Email best practices
Email compliance audit: GDPR, CAN-SPAM, and CCPA
An email compliance audit will help you analyze your data compliance and ensure your email program stays on the right side of marketing laws.
PUBLISHED ON
If a historian was ever to document the story of email marketing, we suspect they would look at it from the perspective of before-GDPR and after-GDPR. GDPR wasn’t the first regulation to attempt to clean up the world of email marketing, but it was the first that had real teeth and the promise that it would bite if marketers didn’t comply. Before GDPR, email marketing was still in its Wild West era. After GDPR, email marketing became a much more accountable environment, making the inbox a much more productive and friendly place.
The success of the European Union’s General Data Protection Regulation (GDPR) hasn’t gone unnoticed and is largely being replicated around the world. For example, the California Consumer Privacy Act (CCPA) and, more recently, the California Privacy Rights Act (CPRA) mirror the GDPR. Like GDPR, both of these laws give regulators the power to go after less-than-scrupulous email marketers who had previously disregarded more lax regulations, such as the CAN-SPAM act.
Unlike the CAN-SPAM Act, the GDPR doesn’t differentiate between personal and business contacts. Therefore, if you don’t have permission to email an individual, regardless of their status as a business or individual, GDPR applies to you.
So with so many laws and regulations, how do you ensure you’re on the right side of email compliance? In this post, we share all the information you need to audit your email compliance and make sure you are getting it right.
What is an email compliance audit?
Essentially, an email compliance audit is designed to make sure marketers are following the requirements of any data privacy laws they need to adhere to.
More specifically, it will help email teams ensure they have legally collected any contact details stored across their Martech stack and have matching records offering explicit permission from each subscriber to receive marketing communications. The audit should also help marketers understand where subscribers’ information is stored in the business, helping them quickly remove the data from their systems should a subscriber ever request that move. It should also help define the length of time marketers should keep the subscribers’ information if they are inactive.
If you worked in email marketing before GDPR, the date of May 25, 2018, is probably burned into your memory, and you should be fully aware of what an email compliance audit looks like.
To ensure they were compliant with the GDPR, email marketers desperately consulted with their legal teams before looking back at their records to ensure they had permission to maintain their relationships with their subscribers. In many cases, this information was lacking, and marketers resorted to retrospectively asking for their subscribers’ permission to continue their relationship. Most of these requests were ignored, and the inbox environment went very quiet for a while. For more considerate and compliant marketers, this was bliss.
Identifying what laws you need to comply with
The first step before auditing your email compliance, though, is identifying which regulations you should comply with. Knowing where your users are based will help you understand what laws you need to adhere to. For example, marketers emailing EU citizens will need to follow GDPR, while those sending campaigns to people in California will need to adhere to the CCPA.
The good news is, if you are GDPR compliant, you are probably doing everything you need to do to be compliant with CCPA, CPRA, and all the other regulations that may impact your campaigns – since GDPR set a pretty high overall standard. There is even more good news in the fact that GDPR compliance looks very much like email marketing best practice.
The GDPR, CCPA, and CPRA all insist that:
Email marketers have their subscribers’ explicit permission before adding them to a list.
Email marketers only send relevant communications based on previous engagements.
Email marketers do not share subscriber data with other parties without permission.
Email marketers identify themselves clearly in every communication.
Email marketers enable subscribers to quickly and easily remove themselves from lists.
This should mean, if you pride yourself on being a good email marketer, compliance with whatever regulation you look at should be a breeze. If only life was this easy.
When should you conduct an email compliance audit?
Like any email audits, email compliance audits should be undertaken periodically to ensure you’re following all laws and regulations that might apply to your business, especially when a new one comes into effect.
You might also want to conduct an email compliance audit if you’ve inherited an email list with no clear understanding of how the data was acquired. At best, that data might have been collected legitimately but become separated from the documentation that proves its compliance over time. At worst, that data could have been acquired using less-than-scrupulous practices. However, it really doesn’t matter if that data has been purchased, stolen, or orphaned from its permission statement — as an email marketing complying with the latest regulations, you cannot use it.
It’s at this point that you’ll want to conduct an email compliance audit to separate the data you can use from the data you should never send to.
What information should you look for in an email compliance audit?
There are a few elements you should consider when you decide to do an email compliance audit on your email program. These refer to the data you request from your subscribers and the ways in which you collect this information.
Permission statement
The first item you need to look at when conducting an email compliance audit is the permission statement approved by a subscriber at the moment of subscription.
That record of permission can be collected and stored in a number of ways. Ideally, it will have been acquired via a tick box linked to a statement on an online subscription form and be accessible via your email marketing service provider. Alternatively, it may have come via an ecommerce system, payment gateway, mobile app, or any number of other online services. However, keeping track of these permission statements can be challenging when sharing data across platforms and risks being lost when moving to new systems or re-platforming.
The problem is amplified when you collect email addresses offline, perhaps in a retail store, trade counter, or an event. Best practice dictates that you collect these emails addresses electronically. A simple subscription form, complete with a permission statement, can easily be hosted on a tablet or smartphone. However, if you want to make life hard for yourself, it’s also possible to collect your subscribers’ permission using paper forms – which is even more of a nightmare than it sounds.
Subscription sources
The second item you need to look for is the source of your subscription. A compliant email should always be relevant to your subscribers’ original engagement. Just because your business offers multiple services doesn’t mean you should be marketing them to your subscribers.
The real challenge for email marketers is they may have to search far and wide to tie subscribers with permission statements across multiple technology platforms, which they may or may not have access to or experience in. And remember, email compliance is a legal requirement. So as an email marketer, you’ll need to share your knowledge and experience with your organization’s legal team, who will ultimately approve your audit.
Amount of data collected
The third item you need to assess when running an email compliance audit is the actual information you collectfrom your contacts. What data are you asking your users to provide when they register?
Your data collection processes should always respect the data minimization principle – that is, only collect the minimum data you need for your specific purpose. Don’t request data you don’t need or you don’t plan to use. Think about it, why are you collecting the individual’s date of birth or phone number if you don’t intend to do anything with that information? If it’s not relevant, don’t ask for it.
Pros and cons of running an email compliance audit
OK, this is a slightly misleading heading. There are only benefits to running an email compliance audit. There is a risk that you might have to remove email addresses from your lists, but the risk of sending non-compliant emails is far greater.
GDPR violations can carry massive fines – as much as €20 million (about $22.6 million) or 4% of annual global turnover – whichever is greater. And if you think the EU is a toothless tiger, consider the €8.5 million fine issued to Vodafone in Spain for unsolicited marketing activities.
Start fresh with Mailjet
Use a GDPR compliant email marketing service provider like Mailjet is a great start to build a compliant email program. If you use the Mailjet subscription widget, you can be assured that you are properly collecting the requisite information from your new contacts. With such a valuable asset, you’ll want to be extra sure that you’re not polluting your list with non-compliant contact collection methods.
Nobody enjoys running an email compliance audit unless you are a legal fanatic, but if you cannot 100% guarantee the quality of your lists, it’s something you are going to have to do. But don’t worry, we have a GDPR SOS kit ready for all those marketers in distress.
Want to get more email marketing tips directly in your inbox? Sign up for our newsletter and get weekly email updates from the Mailjet team!