GDPR and CAN-SPAM – A Comparison for US Emailers


If you’re an email marketer in the United States, you’re already familiar with CAN-SPAM – at least I hope you are! Since its inception in 2003, the CAN-SPAM Act has provided a framework enabling companies to email their clients and prospects while remaining compliant with regulatory rules.

The law is fairly straightforward and after almost 15 years, marketers have shown it is entirely feasible to build a highly productive email marketing program while being compliant.

In May 2018, the General Data Protection Regulation (GDPR) came into being and provided a whole new set of rules with regard to the collection and usage of consumer data – creating major impacts for companies marketing into the European Union (EU). Many digital marketing channels have been dramatically impacted by the new regulation, as noted in plenty of articles, white papers, and other published content. While the impacts on programmatic advertising, location-based marketing, and numerous other areas have been covered extensively, I haven’t seen that much discussion about email marketing.

For email marketers already running successful programs under the auspices of CAN-SPAM, how is GDPR different from what they are already doing? (*Note – I’m going to keep the comparison at a high level. For more specifics on the similarities and differences between CAN-SPAM and GDPR, you should look at each piece of legislation and compare the details.)


This is one of the major differences between CAN-SPAM and GDPR. CAN-SPAM allows the sending of unsolicited email to recipients, as long as an appropriate opt-out mechanism is included in the message and unsubscribe requests are honored in future campaigns. GDPR builds on the already existing requirement in the EU that email recipients must have provided consent (or opted in) prior to receiving email. A similar opt-out process is also required.

So, the main difference here is that CAN-SPAM does not require consent prior to an email being sent, but GDPR does require that prior opt-in. Also, it’s good to note that the requirement for an opt-in for email marketing already existed in the EU, but it has been clarified within GDPR.

GDPR also includes some details about how consent is communicated, to ensure individuals fully understand what they are opting in for, and that opt-in boxes may not be pre-checked. You can delve deeper into the consent requirement in GDPR at the UK Information Commissioner’s Office website.


As mentioned above, both CAN-SPAM and GDPR require that email marketers provide a mechanism for recipients to opt out of future email messages. CAN-SPAM requires that such opt-outs be acted upon within 10 days of receipt. GDPR, being more focused on overall data privacy, includes a more universal opt-out process called the Right to Erasure, under which an individual can request that all of their personal data be erased. Part of such an erasure request would necessarily be a request to unsubscribe from future email communications (some exceptions are noted later in this article). In each case, once an opt-out has been received, no further emails can be sent to the specific email address. There are exceptions to this rule under both regulations, related to transactional messages and other email that may relate to the business relationship between the user and the company sending the email. (Having a current client opt out from receiving your monthly email newsletter does not automatically preclude you from sending them your monthly invoice email.)

Individual Data Rights

As mentioned above, the focus of GDPR is on personal data privacy, not email marketing – or really any type of marketing. It is just that marketing has evolved to rely heavily on user data for targeting, tracking, and other purposes. So, rules related to data privacy naturally have a significant impact on marketing. CAN-SPAM is legislation focused particularly on email marketing, so there are many aspects of GDPR that are well outside the scope of CAN-SPAM. A major difference is in the individual data rights defined in the GDPR. Many of these rights do impact email marketers and add new requirements beyond CAN-SPAM.

Right of Access and Data Portability

Under GDPR, EU data subjects have the right to request access to all of the data a company has on file about them. An email marketer may only have fairly basic data (email address, first/last name, etc.). However, if the company collects, processes, and/or stores more data on email recipients (in a customer database, for example), it needs to be able to locate all that information and provide it to the user upon request.

Right of Erasure

As discussed previously, this right is actually a bit complicated when it comes to email. The GDPR provides EU data subjects with the right to request that a company delete all information it has ever collected about them. There are quite a few exceptions to this right. For example, a customer can’t simply request that all information about them be deleted when they have an outstanding account balance with the company. It isn’t a get-out-of-your-debts-free card. In email, there is a different issue. A request for erasure also includes a de facto unsubscribe request. But, to ensure an unsubscribe request is honored going forward, that email address typically needs to be permanently stored in an opt-out list to be used for suppression purposes.

So, how is email marketing in the EU really impacted by GDPR? Depending on the organization, the impact may not be that significant. Email marketing in the EU has already been working under a required opt-in framework, while many other forms of marketing have not. The biggest change might be simply ensuring that opt-in language is specific about how recipients’ data will be used and that consent is freely given. If a company is sending third-party promotions via email, that should be called out specifically in the opt-in language.

Note – The author, Tom Wozniak is not a lawyer or legal professional and no information in this article should be taken as actual legal advice. It is always recommended that companies obtain professional legal guidance on matters pertaining to industry regulation or legislation, like GDPR.
