We felt that it might be useful to some of our clients if we wrote an article with some general guidelines. We strongly recommend that, if you are at all unsure about your website's compliance with GDPR, you get proper advice from a GDPR specialist consultant. I'm not a GDPR consultant or a lawyer, so this article doesn't cover the breadth of the GDPR legislation and isn't intended to give you advice - your situation might be unique or different.
The important thing with GDPR is that a website can't imply or assume a user has consented to signing up for any communication any more: people need to know exactly what they're signing up to, and they need to explicitly sign up.
If people have given you their email address, and they've opted in to receive marketing emails, you can still send them marketing emails.
If people haven't explicitly opted in to your marketing list, or you're using lists you have purchased or built from general website interaction, you will need their consent before you can send them marketing emails.
When someone gives you any of their personal details, such as their name, email address, phone number etc., you need to make it really clear exactly what they're opting in to, and what you'll use that information for. For example, if someone downloads an e-book from your website and you want to add their name and email address to your email marketing list, you will need to give them the separate option of also signing up for your mailing list. You cannot assume that because they've downloaded the e-book they're also giving you consent to send them other emails.
It's the same with online shopping.
If a person has purchased from your website, you can send the user transactional emails. These are the emails that are triggered by their purchase, such as an order confirmation, invoice and dispatch notice, but you can't then send them marketing emails unless they have expressly ticked the box saying they're signing up to receive them.
It is not GDPR compliant to have pre-ticked boxes or confusing consent. The intention and method of subscribing needs to be really simple and easy to understand. For example, some stores have historically had a marketing form where the box is ticked by default and the user has to un-tick it in order to opt out of marketing emails: there will be a tick-box with a message similar to "We will occasionally send you marketing emails. If you'd rather opt out of marketing emails, please un-tick this box". That would not be GDPR compliant.
You must make it clear what people are subscribing to, make sure the process is opt-in and also make it easy for them to unsubscribe.
If the user signed up via your e-newsletter sign-up form, or expressly opted in to receive your marketing emails, you do not need to ask the user for their consent again. If you had their express consent in the past, you have consent now.
If the people on your marketing list have not expressly subscribed to your marketing emails, you need to get their permission to send them marketing emails. For example, if a user filled out a basic contact form on your website, or made a purchase from your website and you added them to your marketing list, you do not have their express consent to send them marketing emails. You will either need to obtain their consent or remove them from your list.
If you really have no idea where your list came from, or your list mixes people who opted in with people who didn't and you have no idea which is which, you will need to expressly obtain permission to send marketing emails to the people on the list.
There should also be a link on every single email that enables the user to “Unsubscribe”, which takes them to a page that says something like “Sorry to see you go, you're now unsubscribed.”
If you use an email marketing service like MailChimp or ActiveCampaign, there should always be an unsubscribe button at the bottom of the email. When people click this, they will automatically become unsubscribed from the marketing list.
If you use Outlook and just BCC everyone on your list, then you have no real way of guaranteeing that people will be removed from your marketing list when they unsubscribe, so you will most likely need to use an email distribution service such as MailChimp or ActiveCampaign.
If you're a large company, there are rules specifically for large businesses, so it is important to get a consultant to advise you on your particular case with regards to your GDPR compliance.
If you're a small business, you need to follow some basic steps initially:
Firstly, check out the ICO website https://ico.org.uk/ which explains the new GDPR legislation in detail. You can also contact the ICO for advice.
Secondly, check your mailing list. You will need to make sure you are not breaking the law.
Do you know where the email addresses came from? Can you split out all the ones that opted in via your sign-up form? This is the list of people who absolutely, positively wanted to sign up. If so, tag them or move them to a separate list.
If there are some email addresses you're not sure about, put those in a separate list or give them their own tag. Send out an email giving them the option of opting out.
If you're using a good email system such as MailChimp or ActiveCampaign, then all unsubscribes are handled automatically, but if you’re not and someone requests to be removed from your lists – do it immediately.
As long as people have expressly opted in to your marketing list, you’re open and honest about what you do with the data you keep, ensure you keep that data securely and you delete people's data as soon as you're asked, you should be GDPR compliant with regards to email marketing lists.