Email Privacy Changes On The Horizon, More Rules To Follow For Some Email Marketers

Even though this is enacted in Europe this will require significant changes by organizations worldwide.

Essentially GDPR will gdprenact new rules on organizations that offer goods and services to the people who reside in the EU; specifically targeting organizations that collect and analyze data that involves EU residents, regardless of the location of that organization.  This includes email privacy rights

The GDPR proposes to do the following:

  • Improve the rights of individuals by giving them the ability to access the data that a company collects on them, the right to correct mistakes, to delete information, object to how the information is processed and to move their data.
  • Make companies responsible as to how individual information (data) is processed and handled
  • Require companies to report data breaches within a certain time frame, i.e 72 hours
  • Impose fines and sanctions on an organization who unintentionally failed to maintain data privacy, as well as those who intentionally failed compliance.

The bottom line, companies that deal with any EU residents information will be required to update their privacy statements, change the way they put data protection in place, and follow new procedure guidelines.

As a list owner, with subscribers worldwide, the General Data Protection Regulation will expect compliance to protect email privacy rights.

As a list owner or a list hosting company for that matter, if you collect, record, use, store, change and or erase any personal data from your customer list(s) or contacts for EU residents it must all fall under the GDPR guidelines.

To understand the guidelines here a brief definition of the terms in the regs., per the GDPR

Personal Data:  Any information that identifies an individual or can be used along with other data to identify an individual.  That includes the normal information such as social security numbers, house addresses, phone numbers, email address but this reg. indicates that other items we normally do not associate with an individual such as the IP of their computer and social data among other things is considered personal data.  Those collecting information on their subscribers, such as preferences in color, finances, to a login name can be considered personal data if such data can use this to identify an individual.

Process Data: Is defined as any action that affects the data, including but not limited to storing, retrieving, collecting, recording, copying, moving, alternating, restricting and erasing.  In summary, if your lists of subscribers contain any personal data of any EU citizens you and your list provider falls under the GDPR.

Suggestions for List Owners with EU subscribers:

  • Review your privacy and security policies
  • Continue to allow your subscribers to unsubscribe from your list anytime they want to leave
  • Always include an unsubscribe link in your mailings
  • Only add email addresses to your list that are lawfully obtained
  • Make sure your subscribers are opted-in or doubled opted-in to avoid  issues
  • Review your list member records for accuracy
  • Tell your subscribers how their personal data is being used
  • You may have to change the way you collect list subscribers.  If you collect an address by offering a white paper download, for example, according to the GDPR, their email address cannot be stored and used because they didn’t actively agree, at that point,  that’s its okay to use their data.

Things to consider:

  • You may use the subscribers’ data by emailing to them, for example, update your subscribers’ profile, make corrections and changes.
  • Individual subscribers may contact your ESP directly to make corrections, changes, and updates to their profile page.
  • Individuals may ask you or your ESP what personal data you have concerning them

Noncompliance: Why worry?

An EU marketer must be concerned with the stricter regulations and high penalties.   A list owner with EU based subscribers must be concerned as well   As for the ESP, it’s our job to know and act as needed in these cases.

You can read more about the GDPR:

Discover, manage, protect and report.