GDPR & email marketing (B2C & B2B)

The biggest issue that companies are facing is consent. Consent now requires “clear affirmative action”. That said, what will the business value be when a company's processes are largely dependent on customer data? See below in this article how you can manage compliance in B2C first, then in B2B.

A point to note for digital marketing is that these rules apply to existing data, not just new subscribers and customers!

How GDPR will affect digital marketing in B2C

Need for consent

Consent is similar to opt-in (the person who receives an email must have agreed in advance to appear in a mailing file), in contrast to the B2B field, where opt-out is sufficient (the person who receives an email must have the possibility to ask to be deleted from the mailing file).

Under the GDPR, the way consent is requested from users will be stricter. It is therefore inevitable that the GDPR will result in marketing databases shrinking.

However, there are steps that companies can take now to make sure they can continue to use as much of the data they hold as possible after May 2018.

From the 25th May 2018, all permissions about mailing must be opt-in, with a “clear affirmative action” required.
Consent must also be specific, with separate options for each processing being provided to subscribers.

What about companies' existing mailing lists?

To continue using customer data for emailing beyond May 2018, companies will need to bring it up to the GDPR standard for consent. Sounds logical!

One frequent issue in several countries is the use of pre-checked boxes indicating that the user wants to “receive regular offers and updates”. Pre-checked boxes are now considered illegal by the European Committee. The minimum requirement could be a checkbox that is not pre-checked, as a "clear affirmative action" from users is mandatory.

Proving and documenting compliance is not optional under the GDPR. Indeed, the second most common issue is that there is no proof that the following information was provided at the time of opt-in:

  • A clear explanation of how the data would be processed
  • The identity and contact details of the controller
  • Details of any recipients of the data including any third party systems where data is stored, like CRM systems (like Salesforce), email providers, cloud storage providers, etc.
  • Details of any countries to which the data will be transferred. It is often the case that data will reside on servers in other countries especially when using cloud service providers.
  • The period of data retention or criteria used to determine the retention period
  • The existence of the data subject’s rights (the rights to be forgotten, to withdraw consent, to data portability...)
  • The existence of automated decision making and the consequences
  • A statement about the right to complain to the Data Protection Authority

Note that GDPR rules also apply to existing data, so a consent update will be necessary to become compliant.

What to do in 4 steps

1. Update website terms of services (ToS), cookie policy, and privacy policy

The first step for almost all organisations that are looking to make their digital marketing GDPR compliant will be to update their website ToS and privacy policy.

Those documents are the easiest way to communicate the key information to data subjects. They will include the information listed in the section above (required info in the opt-in process), plus:

  • The purpose of processing and legal basis for processing the data
  • The source of the personal data
  • The identity and contact details of the controller
  • The contact details of the data protection officer (DPO)
  • Any additional information that is needed

2. Update the design of lead capture forms on website

The key elements of your new lead capture forms will have to include:

  • A clear explanation of what the user is signing up for
  • A checkbox that is not pre-checked, which the user must check before submission, with text alongside such as “I agree to the ToS and privacy policy” and links to the documents.

GDPR compliant consent form example:

3. Document what the subscriber was told when they gave consent

You have to prove that consent has been given. You must be able to demonstrate that you have complied with the GDPR. This might include:

  • Content for the consent form, privacy policy, ToS
  • Consent form itself (screenshot of the page as a minimum)
  • Any context around the consent form

You should also keep a clear log of any updates to your policies and ToS over time.

4. Re-consent your database

Where existing data does not meet the standard required by the GDPR, you will need to re-consent, which means getting new and valid permission from the individuals.

Cleanse your database
Before you begin the process of re-permissioning you will want to ensure you have all of your data in one location and that it is properly deduplicated.

You should delete any records where emails have hard bounced. If these are valuable customers, then think about a more personal approach. If not, don’t waste your time trying to re-permission them.

Only re-permission those who have given consent (or use a method other than email to reach them)
Under current rules you can approach B2B customers and prospects for consent as long as they have not previously opted out.

Sending a re-permissioning email to an individual who has opted out (even if they have previously subscribed) is a breach of existing rules and again, surely a waste of time.

Will GDPR affect digital marketing in B2B?

As you can see, following the GDPR, B2C marketing will have to operate in a highly regulated opt-in mode. On the contrary, B2B marketing operates in opt-out mode, which is less binding for emailing.

In B2B, the subject of the solicitation must be related to the professional activities of the person being contacted. For example, you can contact Marc Benioff to promote the benefits of software in the Salesforce ecosystem.

Generic business addresses are contact details of legal entities. They are not subject to the principles of consent and the right to object.

However, each e-mail message must:

  • Specify the identity of the advertiser,
  • Offer a simple way to object to receiving further solicitations (unsubscribe link in the mail landing page)

Note that, as in B2C, the use of a pre-checked box is not allowed under GDPR, and is already illegal in certain countries like France or Germany.

The rules above are not new for numerous countries: they are the ones under which the profession operates today. They will not be challenged by the GDPR. Indeed, the GDPR focuses on personal data and therefore on B2C marketing.

In a nutshell

See GDPR as an opportunity to review and renew data management before the 25th May 2018 deadline. Think of GDPR compliance as a way to become cleaner and more responsible in business processes, and consequently more competitive thanks to the confidence it brings to your customers.

Also, be aware that if you haven’t started working towards GDPR compliance for your digital marketing (especially for B2C), there will be no better time than right now.

In summary, if you want to do anything with someone’s personal data:

  • Tell the user what processing is used
  • Obtain user agreement by clear and positive action
  • Prove you are compliant and transparent