Data Privacy Marketing

Email Marketing Best Practices for CASL and GDPR Compliance

June 12, 2018

With GDPR now fully enforceable, marketers need to carefully scrutinize their electronic messaging practices. Is your mailing list exposing your company to the risk of fines?

This is Part 2 of a series on Data Protection, Privacy and Compliance. Part 1 discussed criteria that marketers and business owners should consider in determining whether the EU’s GDPR legislation applies to their business.

On May 25th, 2018, the General Data Protection Regulation (GDPR) was put into effect by the European Union, with broad global jurisdiction. Even North American companies need to be aware of the procedural and technical requirements of this legislation, as non-compliance fines can be astronomically high (upwards of 4 million Euros)! So far, as of this writing (June 12, 2018) a few tech giants have been slapped with lawsuits totalling in the billions of Euros, and all of us have been bombarded with privacy policy update emails, in-app alerts, and opt-in popups on websites. As an owner, developer or maintainer of a website or app, what do you need to do in order to be compliant with GDPR and avoid potential litigation?

Part One of this series looks at some of the criteria for GDPR applicability. It’s a good idea to assess the likelihood that your property will come under scrutiny, and measure that level of risk against the effort (and associated costs) of implementing the necessary changes to achieve full compliance. This post examines the technical and procedural changes that GDPR requires regarding email marketing. As with most data privacy and protection improvements, we feel that these changes are generally favourable in any case, and that your audience will appreciate a demonstration of your concern for their privacy and the security of their data.

Canada has very strict legislation around email marketing, regardless of GDPR, and has had it since 2014.

If your organization is CASL-compliant, you are likely most of the way to GDPR-compliance (with some notable differences, outlined below). If you’re not, or you don’t know what CASL is, you should sit up and take notice – there may be some serious implications for your continued use of existing mailing lists. In 2014 Canada became one of the toughest jurisdictions against fraudulent or spammy electronic communications with CASL (Canada’s Anti-Spam Legislation). Companies (and their directors or officers) can be subject to fines from CAD $1M to $10M per violation, and the CRTC’s CASL taskforce is actively auditing companies’ compliance and levying fines (though the list of publicly documented cases is surprisingly short).

The first step to becoming GDPR-compliant in your email marketing practices in Canada is to be CASL-compliant.

CASL requires that:

  1. You clearly identify yourself and your organization in any and all communications
  2. Your emails are not misleading or “scammy”
  3. You provide an accessible and straightforward unsubscribe mechanism
  4. You have appropriate consent to send commercial electronic messages

#1 – Clear Identification: this is pretty easy to adhere to. Just make sure that every marketing mass-email that goes out lists your full (physical mailing) address as well as an actual email inbox that someone on your team monitors for complaints, unsubscribe requests and other inquiries regarding personal privacy or data security. It wouldn’t hurt to appoint someone on your team to the role of “Privacy Officer” and identify that person explicitly in your email footer. (You probably already have a team member appointed as “Fire Marshal” and one as “Office Health and Safety Officer”, right? This is not really all that different. Just give them a nice hat.)

#2 – Honest Messaging: this is self-evident if you’re a legitimate business with legitimate marketing practices. You are a legitimate business, aren’t you? Of course you are.

#3 – Usable Unsubscribe Mechanism: this is where things might get tricky, depending on the email marketing platform that you’re currently using. Mainstream mass-marketing email solutions such as MailChimp® have invested the hours and effort to ensure they exceed compliance with current legislation. Other, smaller, Canadian-based solutions have built their entire businesses around CASL compliance and are generally safe choices in that regard. The bigger concern is with homegrown or CRM-specific solutions such as the MailPoet plugin for WordPress. These need to be evaluated on a case-by-case basis.

If you are not running a mainstream solution, or are not quite sure, take a moment and audit your current solution.

You should be able to confidently answer “yes” to all of the following:

  • Every mass-email that we send out includes an unsubscribe link in it. It should be easy to read, easy to click, and should direct users straight to an unsubscribe page (on your site or the third-party mailing software’s site).
  • Our website or app has a highly visible and accessible unsubscribe link or button that takes users to the unsubscribe page immediately. Even if the subscription mechanism is not on your primary website, that website should contain the unsubscribe link in a discoverable and accessible location. Many website owners choose to put this information in the site’s footer, or on the Contact Us page. App developers often put these links on the User Preferences or User Account Settings views.
  • Our unsubscribe page is clear, straightforward and accessible to all users, even those with disabilities such as visual impairments or motor skills challenges. (Is this a good time to mention AODA? If your business is in Ontario, you should probably check that out sometime too, but I digress…)
  • Our users are able to unsubscribe directly from the unsubscribe page. There shouldn’t be a second screen to confirm, or an alert such as “Unsubscribe? Are you really sure? Here’s a coupon for a free Timbit if you stay with us…” (but see the “Confirmation Page” note, below)
  • On our unsubscribe page, users must be able to unsubscribe from all correspondence with one simple step. It is acceptable to also let users selectively unsubscribe from various lists (for example, you may have a “Marketing Promotions” list and a “Product Updates” list). But if you do, you still must provide them with the option to unsubscribe from everything without having to manually check off all the options.
  • There is a confirmation page or notification that the user has successfully unsubscribed. A separate page is much better than an alert, for accessibility reasons (developers can read how to properly handle dynamic alerts here). You are allowed to include the option to re-opt-in. We commonly see messages such as “We’re sorry to see you go. If you change your mind, resubscribe here”. Avoid anything negative or designed to make the user feel guilty.
  • People that unsubscribe from our lists are actually removed (name and emails actually deleted within 10 business days). This might be the hardest to verify. You’ll need to have access to the actual mailing list data. If you can’t see the mailing list directly (this really only applies to homegrown solutions), you’ll want to contact the developer of that solution and ask them the question. If you do have visibility into the mailing list, subscribe to the list and follow the unsubscribe process. Take a look at the list and make sure that email has been removed, not just tagged as “unsubscribed”. To fully comply with CASL and GDPR, that record has to be purged or anonymized.

If you cannot confidently affirm all of the above, it might be time to consider another option as your electronic marketing platform, or, if it’s easier (or cheaper), work with a qualified developer to bring your custom solution into compliance. We typically favour off-the-shelf solutions due to their stability, but if you have unique workflows or require deep integration with a custom CRM, then you may have no choice but to update your existing custom-built software.

#4 – Appropriate Consent: “consent” is a crucial term in data privacy. Indeed, much of GDPR revolves around the notion of consent: how it’s obtained, logged and managed. CASL sets a very high bar in terms of consent, but allows what is called “implied consent” in certain key situations, whereas GDPR does not make these allowances when it comes to direct-to-consumer (B2C) marketing. Since we’re talking about how you can bring your electronic marketing practices up to the highest level of compliance, we will focus on GDPR’s requirements.

First, bear in mind that for business-to-business (B2B) electronic marketing, much more leeway is given. Under CASL this is called “implied consent”; GDPR’s verbiage uses “Legitimate Interests” to cover:

  • An existing business relationship (they are already a client)…
  • where the email is related to existing products and/or services that the client is already engaged with…
  • and where the message is of sufficient importance to warrant the email…
  • and email is the least obtrusive / most effective means of communicating with this client.

In general, it’s a lot more prudent to obtain explicit consent even in the context of B2B relationships.

So, let’s take a look at “Explicit Consent”. Under CASL and GDPR you can obtain consent in writing (electronically or otherwise) or verbally. In all cases, you must keep and be able to produce proof that demonstrates both the request for consent and the consent being given. It’s harder to do this verbally, which is why most companies choose to only collect data (such as email addresses) when consent is given electronically. Asking for someone’s email address at the point of sale isn’t going to cut it anymore, unless you go to great lengths to give them the means of reviewing the request, and your staff the means of recording their assent, or unless your email tool provides a double opt-in protocol, which usually involves sending a confirmation email that users must accept before they are added to your mailing list. Most commercial mailing tools have this feature as an option – we recommend you turn it on.

In order to properly gain consent electronically, under GDPR (which would also cover your CASL requirements) you will need a sign-up / opt-in form on your website or app that:

  • is written in plain language,
  • is unambiguous and optional (so, not bundled with your Terms and Conditions or required for a “gated” whitepaper download),
  • clearly identifies the nature of the communication(s) the user is opting into,
  • allows users to selectively opt into specific kinds of communications,
  • clearly and specifically identifies any third-party organizations (by name, not generically) that you will be sharing users’ email address and personal data with,
  • states what information you are storing about the customer, how it will be used, and how you’re protecting that data, and
  • stores both the request and the response for proof.

If you already have a sign-up / opt-in form somewhere on your website, you’re likely most of the way there. You’ll want to make sure that:

  • Opt-in checkboxes are not pre-checked by default. (It’s “opt-in”, not “opt-out”.)
  • Each “mailing list” is separately identified. For example, if you have a “flash sales” list and a “product updates” list, they must be called out separately with their own opt-in checkboxes, since they do not share the same purpose.
  • The request and the acceptance are stored. This is important because if you have to prove that you have consent, the wording of your website / app may have changed since the time you obtained that consent. So you need to be able to produce a “snapshot” of the consent form at the time of consent. It needs to record the date and time, the method of consent and the exact wording of the request (at that time). This is the one that’s missed the most often, especially in bespoke solutions, but even with some of the larger players.
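The consent snapshot described in the last point, together with the “purge, don’t just tag” unsubscribe check from the audit list above, as an added illustration (not code from the post or from any mailing tool). The ledger, the `ConsentRecord` fields and the sample form wording are all constructed for the example; a real system would back this with a database and a retention job.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample: the exact opt-in wording shown on the site when consent was given.
FORM_TEXT_V1 = "Yes, send me the monthly Product Updates newsletter from Example Co."

@dataclass(frozen=True)
class ConsentRecord:
    email: str
    list_name: str
    method: str          # e.g. "web-form" or "double-opt-in"
    recorded_at: str     # ISO-8601 UTC timestamp of the opt-in
    request_text: str    # verbatim wording of the request at that moment
    request_sha256: str  # digest of that wording, so later edits are detectable

class ConsentLedger:
    # In-memory stand-in (hypothetical) for the consent table behind a sign-up form.
    def __init__(self):
        self._records = {}  # (email, list_name) -> ConsentRecord

    def record_opt_in(self, email, list_name, method, request_text, box_checked):
        # A box the user never ticked (e.g. pre-checked by default) is not consent: refuse to log it.
        if not box_checked:
            raise ValueError("no affirmative opt-in; nothing to record")
        rec = ConsentRecord(email, list_name, method, datetime.now(timezone.utc).isoformat(),
                            request_text, hashlib.sha256(request_text.encode("utf-8")).hexdigest())
        self._records[(email, list_name)] = rec
        return rec

    def proof_of_consent(self, email, list_name):
        """What you hand an auditor: the snapshot as stored, or None if no consent exists."""
        rec = self._records.get((email, list_name))
        return asdict(rec) if rec else None

    def wording_changed_since(self, email, list_name, current_form_text):
        """True if the live form no longer says what this subscriber actually agreed to."""
        rec = self._records[(email, list_name)]
        return rec.request_sha256 != hashlib.sha256(current_form_text.encode("utf-8")).hexdigest()

    def unsubscribe_all(self, email):
        """One-step unsubscribe from every list: purge the records rather than flag them."""
        keys = [k for k in self._records if k[0] == email]
        for k in keys:
            del self._records[k]
        return len(keys)

    def subscribers(self, list_name):
        return sorted(e for (e, lst) in self._records if lst == list_name)
```

Subscribing to your own list and then running the unsubscribe flow, as the audit list suggests, should leave `proof_of_consent` returning `None` and the address absent from `subscribers`; if it only flips a flag, the record is still there.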

If you use a third-party mass-mailing tool, there’s a good chance that you’re covered here, but do check that last point. It only comes into play if you’re ever audited, but when the fines get up into the millions of Euros, it’s better to be safe than sorry!

Will you need to purge your non-compliant mailing lists?

The very last thing marketers want to do is to throw out their mailing lists and start over again. To make sure that existing mailing lists are GDPR-compliant, it’s a very good idea to send out a re-permission email that is clearly worded, unambiguous (not wrapped up in a bunch of other announcements), and is designed to educate your audience about your privacy and data protection policy updates, and most importantly, drive people to a page where they can manage their mailing subscriptions.

But are you allowed to reach out to a non-compliant mailing list via email? Maybe. Check that:

  • The mailing list, if targeting Canadians, is CASL-compliant. If not, it can’t be used for GDPR re-permission.
  • You have had an existing business relationship with each recipient within the last 6 months. This allows you to contact them under the auspices of “Legitimate Interests” and “Implied Consent”.
  • The individual is over 16 years of age.

In some cases, entire mailing lists need to be dumped and those poor marketers will need to jump into launching a re-subscription campaign to build a new CASL- and GDPR-compliant mailing list. In the vast majority of cases, a mailing list audit and cleanse, followed by a privacy and protection re-permission email will lock down the list (for 2 years, after which explicit consent expires under GDPR).

Summary: Steps to GDPR Commercial Electronic Messaging compliance

  1. Set up a compliant opt-in / subscription page on your website or app, and make sure that the unsubscribe process follows guidelines as well.
  2. Audit your existing mailing lists for CASL and GDPR compliance and purge non-compliant addresses.
  3. Identify a data privacy and protection officer at your company.
  4. Update your mass email template to include identifying information (company and DPP officer contact info) and a clear unsubscribe link.
  5. Send out a re-confirmation email, and establish a repeating schedule (max every 2 years).

I hope this demystifies the implications of GDPR on your email marketing practices, and that you’ll discover you don’t have far to go in order to implement the necessary changes. We are far from legal experts here at Art & Science, so if you have any doubts about your obligations and risks, please do not hesitate to take appropriate legal counsel.

Stay tuned for future posts in this series that will look in detail into the technical and practical changes required to achieve full GDPR compliance in digital marketing.