They started working on it in 2012, and for the next four years, the countries of the European Union argued over, cajoled each other, and hammered out the details of a ruling known as the General Data Protection Regulation (GDPR). It was a long hard slog, but when the dust had cleared, the feeling was that the Council of the European Union and the European Parliament had a regulation that would satisfy the privacy issues inherent with any new or future technology, without hampering individual needs.
Or did they?
Ratified on May 24, 2016, the GDPR took effect on May 25th, 2018, and offers the strictest set of regulations to date as to what you can and cannot do with someone’s data. Everything from Facebook to your digital camera has to comply with the regulation, and that includes email subscriptions.
It Affects the Whole World
Although intended to protect the citizens on the European Union, it also applies to overseas companies with EU subscribers—and here’s where the GDPR starts getting fuzzy. In a recent webinar, listeners were told that they don’t have to worry about the GDPR as long as they can prove that did not actively seek European subscribers. On another site, readers were told that if you have any European subscribers, you’re obliged to follow the GDPR restrictions. So who’s right? The webinar is correct, in fact. If you can prove that you intended for your site to be used exclusively outside of the EU and had no mechanism in place to entice European subscribers, you are not liable, but that also means you might have to prove it at some point, and if, for reasons beyond your control, a large number of your subscribers are from the European Union, you’ll probably lose that fight.
That Depends on What The Meaning of “Is” is
At first glance, the GDPR looks pretty thorough. It even has a section that defines the terms it uses, such as “personal data” and “natural person.”1 But look more closely and you’ll see that every definition, in turn, raises new questions. “Personal data,” for instance, is defined as “any information relating to an identified or identifiable natural person (‘data subject’),” and goes on to explain that “an identifiable natural person is one who can be identified, directly or indirectly” (italics mine). Although the ruling is broad enough to include it, you won’t find a discussion of email anywhere in the regulation. In fact, the word “email” is used only once—as an example of one of the things that can be used to identify a person.
After reading and re-reading the current crop of articles about the regulation, what strikes us is how few of these address the questionable areas of GDPR, especially as it relates to email marketing. Whether you run email marketing using your own equipment or take advantage of a hosted solution, here are some questions and discussion about GDPR challenges for email senders.
Tell Me You Like Me
If you’re a European citizen and you’ve signed up to receive email from a company, that company must “demonstrate” that you actually did sign up. So how do you demonstrate that someone provided their information on a web form? The GDPR goes on to talk about written declarations, but that is unlikely to apply for email marketing.
You can be audited to ensure that you are complying with the GDPR, so you should be able to prove this.2 If you say that the recipient confirmed with a double-opt-in, what physical evidence can you present to backup this statement? Is the word of your software that says the recipient clicked the link enough? Do we need to record additional information to show this action really happened, like recording the IP address and browser information used when the confirmation link was clicked? But wait! Isn’t that Personal Identifying Information (PII) that you shouldn’t be keeping on recipients? Which takes precedence? Proving the recipient “demonstrated” their consent, or minimizing the PII for that recipient?
A double-opt-in confirmation step would seem to “demonstrate” the person’s interest in receiving your email. But as many email marketers know, getting people to confirm is challenging. A double-opt-in can reduce the list size; forcing them to do it again is guaranteed to reduce list sizes even further.
Unsubscribing is not Forgetting
You won’t find the word “unsubscribe” anywhere in the regulation or its recitals.3 When you unsubscribe, your information is still in the database, being applied to past metrics and ensuring that you aren’t accidentally left on any mailing list segments. Unsubscribing should be easy. Just click the unsubscribe link on any email and as long as it is an honest and legitimate company you should stop receiving mailings from that company in short order. But the GDPR even complicates this.
“Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed…” the regulation states, but then goes on to say: “In a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” To further muddy the waters it continues by adding that “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes…in order to safeguard the rights and freedoms of the data subject.”4
The first statement seems to indicate that data about a recipient can be retained only while it is needed for processing. For a regular newsletter subscriber, it seems likely that retaining their information would be acceptable to be able to provide the newsletter service. But what if the person unsubscribes? Or the email address is no longer valid (goes on-hold). Should any personal data for the recipient be removed at this point?
The structure of the GDPR seems to suggest that the answer to this is no unless the person has requested to be “forgotten,” which opens up a whole new can of worms.
I Forgot to Remember to Forget
One of the most controversial and discussed topics about the GDPR is its “Right to erasure (‘right to be forgotten’)” clause, which states that the “data subject” has the right to request the erasure of personal data.5 Of course, nothing is ever that simple. The regulation goes on to list the cases where a person may request erasure. Since these include for direct “data marketing purposes,”6 we can assume that it applies to most email situations, but is it possible to request that a company erase all your personal information, even though you wish to remain a customer? And what about past metrics? If 25 subscribers clicked on links last year, then asked to be forgotten this year, what happens to that data? Data from previous could be construed as “historical research,” which the GDPR says is okay to keep.7
If “forgotten” means you’re no longer anywhere in the system, and not simply, “we’re not going to send you any more email,” how would you know this? Surely you need to keep a record verifying that a person requested to be forgotten, but if you do, then they’re not completely forgotten. It reminds us of comedian Mitch Hedberg’s joke: “A man in an infomercial told me to forget everything I knew about comforters, so I did. Then he tried to sell me a comforter, but I didn’t know what it was.” If you don’t keep track of who asked to be forgotten, then how can you prevent them being re-entered into your system? It’s ludicrous. The GDPR seems to suggest that a marketer has the right to retain the email address since it’s required for compliance with the legal obligations of the states and is required by the email marketer for the defense of claims that the recipient might make.
In Article 20, the GDPR is very clear that a person has the right to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format.”8 This is the “data extraction” clause, and the way it is worded suggests that every email marketer intending to be compliant with the GDPR should have a mechanism that allows recipients to see the data that’s been collected on them. It just doesn’t say what this data might be. Data in demographic fields or associated one-to-many tables would seem like reasonable choices, but how about open and clickthrough data?
For both the data extraction request and the request to be forgotten, there are privacy and security issues left unaddressed by GDPR. You could, for instance, create a web form that lets an email address be “forgotten” when it’s entered, but then a malicious person could erase data just for kicks. Similarly, providing all the collected personal data on request should require some validation to ensure the recipient is actually requesting this data.
Many ESPs have added a request to be forgotten feature to their privacy policies requiring you to send an email to request this. While this wouldn’t appear to be automated, at least it’s a step towards ensuring the recipient is the one making the request. As for the request for data requirement, so far, only Goolara offers to extract the recipient’s personal data in electronic form. Since it is a requirement of the GDPR, we expect others will eventually comply.
While the goals of the GDPR are fairly clear and even laudable, it can be difficult to implement when the rubber hits the road. How do we both remove personal data and keep some for the purpose of honoring the unsubscribe? Do we really need to remove all demographics when someone unsubscribes? How do we implement features like data extraction and make it available for portability? We’d like to hear your thoughts on this in the comments below.
In Part Two, we’ll get a little deeper into the nitty-gritty of the GDPR, and look at the right to be forgotten in more detail.
3. Recitals are brief descriptions added to the GDPR to help clarify certain terms and aspects of the regulation. At this time, there are 173 recitals!