Now that we’ve lived with the General Data Protection Regulation (GDPR) for almost two months, it’s time to look at the next step: making sure your opt-in procedure passes muster with this and other laws governing email, data, transparency, and privacy.

Did you lose a big chunk of your email list after GDPR went into effect on May 25? This could have happened for any of these reasons:

  • You ran a re-permissioning campaign, either to EU-specific email addresses or to your entire list if you couldn’t tell where your subscribers lived, but you didn’t get a great response. (Many emailers reported hearing from less than half of their subscribers.)
  • You removed addresses of people who were opted in involuntarily because you used pre-checked opt-in forms whenever you captured email addresses, on transactional emails, website or event registrations, downloads or any other use of your websites. Note: Opt-out methods such as removing a checkmark in an opt-in box are now illegal under GDPR and other email laws, such as CASL (Canada’s Anti-Spam Law). They also violate best practices.
  • You removed email addresses that you collected using other dubious permission methods or methods that GDPR, CASL and other email laws prohibit, or addresses whose data and permission you couldn’t verify.

If you haven’t audited or updated your email list lately, you’d better get on that before any more time goes by. We’re already seeing GDPR complaints being filed against companies like Facebook and Google over marketing practices like forced consent.

Now it’s rebuilding time

GDPR essentially codifies responsible data and email practices. Following the rules means you’re putting your subscribers first. This has become table stakes in this age of empowered and data-wary consumers. You’ll also comply with just about every email law on the planet.

These steps will help you build a list that will pass the data sniff test and, more importantly, give you a database of subscribers who really do want to hear from you. That higher quality will justify the work you put into tuning up your opt-in practices.

1. Hunt down any stray prechecked forms.

Don’t stop with your website-based forms, such as the blank that appears somewhere on the homepage, or a popover that blooms on the page when a browser lands on it or moves to close the page.

Your audit should extend to every form where you collect email addresses for marketing messages, like these:

  • All transactional emails
  • Event registration forms
  • New-account forms
  • Download registrations
  • Information requests

Sending emails as part of a business transaction or information request is permitted under most laws – GDPR calls it “legitimate interest” – but you must be clear about the conditions under which you’ll send emails. This implied permission doesn’t generally extend to marketing messages.

2. Be clear about the benefits subscribers will get from your emails.

Does that sound familiar? We talk about this all the time. It’s not enough to ask your customers to sign up for your email. Do you know anybody who wants more email in their inboxes? You must instead beef up your benefits – the “what’s in it for me?” statement that’s uppermost in skeptical subscribers’ minds.

If your email invitation is limited to a variation of “Sign up to get our emails,” it’s time to re-think and tune up your value proposition. Talk up your email features and benefits (and then carry through on them).

3. Be equally transparent about how you collect, secure and delete user data.

This is the essence of GDPR. The law isn’t about email. It’s about data collection and security. Here’s a good model to follow from Typeform, a Barcelona-based designer of data-collection tools like surveys and quizzes:

[Image: GDPR Data Collection]

4. Force consumers to choose.

No, this is not forced consent. Rather, you give your consumers two options: “yes” and “no,” and require them to choose one or the other before proceeding.

This gives you a clear record of your customer’s intent. It also forces you to sell your email benefits as vigorously (and truthfully) as you would the best-selling product on your site to persuade more customers to opt in.

Why you still need to think about GDPR

The law applies beyond the borders of the European Union’s 26 member countries because it protects the data rights of individuals. So, the law covers any resident of an EU country in your database (whether customer, subscriber, prospect or whatever), even those living somewhere else.

We covered some GDPR basics in an earlier blog post (“Opt in again for GDPR? 9 email re-permissioning examples from 7 brands”). Also, the GDPR website has several resources to help you understand the law and how it affects your data practices.

Got questions about building a GDPR-compliant email list? Let us know in the comments below!