The General Data Protection Regulation (GDPR) is a set of guidelines that dictates how individuals and companies may acquire, utilize, store, and delete the personal data of European Union (EU) users, including their email addresses and data associated with email marketing.
If you have subscribers based in the EU, you are responsible for following these regulations even if you operate outside the EU. It might sound overwhelming at first, but the reality is that GDPR is good for email marketing and can help improve the subscriber experience.
Let’s learn all about GDPR email marketing, including the steps you can take to stay compliant and how MailerLite can help.
If you handle customer data beyond email marketing, or use third-party tools that collect data, you should definitely check out the full set of regulations and talk to legal experts to ensure you understand the full extent of compliance.
Every time you collect an email address, name, home address, phone number, or IP address, you are obtaining someone’s personal data. If any of those people are in the EU, you must adhere to GDPR.
The GDPR was developed to modernize the current EU data protection laws with a stronger focus on an individual’s rights and privacy. While some of the legislation is stricter and the penalties for non-compliance are tougher, the ultimate goal is to improve trust in the digital ecosystem.
To that end, EU users have several rights that allow them to maintain control of their data. Here are the most important practices that apply to email marketing:
The right to erasure (also known as the right to be forgotten) gives someone the power to ask a company to delete ALL of the data that is associated with that person. This requires you to provide more than an unsubscribe button. If a user requests this, you must delete all the data stored in your databases and anything else associated with the user.
Subscribers also have the right to ask exactly how you are using their data and for what purposes. If a request is made, you’ll need to provide a personal data report at no cost to them.
Breach notification is also mandatory under the GDPR, which means you have 72 hours from becoming aware of the data breach to notify customers.
Data portability allows people to request their data, which means you would need to provide a file of all their data in a ‘commonly used and machine-readable format’.
At its core, GDPR is about giving people more control over their personal data and how others are allowed to use their data. For GDPR in email marketing, that means providing more transparency and clearer consent agreements when signing up new subscribers—which will make your campaigns even better and build trust in the long run!
Now that we’re clear about these best practices, let’s jump into 4 ways that you can keep your subscribers’ data safe and sound.
MailerLite has many tools that help make GDPR email compliance easier for you and your subscribers. Here are some features that will help you comply with the following GDPR requirements:
A) Right to be forgotten
B) Proof of subscriber consent
C) Identifying EU users
D) Data portability
The right to erasure is a GDPR mandate that allows subscribers to ask you to delete all of the data associated with them.
If someone makes a request to be forgotten, you can’t simply unsubscribe them or delete them from your list. Even when you remove a subscriber from your email list, the system keeps a history of the user. You must delete all their data permanently.
This means you need an easy way to delete EVERYTHING about the subscriber.
When you use the Delete function in the subscriber section of MailerLite, the information is not entirely removed. The reason for this is simple. If that person later resubscribes, their history is still there so you don’t have to rebuild their profile.
MailerLite has a feature called Forget that completely wipes a person’s data from our system. This function was built specifically for GDPR email compliance with the right to be forgotten. Here’s how it works:
On your subscriber page, there is a button called Actions.
When you choose the Forget option, the subscriber’s data will be completely removed. Everything will be permanently deleted including reports, clicks, and profile data.
This will allow you to comply with GDPR. That said, it is a major step to completely remove a subscriber, which is why we implemented an additional confirmation.
Everyone makes mistakes. The last thing you want to do is delete a happy subscriber’s information by accident. As a safety measure, you will need to confirm the deletion.
When you hit the Forget button, the user’s data will be completely wiped from the system within 30 days.
We built this Forget feature to make it easy for you to comply with this GDPR email marketing rule. But we hope you will never have to use it!
Obtaining active and explicit consent from subscribers is a huge deal for GDPR and email marketing. Sending emails to people who don’t want them can cause a lot of problems within the GDPR framework if they complain.
You need to have a record of their consent. The burden of proof is on you to provide the documentation proving that a subscriber agreed to share their data, including:
A timestamp of subscriber consent (time, date, location)
The source of the opt-in (website, social media, etc.)
If you are not sure that you have this information, MailerLite might be able to help you find it.
When you use MailerLite signup forms to acquire subscribers, we capture the IP address, location, date, time, and source of the subscription.
We also have separate opt-in fields that show when a subscriber clicked on a double opt-in email.
This information is collected when you use double opt-in, and it solidifies your documentation of where and when your subscribers consented.
MailerLite displays this information in your subscriber profiles. It is important to note that you can only get this valuable proof from users who subscribe through MailerLite forms.
If you want more information about GDPR opt-in forms, here’s a whole article dedicated to it.
While most of you have subscribers all over the world, the GDPR only applies to people who are in the European Union.
If subscribers sign up with a MailerLite form, our location tracking capabilities can determine which country the person is signing up from. You can use this information to see if a particular subscriber is likely to be from an EU country.
It’s important to note that there is a chance an EU citizen is living abroad in a non-EU country. In these cases, it is impossible to identify them as EU users. But GDPR states that you only need to make a reasonable effort to determine a person’s status.
MailerLite has a rule in the subscriber filter called Location where you can sort your subscribers by where they're based.
This feature only works with subscribers that come through a MailerLite form. Location-based identification will not work for subscribers imported from a file or other sources.
Once you identify EU users, you can target them with GDPR-specific emails and requests.
Since each individual has the power to request or delete their data, you need to think about what data you really need and what data you can live without. The more data you collect, the more documentation and management are required to address a data request quickly.
If you prefer to collect a lot of customer data for your marketing initiatives, it’s important to note that the GDPR definition of personal data is far-reaching and includes things like behavioral data, IP addresses, and biometric and financial data. Basically, anything linked to the individual is personal data.
MailerLite allows customers to download user data if someone makes a ‘right of portability’ request. As seen in the screenshot below, you can export and save subscriber data to a PDF (Print) or a JSON file (the most popular format to transfer data).
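The three subscriber rights this article leans on (proof of consent backed by double opt-in, the right to be forgotten, and data portability) can be shown together in one small consent ledger. The code below is an added example, not MailerLite's code or any part of its product: the ConsentLedger class, its field names, the signing key, the short EU country list and the sample subscriber are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed signing key for double opt-in tokens. Assumption: a real
# deployment loads this from a secrets store, never from source code.
SIGNING_KEY = b"example-only-signing-key"

# Constructed, non-exhaustive country list used only to illustrate the
# "identify EU users" step; keep the real list from an authoritative source.
EU_COUNTRIES = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE"}


def utc_now():
    """Timestamps are stored in UTC so consent records compare across regions."""
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    """Hypothetical in-memory ledger: profiles, consent events, pending opt-ins."""

    def __init__(self):
        self.profiles = {}   # email -> profile dict
        self.events = {}     # email -> list of consent-related events
        self.pending = {}    # email -> (nonce, purposes) awaiting double opt-in

    def record_signup(self, email, ip, country, source, purposes, now=None):
        """Capture what the person agreed to and where, when and how they did it."""
        if not purposes:
            # Active consent: an untouched form submits no purposes, so reject it.
            raise ValueError("at least one consent purpose must be actively ticked")
        self.profiles.setdefault(email, {"email": email, "confirmed": False, "purposes": []})
        self.events.setdefault(email, []).append({
            "type": "signup", "timestamp": now or utc_now(), "ip": ip,
            "country": country, "source": source, "purposes": list(purposes),
        })
        nonce = secrets.token_hex(16)
        self.pending[email] = (nonce, list(purposes))
        return self._token(email, nonce)   # goes into the confirmation email link

    def _token(self, email, nonce):
        # The HMAC binds the token to this address and nonce, so an altered
        # or guessed link cannot confirm consent for somebody else.
        mac = hmac.new(SIGNING_KEY, f"{email}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{mac}"

    def confirm(self, email, token, ip, now=None):
        """Double opt-in click: verify the token, then record the confirmation."""
        pending = self.pending.get(email)
        if pending is None:
            return False
        nonce, purposes = pending
        if not hmac.compare_digest(self._token(email, nonce), token):
            return False
        del self.pending[email]
        self.profiles[email].update(confirmed=True, purposes=purposes)
        self.events[email].append({"type": "double_opt_in", "timestamp": now or utc_now(), "ip": ip})
        return True

    def is_eu(self, email):
        """Reasonable-effort check based on the country captured at signup."""
        signups = [e for e in self.events.get(email, []) if e["type"] == "signup"]
        return bool(signups) and signups[-1]["country"] in EU_COUNTRIES

    def export(self, email):
        """Data portability: everything held on the subscriber, as JSON."""
        if email not in self.profiles:
            raise KeyError(email)
        return json.dumps({"profile": self.profiles[email], "events": self.events[email]},
                          indent=2, sort_keys=True)

    def forget(self, email):
        """Right to erasure: profile, events and pending tokens all go, not just the list entry."""
        found = email in self.profiles
        for store in (self.profiles, self.events, self.pending):
            store.pop(email, None)
        return found

    def is_known(self, email):
        return any(email in store for store in (self.profiles, self.events, self.pending))


def demo():
    """Walk one constructed subscriber through signup, confirmation, export and erasure."""
    ledger = ConsentLedger()
    token = ledger.record_signup("alice@example.com", "203.0.113.7", "DE",
                                 "blog-footer-form", ["newsletter", "promotions"],
                                 now="2024-01-15T10:00:00+00:00")
    forged = ledger.confirm("alice@example.com", "0" * 32 + ".deadbeef", "203.0.113.7")
    confirmed = ledger.confirm("alice@example.com", token, "203.0.113.7",
                               now="2024-01-15T10:05:00+00:00")
    exported = json.loads(ledger.export("alice@example.com"))
    return {
        "forged_accepted": forged,
        "confirmed": confirmed,
        "is_eu": ledger.is_eu("alice@example.com"),
        "export": exported,
        "forgotten": ledger.forget("alice@example.com"),
        "still_known": ledger.is_known("alice@example.com"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry the article's argument. The signup event stores the timestamp, IP, country, source and the exact purposes ticked, and the double opt-in event is a separate record with its own timestamp, which is the paper trail the burden of proof asks for. Erasure clears every store that mentions the address rather than flagging the list entry, which is the difference between an unsubscribe and a "forget".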
Your email marketing communications might be GDPR-compliant, but what about your outside partners and vendors?
Under GDPR rules, any third party that processes your users’ data is legally obligated to be in compliance. If you use a company that is not compliant, you can be held liable and suffer the consequences including paying high fines.
As you know, MailerLite is on top of GDPR compliance. We want to ease your mind and give you the confidence that your email marketing practices comply with GDPR.
To that end, we are happy to present our Data Processing Addendum, which establishes our GDPR compliance to give you peace of mind.
Let’s talk about some of the key aspects of our data processing addendum and provide a written statement that you can cut and paste into your own privacy policy. But first, a quick recap of why we need this.
GDPR is all about protecting your users’ data. If you use other companies to help you process data belonging to users in any way, you are required to enter into a written agreement with each data processor.
In GDPR language, you are considered the ‘data controller’. Your responsibility is to protect your users’ data by vetting your data processors. You need to establish that they are GDPR compliant.
But more importantly, legally binding contracts with your vendors will instill confidence in your subscribers that you have their interests in mind.
We created our Data Processing Addendum, which forms part of the Terms of Use, to cover the GDPR requirements as they relate to email marketing. Our goal is always complete transparency and our agreement mirrors this approach with clear details about our data collection including:
The data we collect
Why we collect it
How we use it
In compliance with GDPR, the agreement also covers our security measures, confidentiality policies, and our acknowledgment and approach to working with other vendors (also called sub-processors).
After you start using MailerLite, it is important that you update your privacy policy to include how and why MailerLite processes your users’ data.
You can review MailerLite's Data Processing Addendum here.
According to data privacy laws, you have to clearly describe how you plan to use your subscribers’ data, including for your use of third parties like MailerLite.
You have to state each data processor separately and clearly explain how and why they are using the data. To make your life easier, we wrote a statement about MailerLite that you can simply add to your privacy policy.
We use MailerLite to manage our email marketing subscriber list and to send emails to our subscribers. MailerLite is a third-party provider, which may process your data using industry-standard technologies to help us monitor and improve our newsletter.
MailerLite’s privacy policy is available at https://www.mailerlite.com/legal/privacy-policy
You can unsubscribe from our newsletter by clicking on the unsubscribe link provided at the end of each newsletter at any time.
Under GDPR, people have a right to know how their private data is handled. If you don’t have a privacy policy, you should seriously consider adding one.
We’ve included some of the basics to help you get started. In general, most privacy laws require you to inform users of:
Your name (or business name), location, and contact information;
What information you’re collecting from them (including names, email addresses, IP addresses, and any other information);
How you’re collecting their information, and what you’re going to use it for;
How you’re keeping their information safe;
Whether or not it’s optional for them to share that information, how they can opt-out and the consequences of doing so;
Any third-party services you’re using to collect, process, or store that information (such as an email newsletter service, or advertising network).
The GDPR has added many requirements to consider with email marketing—especially when it comes to opt-in forms.
GDPR regulations talk a lot about subscriber opt-in, specifically making sure that you clearly explain your intentions (explicit consent) and that you empower users to actively give their consent (active consent).
Beyond being as transparent as possible with your consent forms, you must keep a record of every subscriber’s consent. The burden of proof is on you to prove that the individual consented to your terms. One way to accomplish this is through double opt-in, which provides a paper trail of the transaction. You can learn how to set it up in this help article.
Our embedded form feature includes the tools you need to comply with these GDPR requirements. There are also lots of design options that will help you create more engaging opt-in forms.
Before we dive into our embedded form features, let’s first review the GDPR requirements that you’ll need to keep in mind when building your opt-in forms.
As we briefly mentioned above, explicit consent means that you need to clearly communicate exactly what the individual is agreeing to and what the data is being collected for. We have pre-written texts in our templates to help you get started.
Active consent means your subscribers need to initiate the consent. You can no longer pre-tick the checkbox and make the user untick it—they must actively click the checkbox for the permission to be valid.
If you are just asking someone to give consent for one purpose, you can use a few sentences instead of checkboxes to explain what people are agreeing to.
Checkboxes are required when you want to use their data for multiple purposes. For example, if you ask someone to provide their data to receive your newsletter and also for promotional emails, you need two clear options for consent. In this case, checkboxes should be used.
Our forms include checkbox options for bundled consent and pre-written text that you can use or edit to explicitly communicate how and why you are using the information. Let’s take a look!
Our embedded form editor has the same design options and functionality as our landing page and pop-up builders. You can also access GDPR-compliant options within the form settings.
Not only will your forms help you to comply with GDPR, but they can also be a beautiful accessory for your website or landing page.
With MailerLite, you can choose from vertical and horizontal layouts, and add an image to the form (a picture speaks a thousand words, after all 😉 ).
You can also customize your form’s background, button design, custom input fields, and fonts—making it extra eye-catching and compelling!
We wanted to make GDPR email compliance easier by including settings that auto-populate your web forms with the necessary consent fields.
You can add multiple checkboxes, segment subscribers with hidden fields, insert GDPR permissions, and send users to your own success page.
All of these options are customizable so you can edit the design or text to fit your specific needs. Let’s take a closer look at each option within Form Settings:
While checkboxes are not mandatory for GDPR and email marketing purposes, you will need them if you are asking for subscriber consent of multiple items or if you need acknowledgment of your Terms. If you include a checkbox for your Terms or Privacy Policies, you can add a hyperlink so the user can review them on your site.
You can segment your new subscribers based on where they opted in. For example, you can create one group that came from your blog and another from Facebook. This allows you to engage them in different ways and it also helps you identify their source of consent.
Instead of using a standard confirmation page after someone subscribes, you can send them to your own URL. This gives you the flexibility to continue your engagement with your new subscribers.
Your pop-ups and landing pages are fully customizable, with the same form editor and design options as embedded forms. They also have GDPR-friendly form settings, with options including checkboxes and pre-written text permissions.
As we said before, it is critical that you keep a record of your subscriber’s consent. The burden of proof is on you to prove that a subscriber agreed.
All of the information from our embeddable forms, pop-ups and landing pages is automatically updated in the subscriber’s profile within MailerLite. If a subscriber checks one of three boxes on your form, our system will only show you the permissions that they actively agreed to.
With MailerLite, we’ve made it super easy for your email marketing to be GDPR compliant—from embracing the GDPR-friendly features available, to creating data processing agreements and privacy policies, to adapting your opt-in forms.
Keep all of these best practices in mind, and your subscribers’ personal data will be safe and secure, while you rest assured that your email marketing campaigns are in line with GDPR.
If you have any unanswered questions about email marketing and GDPR, leave us a comment below.
Editor's note: This article was originally published in 2018. It has been updated with new insights and best practices.