GDPR, Cookies and ePrivacy Directive

GDPR: ePrivacy Directive, Cookies
Denys Romanov, 21 January 2022, 15:47
For beginners

Read about the General Data Protection Regulation (GDPR), the ePrivacy rules, and cookie consent. Your company’s email marketing must comply with these laws.

What Is EU GDPR Compliance and How Does It Affect Brand Communication?

GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679). It is an EU law that sets the rules for processing the personal data of people in the EU, online and offline. In practice, for a marketer it spells out what you may and may not do with personal data you collect on the internet.

If you send email newsletters to European clients, in most cases you will need to do so under these GDPR requirements.

The regulation came into effect on May 25, 2018. One of the main questions was whether companies that are not based in the European Union but have European customers need to follow the GDPR. Is it legal to send emails to European clients in the context of GDPR? Is an email considered personal data? All of these questions will be covered in the article.

Do Companies Outside Europe Need to Comply With GDPR?

The question that worries many companies located outside the European Union is whether GDPR applies to them. And the answer is yes, in some cases.

Imagine sailing across calm, blue water when a strong wind suddenly forces you to grab the wheel and change course: that is what the GDPR did to many businesses. Its defining feature is extraterritorial scope (Article 3). It applies not only to organisations established in the EU, but also to organisations anywhere in the world that process the personal data of people in the EU in order to offer them goods or services or to monitor their behaviour. So if your company is located outside the EU but has customers living in France or Italy, you must comply with the GDPR when handling their data.

Email from Uber, sent out before the GDPR came into force.

First of all, this applies to companies that offer goods or services to people in the EU, whether or not payment is required. A language switcher on its own is not decisive: Recital 23 of the GDPR explains that a website merely being reachable from the EU is not enough, but offering the site in the language or currency of a member state with the possibility of ordering in that language, or providing payment and delivery options for that country, shows an intention to serve that market, and then the GDPR applies to you.

The same applies to email communication with clients in the EU, wherever in the world you send it from.

Legal Bases for Processing Personal Data Under the GDPR

Neither the GDPR nor the guidance of the European Data Protection Board (EDPB) lists the specific cases in which consent must be obtained for processing. That is objectively impossible given the enormous variety of data and processing methods. But consent is only one of the legal bases on which data may be collected and used.

Article 6 of the GDPR lists six legal bases:

  • The data subject’s consent: the person whose data is being processed gives you unambiguous permission for a specific purpose.
  • Legitimate interests pursued by the data controller or by a third party, provided they are not overridden by the data subject’s rights and interests.
  • Performance of a contract with the data subject, for example processing a payment for an online purchase.
  • Compliance with a legal obligation of the company, for example retaining invoices for as long as tax law requires, or responding to lawful requests from public authorities.
  • Protecting the vital interests of the data subject or another natural person, i.e. cases where life or health is at risk. This basis was widely relied on during the COVID-19 pandemic.
  • Performing a task carried out in the public interest or in the exercise of official authority. Most often this basis applies to public bodies.

How brands can ask for permission to continue sending a newsletter

The company has to decide which basis it relies on, and it should do so before the processing starts. For email newsletters two legal bases are relevant in practice: the subscriber's consent and legitimate interest.

Subscriber's Consent

Getting valid consent under the GDPR is not as easy as it looks. In practice, companies often use a single checkbox reading "I agree to the processing of my personal data". That is not enough: consent must be specific to a purpose, so the newsletter needs its own, separate, unticked box rather than being bundled into acceptance of the terms of service.

It is important that the user providing the company with their personal data is sufficiently informed on how and for what purposes the data will be processed, whether the company will share this data with companies from other countries, and so on.

The GDPR requires consent to be freely given, specific, informed and unambiguous, and to be expressed by a statement or a clear affirmative action (Article 4(11)). It must be as easy to withdraw as it was to give, and the company must be able to demonstrate that consent was obtained (Article 7). If these conditions are met, mailings can lawfully be sent to customers in Europe. A convenient moment to obtain this consent is user registration on the website, as long as the newsletter box is separate from the registration itself.

