal data for this purpose only. Marketing emails include everything else—promotions, ads, offers, newsletters. To send these, you need your customers’ consent.

Tip: Add a marketing teaser to your transactional email. It will still be considered a transactional email, even if you include a banner or some marketing content. Moreover, transactional emails have a higher open rate, so there’s a much better chance your customer will read it. Therefore, as long as it’s genuinely a transactional email and not sent with the primary goal of promotion, you can take advantage of this.

In the next section, you’ll see how you can legally send marketing emails even without consent.

HOW TO SEND MARKETING EMAILS WITHOUT CONSENT?

You have an email database that you collected over years, but you didn’t explicitly ask for consent. Should you delete it? Nope. GDPR is not the only rule in force; there are other valid norms and regulations that you should take into consideration. The E-Privacy Directive (2002/58/EC) (ePD) is an EU directive on privacy and data protection that is implemented in the national law of European countries (by the way, a new European regulation, the so-called ePrivacy Regulation, is expected to come into effect in 2019). Individual countries implemented the E-Privacy Directive in their legislation, and most of them (except Cyprus, Italy, and Poland) chose some form of opt-out system for email communication with current or potential customers. This means that you can send marketing emails to contacts who are your customers (bought a product or service from you) or potential customers (e.g. negotiated a deal with you).

Opt-in – you are allowed to send emails to the customer only if they asked for them

Opt-out – you are allowed to send emails to the customer, but you have to stop sending as soon as they ask to unsubscribe

However, this is always limited to similar or related products or services. It means that if you have a customer who bought an iPhone from you, or e.g. asked you for a price offer for the iPhone, you are in most countries allowed to send them marketing emails about e.g. new versions of iPhones, other mobile phones, or accessories. You are nevertheless not allowed to send them promotions for ice cream or online casinos, and you cannot sell the contacts to third parties.

SENDING TO B2B OR B2C – DIFFERENT RULES

It really matters whether you send to companies or to individuals. First, although GDPR stands for General Data Protection Regulation, it in fact protects only the personal data of living natural persons. Data of legal persons are not protected under GDPR. This has many implications; among others, it means that under GDPR alone you can freely collect and use the addresses of companies. But a company address does not mean just any address @company.com. Even if the email address is on a company domain, it could still be associated with an individual natural person, and therefore it is still protected under GDPR. Only addresses that are without any doubt general and do not belong to any particular human being are exempt. Addresses like info@company.com, sales@company.com, etc. are usually a good example. In some other cases, it is not that clear. For example, hello@johnsmith.name is most likely an address of a natural person (hopefully living), so it should be treated with respect to GDPR.

As already mentioned, GDPR is not the only law you should care about. If you want to send marketing emails, the ePD is also important, and what you can or cannot do then depends on the national implementation. Most European countries protect B2C communication more than B2B (not surprisingly). It means that opt-out applies to companies, while individuals must opt in. Exceptions exist: in Italy, the rules for B2B are more stringent than for B2C, and Malta does not distinguish between these two domains. In the U.S., for comparison, the opt-out rule applies to all recipients.

PERSONAL USE

So far, we’ve only talked about company use. It’s true that companies are the main senders of mass emails, but individuals occasionally send them too. A good example might be holiday greetings. So, do you send those as well?

Don’t worry—you can still send a greeting to your grandmother without any concerns. GDPR explicitly states: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence, maintaining address books, or use of social networking and the Internet in connection with such activities. However, this Regulation does apply to controllers or processors who provide the means for processing personal data for such personal or household activities.” (Recital 18).

LEGITIMATE INTEREST

Legitimate interest is a concept within GDPR that allows you to process personal data even without consent. We already mentioned transactional emails, which are an application of Article 6 (b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. Of course, if you are selling through your e-shop, you need to know your customer's address in order to ship their orders, send invoices, etc. It would be silly to ask for consent to be allowed to do so. Article 6 enumerates other cases in which you can process the data without consent, e.g. if you are obliged to do so by law, if you are an official authority, etc.

Article 6 (f) is particularly interesting: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” It means that you can use someone’s personal data for your legitimate interests if your interests are not overridden by the interests of the data subjects. Except for the case where the data subject is a child, it is quite a vague statement.

Recital 47 of GDPR explicitly states that: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” To verify whether we have a legitimate interest, we can apply the following tests:

  • purpose test
  • necessity test
  • balancing test

From the marketing point of view, spreading information about its products and services is, without much doubt, a legitimate interest of any business. As long as we stay within the legal framework, meaning that we e.g. don’t promote illegal drugs and that we follow the local opt-in/opt-out rules, we most likely pass the purpose test. The necessity test should verify that the processing of personal data is necessary. Email marketing is an incredibly efficient form of communication. A small company in particular could decide quite easily that it is a necessary marketing tool because it simply does not have enough funds to pay Google for PPC. Finally, the balancing test should ensure that the benefits for the target customers outweigh their costs. This is usually perhaps the trickiest test, as we tend to focus on the benefits for us instead of the benefits for the data subjects, i.e. the customers. In my experience, the most important thing is perfect targeting. If you offer something that is of real value to someone, something that they are currently looking for, they will hardly complain. Web advertising like Google or Facebook PPC is, by the way, based on the same assumption. If you are sending suspicious offers of Cialis to millions of addresses, it is hard to prove that the benefits of the emails for the customers are greater than the cost of their time spent reading and removing spam. On the other hand, if you are e.g. a startup seeking funding and you receive an invitation to an accelerator, it could be in your real interest to receive such an email.
