A guide to GDPR regulations and best practices for transactional emails

Transactional emails are defined as any email sent from a business to an individual recipient, triggered by an action that the user takes, or a request that they make. For example, an email confirming a purchase, a monthly account statement, or a parcel delivery notification would all be classified as transactional emails. For any business that operates in Europe, it is imperative that they are sending GDPR compliant transactional emails.

To provide a bit of context, GDPR has been in operation since 2018. Globally, it is probably the most comprehensive and well enforced data privacy standard anywhere. If your business is based in the EU, has customers in the EU, or processes the data of any person resident in an EU country – then GDPR rules apply to you.

But what has data privacy got to do with sending emails you say? And does GDPR apply to transactional emails? We will get to the second question later, but it is important to remember that peoples’ email inboxes are a treasure trove of personal data. Names, email and physical addresses, private conversations, and a host of important documents from bank statements and loan agreements to medical information and even copies of marriage and birth certificates.

If any of this information got into the wrong hands, scammers and identity thieves would have all they needed to ruin a person’s life. This is why email is covered by GDPR’s strict requirements on data protection.

In this blog we provide a high-level overview of all GDPR email compliance rules, and then focus on the rules around transactional emails and how businesses can keep on the right side of regulations and maintain the trust and loyalty of their customers.

While general GDPR rules for data processing are clear and consistent, when it comes to email there are some subtle variations depending on whether the messages are promotional or transactional in nature.

It is worth looking at the main areas the rules cover and then how these are applied for the different types of emails that businesses send.

Gone are the days when businesses could go to third parties to buy huge lists of email addresses of people who may or may not have given permission for their details to be shared. It is still possible to legally buy lists, but the people on them must have agreed to be included. For example, delegates at trade shows can often check a box on the sign-up form if they are happy to be contacted by vendors.

Consent is one of the fundamental principles of email GDPR rules. We are not talking about implied consent or pre-checked boxes hidden in corners of sign-up forms. The Article 32 rules specify that businesses must collect freely given, specific, informed, and unambiguous consent before collecting, storing, and processing personal data, which includes email addresses. This consent should also be easily revokable at any time, and proof of the consent must be stored.

It is worth focusing on the actual implications of these rules:

At a high level GDPR rules require businesses to only retain personal data for as long as it is required to achieve the purposes for which it was collected.

This is fairly clear-cut for people that have opted-in to receiving marketing communications from you. You can retain their details and keep mailing them until they withdraw consent – no matter how long that is.

But what happens if someone does opt out of receiving emails from you, surely you need to keep a record of their email address on a ‘do not contact’ register to make sure that they don’t get added to a campaign in error? This is a tricky area of the legislation – some businesses may rightfully argue that they have to maintain a master suppression list to ensure people that have unsubscribed and requested to not ever be contacted don’t slip through the net in the future.

Other organizations may choose to delete the person completely and leave the door open for them to opt in again in the future. If the customer provides their explicit consent for you to send them marketing messages again – then this overrides their previous opt-out and you can legitimately add them back into your email lists.

When it comes to the actual email communications, many organizations automatically delete customer emails after a set period. However, this strict interpretation of the rule that data should be kept “no longer than is necessary for the purposes for which the personal data are processed” may have implications for the customer experience that the organization provides.

What happens if a long-standing customer contacts you asking about an issue that you resolved for them previously, or maybe wants to replenish a product that they bought more than two years ago. If you have deleted all historic correspondence, then you would have no record of it and the customer would have to start from scratch. If you have ever tried to buy the same paint shade five years after you last decorated, then you will know what a pain this can be.

GDPR allows some flexibility for business to be pragmatic about data retention and consent. If customers can see the value of the business keeping a record of past interactions and transactions, then they are far more likely to provide consent for them to do so. The onus is on the business to make this value clear and compelling.

When it comes to transactional email, customers still have a right to be forgotten, but only once the business has fulfilled all their legal obligations. For example, I may close my bank account and request my details are removed – but the bank may only be able to do this once my final account balance has been calculated and funds transferred. Even then, they may be required to retain certain details, for example a record of historic income payments for tax reporting purposes.

GDPR does not outlaw email marketing. SPAM was already against the law before GDPR, and we still get plenty of unsolicited emails every day from devious companies that have found ways of breaking the rules and evading prosecution (for now).

What GDPR does is put the power back in the hands of the consumer about what they are happy to be contacted about and how often – from companies that they have provided their consent to.

There are countless examples of businesses that understand their customers and have turned their marketing emails into differentiators that brand fans actually look forward to receiving. Spotify, Airbnb, and Disney are just a few examples of companies that use great copyrighting, compelling visuals, and high levels of personalization in their messages.

If these brands stop adding value, or send too many emails, then the customer can withdraw consent at any time. More engaging, better targeted, and ultimately more interesting marketing emails are the result. And that is a good thing for everyone.

