GDPR doesn’t allow for “cold emails” to be sent; anyone who receives a marketing email must have first voluntarily opted into receiving those emails. Before GDPR, email regulations varied by country, but GDPR overrides the country-level laws. These permissions to be emailed must be “clear, direct, and unambiguous,” which means that a box must be checked to allow emails to be sent. Having a box that must be unchecked to disallow emails would not be considered appropriate under GDPR.
When someone agrees to be emailed, they must be provided with a clear and understandable explanation of how their data will be used. For example, if you’re collecting their data to determine what offer you’ll send them, you must explicitly state that you’re collecting data for that purpose and give them another chance to opt out. What this means is that if you collect email addresses by allowing downloads of your whitepaper, it would be illegal to send those downloaders a marketing email unless you first get their explicit permission to do so.
Companies must be able to prove that their email recipients have given their permission to be emailed, and the burden of proof falls on the company instead of the recipient. What this means is that any organization seeking to email someone must maintain proof that the recipient allowed themselves to be emailed for that specific purpose. Companies will have to maintain databases that can be shown to auditors and Data Safety Officers if necessary. GDPR allows for the government to request consent forms at any time, so companies are expected to have them in readily accessible storage. These consent forms can consist of a screen grab that is taken when the user confirms their acceptance of the use of their data.
GDPR doesn’t allow for previous data to be used. What this means is that all people currently on email lists will have to provide their explicit consent, even if they’ve been emailed before. Proof of their consent will be required by the sender and all customers will have to have their data updated.
These regulations only apply to customers who are from the European Union, so it may be possible for companies to set up separate landing and consent pages for visitors from the EU. However, it may be easier to have one landing page that complies with GDPR to make the development processes easier.
Max is a Legal Assistant and author residing in the Philadelphia area. He has been writing for AskCyberSecurity.com since early 2017.