The Legitimate Interest of the Company

A legitimate interest may include not only the interests of the company but also the interests of third parties, for example, the same customers or other companies. Now, is it possible to use the "legitimate interest" basis to send mailings without obtaining the user's consent?

GDPR-related newsletter from Belight

The Article 29 Working Party (the predecessor of the EDPB) pointed out in its opinion on legitimate interests that for email marketing the ePrivacy Directive applies first: Article 13 of that directive requires the recipient's prior consent for unsolicited marketing email. There is one exception, the existing-customer relationship (often called the "soft opt-in"): where you obtained a customer's email address in the course of selling them something, you may advertise your own similar products or services to that customer, provided they were clearly given a chance to object when the address was collected and in every message since. Say you own a catering business and are introducing a novelty, 100% vegan food kits. Sending your existing customers a newsletter about the new kits can rest on legitimate interest, and separate consent is not required. You are still obliged to give recipients an easy way to unsubscribe in every message, for example by replying or by clicking an unsubscribe link.

How to Find Out if a Company Has a Legitimate Interest

You need to understand that when relying on any GDPR legal basis you can never be completely sure that your intentions match it. This is especially true of legitimate interest, which is the most flexible, not to say vague, of the six.

The company must decide for itself whether it has a legitimate interest in the processing and whether that processing infringes the data subjects’ rights and interests. The burden of justifying a legitimate interest lies with the company, and in the context of email newsletters the key question is whether you are really advertising products or services similar to those the recipient already bought from you. In every case, to establish a legitimate interest the company needs to carry out a balancing test (often documented as a legitimate interests assessment) and answer the following questions:

  1. Does the company pursue a genuine, lawful interest?
  2. Is the data processing actually necessary to achieve that interest, or could it be achieved in a less intrusive way?
  3. Do the data subjects’ rights, interests and reasonable expectations override that interest?

If the answers to the first two are yes and the answer to the third is no, you probably have a legitimate interest in the processing. However, there are no universal answers to the balancing test. In each individual case the company must weigh the arguments for and against on its own, and should keep a written record of that reasoning.

Consider an example: a company decides to send frequent mailings about its whole product range to people who visited its website once and never bought anything. The company has a real business interest (more sales), so the first question is answered. But the balancing test fails: these people are not existing customers, the mailings do not concern products similar to anything they bought, and a one-time visitor does not reasonably expect marketing email. An unsubscribe link in each message does not cure this, because the ePrivacy rules for email marketing require consent before the first message is sent, not merely a way to stop later ones. For this audience the company needs consent.

What Will Happen if You Do Not Comply With GDPR

The GDPR requires fines and other sanctions to be effective, proportionate and dissuasive, and to be assessed case by case (Article 83). The upper limits are €10 million or 2% of worldwide annual turnover for the lower tier of infringements and €20 million or 4% for the upper tier, whichever is higher. Breaches of the conditions for consent and of data subjects’ rights fall in the upper tier.

Therefore, if a company’s marketing could violate the rights and interests of its customers, it is better to change the approach before a regulator does it for you. In genuinely complex cases it is worth consulting lawyers with real experience in personal data protection and ePrivacy matters.

To reassure customers and partners, a company can also pursue certification under Article 42 of the GDPR. Certification is voluntary and is issued by an accredited certification body for a limited period. A certificate is sometimes presented as a guarantee of compliance or a shield against fines; it is neither, and Article 42(4) is explicit that it does not reduce the controller’s own responsibility for complying with the regulation.

What Does the ePrivacy Regulation Have to Do With Email?

The ePrivacy Regulation (EPR) is the EU’s proposed replacement for the 2002 ePrivacy Directive, intended to complement the GDPR for electronic communications. Unlike a directive, which each member state transposes into its own law, a regulation applies directly and uniformly across the EU, and the proposal is stricter than the directive in several respects. At the time of writing (January 2022) it is still being negotiated and has not been adopted, so the ePrivacy Directive and its national implementations remain in force. The EPR would regulate the confidentiality of electronic communications and the collection and protection of users’ data, including cookies.

