Email marketers have got to get round the table with copywriters and tech teams right now to get their house in order before the big fines of the General Data Protection Regulation (GDPR) come into place in 2018.
Those who fail to act on the tighter information and consent aspects of the new directive could be facing a much tougher conversation further down the line. Then, the choice will be to erase their database or carry on and risk a fine of up to 4% of annual international turnover.
That is the stark warning from Steve Henderson, compliance officer at email marketing agency, Communicator. The good news, though, is that email marketers will generally be starting off from a good launch point. The channel traditionally has a very good privacy record because third-party software can identify and bar bad practitioners and consumers can choose to unsubscribe from brands that bother them. This reputation, however, may have lulled some in to a false sense of security that they do not need to act on GDPR compliance any time soon.
"It's likely that a lot of email marketers have become a little complacent and it's easy to see why," says Henderson.
"The channel's traditionally been highly reputable and where there have been any issues the Information Commissioner's Office has usually used its discretion and helped companies to see where they've gone wrong without a fine. That's changing, though. With the GDPR, the national privacy watchdogs are having their discretion taken away from them. They'll be expected to fine."
Inform And Consent To Segment
The principles with the new EU law have not changed but the rules governing data have been tightened and clarified. Namely, it will no longer be enough to just gain permission to put someone's email address in a database. Brands will have to be able to show they have communicated what use the data will be used for and offer control to the end user to restrict how their email address is used.
"Inform and control are the big two watch words," says Henderson. "Consumers have got to know what their data is being used for and to restrict it. Crucially, by restricting how their data is used, they cannot be denied a service, so you can't make it any service reliant on permission to use somebody's data. They have to be able to refuse permission for their data to be used but to still have the service."
Where it gets very interesting with email marketing is the segments that many brands will put the average customer into. These will typically be refined by data gleaned by the company as the person browses its site, interacts over social and transacts with its physical or online stores, if applicable. It has been a grey area until now but from now on, marketers need to operate as if the new directive is active.
For Henderson this is not so much a chore but an opportunity to future-proof a database and get consumers excited by what you can do with their data.
"The best advice is to act as if the GDPR is law now and get permission to build up a marketing profile," he says.
"This is where the email marketers have got to sit down with the copywriters and the tech guys and do it in an exciting way. It might well be asking for an email and then offering a tick box against, say, a VIP service that will match what you're most interested in with our latest offers. That way you're telling customers you're going to look at what they're interested in and target them accordingly. You need to be able to do this so you can show you explained what you are doing with their data and that they give permission. Then your database will be fine.
"You need to do this also for 're-permissioning' returning customers. The copy can say something like 'we're just checking this is your email address and you want us to tailor offers to what you show us you're interested in.' So long as you do this, your email database will be compliant and you can be assured you won't be having a horrible conversation with someone later on when they say the whole database has to be erased to avoid a massive fine."
Get It Right This Time Round
Henderson advises this be done with tech and copywriters around the table because otherwise brands will end up revisiting the early days of cookie warnings.
"I can say this, as I used to be a developer, but if you leave it to the tech team you'll just get a grey horrible box with some legal cut-and-pasted copy that just looks awful," he says. "You've really got to get marketers, the tech team and the copywriters involved. It's the only way to avoid a horrible repeat of the cookie-warning fiasco."
Right now the GDPR is approved and awaiting translation into the many languages of EU members. When that is complete, it becomes law and, from that moment, there will be a two-year countdown until the big fines for noncompliance can be levied.
Any brands not currently operating as if the GDPR is law already need to think long and hard about when they are going to ensure their database is compliant because failing to act well in advance is simply not an option for those wishing to avoid massive fines in a little over two years.