GDPR updates: What you need to know!
Do the updates from the European Data Protection Board (2024) spell the end of newsletter tracking? Not if you do it right. In October 2024, the European Data Protection Board (EDPB) published new guidelines on the EU General Data Protection Regulation (GDPR). These new guidelines on tracking are of great importance to email marketers. In this blog post, we take a look at the most important aspects of GDPR compliance in email marketing and provide you with practical tips to ensure legal certainty.
New EDPB guidelines: What has changed?
The EDPB guidelines from October 2024 provide some clarification in the area of email tracking. The key point: Any form of tracking now requires explicit consent, which must be specific, informed, and voluntary. This applies not only to open tracking, but also to click tracking and other forms of user analysis.
Here are the most important points:
- Explicit consent for tracking: Explicit consent is now required for email tracking.
- Differentiation of consents: Consent for email tracking must now be given in addition to consent for the sending of newsletters.
- Transparency: Users must be clearly informed about the purpose and nature of tracking.
eworx practical tip: Review your current tracking methods and adjust your consent processes accordingly.
Consent acquisition and double opt-in: The key to compliance
Obtaining consent correctly remains the be-all and end-all of GDPR-compliant email marketing. The double opt-in process has established itself as best practice here:
1. Initial registration: The user enters their email address and agrees to receive the newsletter.
2. Confirmation email: An email with a confirmation link is sent to the address provided.
3. Final confirmation: The registration is only completed when the link is clicked.
Important aspects when obtaining consent:
- Unambiguous action: Consent must be given through an active action on the part of the user.
- Specific purposes of use: Consent for email marketing does not automatically permit the use of data for other purposes, such as WhatsApp advertising. Each marketing activity requires separate, specific consent.
- Clear consent procedures: If consent for mailing has been obtained without explicitly mentioning tracking, it is not permissible to track interactions.
- Avoid preselections: Checkboxes for newsletter subscriptions must not be preselected; users must actively give their consent.
- No forced consent: Consent must not be made a prerequisite for using a service. Consent must be given voluntarily, without access to services or functionalities being made dependent on it.
eworx practical tip: Clearly explain why you are collecting and using the data. In particular, tracking must now be explicitly mentioned. Add information about data storage and deletion to increase transparency.
Myths and facts about the GDPR in email marketing
Let's clear up some common misconceptions:
Myth: “The GDPR is an EU law.”
Fact: The GDPR is an EU regulation that is transposed into national law in each country. Therefore, the exact regulations may vary slightly from country to country.
Myth: “If I use GDPR-compliant software, I'm on the safe side.”
Fact: GDPR-compliant software such as the eworx Marketing Suite is helpful, but the responsibility for correct use lies with the user. Technology alone does not protect against penalties.
Info - What makes a GDPR-compliant solution like the eworx Marketing Suite stand out: The eMS ensures the protection of your data by storing it exclusively in Austria. In addition, we only use third-party tools that process data within the EU, such as spam checkers and captcha services. The eworx Marketing Suite itself offers comprehensive GDPR functions that are necessary to ensure compliance. These include a double opt-in workflow for verified consent, a GDPR-compliant unsubscribe option for recipients, a mandatory unsubscribe link in every campaign, and data access and data deletion reports that enable transparency and control over data processing.
Myth: “I don't need consent for existing business relationships.”
Fact: This is true for information relating purely to existing contracts. However, you do need explicit consent for newsletters or tracked emails.
Myth: “All personal data must be deleted immediately.”
Fact: There is a right to have data deleted. However, the GDPR does not require that all personal data be deleted immediately after the processing purpose has been fulfilled. When the data must be deleted depends on the purpose and legal basis of the data processing. It is important to clearly document and regularly review the necessity of data storage to ensure compliance.
Practical tips for GDPR-compliant email marketing
- Transparency is key: Inform your subscribers clearly and concisely about how their data will be used. This builds trust and reduces the risk of complaints.
- Regular audits: Check your processes regularly for GDPR compliance. The data protection landscape is constantly changing, so stay on top of things!
- Documentation is key: Keep accurate records of consents, data processing procedures, and deletion processes. These are essential in the event of an audit.
- Train your team: Ensure that all employees who work with customer data are aware of the GDPR requirements.
- Be cautious when purchasing data: Purchasing email lists is generally not recommended. If you are still considering this, be sure to seek legal advice.
- When in doubt, consult an expert: If you have specific legal questions or in the event of an audit, it is advisable to seek professional legal advice.
With a proactive approach to GDPR compliance, you will not only build trust with your recipients, but also minimize the risk of fines.
Your GDPR checklist
To help you ensure that your email marketing complies with legal requirements, we have put together a short checklist for you:
✔ Consent for sending emails has been obtained.
✔ Separate consent for email tracking has been obtained.
✔ The purpose of data processing has been clearly communicated.
✔ A double opt-in procedure has been implemented.
✔ An unsubscribe link is included in every email.
✔ The privacy policy is up to date and easily accessible.
✔ A process for regularly reviewing recipient lists has been established.
✔ Documentation of consent and processes is available.
✔ The legal basis on which you rely is documented.
✔ The technical and organizational measures for protecting personal data are documented.
Conclusion: Consider the GDPR as an opportunity for better marketing
At first glance, the GDPR may seem like an obstacle, but with the right approach, it can be easily overcome. Above all, it offers you the opportunity to strengthen your customers' trust and improve the quality of your marketing activities. The key lies in transparent communication with your recipients, careful collection and documentation of consent, and regular review of your processes. This will not only enable you to operate in a legally compliant manner, but also increase the effectiveness of your email campaigns.
Would you like to learn more about GDPR-compliant email marketing or have your current practices reviewed? Contact us for a personalized consultation.