A double opt-in email from McDonald’s

Moreover, it concerns not only telecom operators but also messengers, direct messages on social networks and email: nearly every interaction with a user on the Internet.

The EPR covers online services that use tracking technologies (for example, for affiliate marketing) as well as direct digital marketing. Marketers, brands, bloggers, SMM managers and SEO specialists would all have to comply with it.

Cookies are covered by both sets of rules. Article 5(3) of the ePrivacy Directive (as amended in 2009) requires the user’s informed consent before anything is stored on or read from their device unless it is strictly necessary for a service they requested; this is the origin of cookie banners. The GDPR adds that cookie identifiers are online identifiers that can make a person identifiable (Recital 30), so cookie data used to profile or track users is personal data and every GDPR obligation, including the fines above, applies to it. In the UK the directive is implemented as the Privacy and Electronic Communications Regulations (PECR).

Although enforcement may sound like a once-in-a-blue-moon event, there have already been notable cases, and as usual the first to take the hit were the big tech companies. In December 2020 the French regulator CNIL fined Google €100 million and Amazon €35 million for placing advertising cookies on users’ devices without prior consent. Those decisions were taken under the French law implementing the ePrivacy Directive’s cookie rule rather than under the GDPR, which is why the CNIL could act on its own instead of going through the GDPR’s one-stop-shop mechanism.

GDPR cookie consent example from The Times

Survey figures from the period claimed that 78% of US companies had taken measures in the 2.5 years since the GDPR came into force to comply with it. Many of them, however, were so focused on the big-ticket policies (or so reluctant to hurt the user experience) that they more or less neglected their cookie practices.

GDPR Guidelines for Implementing the Cookie Policy

From the point of view of the GDPR and the ePrivacy rules, cookies are treated like any other personal data: consent is required before any cookie used to profile or track a user is set. The consent requirement does not apply to:

  • cookies strictly necessary for the website itself to work;
  • cookies strictly necessary to provide a service the user has explicitly requested, for example keeping the contents of a shopping cart, remembering a form the user is filling in, or keeping the user logged in.

Note that analytics and advertising cookies are not covered by these exemptions. For everything else, the rules are in essence as follows:

  1. Non-essential cookies may be set only after the user has given consent, not while the banner is still unanswered.
  2. Consent must be given by a clear affirmative action. A pre-ticked checkbox does not count, and neither does scrolling the page or simply closing the banner.
  3. Before deciding, the user must be told in plain language what each cookie or category is for, how long it lives, and which third parties receive the data.
  4. The user must be able to withdraw consent, in whole or in part, at any time, and withdrawing must be as easy as giving it (Article 7(3)).
  5. Consent must be recorded so that the controller or processor can demonstrate when, how and to what the user consented (Article 7(1)), and the records themselves must be protected against tampering.

Summary of GDPR: What Companies Should Do

Harsh laws are no reason to lose your head and quit email marketing for good. Yes, there are things to work on in how your website functions. There are consent-management and compliance services that can help you handle users’ data correctly, and you may need to change your mailing provider if it does not encrypt subscribers’ personal data in transit and at rest. But most of the GDPR principles can be followed without an army of programmers or lawyers. There is no separate "US GDPR", but a note on what the GDPR requires of US companies covers the same basic rules with some points specific to the USA.

If the brand’s newsletter contact list was purchased, there is a high chance of running into GDPR problems, because you cannot show that those people consented to hear from you. For those who have been doing email marketing professionally and lawfully, there should be no great difficulty. After all, the main principles of the legislation are transparency and security, which is probably what we all wanted for so long: fewer intrusive calls from bank clerks, less spam clogging the inbox, and fewer of the other "charms" of unprotected personal information.