Top Questions about GDPR in Email Marketing


GDPR became applicable on May 25th, 2018.

Not a single day has gone by without hearing or reading about how it changes the way we do business and how much marketers will lose in the long run.

And what we hear is only partly true.

Implementing all the necessary changes to stay compliant with GDPR isn’t an easy thing.

We’ve been there, too.

Hey, we’ve even shared our GDPR Plan, which you might have seen on the blog before.

To make your lives a little bit easier, we’ve decided to answer some of the most frequently asked questions regarding GDPR and email marketing.

This post is for informational purposes only. Please do not treat it as a substitute for a professional legal opinion. Always consult your lawyer or other professionals responsible for data protection within your organization. In no event shall GetResponse be liable for any indirect, special, incidental or consequential damages arising out of any use of or reliance on any content or materials contained herein.

1. Now that GDPR applies, how should I get consent?

Let’s start by answering the following question:

Why do you need your contact’s consent?

The answer: GDPR states that, unless you have another legal basis to process data (e.g. you need it to perform a contract), you need to ask your contacts if it’s okay to process their personal data.

What’s important is that processing doesn’t only refer to obvious activities like sending marketing communication. Storing data, for example, is considered processing, too.

Having that out of the way, let’s look at how GDPR defines consent:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

That’s all good, but how does it work in practice?

You can still use the most popular methods such as signup forms, landing pages, or webinars.

Nothing’s changed here.

The process remains the same: someone fills out a form, clicks on the signup button, and ends up on your email list.

What’s changed, however, is what you should include in your forms, so that people can make a more informed decision, whether or not they want to join your list.

Under GDPR you have to be more transparent about why you’re requesting people’s data, what legal basis you have for collecting it, what you’re going to do with it, how people can withdraw their consent, and so on.

There are multiple obligations you have to meet to be able to get consent and stay GDPR compliant.

We’ve covered them in the Getting Consent chapter in our GDPR Guide.

One way to help your contacts make a more informed decision is to add a privacy notice to your forms.

This could be a few paragraphs of text and links directing to key pages (e.g. privacy policy), placed above the signup button.

Below is an example of our newsletter signup form that includes the privacy notice right above the call-to-action button.

[Image: GetResponse GDPR-compliant newsletter signup form]

What about a checkbox?

You don’t need consent (or, accordingly, a checkbox) if you’re going to process the data to carry out a contract (e.g. ship the product to your customer) and you’re not going to use it for other purposes, like sending marketing or promotional communication. However, if you want to use it for other purposes, you’ll need consent too, along with additional checkboxes.

But let’s say you’re running an ecommerce business.

If you want to keep contacting your customers after they’ve received your product in their mail, you’ll probably want to use an additional checkbox in your registration form.

Not because checkboxes are obligatory in the signup forms. But because you’re asking for the permission to process their data for reasons other than what’s required to perform the contract.

Similarly, if you want to send marketing materials to people who download an ebook from your resource center, you might want to use an additional checkbox.

That’s what we’ve done for our Resource Center forms.

Thanks to the additional checkbox, we’ll be able to send updates about new guides or webinars to the contacts who decide to check it, and at the same time be sure that they are sent only to people interested in receiving them.

[Image: GDPR checkbox in a GetResponse form]

How about the people who don’t check the box? 

GDPR states that your audience needs to explicitly give their consent – and you can’t make it a pre-condition for providing a service.

That’s why your checkbox shouldn’t be pre-checked, and neither should it be a required field.

Like in our example above, if you want to download an ebook, you can do it, but you won’t be added to our newsletter list unless you explicitly give your consent by checking an additional box.

What about proof of consent?

You also need to be able to prove that your contacts have opted in.

And this applies to everyone who’s joined your list, no matter if it was before or after GDPR came into force.

So, do make sure that your forms are working and people get signed up to your newsletter lists, but also that you have the proof that they explicitly wanted to opt in.

