Category Archives: GDPR

GDPR and Email: Part 2, Unsubscribing and Forgetting

GDPR forgetting vs. unsubscribing

NOTE: This is the second in a series of articles addressing the GDPR and its effects on email marketing. For an overview of the subject, see our previous article: GDPR and Email: Part 1, an Overview.

No aspect of the General Data Protection Regulation (GDPR) has generated more confusion and misinformation than Article 17—the notorious “Right to Erasure” clause.1 Partly, this confusion is a result of the GDPR’s failure to address email regulations head-on, choosing instead to tackle the privacy issue on a grander scale (you won’t even find the word “unsubscribe” used anywhere in the GDPR or its “recitals”).

As we mentioned in the previous article, whether or not you’ll need to concern yourself with the ramifications of the GDPR will depend entirely on your subscriber base, and whether or not you actively seek subscribers in countries that belong to the European Union. If all your subscribers are in the United States, then you have things pretty easy. If a good percentage of your subscribers are in Europe, then you’ll probably want to make sure you follow the rules laid down by the GDPR. The fines for ignoring it are steep.

Forgetting Isn’t Unsubscribing

The most important point to remember is that “forgetting” and “unsubscribing” are two different things. When a person asks to be unsubscribed, they are saying: “I don’t want to receive any more email from this source.” Sometimes that means unsubscribing from a specific topic. For instance, you might unsubscribe from PC World’s Tech Deals newsletter but still receive their Daily News updates. Sometimes it means unsubscribing from all the mailings a company sends.

Forgetting—or the “right to erasure”—is another animal entirely. In this case, the subscriber is asking not only to be removed from your active mailing list but to have all identifying information removed from your system, with the possible exception of the email address used to verify the erasure request. When a subscriber asks to be forgotten, all personal data must be removed from the database.

Why does it matter?

Right now, nobody knows what effect the GDPR will have on email subscriptions, but some sources predict dire things. Pegasystems, a provider of customer engagement software, reports that 82% of European consumers plan to exercise their new rights to view, limit, or erase the information businesses collect about them, although the article goes on to say that only 21% of those surveyed had any idea what GDPR is or what it enables them to do. According to a survey commissioned by Veritas and conducted by 3GEM, 40% of British consumers plan to exercise their GDPR data rights.

One country that might live up to the dramatic figures for erasure requests is Germany. One need only compare Google Street View coverage for Germany versus any other country in the world to see that Germans love their privacy. People had to request that their buildings be blurred out, and Germans did it in droves. Will they do likewise with the GDPR’s right to erasure? For most, we suspect that the unsubscribe will suffice.

How to Forget

How each email marketing software provider (ESP) contends with the right to erasure varies. Some ESPs instruct recipients to send them an email if they want to be forgotten, while others remain silent on the means to be forgotten. For our own part, we decided to automate the feature in Symphonie, so if it’s enabled by the administrator, recipients can choose to be forgotten with no manual labor. If the number of requests to be forgotten from European users climbs as high as some suggest, this could be a big labor saver for Symphonie users.

As mentioned previously, these clauses of the GDPR will be put to the test over the next few months. Given the ability of people to find loopholes where the creators thought none existed, we’re sure to see some amendments to the regulation.


1. Chapter 3, Article 17: Right to erasure (‘right to be forgotten’)

GDPR and Email: Part 1, an Overview

GDPR vs. Email
They started working on it in 2012, and for the next four years, the countries of the European Union argued over, cajoled each other, and hammered out the details of a ruling known as the General Data Protection Regulation (GDPR). It was a long, hard slog, but when the dust had cleared, the feeling was that the Council of the European Union and the European Parliament had a regulation that would address the privacy issues inherent in any new or future technology, without hampering individual needs.

Or did they?

Ratified on May 24, 2016, the GDPR took effect on May 25th, 2018, and offers the strictest set of regulations to date as to what you can and cannot do with someone’s data. Everything from Facebook to your digital camera has to comply with the regulation, and that includes email subscriptions.

It Affects the Whole World

Although intended to protect the citizens of the European Union, it also applies to overseas companies with EU subscribers—and here’s where the GDPR starts getting fuzzy. In a recent webinar, listeners were told that they don’t have to worry about the GDPR as long as they can prove that they did not actively seek European subscribers. On another site, readers were told that if you have any European subscribers, you’re obliged to follow the GDPR restrictions. So who’s right? The webinar is correct, in fact. If you can prove that you intended for your site to be used exclusively outside of the EU and had no mechanism in place to entice European subscribers, you are not liable, but that also means you might have to prove it at some point, and if, for reasons beyond your control, a large number of your subscribers are from the European Union, you’ll probably lose that fight.

That Depends on What The Meaning of “Is” is

At first glance, the GDPR looks pretty thorough. It even has a section that defines the terms it uses, such as “personal data” and “natural person.”1 But look more closely and you’ll see that every definition, in turn, raises new questions. “Personal data,” for instance, is defined as “any information relating to an identified or identifiable natural person (‘data subject’),” and goes on to explain that “an identifiable natural person is one who can be identified, directly or indirectly” (italics mine). Although the ruling is broad enough to include it, you won’t find a discussion of email anywhere in the regulation. In fact, the word “email” is used only once—as an example of one of the things that can be used to identify a person.

After reading and re-reading the current crop of articles about the regulation, what strikes us is how few of these address the questionable areas of GDPR, especially as it relates to email marketing. Whether you run email marketing using your own equipment or take advantage of a hosted solution, here are some questions and discussion about GDPR challenges for email senders.

Tell Me You Like Me

If you’re a European citizen and you’ve signed up to receive email from a company, that company must “demonstrate” that you actually did sign up. So how do you demonstrate that someone provided their information on a web form? The GDPR goes on to talk about written declarations, but that is unlikely to apply to email marketing.

You can be audited to ensure that you are complying with the GDPR, so you should be able to prove this.2 If you say that the recipient confirmed with a double-opt-in, what physical evidence can you present to back up this statement? Is the word of your software that says the recipient clicked the link enough? Do we need to record additional information to show this action really happened, like recording the IP address and browser information used when the confirmation link was clicked? But wait! Isn’t that Personal Identifying Information (PII) that you shouldn’t be keeping on recipients? Which takes precedence: proving the recipient “demonstrated” their consent, or minimizing the PII for that recipient?

A double-opt-in confirmation step would seem to “demonstrate” the person’s interest in receiving your email. But as many email marketers know, getting people to confirm is challenging. A double-opt-in can reduce the list size; forcing them to do it again is guaranteed to reduce list sizes even further.

Unsubscribing is not Forgetting

You won’t find the word “unsubscribe” anywhere in the regulation or its recitals.3 When you unsubscribe, your information is still in the database, being applied to past metrics and ensuring that you aren’t accidentally left on any mailing list segments. Unsubscribing should be easy. Just click the unsubscribe link on any email, and as long as it is an honest and legitimate company, you should stop receiving mailings from that company in short order. But the GDPR complicates even this.

“Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed…” the regulation states, but then goes on to say: “In a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” To further muddy the waters it continues by adding that “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes…in order to safeguard the rights and freedoms of the data subject.”4

The first statement seems to indicate that data about a recipient can be retained only while it is needed for processing. For a regular newsletter subscriber, it seems likely that retaining their information would be acceptable in order to provide the newsletter service. But what if the person unsubscribes? Or what if the email address is no longer valid (goes on hold)? Should any personal data for the recipient be removed at this point?

The structure of the GDPR seems to suggest that the answer to this is no unless the person has requested to be “forgotten,” which opens up a whole new can of worms.

I Forgot to Remember to Forget

One of the most controversial and discussed topics about the GDPR is its “Right to erasure (‘right to be forgotten’)” clause, which states that the “data subject” has the right to request the erasure of personal data.5 Of course, nothing is ever that simple. The regulation goes on to list the cases where a person may request erasure. Since these cases include direct “data marketing purposes,”6 we can assume that it applies to most email situations, but is it possible to request that a company erase all your personal information, even though you wish to remain a customer? And what about past metrics? If 25 subscribers clicked on links last year, then asked to be forgotten this year, what happens to that data? Data from previous years could be construed as “historical research,” which the GDPR says is okay to keep.7

If “forgotten” means you’re no longer anywhere in the system, and not simply “we’re not going to send you any more email,” how would you know this? Surely you need to keep a record verifying that a person requested to be forgotten, but if you do, then they’re not completely forgotten. It reminds us of comedian Mitch Hedberg’s joke: “A man in an infomercial told me to forget everything I knew about comforters, so I did. Then he tried to sell me a comforter, but I didn’t know what it was.” If you don’t keep track of who asked to be forgotten, then how can you prevent them from being re-entered into your system? It’s ludicrous. The GDPR seems to suggest that a marketer has the right to retain the email address, since it’s required for compliance with the legal obligations of the member states and is required by the email marketer for the defense of claims that the recipient might make.

Data Extraction

In Article 20, the GDPR is very clear that a person has the right to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format.”8 This is the “data extraction” clause, and the way it is worded suggests that every email marketer intending to be compliant with the GDPR should have a mechanism that allows recipients to see the data that’s been collected on them. It just doesn’t say what this data might be. Data in demographic fields or associated one-to-many tables would seem like reasonable choices, but how about open and clickthrough data?

For both the data extraction request and the request to be forgotten, there are privacy and security issues left unaddressed by GDPR. You could, for instance, create a web form that lets an email address be “forgotten” when it’s entered, but then a malicious person could erase data just for kicks. Similarly, providing all the collected personal data on request should require some validation to ensure the recipient is actually requesting this data.
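To make the questions raised in the last few sections concrete (what evidence a double-opt-in leaves behind, how an unsubscribe differs from a forget, how to remember who asked to be forgotten without keeping their address, and how to validate an erasure or data request before acting on it), here is an added Python model of a subscriber store. It is example code written for this page, not code from Goolara, Symphonie or any other ESP. Everything in it is an assumption: the in-memory store, the server secret, and the design choice of keeping only a keyed hash (HMAC) of a forgotten address as the suppression record and pseudonymizing, rather than deleting, the consent log. Whether that choice satisfies Article 17 is a legal question the post leaves open; the code only shows the mechanics.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed example secret; a real deployment loads it from a secret store.
SERVER_SECRET = b"example-only-secret"
ERASURE_WINDOW = 3600  # seconds an erasure confirmation link stays valid


def _mac(*parts: str) -> str:
    """Keyed hash over the parts; used for confirm tokens and suppression keys."""
    msg = "|".join(parts).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def _norm(email: str) -> str:
    return email.strip().lower()


class SubscriberStore:
    """In-memory stand-in for an ESP database (constructed for this example)."""

    def __init__(self) -> None:
        self.subscribers = {}      # email -> {"lists": {name: status}, "fields": {...}}
        self.consent_log = []      # evidence that the double-opt-in click happened
        self.suppressed = set()    # keyed hashes of forgotten addresses, no plaintext
        self.pending_erasure = {}  # email -> (nonce, expiry)

    def suppression_key(self, email: str) -> str:
        return _mac("suppress", _norm(email))

    # --- double-opt-in ---------------------------------------------------
    def signup(self, email: str, list_name: str, fields: Optional[dict] = None) -> Optional[str]:
        """Record a pending subscription and return the token for the confirmation link.
        Returns None for an address that asked to be forgotten, so it is never re-entered."""
        email = _norm(email)
        if self.suppression_key(email) in self.suppressed:
            return None
        rec = self.subscribers.setdefault(email, {"lists": {}, "fields": {}})
        rec["lists"][list_name] = "pending"
        rec["fields"].update(fields or {})
        return _mac("confirm", email, list_name)

    def confirm(self, email: str, list_name: str, token: str, confirmed_at: int) -> bool:
        """Activate only if the emailed token is valid; a replayed link cannot reactivate."""
        email = _norm(email)
        if not hmac.compare_digest(_mac("confirm", email, list_name), token):
            return False
        rec = self.subscribers.get(email)
        if rec is None or rec["lists"].get(list_name) != "pending":
            return False
        rec["lists"][list_name] = "active"
        # Minimal evidence: who, which list, when. No IP address or browser string kept.
        self.consent_log.append({"subject": email, "list": list_name, "confirmed_at": confirmed_at})
        return True

    # --- unsubscribe vs. forget ------------------------------------------
    def unsubscribe(self, email: str, list_name: Optional[str] = None) -> bool:
        """Stop mailings; the record stays so past metrics and segments stay consistent."""
        rec = self.subscribers.get(_norm(email))
        if rec is None:
            return False
        for name in [list_name] if list_name else list(rec["lists"]):
            if name in rec["lists"]:
                rec["lists"][name] = "unsubscribed"
        return True

    def request_erasure(self, email: str, now: int) -> str:
        """Issue a one-time nonce that is sent only to the mailbox itself. The web form
        should answer identically whether or not the address is known, so it cannot be
        used to enumerate subscribers."""
        nonce = secrets.token_urlsafe(16)
        self.pending_erasure[_norm(email)] = (nonce, now + ERASURE_WINDOW)
        return nonce

    def confirm_erasure(self, email: str, nonce: str, now: int) -> bool:
        """Erase the record once the mailbox owner has proven control of the address."""
        email = _norm(email)
        pending = self.pending_erasure.get(email)
        if pending is None:
            return False
        stored, expiry = pending
        if now > expiry or not hmac.compare_digest(stored, nonce):
            return False
        del self.pending_erasure[email]
        self.subscribers.pop(email, None)
        key = self.suppression_key(email)
        # Consent evidence survives, but the address in it is replaced by the keyed hash.
        for entry in self.consent_log:
            if entry["subject"] == email:
                entry["subject"] = key
        self.suppressed.add(key)
        return True

    # --- data portability ------------------------------------------------
    def export(self, email: str) -> Optional[str]:
        """Article 20 style export of what the subscriber provided, as JSON. Gate this
        behind the same mailbox check as erasure before returning it to anyone."""
        rec = self.subscribers.get(_norm(email))
        return None if rec is None else json.dumps(rec, sort_keys=True)
```

The two security points the post raises map onto two checks here: an erasure (or export) is only honored after a nonce sent to the mailbox comes back within the window, so a stranger typing an address into a form cannot wipe it; and a forgotten address is remembered only as an HMAC under a server secret, which is enough to refuse a re-signup but cannot be reversed into the address or joined across systems that use a different key.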

Many ESPs have added a request-to-be-forgotten feature to their privacy policies that requires you to send an email to make the request. While this doesn’t appear to be automated, at least it’s a step towards ensuring the recipient is the one making the request. As for the request-for-data requirement, so far only Goolara offers to extract the recipient’s personal data in electronic form. Since it is a requirement of the GDPR, we expect others will eventually comply.

Final Thoughts

While the goals of the GDPR are fairly clear and even laudable, it can be difficult to implement when the rubber hits the road. How do we both remove personal data and keep some for the purpose of honoring the unsubscribe? Do we really need to remove all demographics when someone unsubscribes? How do we implement features like data extraction and make it available for portability? We’d like to hear your thoughts on this in the comments below.

In Part Two, we’ll get a little deeper into the nitty-gritty of the GDPR, and look at the right to be forgotten in more detail.


1. Chapter 1, Article 4: Definitions

2. Chapter 2, Article 7: Conditions for consent

3. Recitals are brief descriptions added to the GDPR to help clarify certain terms and aspects of the regulation. At this time, there are 173 recitals!

4. Chapter 2, Article 5: Principles relating to the processing of personal data

5. Chapter 3, Article 17: Right to erasure (‘right to be forgotten’)

6. Chapter 3, Article 21: Right to object

7. Chapter 9, Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

8. Chapter 3, Article 20: Right to data portability