New Privacy Standards in EU, CA Could Create Headaches for Marketers

While thankfully the American anti-spam act hasn’t changed since its institution in 2003, many other parts of the world are constantly rewriting or tweaking their privacy policies.

There have been two examples of this in recent news. The first is the passing of the GDPR, the General Data Protection Regulation, which was recently signed into law. Its aim is to strengthen and unify data protection for individuals in the EU, and it will go into effect in May 2018, which is causing marketers and IT professionals to scramble to remain compliant.

The second is a compliance report from the Canadian Radio-Television and Telecommunications Commission (CRTC), which is in charge of enforcing CASL, Canada’s anti-spam law. It sets a precedent and clarifies CASL for businesses scraping emails off the internet.

But what do these recent changes mean for the average email marketer?

This post outlines the changes that have or will go into effect, as well as the ways that marketers can prepare for upcoming changes (and avoid paying the massive fines associated with a compliance breach).

GDPR – General Data Protection Regulation

Opt-in Is a Must

While most countries in the EU and worldwide already have laws enforcing consent in email messaging, this new law brings in some overarching constraints to this.

Opt-ins are defined as “freely given, specific, informed and unambiguous.” That means no trickery or deception to get people onto your list.

This includes the signup process, requiring brands to not only explain who they are, but also provide the would-be subscriber with the reason that the brand is collecting their information.

This means no more email mining under the guise of a free whitepaper or software trial, or promotional giveaway. These methods are still acceptable, but now you must also obtain consent to continue sending any marketing or sales messages.

The Burden of Proof for Opt-In is on the Brand

That means brands must now keep opt-in records, because if they are flagged as being non-compliant, it is up to them to prove that they had consent to send in the first place.

Oh, and one more thing…

Old Data Must Comply With the New Rules

Nothing is grandfathered in here.

That means all those email addresses you have are at risk of being non-compliant, unless of course your standards already met the requirements of GDPR. If you have obtained EU email addresses through a less than kosher method, you need to start rethinking how all that data will fit into the EU’s new law.

And because the burden of proof is now on the brand, even legitimate contacts could be at risk if you haven’t kept the records of opt-ins for each and every one of the addresses on your list.

Basically, if you send emails to those in the EU, then your data needs to be compliant. It doesn’t matter if you are based in the EU or not; the rules apply regardless.

How can marketers ensure that they are compliant?

When May 2018 rolls around, you need to make sure that your database is prepped. If you send emails to any country in the EU, then your list is at risk of being non-compliant.

That includes the UK, in case you were wondering. Despite Great Britain’s move to leave the EU, it is likely that the transition will not be complete until sometime in 2019, a full year after GDPR is implemented. It is also likely that Great Britain will have to pass a series of laws similar to the GDPR to continue easy and open trade with the EU.

Marketers have a few options to deal with the GDPR. They could scrub all EU email addresses from their database, which is impractical and wasteful. Or they can rebuild only the EU addresses to comply with GDPR standards, or completely recreate their database so that all their contacts are compliant.

The last two options are the best, as many companies have a significant portion of their business operating in the EU. It won’t be easy, but it will be worth it for marketers to avoid the potential €20 million fine.


CASL Compliance Report

This fall, the CRTC released its first public compliance report and enforcement decision on the CASL anti-spam law.

The law, CASL, is intended to apply to any and all misleading or unsolicited commercial messages. The Canadian government released this fact sheet in case you need a refresher before continuing.

The CRTC has compelled an educational company called Blackstone Learning Corp. to change its practices in sending marketing emails as well as pay a fine that started at $640,000 and was appealed down to $50,000. Blackstone was reported 60 times in 2 months, which is how it fell under investigation.


Blackstone Relied on the “Conspicuous Publication” Exception Instead of Consent

Because the company was sending emails to state employees, it simply pulled publicly listed email addresses from state websites. The exception it used argues that putting an email address on a company website indicates implied consent to send commercial messages to the addresses listed.

The CRTC nixed that exception, saying that public availability is not the same thing as consent. For email addresses to be valid under this exception, they must adhere to these constraints:

  • Must be relevant to the recipient’s role or functions
  • The address must be published in such a way to imply consent to receive the type of message
  • There must not be a statement saying that the recipient doesn’t want to receive unsolicited commercial electronic messages

If these constraints aren’t met, then a brand is not allowed to send to that address. The implication of this decision is that email marketers cannot rely on automated harvesting of addresses from any public website. There needs to be a human element to determine whether the recipient is consenting.

What can marketers learn from this?

When sending emails to Canadian addresses, the safest bet is to get consent and not send email to addresses scraped from the internet.

But, if you must, make sure to at least follow these rules:

  • Establish a link between the recipient’s role/responsibility and the email you send them
  • Maintain copies of information linking the addresses to their online home

While it is possible to fly under the radar and not get caught breaching these anti-spam/data protection laws, it isn’t worth the risk. Not only will your company face penalties, but typically the practices that break these laws aren’t best practice in the first place. It is far more difficult to email market to someone who never asked for it. Leave those addresses off your list and your marketing efforts will be more effective.

Have you considered how you will adapt your database to comply with new EU standards? Does the decision from the CRTC surprise you? Let us know what you think in the comments section.

