The number of email addresses continues to grow, and in 2024 there are expected to be about 4.48 billion email users worldwide. Its large reach and direct contact with recipients make the email channel not only the most widely used marketing channel but also the most profitable one. It is no surprise that email marketing is still an important tool for customer acquisition and retention. Consequently, the demand for email addresses continues to grow.
If data is the new gold of the digital age, email addresses are the diamonds of any mailing list. If email addresses come with even more data, such as age, gender, place of residence or interests, we can even equate them with red diamonds, because more information means more precise segmentation of the data, which enables marketing emails to be sent to ultra-specific target groups and drives conversion rates.
But as the amount of data grows, so do not only the data-driven possibilities but also the relevance of, and responsibility for, data security. The GDPR was enacted in 2018 to regulate data processing and to protect personal data. Its strict principles have a major impact on email marketing and require companies to be conscientious when processing personal data.
In cooperation with our lawyer, Kaspar-Ludwig Stolzenhain, we have compiled the most important points for legally compliant email marketing. We also highlight how to leverage third-party lists in accordance with GDPR.
- A brief overview of GDPR Regulations
- What is personal data?
- GDPR compliance for email marketing
- Consent is essential
- Single Opt-In vs. Double Opt-In procedure
- GDPR compliant unsubscribe process
- Imprint obligation also applies to newsletters
- Documentation of collected data
- What to consider when working with third-party data?
- Purchasing third-party records
- Leveraging third-party records
1. A brief overview of GDPR Regulations
The General Data Protection Regulation (GDPR) is a data protection law drafted and passed by the European Union (EU) in 2018. The law applies to all individuals and businesses that offer goods and / or services to people in the European Union (EU) or collect and analyze data of EU citizens, regardless of their location. The purpose of GDPR is to provide standardized data protection laws across all member countries. The goal is to protect the fundamental rights and freedom of the individual, in particular the protection of personal data.
In order to regulate the processing of personal data, Article 5 GDPR describes seven basic principles for data processing:
- Lawfulness, fairness, and transparency: The processing of data needs to be based on a legal foundation. The data subject must be informed about data processing.
- Purpose limitation: Data subjects should be informed about the purpose of data processing in a clear and legitimate way at the time the personal data is collected.
- Data minimization: The data collection should be appropriate to the purpose and limited to a necessary minimum.
- Accuracy: Personal data must be correct and up to date. Incorrect data must be deleted or corrected immediately.
- Storage limitation: Personal data may only be stored for as long as it‘s necessary for the purpose of data
- Integrity and confidentiality: Ensure appropriate security of processed data and protect data against unlawful processing or accidental loss, accidental destruction, or accidental damage.
- Accountability: The person responsible for data processing is responsible for providing evidence of compliance with these
1.1 What is personal data?
According to Article 4 GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. In other words, it is understood to be data with which an individual can be identified. As per Article 4, this is possible with a “reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The most common personal data are:
- Phone number
- Email address
- Bank account details
- IP address
- GEO data
Physical data such as appearance is also personal data. In addition, personal aspects that relate to a data subject are considered personal data. This includes, for example, the economic situation, health, personal preferences or interests of a person. Such information is used by companies to analyze and predict a person’s behavior. This excludes the special categories of personal data whose processing is prohibited under Art. 9 GDPR (“racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership”, etc.).
When it comes to data processing, GDPR does not differentiate between end consumers (B2C) and companies (B2B) – personal data according to GDPR includes both types of recipients.
2. GDPR compliance for email marketing
Email marketing is all about reaching out to your (potential) customers. This is not possible without processing personal data. Consequently, GDPR has a huge impact on newsletter marketing. It’s crucial to observe the data protection rules; otherwise, you risk high sanctions in the form of fines. We’ve summarized the key points you need to consider for GDPR-compliant email marketing.
2.1 Consent is essential
When collecting data, the data subject’s consent is required. As part of the consent, recipients must be informed about the purpose for which the data is being collected. It must be clear what type of emails will be sent to the specified email address in the future. For example, if you obtain an email address through a white paper download, you cannot use this email address for any other purpose unless you explicitly indicate the use for marketing purposes in your registration form.
So-called “check boxes” are often used to obtain compliant consent from the data subject. Here it’s important that users activate/tick the box themselves in order to keep the consent voluntary. Pre-activated check boxes are not allowed.
The following information should be part of your registration form in order to ensure GDPR-compliant consent:
- Purpose of data collection
- Products or services to be advertised
- Name of the advertising company/companies
- A note on the right to withdraw consent
When it comes to existing customers, the situation is different. According to Art. 6 Para. 1 S. 1 lit. f GDPR, processing is considered lawful for the purposes of legitimate interests. However, this article needs to be read in conjunction with recital 47 sentence 7 GDPR and Section 7 (3) UWG. According to recital 47 sentence 7, “processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” In addition, newsletters may be sent according to Section 7 (3) UWG under the following conditions:
- The customer’s email address has been obtained in connection with the sale of goods or services.
- The email address of the existing customer may only be used for direct advertising of the company’s own similar goods or services, not for goods and services of third parties.
- The customer has not objected to the use of the email address.
- Each time the email address is used, it is clearly indicated that the customer can object to such at any time without costs arising.
Let’s have a look at an example. Here we show you how Audience Serv complies with GDPR requirements. When collecting data, Audience Serv expressly refers to marketing purposes. By sending email campaigns ourselves, we meet the requirements of GDPR.
2.2 Single Opt-In vs. Double Opt-In Procedure
Unlike the single opt-in (SOI) procedure, the double opt-in (DOI) procedure is the most secure way of collecting data for your mailing lists. But what is the difference?
The single opt-in procedure describes a simple registration process in which the data subject registers in just two steps:
- Data subject fills out a registration form.
- Data subject clicks on “Submit” and provided information will be saved in the operator’s database.
With the double opt-in procedure, a new subscriber receives an automatic email with a confirmation link. By clicking the link, the user verifies the registered email address and the consent to receive marketing emails. This extends the registration process by one step:
- Data subject fills out a registration form.
- Data subject receives a confirmation email for the opt-in and clicks the confirmation link.
- Submitted data of data subject is saved in the operator’s database.
The double opt-in procedure is considered best practice for email marketing, although GDPR does not strictly require it: under the General Data Protection Regulation, digital proof of the date and time of registration is sufficient. Nevertheless, DOI produces qualified data and is preferable to SOI. The DOI not only ensures the consent itself but also the correctness of the email address. This way you can avoid collecting “fake emails”, which ultimately damage your reputation.
Audience Serv uses DOI procedure to generate leads in order to ensure the highest data quality for our clients and also to maintain our excellent deliverability and our good reputation. Audience Serv attaches great importance to legally compliant data collection and also follows industry-specific recommendations such as the CSA criteria. In addition, by signing the “Quality Standard Email Marketing” of the DDV, Audience Serv undertakes to comply with applicable principles in email marketing.
- Every purpose requires a separate consent. Make sure to use a separate box for each purpose.
- Ticked/Activated boxes are not allowed. Users have to tick checkboxes themselves to give valid consent.
- Double opt-in is the most secure procedure to collect email addresses.
2.3 GDPR compliant unsubscribe process
According to the GDPR, the data subject has the right to withdraw their consent. In order to comply with this right, marketing emails always have to contain a link to unsubscribe (opt-out). In this way, recipients can exercise the withdrawal with just one click.
Audience Serv designed the unsubscribe process to be fully automated: unsubscribers are removed directly from the recipient list. If the client provides a blacklist, corresponding entries are made there as well.
In order to avoid unsubscriptions from your newsletters, various thematic newsletter campaigns can be set up, for example. Instead of unsubscribing from the entire mailing list, the customer unsubscribes from just a certain section and can continue to receive newsletters related to other topics. However, separate consent is required for each type of newsletter.
2.4 Imprint obligation also applies to newsletters
Sending marketing emails is a telemedia service that falls under the Telemedia Act. Therefore, an imprint is a mandatory part of email marketing campaigns. According to Section 5 of the Telemedia Act (TMG), the following information needs to be specified in an easily recognizable and immediately accessible way:
- Company name
- Company registration number
- Place of registration
- Contact options: email and / or telephone
- Registered office address (which may be different from the office you trade from)
The mandatory information differs depending on the type of business (GmbH, GbR, etc.) and must be adapted individually.
2.5 Documentation of collected data
As mentioned in the beginning, the data controller is responsible for compliance and is also obliged to provide evidence for it. The data subject has the right to request and obtain information about data collected. In order to fulfill this obligation, companies must be able to provide consumers with information in an easily accessible, transparent manner and to make data available free of charge.
For data generated online, the following information should be documented in particular:
- List of the data collected
- Purpose of data processing
- Contact details of data controller
- Contact details of the data protection officer
- Date, time and possibly IP address
  - when giving consent (form on website) and
  - when clicking the confirmation link (DOI)
- Confirmation email at DOI
- Information about the origin of the data
- Categories of recipients of the personal data
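The double opt-in flow from section 2.2 and the consent evidence listed above, as an added example in Python that is not part of the original article or of Audience Serv’s systems. The class name ConsentStore, the hard-coded SECRET_KEY, the sample address and the IPs are assumptions for illustration; the record captures date, time and IP both at form submission and at the confirmation click, plus purpose and origin, and the unsubscribe path logs the withdrawal.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Assumption: in a real deployment this secret is loaded from configuration, never hard-coded.
SECRET_KEY = b"example-server-side-secret"

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def make_token(email, nonce):
    """HMAC over the address and a random nonce, so a confirmation link cannot be guessed or forged."""
    return hmac.new(SECRET_KEY, f"{email}:{nonce}".encode(), hashlib.sha256).hexdigest()

class ConsentStore:
    """Double opt-in consent log: who consented to what, when, and from which IP address."""

    def __init__(self):
        self.pending = {}    # token -> record waiting for the confirmation click
        self.confirmed = {}  # email -> confirmed record (the actual mailing list)
        self.withdrawn = {}  # email -> time of opt-out, kept as evidence of the withdrawal

    def submit_form(self, email, purpose, ip, origin, box_ticked):
        """Step 1: the registration form. Only a box the user ticked counts as consent."""
        if not box_ticked:
            raise ValueError("consent box must be ticked by the user; pre-ticked boxes are invalid")
        token = make_token(email, secrets.token_hex(16))
        self.pending[token] = {
            "email": email, "purpose": purpose, "origin": origin,
            "consent_at": _now(), "consent_ip": ip,        # date, time and IP at form submission
            "confirmed_at": None, "confirmed_ip": None,    # filled in at the DOI click
        }
        return token  # goes into the confirmation link of the automatic email

    def confirm(self, token, ip):
        """Step 2: the confirmation link. Only now is the address verified and stored."""
        record = self.pending.pop(token, None)
        if record is None:
            return False  # unknown, already used, or forged token
        record["confirmed_at"], record["confirmed_ip"] = _now(), ip
        self.confirmed[record["email"]] = record
        return True

    def unsubscribe(self, email):
        """One-click opt-out: remove the address and log when consent was withdrawn."""
        if self.confirmed.pop(email, None) is None:
            return False
        self.withdrawn[email] = _now()
        return True

    def may_send(self, email, purpose):
        """Mail only confirmed addresses, and only for the purpose the subscriber agreed to."""
        record = self.confirmed.get(email)
        return record is not None and record["purpose"] == purpose

    def access_request(self, email):
        """What the controller can show a data subject who asks what is stored about them."""
        return {"record": self.confirmed.get(email), "withdrawn_at": self.withdrawn.get(email)}
```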
3. What to consider when working with third-party data?
We have clarified what needs to be considered when expanding your own email list. But what about the use of an external database? Many marketers use third-party lists to expand their reach. This way, you can reach out to potential new customers, convert them and drive growth.
There are basically two options for using external lists:
- Purchase of external/third-party records
- Usage of external/third-party records
3.1 Purchase third-party records
Data trading is a huge topic, and there is a lot of discussion about buying email addresses. Especially in light of the GDPR, the purchase of third-party data needs to be considered critically. As already described, marketing emails may only be sent with the explicit consent of the data subject according to Art. 7 GDPR. The purpose of the data collection and the type of future mailings must be clearly communicated. By naming “partner companies” or “passing on your personal data” in the consent, the legitimate collection and resale of data is possible. As a buyer, however, you are responsible for GDPR compliance and you have to check whether the third-party provider actually complied with all the necessary requirements when collecting the data. If this is not the case, you are making yourself liable to prosecution.
Basically, it is possible to buy external data records. According to GDPR, the sale and acquisition of email addresses is not prohibited. However, it comes with risks, and in general it’s not recommended to purchase external email lists.
In addition to the legal challenges, external data records can result in difficulties with your email client and can have a negative impact on your email deliverability. Many email clients simply prohibit the import of purchased data sets. When sending to third-party lists, the reputation of your sending domain can suffer, because email recipients often respond to emails from an unknown sender with spam flags and blocks.
3.2 Leveraging third-party records
The situation is different with the “mere” use of external data sets. Here the list owner is responsible for the legally compliant collection of the email addresses. Let’s take a look at this using the example of Audience Serv. As a specialist in new customer acquisition, Audience Serv provides an extensive database with over 100 million user records. Our customers can use this reach without taking on legal risks for the data collection.
How does it work?
Our clients provide us with their newsletter templates, and we send them to our segmented email lists (and/or those of our verified list partners). Direct contact between our clients and prospects only arises once a lead converts. Audience Serv is therefore responsible for compliance with data protection laws. With a GDPR-compliant lead generation process, Audience Serv can use the data obtained for marketing purposes.
When working with external service partners and their data, you should ensure that data is used in accordance with the GDPR. You should ask the following questions to ensure a proper process:
How is data collected?
Ask how the data was collected and whether the GDPR regulations were taken into account. Most of the time, data is generated via various portals or lead magnets. Ask for examples to get an overview of the provider’s lead generation portals.
Audience Serv generates data from three different sources:
- Own online portals: leads are generated via self-operated online portals. The consent for marketing purposes is collected using the DOI procedure. As a “data controller”, Audience Serv is the responsible sender of emails.
- Publisher online portals: Audience Serv is explicitly mentioned in the consent text. The consent for marketing purposes is collected using the DOI procedure. As a “data controller”, Audience Serv is the responsible sender of emails.
- List Management: Audience Serv works with validated list partners and uses external lists, which are validated for quality and GDPR conformity. The user gives the advertising consent to the publisher, on whose behalf emails are sent. As a data processor, Audience Serv acts as a marketer and technical service provider.
Are data continuously maintained and updated?
Outdated and incorrect data sets do not lead to the desired outcome of your email campaigns. Make sure your service partner works with accurate data and performs regular data reviews. After all, you don’t want to pay for “dead data”.
Audience Serv attaches great importance to data maintenance along with regular checks and updates. We have implemented database processes that ensure the highest data quality. This is how we prevent “fake leads”, bots and spam traps. This is the only way we can ensure reliable deliverability and how we can provide our customers with quality leads.
Is there a data protection officer?
According to GDPR, large companies with customers in the EU are obliged to appoint a data protection officer (DPO). A DPO can act internally or be employed externally. The DPO is responsible for ensuring the protection of personal and business data and is the first point of contact for risks, complaints, or general inquiries. There are exceptions for small companies with fewer than 10 employees.
Audience Serv fulfills this obligation. With a data protection officer responsible for the DACH region and another DPO who is responsible for international concerns, we guarantee the protection of personal data.
Is there a process for data protection complaints?
In addition to legally compliant data collection, the handling of data protection complaints is just as important. If a violation of the protection of personal data becomes known, the controller must report the incident immediately (if possible within 72 hours) to the responsible supervisory authority according to Art. 33 GDPR. Otherwise, you make yourself liable to prosecution. For this reason, an effective privacy complaint process is essential. Your business partner should be well positioned to respond to such complaints as quickly as possible.
Audience Serv has built up an effective “complaint process” over the past few years. Compliant data processing is our top priority. Incoming complaints are forwarded directly to our data protection officer and processed within 48 hours. This way, customers don’t have to worry about legal complications.
GDPR didn’t make email marketing easier, but it has not made it impossible either. In order to protect users’ personal data, marketers should pay particular attention to compliant consent and, at best, use the double opt-in procedure as best practice. Data maintenance and documentation are an important part of the GDPR regulations. Therefore, a well-maintained CRM and clear internal guidelines are crucial.
Despite the GDPR, marketers can leverage external databases to acquire new customers. Here, however, it’s not recommended to buy third-party lists. Rather, companies should work with trustworthy and professional service providers in order to properly exploit the potential of external third-party lists without taking legal risks.
We have compiled all information for you with great care. However, we assume no liability for the correctness and completeness.