Withdrawal in email marketing and GDPR
The process of withdrawal in email marketing campaigns, and how to implement it in line with the GDPR, is one of the questions most commonly asked by people in the sector and one of the most discussed in the recent edition of the Email Marketing Bootcamp, in which I had the privilege of giving the legal session once again this year.
Which regulations apply to withdrawal from email marketing?
If an email address is considered personal data (it will be, as long as the email marketing campaigns are B2C), the GDPR undoubtedly applies in full. This well-known regulation applies to any processing of personal data, regardless of the sector. Therefore, it governs all email marketing campaigns.
Thus, if the sending of emails with advertising or promotional content is based on the recipient’s consent, given at some earlier point, the recipient must be entitled to withdraw that consent (Art. 7.3). This right of the recipient therefore becomes an obligation for the company or agency managing the campaign.
The “cancellation” is also justified by the right of any person to have their personal data erased (Art. 17 GDPR). Therefore, if someone asks for their personal data to be deleted (including the email address to which the messages are sent), this should lead to the cancellation of all commercial communications they were receiving until that time.
Finally, and still within the GDPR, Article 21.2 provides for the so-called right to object, which is simply everyone’s right to refuse the processing of their data for commercial purposes.
It must not be forgotten that the right to object to, or to stop receiving, electronic commercial communications is also regulated by the 2001 LSSICE, which also states that the procedure must be simple and free of charge.
In case of cancellation, should I delete the data immediately?
Currently, most email marketing campaigns are automated through platforms available on the market (Mailchimp, ActiveCampaign, Sendinblue, etc.). Likewise, the handling of cancellations requested by recipients is also an automatic procedure.
Therefore, the company responsible for the campaign does not normally even know that a cancellation has been requested because, as noted, this is an automatic process handled by the platform.
Regardless of this, bear in mind that when requesting withdrawal from an email marketing campaign, the data blocking rule included in Art. 32 of the current LOPD applies.
This article sets forth two important provisions that affect unsubscribe requests in email marketing campaigns:
- When a withdrawal is requested, the applicant’s data must not be deleted immediately, but must be blocked. In this state, the data will remain under the control of the company that managed the campaign, but it must take the appropriate measures to ensure this data cannot be altered. Only once the limitation period for infringements has expired should the data be deleted. In the world of email marketing, the most serious common infringements become time-barred after 2 years, so this is a good time criterion when deciding when data should be deleted.
- Where the data processing system or the campaign delivery platform does not allow for this blocking and deletion system, the cancellation requests must be extracted and saved independently before deleting the data after the two-year period has elapsed.
- A request to unsubscribe from your campaign does not mean that you should delete the data immediately. Make sure the applicant does not receive any more emails (especially if your unsubscribe system is not automated), but do not delete their data.
- Check that your email marketing platform supports blocking and subsequently deleting the data.
- If your transmissions and your campaign management system are more “manual”, also take these recommendations into account.
If you have any doubts about this or any other issue, please contact us!
LEGAL IT GLOBAL 2017, SLP