Setting Up Email Newsletters for GDPR Compliance

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 May 2025.


If your email newsletter reaches anyone in Europe, GDPR likely applies - and failing to comply could lead to serious penalties. Here's how to stay compliant while growing your email list.


Am I Covered by the GDPR?

The GDPR applies if you handle personal data about somebody (the data subject) in any of these situations:

  • You are based in a GDPR country
  • The subscriber is located in a GDPR country
  • Your data processing (e.g., servers) occurs in a GDPR country

By "GDPR country" we mean:

  • The 27 countries in the European Union (where the GDPR has automatic legal force).
  • Iceland, Liechtenstein and Norway (through an agreement with the EU).
  • The United Kingdom (which has broadly replicated the GDPR in its national law).

To put this another way, the GDPR applies to your newsletter unless a very limited set of circumstances apply, namely that you aren't based in a GDPR country, you don't process any data in a GDPR country, and you have (and use) a way to be certain nobody in a GDPR country can sign up to your newsletter.

What Elements of the GDPR Apply to My Newsletter?


Lawful Basis

The main principle of the GDPR is that you can only process personal data when a specific lawful basis (selected from a list in the GDPR) applies. Personal data means information that relates to an identified (or identifiable) individual; this includes names and identifiers such as email addresses. Processing means collecting, using, sharing or deleting data.

You can't simply identify a lawful basis and automatically have it cover all your personal data use. You must instead be able to identify a relevant lawful basis for every purpose: in other words, every different reason you process personal data.

Several of the lawful bases listed in the GDPR only apply in limited cases such as acting in the public interest or protecting people's lives. The two main lawful bases that are relevant to businesses are legitimate interests and consent.

Legitimate interests simply means that processing the data is necessary as part of your ordinary business activities. However, it only applies where your interest is not outweighed by the data subject's privacy rights.

A good rule of thumb is that it should only apply in cases where somebody would reasonably expect you to process their data in a particular way and for a particular reason. For example, legitimate interests would normally cover collecting a customer's email and using it to send a confirmation that you have dispatched an order.

A newsletter normally counts as a form of marketing. As it's not strictly necessary for your business operations, you'll normally need to use consent as your lawful basis.

Several conditions apply for consent to be valid under GDPR (and thus to make it legal to process data using consent as a lawful basis):

  • The consent must cover processing for a particular purpose. You can’t get blanket consent to cover all possible use of somebody’s personal data.
  • The consent must be explicit. You have to be able to prove the person intentionally gave consent. This means you can’t use opt-out consent where you assume consent unless the person explicitly says otherwise.
  • The consent must be based on a request that is “clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
  • The consent must be revocable. The GDPR specifically says it must be as easy to withdraw consent as it is to give it in the first place.
  • The consent must be based on a meaningful choice. That means you can’t demand consent as a condition of a contract unless it’s for data processing that’s genuinely necessary to fulfil that contract. For example, you can demand somebody provide their address so that you can deliver goods, but you can’t demand they agree to receive marketing material after making a purchase.

Does It Matter if I Ignore the GDPR?

If you process data in a way that breaches the GDPR you face a range of penalties. This includes being ordered to stop using the data in a particular way; being temporarily or permanently banned from processing personal data; and paying a fine.

Processing personal data without a lawful basis falls into the most serious category for fines, with a maximum fine of €20 million or four percent of your annual worldwide turnover, whichever is higher.

What To Do With Your Newsletter To Comply With the GDPR


Now we've covered the principles of the GDPR, let's go step-by-step on what you need to do to comply when running a newsletter.

Review Your Data Use

Make a list of all the data you collect as part of running a newsletter and figure out the different purposes for which you use it. This will include people's email addresses and (if you collect them) their names. It can also include any decisions they've made such as subscribing to a particular newsletter or asking for updates on specific topics.

Remember the GDPR only covers information about identifiable individuals. It doesn't cover aggregated data.

For example, if your email newsletter software gives you details about what percentage of people opened a particular email, the GDPR doesn't apply as long as you don't have details of which particular subscribers opened it.

