
Guide to GDPR compliance for e-mail marketing campaigns


Admeet's guide to GDPR-compliant email campaigns

This article explores all the issues surrounding GDPR compliance in the field of marketing and will give you all the keys you need to set up e-mail campaigns that comply with French regulations.

How does the GDPR affect marketing?

General marketing practices


Marketing practices have been substantially affected by the implementation of the GDPR. Today, the vast majority of marketing strategies involve the processing of large quantities of personal data of customers and prospects: website, newsletter, e-mailing, telephone canvassing, postal mailings, etc.
The notion of personal data should be understood very broadly, since it includes all information that can directly or indirectly identify a natural person. If you are an e-commerce business, you will probably use the data collected during online transactions (names, e-mail addresses, purchasing preferences, etc.) to send them marketing e-mails. You will therefore need custom solutions for your e-commerce website.

Application of the GDPR and CNIL recommendations


If you are implementing marketing practices in France involving the processing of personal data, it is essential to take account of the GDPR and CNIL rules.
When it comes to commercial prospecting, the legal basis for processing personal data may be consent or legitimate interest. This is referred to as opt-in when the data subject has given their consent to receive commercial solicitations, or opt-out when the data subject objects to their personal data being processed for direct marketing or commercial solicitations:

  • Opt-in involves obtaining the prior consent of the recipient of the advertising, in short: if they haven’t said yes, it’s no. The opt-in principle applies to B-to-C (business-to-consumer) advertising sent by e-mail, SMS, MMS, automatic call machine or fax;
  • Opt-out is just the opposite: as long as the recipient of the advertising has not objected to it, they are deemed to have agreed to receive it. The opt-out principle applies to B-to-B (business-to-business) advertising sent by e-mail, post, telephone call, automatic call machine, SMS, MMS, and also to B-to-C advertising sent by post or telephone call (excluding SMS, MMS and automatic call machines).
In all cases, you will need to inform people beforehand that you intend to use their data for commercial canvassing, specifying the channel (e-mail, SMS, etc.) and whether they can refuse (opt-in) or oppose (opt-out).

GDPR-compliant e-mail campaigns in France


E-mailing is one of the most widespread methods of reaching a target audience.
As e-mail addresses, even professional ones, are considered to be personal data, sending e-mail campaigns involves a number of challenges in terms of GDPR compliance.
Generally speaking, canvassing e-mails (newsletters, promotional e-mails, cold e-mails, but also abandoned basket e-mails) intended to promote a service or product are therefore subject to the GDPR, as the CNIL reminds us.
On the other hand, service e-mails (e.g. order confirmations, e-mails relating to order tracking, e-mails collecting feedback from data subjects on their orders, etc.) are not considered to be advertising, since the legal basis for sending these e-mails is the performance of the contract between the seller and the buyer.
To ensure that your e-mail marketing campaigns comply with the GDPR, Admeet provides you with the following guidelines.

Inform your customers and prospects in a transparent manner

  • First make sure that your data collection and use practices are GDPR compliant;
  • Generate or update your privacy policy to reflect your current practices, clearly explaining how data is collected, stored, used and protected. If this data has been provided to you by a data broker, clearly state the source with the name and contact details of your partner.

Obtain the consent of customers and prospects if you are targeting individuals


In order to comply with the CNIL’s recommendations concerning respect for the rights of individuals with regard to their data, you must obtain the consent of the person concerned if you are targeting individuals:

  • Ensure that consent is collected in a free, specific, informed and unambiguous manner, in particular by means of a checkbox that is not pre-ticked by default (article 7 of the GDPR);
  • If possible, use the double opt-in procedure to confirm consent;
  • Explain clearly to users why you are collecting their data and how you will use it.

Furthermore, if you are sending different types of communication for different purposes, separate consents must be collected for each purpose.

Record proof of consent from your customers and prospects


Recording proof of consent is important in order to prove the legitimacy of your commercial prospecting mailings in the event of a complaint from a data subject to the CNIL and of an inspection by the latter.
To do this, keep proof of each consent, ideally including the date, time, source and content of the consent. You can also use Consent Management tools (CMPs), such as the one offered by Admeet, essentially for cookie consent (and not for e-mails).

Audit your current databases

  • With the help of a DPO, carry out an audit of your database to identify the origin and location of your contacts, particularly if you buy e-mails from companies specialising in data resale. Beware: buying lists of e-mail addresses without consent or sending unsolicited e-mails to individuals contravenes the principles of the GDPR and may be penalised by the CNIL. Purchasing a database of business contacts (B-to-B) is possible provided that you comply with the information obligations and the possibility of withdrawing consent at any time in the communications sent (see paragraph 1.b.);
  • Delete contacts for which you do not have proof of consent in order to limit the risks;
  • If you segment your database to send personalised e-mails, make sure you only use the data collected for campaigns that are relevant to each group of customers (article 5 GDPR).

Manage unsubscriptions to your e-mail campaigns


In all cases, whether in the context of B-to-B or B-to-C prospecting, data subjects must be able to refuse to receive further solicitations at any time when they are contacted. As part of an e-mailing campaign, a valid unsubscribe link must be provided in all prospecting e-mails sent. The link should be clearly visible and displayed in a suitable font size.
If you send different types of communication, offer your contacts options for unsubscribing from some or all of your communications.
You also need to get organised internally so that you can effectively deal with these requests (by drawing up a list of people who have objected, setting up tools so that suppression lists of contacts who must no longer be solicited are maintained, etc.).
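The consent, evidence and unsubscribe steps described in the sections above, as an added example that is not Admeet's code: an in-memory consent ledger (a database would replace the dictionaries in practice) that records the date, time, source and exact wording of each consent per purpose, confirms it by double opt-in, refuses a pre-ticked box, checks consent before every send, and keeps the record after withdrawal so the evidence survives. The purpose names, the HMAC-signed unsubscribe link and the in-memory store are assumptions of the example, not part of the guide.

```python
"""Consent ledger with double opt-in, per-purpose consent and unsubscribe handling.

Added example (not Admeet's code). Assumptions: an in-memory store stands in
for a database, purposes are named by the sender, and the unsubscribe link
carries an HMAC so that nobody can unsubscribe an address they do not control.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

# Purposes are assumed for this example; each one needs its own consent.
PURPOSES = ("newsletter", "promotions", "abandoned_basket")


@dataclass
class ConsentRecord:
    """The evidence kept per consent: who, for what, where, when and which wording."""
    email: str
    purpose: str
    source: str                          # constructed, e.g. "checkout_form_v3"
    wording_sha256: str                  # hash of the exact consent text shown
    requested_at: str                    # ISO 8601, UTC
    confirmed_at: Optional[str] = None   # filled in by the double opt-in step
    withdrawn_at: Optional[str] = None   # filled in on unsubscribe; record is kept


class ConsentLedger:
    def __init__(self, link_secret: bytes) -> None:
        self._secret = link_secret
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self._pending: dict[str, tuple[str, str]] = {}   # token -> (email, purpose)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def request_consent(self, email: str, purpose: str, source: str,
                        wording: str, pre_ticked: bool = False) -> str:
        """Record an opt-in request and return the token for the confirmation e-mail."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if pre_ticked:
            # Article 7 GDPR: a pre-ticked box is not an affirmative act.
            raise ValueError("consent must be an affirmative act, not a pre-ticked box")
        self._records[(email, purpose)] = ConsentRecord(
            email, purpose, source,
            hashlib.sha256(wording.encode()).hexdigest(), self._now())
        token = secrets.token_urlsafe(32)
        self._pending[token] = (email, purpose)
        return token

    def confirm(self, token: str) -> bool:
        """Double opt-in: the confirmation link is single-use."""
        key = self._pending.pop(token, None)
        if key is None:
            return False
        self._records[key].confirmed_at = self._now()
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        """Check before every send: confirmed for this purpose and not withdrawn."""
        rec = self._records.get((email, purpose))
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)

    def unsubscribe_token(self, email: str, purpose: str) -> str:
        """Token to embed in the unsubscribe link of each e-mail sent."""
        return hmac.new(self._secret, f"{email}|{purpose}".encode(), "sha256").hexdigest()

    def handle_unsubscribe_link(self, email: str, purpose: str, token: str) -> bool:
        """Endpoint behind the link: verify the token, then withdraw that purpose."""
        if not hmac.compare_digest(token, self.unsubscribe_token(email, purpose)):
            return False
        self.withdraw(email, [purpose])
        return True

    def withdraw(self, email: str, purposes: Optional[Iterable[str]] = None) -> None:
        """Unsubscribe from some or all purposes; the record stays as evidence."""
        for p in (purposes if purposes is not None else PURPOSES):
            rec = self._records.get((email, p))
            if rec is not None and rec.withdrawn_at is None:
                rec.withdrawn_at = self._now()

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you would hand over on request: the full consent record."""
        rec = self._records.get((email, purpose))
        return None if rec is None else vars(rec).copy()
```

The design point is that consent is keyed by (address, purpose), so a newsletter opt-in never authorises promotional mail, and withdrawal marks the record rather than deleting it, so proof of the original consent and of the objection both remain available.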

Check the GDPR compliance of your service providers


To check the GDPR compliance of your service providers:

  • Make sure that your service providers and partners also comply with the GDPR, particularly companies specialising in the resale of data or marketing agencies;
  • Thoroughly check their confidentiality policies and data processing practices.

Train your marketing teams in the protection of personal data


Your marketing teams handle personal data in their day-to-day activities. It is vital to make them aware of the GDPR and its implications for e-mail campaigns, by organising training courses, e-learnings, etc.

Regularly update your marketing practices


GDPR compliance is an ongoing process. To ensure long-term compliance:

  • Regularly review your compliance procedures and practices, identify areas for improvement and take corrective action if necessary;
  • Monitor GDPR-related case law and adapt your practices accordingly to remain compliant.

Practices to avoid for GDPR-compliant e-mail campaigns

Purchasing contact lists: pay attention to the way in which contacts have been collected

Buying contact lists is a common practice in the marketing field, but it is essential to take a few precautions to ensure that this practice complies with the GDPR:

  • Check that the personal data on the list has been collected lawfully, in accordance with the GDPR principle of transparency;
  • When you first communicate with contacts from this list, you are obliged to inform them of the data processing methods and also of the origin of the data, including the contact details of the company from which you acquired the data.

Dark patterns: tactics contrary to the GDPR


Dark patterns are one way of coming into conflict with the GDPR. These are interface designs intended to manipulate or deceive users into taking actions they would not otherwise take: for example, making the unsubscribe link hard to find, or tricking users into sharing more data than they want to.
These deceptive practices are obviously against the GDPR. To avoid penalties, make sure your newsletter subscription and unsubscription process is clear, simple and transparent.

GDPR and marketing: the risks of non-compliance

The risks of non-compliance with the GDPR for your marketing campaigns can be considerable, whatever the size of your business. The financial penalties can reach up to €20 million or 4% of annual global turnover, and the reputational consequences can be devastating. In November 2022, the CNIL fined EDF €600,000 for failing to comply with its obligations in terms of commercial prospecting and personal rights. A number of breaches were identified, including:

  • failure to comply with the obligation to inform individuals;
  • failure to comply with the obligation to obtain the consent of individuals to receive commercial canvassing by electronic means;
  • failure to comply with obligations relating to the procedures for exercising rights;
  • failure to comply with the obligation to respect the right of access to data (article 15 of the GDPR) and the right to object of the data subjects.

Essentially, the sanctions imposed by the CNIL on EDF highlight the importance for companies of being able to provide concrete evidence of user consent when that consent is used as the legal basis for processing personal data.

GDPR compliance: a real opportunity for your marketing campaigns


In the digital age, consumers are increasingly aware of the issues surrounding the protection of their personal data, and are therefore more and more sensitive to companies’ marketing practices.
Compliance with the GDPR and the implementation of marketing practices that respect the privacy of your customers and prospects are becoming a real marketing advantage, and therefore a competitive advantage. If users give their consent to receive your marketing e-mails, it means that they are genuinely interested in your products or services. The result? A much higher click-through and conversion rate.
By protecting your customers’ personal data, you can build up a genuine relationship of trust with them, develop their loyalty and maintain a positive image of your company.

An attractive, GDPR-compliant website with Admeet


Whether you’re an SME or a real estate agency, a website is an essential part of any marketing strategy. But to be truly effective, it needs to be GDPR compliant.

Admeet will be at Digitalize on 31 January and 1 February 2024, and we’ll be delighted to help you make your website GDPR compliant.

This means generating an adapted and personalised privacy and cookie policy, as well as an effective cookie banner and consent manager. The link to your privacy policy must be found under all the points at which personal data is collected on your website, whether it’s to sign up for a newsletter, provide an e-mail address to get in touch, take part in a competition, and so on. This is why all your GDPR documents must be in Legal Design so that they are clear and understood by everyone.
To help you make your website GDPR-compliant, Admeet offers an all-in-one solution with the essential functions: