You Ask, I Answer: GDPR and Email Marketing?

Noreen asks, “I am ramping up emails in EU, and am looking for current best practices in terms of emailing with respect to the GDPR rules. Do you use outside services to warm up your cold leads so they are compliant with GDPR?”

Machine-Generated Transcript

What follows is an AI-generated transcript. The transcript may contain errors and is not a substitute for watching the video.

Christopher Penn 0:29

In today’s episode, Noreen asks: I am ramping up emails in the EU and I am looking for current best practices in terms of emailing with respect to GDPR rules.

Do any of you folks use outside services to warm up your cold leads so they are compliant with GDPR? You can’t, you can’t do that.

GDPR, which is the General Data Protection Regulation in the EU, passed in 2018, all enacted into law, became operable in 2018, explicitly forbids this exact thing.

You cannot email a cold list of leads, you can’t.

Because you don’t have consent.

And more importantly, you don’t have consent for marketing purposes.

Right? That is what GDPR really focuses in on is do you not just have blanket consent, but do you have consent for the individual purposes.

So if you collect data for sales purposes, and you’ve gotten permission from the user to do that, you cannot use it for marketing purposes.

Just like if you collect data for customer service purposes, you cannot use it for marketing purposes, you have to ask for that consent separately.

And if you don’t follow the rules, the fees, the fines, and the penalties are really, really bad and really, really strict.

We’re talking millions of dollars potentially in fines, far more, far beyond what anything in the United States has for unsolicited, for improper use of data.

So suppose you have a list of email addresses, what can you do with it and still be compliant with GDPR?

Much about the only thing you could do is hash it, which means encrypt it, and then load the encrypted version into a system of advertising that allows you to send retargeted ads towards those individuals asking them to opt in or asking them, you know, basically advertising like your newsletter, or what have you.

And even that, you’d want to ask a lawyer, if you’re allowed to do that, right? Because under the law, if you have somebody’s personal information, and they didn’t give you consent for it, I’m not sure you can even use it for that, again, check with a lawyer, I am not a lawyer.

This is not a lawyer here in any way, shape, or form.

Honestly, the safest thing to do would be to take that list of cold leads and shred it, right or hit the delete key and make it go away.

So that you are not in possession of information you should not have, and you’re not tempted to use it.

So what do you do instead? How do you build and grow a marketing list that is GDPR compliant?

Ads, right? Run ads in the target market, not using personal information, just using aggregated demographics, or firmographics or whatever, advertising your stuff.

Do any normal inbound marketing, right? So create great content that people in the EU can find and subscribe to your stuff, make a podcast, make videos on YouTube, and all the inbound methods where a person comes to you and proactively and voluntarily gives you consent to use your information for marketing data. That is okay, that will pass muster in the EU, in China, in California, and all the places where data privacy regulation exists and is stringent.

Inbound marketing, permission-based marketing, is the easiest, simplest and legally strongest way of doing your marketing.

Again, run ads too. Ads are a little bit more outbound.

But again, if you’re using a system like Google Ads or YouTube ads or whatever, and you’re not retargeting based on data that you shouldn’t have, you’re just using general advertising targeting, that’s totally fine.

There are no legal issues with doing broad-based, awareness-based advertising to big market segments, right.

So you’re targeting business owners, or you’re targeting people between the ages of 45 and 54, or you’re targeting people in the country of Belgium, all that totally cool, legally compliant, and will not get you into trouble.

One of the things to be careful of,

Christopher Penn 5:16

and I think this is relevant given the nature of the question, is that, before you do any of these campaigns, go to your website, and make sure that all of your forms and data collection are compliant, right? Have your legal team or your legal counsel or your law firm or whoever review it all, review your privacy policies and things like that, to make them GDPR compliant.

They should be already, like, GDPR has been in effect since 2018.

So if you’re doing business in the EU, and you’re not compliant, you are playing, you’re playing Russian roulette with a semi-automatic, which, if you don’t know, those are not as relevant anyway, it’s a bad idea, right? You want to make sure that if you were doing business in the EU, if you are a legal entity that does business with it, the people who are within the EU.

And by the way, that applies to everybody within the physical borders, not just EU citizens.

So if you’re an American, who is in Paris, while you are in Paris, you are subject to the rules of GDPR.

Because you are on European territory.

And so for that time GDPR applies to you.

So a company emailing you, and they didn’t have your consent to send you marketing email, if you get that email while you’re in Paris, you could press charges against that company.

So go through and make sure that all of your website, all your data collection techniques are all compliant, to make sure that you’re not going to be massively legally exposed.

Within the EU and, by the way, within China, and especially after 2023 in California, in the United States, because California CPRA regulations take effect January 1, 2023.

And they are much more stringent than the CCPA registered legislation that is in effect now and took effect I believe in 2020.

So good question.

Take any information that you do not have consent for and toss it.

It is, it is radioactive.

Just throw it away.

Thanks for asking.

