A guide to GDPR regulations and best practices for transactional emails
As anyone who does business in Europe will know, GDPR has been in operation since 2018. Globally, it is probably the most comprehensive and well enforced data privacy standard anywhere. If your business is based in the EU, has customers in the EU, or processes the data of any person resident in an EU country – then GDPR rules apply to you.
But what has data privacy got to do with sending emails you say?
Peoples’ email inboxes are a treasure trove of personal data. Names, email and physical addresses, private conversations, and a host of important documents from bank statements and loan agreements to medical information and even copies of marriage and birth certificates.
If any of this information got into the wrong hands, scammers and identity thieves would have all they needed to ruin a person’s life. This is why email is covered by GDPR’s strict requirements on data protection.
In this blog we provide a high-level overview of all GDPR email compliance rules, and then focus on the rules around transactional emails and how businesses can keep on the right side of regulations and maintain the trust and loyalty of their customers.
An overview of GDPR email compliance rules
While general GDPR rules for data processing are clear and consistent, when it comes to email there are some subtle variations depending on whether the messages are promotional or transactional in nature.
It is worth looking at the main areas the rules cover and then how these are applied for the different types of emails that businesses send.
Consent and GDPR email collection rules
Gone are the days when businesses could go to third parties to buy huge lists of email addresses of people who may or may not have given permission for their details to be shared. It is still possible to legally buy lists, but the people on them must have agreed to be included. For example, delegates at trade shows can often check a box on the sign-up form if they are happy to be contacted by vendors.
Consent is one of the fundamental principles of email GDPR rules. We are not talking about implied consent or pre-checked boxes hidden in corners of sign-up forms. The Article 32 rules specify that businesses must collect freely given, specific, informed, and unambiguous consent before collecting, storing, and processing personal data, which includes email addresses. This consent should also be easily revokable at any time, and proof of the consent must be stored.
It is worth focusing on the actual implications of these rules:
- Specific: The person must have actively chosen to provide consent by performing an action like checking a box. Pre-checked boxes are not allowed.
- Freely given: The person must have the option to decline consent without being penalized directly or indirectly. In other words, businesses can’t offer incentives to provide consent, or decline service if consent is not given.
- Informed: The consent form must include all relevant detail required for the person to decide about whether to provide it. This includes the name of the company that will be processing the data, exactly what it will be used for, and whether it will be shared with other parts of the business or with third parties.
- Unambiguous: You can’t hide the true intent in overly technical or legal jargon. The request and associated detail must be presented in clear, concise, everyday language that anyone can understand.
- Revokable: There must be a mechanism in place for people to easily remove consent. This option must be displayed on all correspondence and must be actioned timeously (a time delay of a day or two is allowed to cater for communications that may already be in flight).
- Proof of consent: At any point the organization must be able to provide proof that consent was freely given. This must include the date, time, and mechanism used for obtaining consent, a copy of the information that was presented when requesting consent, and any subsequent requests for renewing consent.
The right to be forgotten
At a high level GDPR rules require businesses to only retain personal data for as long as it is required to achieve the purposes for which it was collected.
This is fairly clear-cut for people that have opted-in to receiving marketing communications from you. You can retain their details and keep mailing them until they withdraw consent – no matter how long that is.
But what happens if someone does opt out of receiving emails from you, surely you need to keep a record of their email address on a ‘do not contact’ register to make sure that they don’t get added to a campaign in error? This is a tricky area of the legislation – some businesses may rightfully argue that they have to maintain a master suppression list to ensure people that have unsubscribed and requested to not ever be contacted don’t slip through the net in the future.
Other organizations may choose to delete the person completely and leave the door open for them to opt in again in the future. If the customer provides their explicit consent for you to send them marketing messages again – then this overrides their previous opt-out and you can legitimately add them back into your email lists.
When it comes to the actual email communications, many organizations automatically delete customer emails after a set period. However, this strict interpretation of the rule that data should be kept “no longer than is necessary for the purposes for which the personal data are processed” may have implications for the customer experience that the organization provides.
What happens if a long-standing customer contacts you asking about an issue that you resolved for them previously, or maybe wants to replenish a product that they bought more than two years ago. If you have deleted all historic correspondence, then you would have no record of it and the customer would have to start from scratch. If you have ever tried to buy the same paint shade five years after you last decorated, then you will know what a pain this can be.
GDPR allows some flexibility for business to be pragmatic about data retention and consent. If customers can see the value of the business keeping a record of past interactions and transactions, then they are far more likely to provide consent for them to do so. The onus is on the business to make this value clear and compelling.
When it comes to transactional email, customers still have a right to be forgotten, but only once the business has fulfilled all their legal obligations. For example, I may close my bank account and request my details are removed – but the bank may only be able to do this once my final account balance has been calculated and funds transferred. Even then, they may be required to retain certain details, for example a record of historic income payments for tax reporting purposes.