Most businesses use email for important messages that customers both want and need to see. In some cases, the business may be legally required to send these messages. Payment confirmations, monthly statements, password resets, and notifications of possible fraud are just a few examples of transactional emails.

GDPR does not require consent to be obtained for sending these types of messages where they are of what the standard calls legitimate interest and they are used in a lawful, fair, and transparent way.

However, it does not list every example of acceptable transactional messages, so there will be edge cases and a grey area which some brands may try and exploit, for example by including some promotional and marketing messaging in their transactional emails.

This is not a good idea. It would just take one recipient to complain to the data protection authority and the business could receive a hefty fine. There have already been a number of test cases in Europe that show that GDPR rules on transactional emails can and will be enforced.

However, these test cases have also surfaced some scenarios that GDPR does not object to. For example, when you make a purchase from Amazon, the confirmation email will include details about the product you have bought and a link to the original product page that itself has links to associated products and ‘also boughts’.

GDPR COMPLIANT

Dear Mr Smith,

Thank you for renewing your subscription. We have successfully processed your payment of $95.00.

You can access a summary of your subscription benefits on your account summary page. If you have any further questions, please visit our support page, or send us an email.

NOT GDPR COMPLIANT

Dear Mr Smith,

Thank you for renewing your subscription. We have successfully processed your payment of $95.00.

Have you considered upgrading to a Premium subscription? For just an extra $5.95 a month you can enjoy all of the following exclusive benefits…

To ensure that your transactional emails remain GDPR compliant, here we cover six areas of best practice advice to ensure that you remain compliant but also provide a great customer experience.

Transactional emails should be designed to convey the information in a clear and unambiguous way. The recipient should immediately be able to tell what the purpose of the email is from the subject line and a quick glance at the email preview. Put some thought into designing an effective template and then stick with it. Repeatedly changing the design of these emails will lose continuity and erode the trust of recipients.

As mentioned, do not be tempted to add any promotional content or even links to the email. Your IT department may automatically add an email footer to outgoing messages that could contain marketing links – so make sure that this is not done for transactional emails.

You need to have a detailed privacy policy in place that is easily accessible and written in clear everyday language that your customers can understand. Add a disclaimer to your emails to show that you have a GDPR policy in place and explain that the email is for transactional purposes and that you are legally obliged to send it.

Where you cannot legally offer opt-outs or unsubscribes for specific types of emails, make sure that this is clear. This should help to head off any complaints and reduce the chances of recipients blocking your emails in their email client, which you have no control over.

If you ever need to update your privacy policy, then you need to inform your customers that you are doing this. If they have previously provided consent to receive marketing emails from you then you need to offer the option for them to withdraw this consent. This should be easily possible at any time, but particularly when you change your privacy policy or terms and conditions.

Not everyone is the same. Some people want to keep a very close eye on every order and transaction, while others might just want an occasional update or overview. Although legislation might prevent you from giving customers the option to completely opt out of some notifications, you will often be able to offer flexibility on what they get notified about and how often.

The same goes for marketing emails. A person may still want to buy from you in the future and be interested in some of the emails you send them, but not every single one. Giving them the option to choose the types of updates they receive, and the frequency may prevent them from unsubscribing completely.

Another ‘grey area’ alert. When someone signs up to your service or creates an account then you might legitimately send them a password confirmation and ‘help getting started’ email. If there is no transactional or legal necessity for the email, then you have to be very careful that it doesn’t stray into promotional territory.

You want to start the customer relationship off on the right foot and help the person get value from your service but also stay on the right side of GDPR rules. Like Amazon’s approach, the answer may be to include links to a ‘help getting started’ landing page on your website, which in turn can include entry points to any customer journeys that are relevant for that person.

Fraud is an ever-present danger in the modern world and email is not exempt. Personal data and email addresses are valuable commodities for criminals and many high-profile organizations have suffered serious data breaches that have resulted in millions of customer email addresses being leaked to criminal networks.

If this happens to your organization then you have to be transparent about it and inform all affected customers, and the relevant authorities. GDPR is very clear about your responsibilities as a data controller in this regard.

Customers can then make informed decisions about adding extra security their accounts, changing their email address, or being extra vigilant about phishing attacks.

Email encryption is not required by GDPR, but its use is encouraged and cited as an ‘appropriate technical measure’ for protecting personal data and mitigating the damage of an unlawful data breach. This is especially relevant when emails contain account information, passwords, and statements that could be used to commit identity theft.

Be aware that the various parts of the email may be handled differently by encryption software i.e. the subject line, from and to email addresses and the message date/time metadata is usually transmitted in plaintext and is therefore not encrypted, while the body and any attachments are.

Best practice is therefore to not include any sensitive data in the subject line of the email.