GDPR for Email Marketing: Webinar Show Notes

13 Jul 2018 14 min read

Things might have been quiet on the GDPR front for the last month, but that doesn’t mean it’s over. Breach of GDPR can attract fines of up to €20 million or 4% of revenue, and with Australia likely to introduce similar laws later this year, we teamed up with email marketing experts SmartrMail to demystify what GDPR means for Aussie retailers (and the answer is not ‘nothing’).

We had hundreds of people register and there were some great insights for all. Click below to watch the full webinar, or check out the show notes and some of the key learnings.

What is GDPR?

GDPR, or the General Data Protection Regulation, is a 90-page set of regulations, effective from May 25, 2018, that applies to all businesses that serve customers in the European Union (EU). The rules are broken into two parts:

  1. Rights for users: control over and transparency about their data and how it’s processed.
  2. Regulations for companies that process data, to ensure they do so responsibly, and making it mandatory that they can show their work in case regulators come knocking.

SmartrMail <3 GDPR

For us at SmartrMail, we love GDPR (minus all the work we had to do!). Privacy does matter, and we believe that given the current state of the web, where a handful of five companies own most of it and trust is quickly eroding (as the recent Facebook scandal showed), any way you can build trust with your customers is going to help you get more sales.

Does GDPR apply to me if I’m only selling in Australia?

Even if you’re an Australian business, if you sell to EU customers or residents these regulations do apply to you. It’s easier to treat everyone the same.

We think it’s going to soon become a global standard. GDPR might be really stringent, but it is rumoured that Australia will likely introduce similar regulations this year, and if that comes around Christmas time you really don’t want to be implementing new privacy changes at that time of the year. So it’s easier to implement everything now; then, when Australia does implement our own regulations, you already comply with the most stringent requirements and you’re giving your customers the trust they need to buy from your store.

GDPR Roles

  • Subject = Customer
  • Collector = You
  • Processor = Any tools or apps you might use in your tech stack, like Neto and SmartrMail.

Where does the responsibility lie for GDPR?

It’s your responsibility.

You have the primary responsibility to make sure you comply and that the technology you use is compliant as well.

But it’s ours too*

That being said, it’s our responsibility too, and from our end we see it as our job to do everything in our power to give you the tools to be compliant and make them as easy to use as possible.

What Does GDPR Legislate and How Does it Affect Email Marketing?

  1. How you collect and use data
  2. How you and your processors secure personal data
  3. How you enable and support your customers’ rights to understand and control their data.

The first part of the regulations covers what personal data is, so first, let’s define ‘data’. Today, data encompasses a lot more than what was previously referred to as PII, or personally identifiable information.

Under US regulations PII referred to information like names and email addresses, but under GDPR that’s all changed. Now all data that can be used to identify a person is included: IP addresses, user IDs, or any consistently hashed data (a deterministic hash of an email address still points to the same person every time, so it still identifies them). Anonymised information, or information that is not consistently hashed, is okay.

Any data that can be used to identify a user

There are also new regulations on sensitive data (which you shouldn’t have on SmartrMail anyway). This includes race, ethnicity, political views etc. If it’s on SmartrMail, take it off, and if you are collecting it we recommend you consult a lawyer.

1. How You Collect and Use Data

How you collect data is the first part of ensuring compliance. You must explicitly state what your customers are opting into and what you will do with their data, whether that be an email newsletter or only a single contact request.

Explicitly say what is being opted into

You can’t just say ‘enter your email here to get 10% off’ and then add the person to your newsletter list. You must say ‘enter your email here to join our newsletter and you will get 10% off’.

Explicitly say what you will do with their data

Within your privacy policy, forms or double opt-in you need to say ‘you will get emails from us that contain information about new products and our store’.

We see a lot of stores collect emails from quotes and then add them to their newsletter, or when people have five stores across SmartrMail they will add one subscriber to all their lists. Outside of GDPR people don’t appreciate this and you’ll end up with really low open rates, but now with the introduction of GDPR this is no longer compliant.

Must be a positive opt-in

Often when somebody makes an order from your store they’ll automatically be subscribed to your list. With GDPR that’s no longer the case: people must positively opt in to your list. You can’t have a pre-ticked box; someone must manually subscribe to your list by ticking the box themselves.

Opt-ins must be:

  • Specific - You must explicitly ask visitors if they want to be on your list. You can no longer offer a visitor 10% off and then add their email to a newsletter list.
  • Informed - You have to specifically explain what they will receive by handing over their data to you. Visitors have to understand what offers they’ll be getting.
  • Unambiguous - There can’t be any question of whether a visitor intended to give consent. You can’t include a check box that defaults to being checked as “yes.”
  • Freely given - You can’t refuse an offer if the visitor doesn’t subscribe to your list, or force them into anything. In other words, if subscribing to your list is required to complete an order, that consent isn’t freely given.

2. How You and Your Processors Secure Data

You have the primary responsibility to make sure you comply and that the technology you use is compliant as well. So number two is all about what falls under us as data processors. You probably got lots of emails from providers like us and Neto about how we’ve updated our privacy policies, but what that really boils down to is the following:

What we’ve done at SmartrMail:

  • Appointed a data protection officer in the EU - SmartrMail is a distributed team with an officer in the EU, and data will be handled by them.
  • Added a Data Protection Addendum (DPA) to our privacy policy.
  • Put technical measures in place to secure data and delete it on request, and disclosed our third-party data processors within our privacy policy. There are lots of good tools you can use to add these processors to your own policy and make sure the information is visible on your privacy policy. So if you’re using tools like Adroll, Neto or SmartrMail, your customers will be able to see who else has access to their data.

3. How You Enable and Support Your Customers’ Rights To Their Data

The right to be forgotten

Your users can request that all the data you have on them be given to them, deleted or anonymised within 1 month (which is actually a long period of time). But we’ve created tools in SmartrMail so that you can do this in about five minutes, or the customers can delete their own data.

1. GDPR Double Opt-in

Opt-ins with GDPR can’t be forced. If you have a pop-up that offers 10% off for subscribing to your list, the discount code goes on the thank-you page of the pop-up. If you want someone to subscribe to your list and you have all these different checkboxes, it really creates a bad user experience, so we’ve put that extra information in our double opt-in. You can go into your customised form page in SmartrMail and do this for any form (or remove it if you don’t want to be GDPR compliant!).

What this means is that you can have a pop up that says ‘get 10% off if you join our newsletter’, you can give the visitor the code within the pop up and then send them a double-opt-in email, saying ‘hey do you actually want to be a part of our newsletter’, and there’s a snippet about SmartrMail to ensure they agree to our terms of service as well.

SmartrMail's double opt-in email to ensure GDPR compliant 'freely given consent'

2. How to deal with a deletion request

SmartrMail wants to make it really easy for you or your customers to delete their data. In SmartrMail, navigate to their customer profile: literally just click ‘delete’ in their customer profile and it’s gone.

Delete a subscriber's data in a single click from their customer profile in SmartrMail

We don’t want you to have to deal with a flood of requests if you do get them, so we’ve made it really easy for your customers to delete their data too. If someone does unsubscribe from your list, you’ll see a message that says ‘do you wish to delete all of your data accessible from this sender’ and that will do the same thing as if you as the business did it yourself. So it puts the power in their hands and hopefully you don’t have to deal with that request from customers.

Customers can easily delete their data in SmartrMail too

3. Accessing data

If your customers say ‘hey I want all the data on me’ you can easily access the list of data from their customer profile, export that list and you’ll see all of the rows of data SmartrMail has on them.

Export a customer's data in a single click in SmartrMail
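The double opt-in flow, the deletion request and the data export described in the three sections above, as an added Python illustration that is not SmartrMail’s or Neto’s code: a small consent ledger that refuses a pre-ticked box, records the stated purpose and the time of the tick as evidence of opt-in, allows marketing only after the link in the confirmation email has been clicked, and supports a subject access export and erasure. The class and field names, the token format and the seven-day confirmation window are assumptions.

```python
"""Consent ledger with double opt-in, subject access export and erasure.
Added illustration, not SmartrMail or Neto code; names and the 7-day
confirmation window are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

CONFIRM_WINDOW = timedelta(days=7)  # assumed: unconfirmed requests lapse after a week


def _hash_token(token: str) -> str:
    # Only a digest is stored, so a copy of the database cannot be used to
    # "confirm" a subscription on the subscriber's behalf.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    email: str
    purpose: str                       # what the subscriber was told they'd receive
    source: str                        # which form or pop-up collected the address
    requested_at: datetime             # evidence: when the box was ticked
    confirmed_at: Optional[datetime] = None   # set only by the double opt-in click
    pending_token_hash: Optional[str] = None


class SubscriberStore:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def request_subscription(self, email: str, purpose: str, source: str,
                             box_ticked: bool, box_prechecked: bool,
                             now: datetime) -> str:
        """Step 1: the visitor ticks the box. Returns the single-use token that
        goes into the double opt-in email. Any discount code is given to the
        visitor independently of this step (the pop-up shows the code itself),
        so the offer is not conditional on confirming."""
        if box_prechecked:
            raise ValueError("a pre-ticked box is not unambiguous consent")
        if not box_ticked:
            raise ValueError("consent requires an affirmative action")
        if not purpose.strip():
            raise ValueError("the purpose must be stated so consent is informed")
        token = secrets.token_urlsafe(32)
        self._records[email.lower()] = ConsentRecord(
            email=email, purpose=purpose, source=source,
            requested_at=now, pending_token_hash=_hash_token(token))
        return token

    def confirm(self, email: str, token: str, now: datetime) -> bool:
        """Step 2: the link in the double opt-in email is clicked."""
        rec = self._records.get(email.lower())
        if rec is None or rec.pending_token_hash is None:
            return False                      # unknown, or already confirmed
        if now - rec.requested_at > CONFIRM_WINDOW:
            return False                      # stale request, must re-subscribe
        if not hmac.compare_digest(rec.pending_token_hash, _hash_token(token)):
            return False                      # wrong or forged token
        rec.confirmed_at = now
        rec.pending_token_hash = None         # token is single-use
        return True

    def can_send_marketing(self, email: str) -> bool:
        rec = self._records.get(email.lower())
        return rec is not None and rec.confirmed_at is not None

    def export(self, email: str) -> Optional[dict]:
        """Subject access request: everything held on the person, minus the secret."""
        rec = self._records.get(email.lower())
        if rec is None:
            return None
        data = asdict(rec)
        data.pop("pending_token_hash")
        return data

    def erase(self, email: str) -> bool:
        """Right to be forgotten: remove the whole record; True if something was deleted."""
        return self._records.pop(email.lower(), None) is not None


if __name__ == "__main__":
    store = SubscriberStore()
    t0 = datetime(2018, 7, 13, 9, 0, tzinfo=timezone.utc)       # constructed sample time
    tok = store.request_subscription("Ada@Example.com", "emails about new products and our store",
                                     "popup-10pct", True, False, t0)
    print("can send before confirm:", store.can_send_marketing("ada@example.com"))
    print("confirmed:", store.confirm("ada@example.com", tok, t0 + timedelta(hours=2)))
    print("export:", store.export("ada@example.com"))
    print("erased:", store.erase("ada@example.com"))
```

The record keeps the purpose text and the timestamp of the tick, which is the evidence of opt-in the Q&A below says you need; the export deliberately omits the token digest because it is an operational secret rather than data about the person.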

Other must knows

  • Fines are big - up to €20 million or 4% of revenue.
  • Immediate data breach response - this is already a regulation outside of GDPR, but if our data is breached it’s our responsibility to let our customers know immediately. If one of your processors is breached and the breach includes your customers’ data, then you have to let your customers know too.

The Bottom Line

In today’s world the customer is in control, and they’re in control of their data. Everything we’ve designed in SmartrMail is with that in mind. And for anything you do for your store, you can know that you’ve given your customers all the info they need and that you can easily give them their data too.

Live Q&A

Q. Why is subscribe newsletter still automatically ticked when we add a new customer in the backend? Surely we can’t add the tick without explicit approval from the customer?
A. You shouldn’t be adding a customer to your list unless they’ve explicitly opted-in, you also need proof of that.

Q. If someone unsubscribes a friend from a forwarded email does it means they can delete all their friend’s data?
A. Unsubscribe links are unique to that actual customer, so unfortunately yes, if someone does forward that email to a friend they can unsubscribe their friend. But I think it’s a pretty edge case and won’t happen very often, and also the unsubscribe is on the second page, so it’s a two-step process.

Q. When deleting all customer data, do I have to delete all manually sent emails between us?
A. No, you don’t. If it’s just personal emails on your Gmail where you’ve emailed back and forth manually, then that’s a manual process to delete them. Both Neto and SmartrMail have tools to delete customer data within the platforms.

Q. Do I have to delete the data the customer provided when they purchased goods, such as name, email, delivery address?
A. Yes, if you get a deletion request you will have to delete within Neto and also within SmartrMail.

Q. You mentioned that by deleting a customer in Smartrmail, it removes all of their information, but I just wanted to confirm whether it removes their information from NETO as well? Or just Smartrmail?
A. No, just for the moment, deleting it in SmartrMail just deletes it within SmartrMail; however, we are working on tools at the moment so that if people delete within Neto it will go back to SmartrMail (but I don’t think it will ever happen in the opposite direction).

Q. How is SmartrMail different from Mailchimp?
A. SmartrMail is personalised and easy to use; we’ve created tools to help you send personalised product recommendations based on data from within Neto. We’ve also created tools that help you quickly and easily create emails that pull your products directly into your emails with images, prices and descriptions, making that design process so much easier. Because if you’re spending time on the set-up and design process, you’re not setting up automations or targeting, which is what is going to get you sales.

Q. Do we need to ask for permission if we send information to our installed (ie our regular) users? It is not marketing - just some PR to give them extra information.
A. Permission needs to be explicit - If you say you’re just going to give them a quote and then you send them your newsletter, that is not GDPR compliant.

Q. Is there a feature already where we can create multiple headers from multiple lists?
A. It’s not multiple headers from multiple lists, but it’s multiple headers across multiple emails. For example, different headers from brand a and brand b, or different headers for abandoned carts emails.

Q. I have Neto mail and use Aus Post. Is there a way you can automatically send an email once Aus Post has delivered?
A. Not at the moment, SmartrMail only currently deals with marketing not transactional emails. I believe Neto has its own features to deal with this.

Q. Do you have a recommended copy of what needs to be updated in our Privacy policy?
A. Search ‘ecommerce platforms privacy policy’, there’s a few examples out there. Basically you need to:

  • Appoint a Data Protection Officer
  • State who your third party processors are
  • Explain what you are going to do with their data

Privacy policy generators: iubenda, getterms, your lawyer!

Q. If a customer chooses to delete the data is this automatic or do we have to manually delete this?
A. Deleting data after an unsubscribe is completely automatic; you don’t have to do anything. But if they make the request to you, it’s easier for you to go into their customer profile and delete it yourself.

Q. Are you cheaper in cost than Mailchimp?
A. We have a few different plans, we try to price consistently with Mailchimp. Our advanced plan is higher but we offer more features, priority support and phone support in Australia. View our plans here.

Q. Do I need to go back to my whole database and ask them to re-opt-in now?
A. No, that’s one of the biggest myths of GDPR. As long as you have evidence of their opt-in you don’t have to, even though you’ve seen a million emails from other businesses. However, if you don’t have evidence and maybe you created your list 7-10 years ago, we’ve created a really easy tool within SmartrMail to generate a re-opt-in email on your own account with a one-click button (reach out to us to do this).

Q. We’re a New Zealand e-commerce store with customers only in NZ, although we have a few newsletter subscribers in the EU. If we are not fully compliant with GDPR, will it affect our SEO or Google ranking etc. even though we’re not selling to the EU?
A. I'm not entirely sure on SEO but you can also segment these customers out depending on their location.

Q. Does SmartrMail have the ability to have first and last names added to the email address yet when someone subscribes?
A. Yes this is available.

Q. Can you offer a discount voucher for newsletter sign-up? i.e. save $20 off your first order for signing up.
A. Yes indeed, however, you have to be explicit on the fact that they are going to be added to your subscribers list + send the double opt-in email (which we automatically do for you).

We hope these insights and key takeaways have been helpful for ecommerce marketers and business owners looking to get ahead with GDPR!

If you want to watch the webinar in full, you can watch it here, and if you're a Neto customer looking for a top-notch ecommerce email marketing platform that will help you deal with GDPR in minutes not days, click here to get 30% off your first six months.