
When you send emails to a customer, including processing orders, you use their personal data. This means you may come under the GDPR. The usual consent rules don't apply to transactional emails, so you'll need to do things differently.
Here's what you need to know about how the GDPR applies to transactional emails, and what you need to do.
- 1. What is the GDPR and Does it Apply to Me?
- 2. What Does the GDPR Require?
- 3. What are Transactional Emails?
- 4. What GDPR Lawful Basis Applies to Transactional Emails?
- 5. How Can I Make Sure My Data Processing Qualifies as 'Legitimate Interests'?
- 6. Special Types of Transactional Emails
- 7. What Else Should I Do to Make Sure My Transactional Emails Comply With the GDPR?
- 7.1. Include a Link to Your Privacy Policy
- 7.2. Include Unsubscribe Methods and Information if Appropriate
- 7.3. Note the Right to Be Forgotten
- 8. Summary
What is the GDPR and Does it Apply to Me?
The General Data Protection Regulation (GDPR) is a European Union law that restricts the way you can collect and process personal data (information about an identified or identifiable individual).
The GDPR restrictions cover the following countries:
- The EU member states
- Iceland, Liechtenstein and Norway (through the EEA)
- The United Kingdom (which has replicated the GDPR's rules in its national laws)
Broadly, the GDPR applies if:
- The data is about somebody (the "data subject") in a covered country
- The organization processing the data is in a covered country
- The processing physically takes place in a covered country, for example in a data center
What Does the GDPR Require?
The two main requirements of the GDPR are:
- You must have a lawful basis to process the data. The two most likely to apply when you send an email to a customer are that you have the consent of the customer (the data subject) or that you process data as part of your legitimate interests.
- You must follow measures that uphold the key privacy rights of the data subject.
What are Transactional Emails?
Transactional emails are ones you send to a customer that directly relate to a specific business transaction with them. Most commonly this is when they make an order, but it could relate to an ongoing subscription or a refund.
Other types of emails that are considered transactional are password reset and security alert emails.
As we'll detail, transactional emails do not include marketing content such as sending a promotional offer or newsletter.
Transactional emails inherently involve processing personal data. At the very least you will use the customer's email address. You'll also often use details of what they have ordered and may also use their home address. All of this is personal data.
What GDPR Lawful Basis Applies to Transactional Emails?
"Legitimate interests" is the usual lawful basis for sending transactional emails.
If you come under the GDPR, there's a good chance you already follow the rules to use the consent basis for much of your personal data processing. The problem is that consent doesn't really work for transactional emails.
One of the key points of the consent basis is that it only applies where customers have the right to make a meaningful choice whether or not to give consent (and to withdraw consent later on). It's not practical to give customers a choice whether or not you send them transactional emails such as order confirmations. These messages are often required by consumer law.
Instead, you'll need to use the legitimate interests basis. Here's how the GDPR describes it:
"...processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
Later rulings and guidance from data regulators have established that:
- "Legitimate" isn’t a value judgement but simply means it’s a necessary part of you doing business.
- The balance between your legitimate interests and the data subject’s rights and freedoms will often come down to whether the customer would reasonably expect you to use their data in a particular way.
How Can I Make Sure My Data Processing Qualifies as 'Legitimate Interests'?
The single most important thing when relying on legitimate interests is that you do so only for purely transactional emails. This means you must not include any marketing or promotional material in the email. This could include anything that is designed to encourage or persuade the customer to make another purchase.
If you do include any marketing material in a transactional email, it will no longer qualify for the legitimate interests basis. This is because the marketing element is not a necessary part of you carrying out the transaction.
If the email contains any marketing element you'll need the data subject's consent. For this reason, it's usually easiest to keep transactional emails (such as order confirmations) and marketing emails (such as a promotional offer for a repeat order) completely separate.
Before sending transactional emails, ask yourself if a customer would reasonably expect you to send the email and use their personal data in this way.
For example, you might send a welcome email to a new subscriber to an online membership site that includes some recommended pages to visit. It's possible to argue about whether or not these recommendations fall into the category of marketing. However, most customers would expect this type of content in a welcome message, so it will likely come under legitimate interests.
Special Types of Transactional Emails
Some forms of transactional emails apply to the ongoing relationship between you and a customer, rather than to a specific purchase.
Examples include:
- Emails about a security breach on your site
- The security emails you send when a customer wants to reset a password
- Emails telling the customer you've changed your Terms and Conditions agreement, Privacy Policy or another legal document
In each of these cases, sending the email comes under legitimate interests because you must send them, and it doesn't make sense for the customer to have a choice whether to receive them. This means you don't need consent to use personal data to create and send these emails.
Again, make sure you don't include any marketing or promotional content in these emails as this will make consent an issue.
What Else Should I Do to Make Sure My Transactional Emails Comply With the GDPR?
As well as having a lawful basis for data processing (including sending transactional emails), you must comply with the GDPR's other measures. Most of these involve the data subject's rights under the GDPR.
Here are some of the key ways these affect your transactional emails.
Include a Link to Your Privacy Policy
The GDPR says data subjects have the right to know how you handle their personal data, so you must tell them. Usually, the easiest way to do this is with a dedicated Privacy Policy. When you send a transactional email, you can link to this Privacy Policy.
Here's an example of an email footer that provides a Privacy Policy link:
Include Unsubscribe Methods and Information if Appropriate
Many guides to the GDPR will tell you to always include an unsubscribe button. This is usually good advice but doesn't make sense with transactional emails. One of the key points of a transactional email is that it contains information that you must send to a customer. Unsubscribe buttons are better suited to emails that include marketing messages.
Here's an example of an email footer that provides links for changing email preferences as well as unsubscribing from all types of emails:
Note the Right to Be Forgotten
This is formally known as the right to erasure. It means data subjects have the right to tell you to delete data when it's no longer needed for its original purpose. With marketing emails, this right takes effect almost immediately. That's because this use of data is based on consent and the data subject can withdraw the consent at any time.
With a transactional email, you won't necessarily have to delete the data immediately. You are allowed to keep it for as long as necessary to complete the original purpose, namely the transaction and any directly related activities.
For example, you could keep data such as the order details and payment card until the end of any returns period in case you need to issue a refund. After this period, you would normally need to comply with the deletion request. You can keep any details necessary to comply with laws, for example money laundering regulations.
This information is usually disclosed in a Privacy Policy, as seen here:
Summary
The GDPR applies if you process personal data about somebody in a European Union country or in Iceland, Liechtenstein or Norway. Similar rules apply in the United Kingdom. The GDPR also applies if your organization, or the physical processing of the data, is in one of these countries.
The GDPR says you must have a lawful basis for processing. The most common is consent, but this doesn't work for transactional emails. Instead, you'll need to rely on the legitimate interest basis: broadly, the emails are a necessary part of your doing business and are something most customers would expect to receive.
To avoid confusion or breaching the GDPR, don't include any marketing or promotional material in your transactional emails. A good rule of thumb is that transactional emails should update a user about an ongoing purchase but not encourage them to make another purchase.