Email marketing (and spam)
GDPR does not outlaw email marketing. SPAM was already against the law before GDPR, and we still get plenty of unsolicited emails every day from devious companies that have found ways of breaking the rules and evading prosecution (for now).
What GDPR does is put the power back in the hands of the consumer about what they are happy to be contacted about and how often – from companies that they have provided their consent to.
There are countless examples of businesses that understand their customers and have turned their marketing emails into differentiators that brand fans actually look forward to receiving. Spotify, Airbnb, and Disney are just a few examples of companies that use great copyrighting, compelling visuals, and high levels of personalization in their messages.
If these brands stop adding value, or send too many emails, then the customer can withdraw consent at any time. More engaging, better targeted, and ultimately more interesting marketing emails are the result. And that is a good thing for everyone.
GDPR and transactional emails
Most businesses use email for important messages that customers both want and need to see. In some cases, the business may be legally required to send these messages. Payment confirmations, monthly statements, password resets, and notifications of possible fraud are just a few examples of transactional emails.
GDPR does not require consent to be obtained for sending these types of messages where they are of what the standard calls legitimate interest and they are used in a lawful, fair, and transparent way.
However, it does not list every example of acceptable transactional messages, so there will be edge cases and a grey area which some brands may try and exploit, for example by including some promotional and marketing messaging in their transactional emails.
This is not a good idea. It would just take one recipient to complain to the data protection authority and the business could receive a hefty fine. There have already been a number of test cases in Europe that show that GDPR rules on transactional emails can and will be enforced.
However, these test cases have also surfaced some scenarios that GDPR does not object to. For example, when you make a purchase from Amazon, the confirmation email will include details about the product you have bought and a link to the original product page that itself has links to associated products and ‘also boughts’.
Here we cover six areas of best practice advice for companies sending transactional email to ensure that they remain GDPR compliant but also provide a great customer experience.
1. Use transactional email templates
Transactional emails should be designed to convey the information in a clear and unambiguous way. The recipient should immediately be able to tell what the purpose of the email is from the subject line and a quick glance at the email preview. Put some thought into designing an effective template and then stick with it. Repeatedly changing the design of these emails will lose continuity and erode the trust of recipients.
As mentioned, do not be tempted to add any promotional content or even links to the email. Your IT department may automatically add an email footer to outgoing messages that could contain marketing links – so make sure that this is not done for transactional emails.
Where you cannot legally offer opt-outs or unsubscribes for specific types of emails, make sure that this is clear. This should help to head off any complaints and reduce the chances of recipients blocking your emails in their email client, which you have no control over.
3. Enable subscribers to update their email preferences
Not everyone is the same. Some people want to keep a very close eye on every order and transaction, while others might just want an occasional update or overview. Although legislation might prevent you from giving customers the option to completely opt out of some notifications, you will often be able to offer flexibility on what they get notified about and how often.
The same goes for marketing emails. A person may still want to buy from you in the future and be interested in some of the emails you send them, but not every single one. Giving them the option to choose the types of updates they receive, and the frequency may prevent them from unsubscribing completely.
4. Get your welcome messages right
Another ‘grey area’ alert. When a someone signs up to your service or creates an account then you might legitimately send them a password confirmation and ‘help getting started’ email. If there is no transactional or legal necessity for the email, then you have to be very careful that it doesn’t stray into promotional territory.
You want to start the customer relationship off on the right foot and help the person get value from your service but also stay on the right side of GDPR rules. Like Amazon’s approach, the answer may be to include links to a ‘help getting started’ landing page on your website, which in turn can include entry points to any customer journeys that are relevant for that person.
5. Be transparent when things go wrong
Fraud is an ever-present danger in the modern world and email is not exempt. Personal data and email addresses are valuable commodities for criminals and many high-profile organizations have suffered serious data breaches that have resulted in millions of customer email addresses being leaked to criminal networks.
If this happens to your organization then you have to be transparent about it and inform all affected customers, and the relevant authorities. GDPR is very clear about your responsibilities as a data controller in this regard.
Customers can then make informed decisions about adding extra security their accounts, changing their email address, or being extra vigilant about phishing attacks.
6. Consider using email encryption
Email encryption is not required by GDPR, but its use is encouraged and cited as an ‘appropriate technical measure’ for protecting personal data and mitigating the damage of an unlawful data breach. This is especially relevant when emails contain account information, passwords, and statements that could be used to commit identity theft.
Be aware that the various parts of the email may be handled differently by encryption software i.e. the subject line, from and to email addresses and the message date/time metadata is usually transmitted in plaintext and is therefore not encrypted, while the body and any attachments are.
Best practice is therefore to not include any sensitive data in the subject line of the email.