{"id":4950,"date":"2021-03-08T11:20:46","date_gmt":"2021-03-08T16:20:46","guid":{"rendered":"https:\/\/www.litmus.com\/blog\/5-things-you-must-know-about-email-consent-under-gdpr\/"},"modified":"2023-07-17T14:20:57","modified_gmt":"2023-07-17T18:20:57","slug":"5-things-you-must-know-about-email-consent-under-gdpr","status":"publish","type":"post","link":"https:\/\/www.litmus.com\/blog\/5-things-you-must-know-about-email-consent-under-gdpr","title":{"rendered":"EU & UK GDPR: 5 Things You Must Know About Email Consent"},"content":{"rendered":"\n\n\t
\n
\n \t
\n \t\t
\n \t\t\t
\n \t\t\t\t

The European Union\u2019s privacy law, General Data Protection Regulation (GDPR), went into effect on May 25th, 2018. At the time, many wondered what GDPR means for email marketers<\/a>. And fortunately, GDPR didn\u2019t kill email<\/a> like the doomsayers predicted. But one thing that still might cause you headaches? How to collect and store email consent.<\/p>\n

GDPR raises the bar to a higher standard of consent for subscribers based in the European Union (EU), meaning how you\u2019ve collected consent from EU subscribers in the past might not be compliant anymore.<\/p>\n

And even now that the United Kingdom (UK) has formally left the EU, GDPR after Brexit<\/a> hasn\u2019t changed too<\/em> much. The UK has created their own UK GDPR, which is essentially the same as the EU GDPR except that it applies to UK residents only. Details are covered in the Guide to the UK GDPR<\/a> from the UK\u2019s Information Commissioner\u2019s Office (ICO). For simplicity\u2019s sake, I\u2019ll refer to both as just GDPR unless referencing one specifically.<\/p>\n

So the real question is: What does all this mean for email consent from your EU and UK subscribers?<\/p>\n

How to keep email consent compliant with GDPR<\/h2>\n

GDPR requires that brands collect affirmative consent that is \u201cfreely given, specific, informed, and unambiguous<\/a>\u201d to be compliant. The ICO has also provided a comprehensive guide on consent under GDPR<\/a>. If you\u2019re not ready to dive into the full 39-page guide just yet, here\u2019s a breakdown of the five most important things you must know about email consent under GDPR\u2014with plenty of examples of how we put them into action here at Litmus.<\/p>\n

1. Get consent from a positive opt-in, not pre-ticked boxes<\/h3>\n\"Opt-in\n

For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that assume consent if people don\u2019t<\/strong><\/em> uncheck them aren\u2019t valid under GDPR.<\/p>\n

Recital 32:<\/strong><\/em>
\n\u201cSilence, pre-ticked boxes or inactivity should not constitute consent.\u201d<\/em><\/p>\n

Example<\/h4>\n

In the screenshot above, we show an example of how we use unchecked, opt-in boxes at Litmus to get consent. If the box was pre-checked, that wouldn\u2019t comply with GDPR.<\/p>\n

2. Keep consent requests separate from other terms & conditions<\/h3>\n

Email consent must be freely given\u2014and that\u2019s only the case if a person truly has a choice of whether or not they\u2019d like to subscribe to marketing messages. If subscribing to a newsletter is required in order to download a whitepaper, for example, then that consent is not freely given.<\/p>\n

Under GDPR, email consent needs to be separate<\/em>. Never bundle consent with your terms and conditions, privacy notices, or any of your services (unless email consent is necessary to complete that service).<\/p>\n

Article 7(4):<\/strong><\/em>
\n\u201cWhen assessing whether consent is freely given, utmost account shall be taken of whether [\u2026] the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.\u201d<\/em><\/p>\n

Example<\/h4>\n

In the same screenshot above: When someone downloads an ebook or other content from Litmus, there\u2019s an unchecked box to get on our email list. But signing up for emails is optional<\/em>\u2014you can always download the ebook without subscribing to our emails.<\/p>\n

However, in this example below, we have an email subscription form in the footer of the Litmus website. The box is still unchecked, but the red asterisk denotes that consent is required<\/em>.<\/p>\n\"Email\n

Why? Because email consent is necessary to complete the service. In other words, this specific service is to send you our emails, and we can\u2019t do that unless you opt in.<\/p>\n

3. Make it easy for people to withdraw consent\u2014and tell them how to do it\u200b<\/h3>\n\"Email\n

Article 7(3):\u200b<\/em><\/strong>
\n\u201cThe data subject shall have the right to withdraw his or her\u200b consent at any time [\u2026] It shall be as easy to withdraw as to give consent.\u201d\u200b<\/em><\/p>\n

All major email laws, including CASL in Canada and CAN-SPAM in the U.S., require brands to give their subscribers the opportunity to opt out from receiving emails. Each promotional email you send must include an option to unsubscribe.<\/p>\n

If you are already compliant with current Canadian, American, or European email laws, you may not have to change much when it comes to this requirement for GDPR compliance. Still, this is a perfect time to revisit your current opt-out process to ensure you\u2019re following unsubscribe best practices<\/a>:<\/p>\n