What about confirmed or double opt-in?

Confirmed opt-in can work wonders.

In Germany for example, where confirmed opt-in is obligatory, the average email open rates are around 40%.

Now compare that to a global average of 24.88%.

But is confirmed opt-in obligatory under GDPR?

It’s not. But that doesn’t mean you wouldn’t want to use it.

The challenging part about using confirmed opt-in is that it most probably will reduce the number of incoming leads you’re going to get.

At the same time though, it’s going to help you improve the quality of your database – after all, only those who are truly interested in your content will join your list.

What’s more, it’ll also improve your deliverability and the likelihood of emails landing in front of your customers’ eyes.

And that’s also the essence of GDPR.

The changes you’re making to comply with GDPR will help you retain the customers who are truly interested in receiving your communication.

You’ll have a smaller, but higher quality list and will be able to draw better conclusions when planning your future campaigns.

Worth noting: bear in mind that using confirmed opt-in is meant to help you improve the quality of your list and your deliverability. But the fact that someone clicks the link in your confirmation message cannot be used as proof of consent.

To further prove that it’s not the end of the world, you might want to look at the data from our Email Marketing Benchmarks report.

As you can see from the chart below, marketers with smaller lists tend to get higher open and click-through rates.

One reason for this could be that they’re just better at understanding their audience and building lasting relationships.

[Chart: average results by list size]

2. How do I find out who’s given consent?

Let’s say you’ve edited your signup forms and landing pages, and you want to find out who’s given you the consent to process their data.

How can you identify these people?

There are several ways to do this, but the simplest one is to use Search Contacts and specify via which subscription form or landing page your new leads have joined your list.

As in the example below.

[Image: Search Contacts in GetResponse]

Once you’ve done it, you should get a list of all the people who’ve joined your database using your new GDPR-compliant signup forms or landing pages.

And if you click on the Contact details of any of the people you’ve identified, you’ll also find the opt-in proof.

It’s right at the bottom of the page, like in the example below.

[Image: opt-in proof]

How about if you used a checkbox?

You can still use the same method to identify the people who have given you the permission to process their data.

Alternatively, when setting up your forms and landing pages, you can make sure that everyone who checks the box is assigned a specific custom field, e.g. marketing_consent.

Then you can identify them using that custom field as your condition.

Just like in the example below.

[Image: marketing consent custom field used as a search condition]

How about if you ran a reconfirmation campaign and want to find the people who clicked on the reconfirmation link?

If you decided to run a reconfirmation campaign – which I’ll talk more about in a moment – you can find them using Search Contacts, too.

Choose: Contact actions » Link clicked » Message type » Message name » Specific URL

Similarly to what I’ve done in the example below.

[Image: newsletter course reminder]

3. Can we or our sales team reach out to people who downloaded our ebook or signed up for our newsletter?

If you’ve read my answer to the first question, I’m pretty sure you already know the answer to this one, too.

Whether or not you or your sales team can reach out to your contacts depends on what your contacts agreed to when they signed up.

If, apart from processing the data to perform a contract or provide a service, you want to send further marketing materials or offer a demo, then alongside the privacy notice you’ll want to add an extra checkbox for each channel (email, phone, etc.) you want to use to contact your audience.

4. Do I need to get consent from my contacts if I operate in different markets?

We’ve addressed this question in our previous article, where the Head of GetResponse Legal Department Aleksandra Kubis shared our GDPR Plan.

So here it is.

GDPR may apply if you’re a data controller or data processor:

  • based in the EU, even if you process data outside the EU.
  • based outside the EU, but process personal data of EU residents. This applies if you sell goods or services (or offer them for free), or monitor people’s behavior within the EU.

How do you know if you offer goods or services to people in the EU?

  • You use a language or currency common in one or more EU countries, to help people who live there take up your offer.
  • You mention customers or users who are in the EU.
  • You clearly target your offer to people in the EU.

