GDPR caused a lot of confusion when it first appeared, and it is still causing confusion now. One of the most complex and tricky subjects is when businesses can and cannot email their customers.
For years, companies have been sending emails to anyone who appears on their mailing list without considering whether it is legal to do so; it is a classic upselling tactic.
There were rules about this in the Privacy and Electronic Communications Regulations (known as ‘PECR’) long before the GDPR came along.
Together, GDPR and PECR make the rules extremely clear and give the ICO teeth to act (and it does act) when people break them.
What emails can I send?
One of the problems with sending emails is differentiating between the two distinct types.
There are transactional emails and there are marketing emails.
If someone buys something from your site, there is a process they have to go through in order to receive their goods.
It’s usually fairly simple:
Add a product to a cart
Checkout from that cart
Fill out some details
Receive confirmation, order status, delivery emails
Those emails at the end of the process and then any updates about that order are transactional emails because they relate to that transaction.
Anything else generated by that order, such as a follow-up asking whether the product arrived, or perhaps a request for a review, could also be seen as transactional.
However, if you then send an email trying to upsell, such as “We hope you loved your socks, would you like a pair of matching gloves?”, that is marketing.
Emails about the customer’s account, such as password updates or changes to terms and conditions, are also transactional.
This is fairly self-explanatory.
If you try to sell something to your customer, or your email promotes new website features or anything else designed to entice customers to click through and visit the site, that is marketing.
Fairly clear, no?
Here is the problem: some people still break the law, while others go over the top.
I’ve seen websites with a form where people can download an e-book. They need to enter their details, and the form also has a tick box that says “Please tick this box if you consent to us sending you this e-book.”
GDPR says the customer should give clear consent; in this case, the consent is given by filling out the details to request the e-book and submitting the form.
Imagine someone requesting the e-book but then not giving you permission to send it to them.
Gaining clear consent
When someone is checking out of your store, you can offer them the option of opting in to receive updates from you.
This is usually a tick box somewhere on the checkout page. Importantly, it needs to be un-ticked initially: a pre-ticked box does not count as consent.
There is also something called the soft opt-in. This applies where someone buys from you and gives you their email address as part of the buying process. PECR allows you to take the view that customers who have bought from you would not mind hearing about your similar products or services. So as long as you give them a chance to opt out at the time they buy from you, and a right to opt out in every email you send them, that is fine.
And that’s really it.
The law is extremely clear on what can and cannot be sent to customers, and it leaves little to interpretation.
The simple fact is that if you want to market to customers, you either need their permission or you must be acting under the soft opt-in. There are no clever ways around it, and if you break the rules of GDPR and PECR, you are in danger of being picked up by the ICO and fined.
Unless you’ve spent the last 12 months on the International Space Station, there is a very good chance that the Covid-19 pandemic has affected you in some way. For many, it has brought a fundamental shift in the way they run their business. Those in the retail and hospitality sectors have been hit particularly hard, and during these difficult times some have had to adapt and try new ways to bolster an income that has been severely reduced.

Going online has been the obvious choice, and so 2020 became the year that shop owners, small and large, took the plunge and got themselves a website. It used to be challenging to start an online shop, but there are so many ways to do it these days that you can be up and running within a day. It is no surprise that Shopify now hosts 1.5 million websites on its platform and is one of the fastest-growing systems for starting an online presence.

But there is a particular responsibility that comes with owning an online store, and it needs to be taken seriously: GDPR.
It’s not just about that pop-up
Many simply install a pop-up that tells visitors the site uses cookies, and leave it at that. But that might not be “it” if you want to ship to countries in which GDPR applies. If you are in the USA, for example, and want to ship to the UK or Europe, you may well have to adhere to GDPR rules and appoint a GDPR representative. Likewise, if you are based in the UK, Brexit means you can no longer simply post things across to Europe friction-free; you may also need to appoint a GDPR representative in a European country.
How and why does Article 27 apply?
Let’s deal with the UK for now. If you have recently set up a store in the UK and want to ship anywhere in Europe, then it is likely Article 27 will apply, unless the processing of that data is “occasional”. The ICO (the regulator for GDPR in the UK) describes “occasional” as a “one-off occurrence, something you do rarely”. So, for example, you mainly sell to the UK, but someone in Germany finds your site, buys something and needs the product delivered there. In this case, you are unlikely to need to appoint a GDPR representative. However, suppose you actively market to Germany, France or anywhere else in the EU: you have prices on your site in euros and postage rates set up specifically to handle international shipping. In that case, you are not ticking the “occasional” box, and you will need to appoint someone. One exemption is if you already have an office in a European country, but if you have just signed up for a Shopify site, that is unlikely to be the case.
What does the GDPR representative do?
But I’m a tiny business. Does Article 27 include me?
Sorry, yes. Some tiny businesses process a lot of data. If you sell to someone in Europe, you hold details that can personally identify them. Their address and other information will likely stay in your order system for some time, so they need to have confidence that you are looking after that data.
I’m in the USA. Does it apply to me?
It certainly does! Although the laws are European in origin (and, since Brexit, the UK has its own version), they are international in scope: they apply to anyone offering goods or services to people in those territories, wherever the business is based. If you sell to the UK or any European country, you need to appoint an Article 27 GDPR representative, unless the processing is genuinely occasional as described above.
Is it expensive? Surely I don’t need to employ someone?
Luckily, there are ways to comply with the law without setting up an office in the country you want to trade with. A GDPR representative can be an agent who acts on your behalf, and DPA-OK is here for you. Contact us today!