August 2017 - Email: Trust & Challenges | Email Marketing | Data Protection & Privacy

Email Marketing Without Breaking the Law: Consent, Honesty and Transparency are Key

Massive fines are looming for email marketers that disrespect EU data protection law. Rosa Hafezi, Attorney at eco’s Certified Senders Alliance, explains how senders of email marketing can avoid the traps and keep their bank balance and reputation in good order.



With the EU General Data Protection Regulation (GDPR) (for more on the GDPR, see the interview with Dr. Katharina Küchler) coming into force in 2018, now is the time for email marketers to take stock and look critically at their email design, content and processes. These aspects always have been important and always will be, but with the GDPR the fines for infringements will skyrocket. In the past, some companies have not taken much notice of data protection laws, because they felt they could disregard a fine of a few thousand Euros. But they are more likely to care when sanctions go into the millions. 

But quite apart from the financial risks, reputation is something email marketers should always keep in mind, because ISPs – that is, companies like Yahoo, 1&1 or AOL, which receive your emails and then deliver them to your target customer – won’t let your email go through if you have a bad reputation. And this is clearly not what you want. Even if you don’t care about the fines, ultimately you should care about your reputation.

The eco Association’s Certified Senders Alliance whitelisting project recently published an update of the eco Directive for Permissible Email Marketing – available in English, German, Spanish and French. These are the five key findings of the new directive, with examples of good and bad practice:  

1. Consent is the key: The consent needs to be prior, concrete, transparent, active, explicit and separate from other declarations.  

What does a legal consent declaration look like? I will give you an example for each of these points. Firstly, active consent means it requires an action on the part of the person wanting to subscribe to your newsletter. For example, you have to tick the check box. If it’s pre-selected, then from the user side it is not active, so it does not fulfill the requirement.

Then, it has to be concrete. For example, if I subscribe to a newsletter, I need to know what I am subscribing to. Who is the company behind it? What products or services do they advertise, etc.? This has to be very specific. It is not even considered sufficient to say “we will send you advertisement for our company’s products” – this could be anything. It has to be as concrete as possible.

A very, very important aspect which is also stated in the GDPR is that the consent has to be separate from other declarations. This means, for instance, that you cannot have a declaration stating, “I want to buy this product and by buying these products I agree to receiving newsletters from your company”. This is, for one thing, not voluntary, and it is not separate from another declaration – because one declaration is the purchase agreement from the company, and the other would be the newsletter subscription. These have to be separate checkboxes. If, on the other hand, a company says “get a 10% discount on your purchase if you register for our email newsletter,” that’s OK – it’s legal because it is voluntary and they are giving you an incentive to do it.

2. In the event of a dispute, the sender of the email has the burden of presentation and proof. The Double-Opt-In (DOI) procedure offers the maximum legal certainty. The DOI email must be free of any advertisement.  

It is also stated in the GDPR that you, as a sender, have to prove that you have the recipient’s legal permission according to law. How should you do that? The best way to do it, which is also recommended by courts, is to use a double opt-in (DOI) email. So, how does DOI work? You subscribe to a newsletter, and after that, you will receive an email which says “we received a request for our newsletter, and by clicking this link in this email, you confirm your registration”. If you don’t click on that confirmation link, you should never get on the mailing list.

While a single opt-in makes sure that your email address cannot be automatically added to a mailing list, the advantage of the DOI process is that another person cannot manually add you to a mailing list – for example, a colleague playing a prank and putting your email address on a whole range of distribution lists. The confirmation link protects the user from unwanted subscriptions, and for the email marketer, it is actually a very good way to prove that you have the permission of the owner of the email address.
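The DOI flow described above can be sketched as follows. This is an added example, not code from the article or from the CSA: the function names, the 48-hour link lifetime, the in-memory stores and the fields kept as consent evidence are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # assumed per-deployment signing key
TOKEN_TTL = 48 * 3600              # assumed lifetime of the confirmation link
pending = {}                       # in-memory stand-in for a "requests" table
consent_log = {}                   # in-memory stand-in for the consent evidence

def _sign(email, nonce, issued):
    msg = f"{email}|{nonce}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def request_subscription(email, consent_text, now=None):
    """Step 1: record the request; the returned token goes into the DOI email link."""
    now = int(time.time() if now is None else now)
    email = email.strip().lower()
    nonce = secrets.token_urlsafe(16)
    pending[nonce] = {"email": email, "consent_text": consent_text, "requested_at": now}
    return f"{nonce}.{now}.{_sign(email, nonce, now)}"

def confirm(token, now=None):
    """Step 2: the recipient clicked the link. Only now does the address join the list."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued, sig = token.split(".")
        issued = int(issued)
    except ValueError:
        return False                               # malformed token
    req = pending.get(nonce)
    if req is None:
        return False                               # unknown or already used
    expected = _sign(req["email"], nonce, issued)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                               # tampered token
    if issued != req["requested_at"] or now - issued > TOKEN_TTL:
        return False                               # expired link
    del pending[nonce]                             # single use
    consent_log[req["email"]] = {**req, "confirmed_at": now}
    return True

def mailing_list():
    """Only confirmed addresses are ever mailed."""
    return sorted(consent_log)
```

An address entered by a third party stays in `pending` and never reaches `mailing_list()`, while each confirmed entry in `consent_log` keeps the consent wording and both timestamps as a record of the permission.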

3. Those who send advertising emails are obligated to give the recipients the opportunity to delete their names from the distribution list and to clearly point out this possibility. Information about the possibility of unsubscribing and how to do so must be given BEFORE the data are collected and in every email as well.

Of course, if you want to get the permission to send newsletters, you have to inform the recipient before you collect the email address that they have the chance to opt out at any time with effect for the future. And this needs to be stated in every newsletter itself as well. For example, if you design the consent declaration, then you should also state somewhere – very close to the actual declaration – that “you have the opportunity to unsubscribe at any time with effect for the future,” either by sending an email to a specific email address or by clicking the unsubscribe button in the newsletter (see “The Most Important Click for Your Brand” for one technical solution for this). But whichever method you choose, it has to be very easy to do and easy to find. 

The eco Complaints Office once had a case where the only way to unsubscribe from the newsletter was to send a letter by post. Who does that?! This is what we would call worst practice! Unsubscribing this way is not easy to do, and it has to be easy.

4. The commercial character of an email may not be disguised. 

If you send emails of a commercial character, be clear in the newsletter that it has a commercial character. For example, some newsletter subject lines do not say very clearly that they’re commercial, and this is forbidden. If you use the subject line “This is an invitation to my birthday party”, the recipient’s first assumption is that this is a private party. And then you open it and you see that company XXX is turning 10 years old and to celebrate they have special offers.

Say who you are. Be honest. Transparency is really the key to all of these points. And treat your recipients the way you want to be treated.

5. Each commercial email needs to contain an easily findable Legal Notice which includes all relevant company information.

What is also mandatory by law is that each commercial email needs to have a legal notice at the bottom. What it needs to include is the name of the company (in Germany it’s also the name of the legal representative, according to the Telemedia Act) and the VAT ID. Then you have the street address, of course, and what is also mandatory is the email address (simply an info@... is fine). Then you need another communication channel which enables fast communication. So, the best would be phone. But then, it should be a phone number that is answered by a real person, who can react within a short time. If the number always leads to a machine, this is not considered a fast communication channel. All the mandatory information for a legal notice is set out in national and European laws.

An example of bad practice was a very big company that provided an email address, but when you wrote to that address their only reply was, “We receive so many emails we cannot answer your email at the moment. Please call this number for support.” According to the courts this was not sufficient. 

Rosa Hafezi interviewed a range of speakers at the CSA Summit in May 2017. Read the interviews with: Terry Zink (Microsoft), Marcel Becker (Oath), and Paul Midgen (250ok).

Rosa Hafezi studied Law at the University of Bonn and has been registered as an attorney since January 2013. During her studies she worked for renowned media groups and international companies. Since 2013, she has worked as Legal Counsel for eco – Association of Internet Industry, the largest Internet industry association in Europe, and the Internet Exchange operator DE-CIX. Rosa is in charge of the legal content of the project Certified Senders Alliance (CSA) and is a speaker for relevant topics regarding legal email marketing.

Data protection and what’s in store for companies with the forthcoming EU GDPR will be a focus of the December 2017 issue of dotmagazine – stay tuned!