Mon 10 June 2019

The email industry's got a GDPR problem.

Some of you reading this might have seen me talk about this problem in the very excellent Email Geeks Community, but if you're new, let me break it down for you.

Last year, the GDPR came into effect, which put in place some rigorous laws around data processing and how personally identifiable information (PII) has to be handled. This stressed out a lot of email marketers, who quite rightly realised that the new regulations would have a significant effect on their ability to acquire and market to customers via their email address (which counts as PII).

Now if you're reading this, you're probably familiar with how that's gone, so I won't bore you with the details.





So What's the Problem?

The overwhelming majority of commercial email sent today contains tracking pixels and tracking links, these are used to uniquely identify individuals so that opens and clicks can be correctly attributed to them. This isn't strictly a problem, the GDPR does not ban processing of personal data for tracking purposes, however email tracking frequently fails to meet a number of criteria necessary to be legal under the GDPR.

We're not collection consent to track user behaviour - That means we're probably relying on good old Legitimate Interest and that's frought with a number of risks.

Firstly, most brands aren't disclosing in their privacy policies or at moment of signup that they're tracking user behaviour in marketing emails. That's a problem. Article 5 clearly states that to be legally compliant, personal data should be processed in the following manner:

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

This is further expanded upon in Recital 39:

It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.

Failure to adequately disclose email tracking within your brand's privacy policy is a clear breach of the regulation.

Secondly, when Legitimate Interest is used as the legal basis for processing of personal data, the data subject has the Right to Object.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.

This means that when processing data under a Legitimate Interest basis, the data subject has the right to object to your tracking, this brings us round to our second problem.





Email Marketing Platforms Are Not GDPR Compliant†

Take a look at your ESP, does it allow you to, on a per individual basis, opt-out of email tracking?

If the answer to that is no, and in most cases the answer will be no, you're in breach of the GDPR as soon as a customer objects to your data processing. That is assuming you disclose the tracking in your privacy policy, if you don't you're already in breach.

This becomes even more of a legal quagmire as soon as we start looking at tracking in emails sent on a legal basis other than Consent or Legitimate Interest.

So what can you do about it?

Complain to your ESP! Complain frequently and loudly. Make them do something about it. Ultimately the GDPR is here to stay, and ESP's must put in the work to allow marketers to comply with the law.





Where Does That Leave Email Marketing?

Email marketing isn't going anywhere, email remains one of the most valuable channels for reaching your customers and losing the ability to track behavioural data isn't going to change that fundamental fact. What is going to change is our ability to act upon vast swathes of personal data.

You know what?

That's not a problem, personal data is not a crucial part of gauging the success of a campaign and anonymised data is more than good enough for us to achieve our objectives.

I'll leave you with a parting note; as marketers, we've become entirely too comfortable handling vast swathes of personal data, it's time we get used to a world where that option isn't always going to be available to us.

Usual caveats apply. I am not a lawyer.

† Yes, I know a small minority are, but they're a small minority. This might be one of the very few instances in which I'd recommend SFMC

Cheers,