In this case, you’ll need to comply with GDPR.

On the other hand, you probably won’t need to comply if you simply have a website, email address, or other contact details that can be accessed in the EU – and the language is common to your country (and not to any EU member state).

Let’s say you run an ecommerce business that aims only to target US customers. Your offer is in English only, you don’t offer international shipping, and all your prices are in USD. If despite all that, someone from the EU makes a purchase from your store and arranges the shipping themselves, you most probably don’t need to be GDPR-compliant.

5. How do I run a reconfirmation campaign?

If you’re unsure whether the consent you’ve previously gotten is still valid or you just want to be double-sure you’re operating according to the GDPR regulations, you might consider running a reconfirmation campaign.

To collect consent from your existing contacts you’ll need to follow these three steps.

Step 1. Identify the contacts that are subject to GDPR using the search conditions.*

* Please remember that if you’re based in the EU, then you should collect consent from all your contacts, regardless of where they’re located.

Step 2. Assign the consent custom field to them.

Step 3. Email them with a request to review their contact details and subscription settings.

We’ve covered the first two steps in our Help Center.

For the 3rd step, we’ve prepared three workflows that will come in handy. You can use these workflows as predesigned templates in our marketing automation tool.

Please note that all custom field values and tags shown here are used as examples and shouldn’t be used as specific recommendations for your own implementation.

The first workflow, which you can see below, sends a message to everyone who’s been assigned a tag called “consent_unknown”. These are the people you want to re-confirm.

[Image: GDPR consent workflow in GetResponse]

Then the workflow waits for seven days to check which of the users have updated their consent settings.

Those who’ve updated their settings and agreed to receive your communication will have a new tag assigned (consent_confirmed), and the previous one removed (consent_unknown).

Those who don’t update their settings will have a new tag assigned (consent_withdrawn), and the previous one removed (consent_unknown).

What happens next is for you to decide.

For example, you can move your newly confirmed users to a separate list or workflow, and run a new campaign that will continue building the relationship with them.

You can learn more about implementing this template in our Help Center.

The second workflow can be used if you’re importing a completely new list of contacts into your GetResponse account and you’re unsure about the status of their consent.

[Image: GDPR consent workflow 2 in GetResponse]

In this workflow, you’re sending a re-confirmation message to everyone who’s joined through that specific import.

Afterwards, similar to the previous workflow, it waits and checks whether the consent_confirmation custom field is updated within seven days.

If it is, and your users have agreed to receive further communication from you, they’ll get a new tag (consent_confirmed).

If they don’t update the custom field, they’ll be assigned a different tag (consent_withdrawn).

You can learn more about implementing this template in our Help Center.

The third workflow should be used if you want your reconfirmation campaign to be run continuously.

What it does is simply monitor whether someone updates their contact details and withdraws their consent.

If they do, they’re assigned a tag (consent_withdrawn) and you can, for example, move them to another list or workflow to avoid sending them further marketing communication.

[Image: GDPR consent workflow 3 in GetResponse]

You can learn more about implementing this template in our Help Center.

Time will tell

Even though GDPR has already become applicable, there are still many uncertainties about what we should do to be fully compliant and keep the business growing.

Along with our awesome Customer Success Team and Privacy Experts, we’re collecting all your GDPR questions and requests, and we’re doing our best to address them in this and future articles.

So if you want to read a bit more on this and stay updated, subscribe to our blog newsletter and keep checking for the next GDPR-related article.

Michal Leszczynski
Meet Michal Leszczynski, Head of Content Marketing and Partnerships at GetResponse. With 10+ years of experience, Michal is a seasoned expert in all things online marketing. He’s a prolific writer, skilled webinar host, and engaging public speaker. Outside of business hours, Michal shares his wealth of knowledge as an Email Marketing lecturer at Kozminski University in Warsaw. You can reach out and connect with Michal on LinkedIn.