Update Your Privacy Policy

You should already have a Privacy Policy if you handle personal information. Make sure it reflects your data use with the newsletter, including any new purposes. For example, your Privacy Policy may already cover using email addresses to send order confirmations, which count as "transactional emails." Sending a newsletter is a form of marketing so, even though you are using the same personal data (email address), it's a different purpose.

Swindon Borough Council uses a dedicated Privacy Policy to cover its newsletters:

Swindon Borough Council: Newsletter Privacy Policy

If you don't have a Privacy Policy already, your use of personal data for the newsletter means the GDPR requires a policy. It should cover:

  • Your identity and contact details and those of your data protection officer (if you have one).
  • The data you collect, the purposes for which you use the data and the lawful basis for each purpose.
  • Who, if anyone, you share or sell data to.
  • How you will protect the data if you transfer it to a non-EU country.
  • How long you’ll keep the data (or how you’ll decide when to delete it).
  • The data subject’s rights to ask you to correct or delete data; to withdraw consent, plus what happens if they do; and to complain to a supervisory authority about your data use.
  • Whether the data subject is required to provide the personal data (and what happens if they don’t).
  • Whether you use the personal data for automated decision making, which is sometimes called profiling.

Make sure you get consent before processing any personal data (including collecting an email address). Ask for consent when somebody is signing up to the newsletter and make it impossible for you to collect any personal data until you have the consent.

To make the consent informed, include a link to your full Privacy Policy. You can include a short statement (e.g. "We will use this address to send a regular newsletter") but always include the link to the Privacy Policy as well.

The Guardian links to its Privacy Policy from its newsletter sign-up screen:

Guardian Website: Link to Privacy Policy is shown in email newsletter

To make the consent meaningful, always make the signing up for a newsletter optional. Never make it mandatory to sign up to a newsletter as a condition of doing something else, such as placing an order. Make sure you do not "bundle" consent in with other terms and conditions: deciding whether to consent to data use must always be a completely independent choice.

To make the consent active, always require the user to take a positive step that specifically gives the consent (and serves no other purpose). Don't rely on simply posting a message that says the user consents automatically by signing up to the data use. Don't rely on a pre-checked tick box or other method that the user could accidentally miss.

The best method is a tickbox, toggle or similar setting that is clearly labelled as a sign of consent and requires the user to take action before they can submit their email address or other personal information.

Qatar Airways uses a clearly-marked tickbox. Users must tick the box before they can click on the 'Subscribe' button:

Qatar Airways Email Newsletter Form: I would like to receive

Allow Unsubscribing

You must make it easy for people to withdraw consent for you to use their personal data for the newsletter. In other words, to unsubscribe. Do not make this more difficult than signing up. At the absolute minimum you need an "unsubscribe" form on your website that is clearly labelled and easy to find from any other page on your website.

The best option is to include a simple one-click "unsubscribe" link or button in every edition of your email. (This will also help you comply with several other laws such as CAN-SPAM in the US. Many email marketing platforms also require a one-click unsubscribe option.)

You should also include a link to your Privacy Policy in every edition.

Make sure you act on unsubscribe requests immediately.

The New York Times includes clear unsubscribe options at the end of its newsletters:

New York Times: Email Newsletter includes unsubscribe link

Summary

The GDPR almost always covers email newsletters unless you block European users from signing up. Running an email newsletter involves handling personal data such as somebody's email address, other details such as name, and potentially any interests or preferences they reveal.

Under the GDPR you need a lawful basis to process this personal data. For an email newsletter this will normally be consent, which must be active and meaningful.

When you run a newsletter, review your personal data use and update your Privacy Policy as needed. Then make sure you get suitable consent: require users to give a clear, unambiguous signal they consent to the data use before signing up. Make sure they have adequate details of your data use so this is an informed decision.

Make sure it's easy to withdraw consent, for example by unsubscribing. A simple unsubscribe link with no extra steps is the safest method.