We often see organisations struggle with the question of whether they need to use an opt-in/opt-out for their customers and which content they can send to whom. Good news! Nothing will change in that regard when the new GDPR (General Data Protection Regulation) enters into force on 25 May, as long as you make sure that your consent requests meet the requirements of the GDPR. Furthermore, you must be able to prove that you received a customer’s consent.
In this article, we explain the ins and outs of opt-ins/opt-outs in situations where a customer relationship does (not) exist. We also clarify the finer points of emailing B2B contacts.
1: No customer relationship
What is a customer relationship? A customer relationship is formed when someone has actually bought something from you and paid you for this product or service. This does not apply to free products or services.
If you do not have a customer relationship with someone, they must opt in to (i.e. consent to) receiving your email newsletters.
Under the GDPR, a person’s consent must be a “freely given, specific, informed and unambiguous indication” of their agreement, given via “a clear affirmative act.” This can be done, for example, by entering one’s email address and then clicking a button marked “Sign up”, or by deliberately checking a checkbox. Take a look at our blog about registration texts for more information about the requirements that a GDPR-proof consent request has to meet.
Double opt-in: it was not (and will not be) a requirement
A single opt-in is not enough to verify whether an email address was submitted by its owner or by a third party. That makes it harder to prove that you received proper consent, which was – and will continue to be – mandatory. If you want to play it safe, you can use a double opt-in. You can then easily prove who consented to what and when via your email service provider (e.g. Webpower). You should also keep the other advantages of a double opt-in in mind, such as a reduced bounce rate and fewer complaints of spam. After all, your database will be of a higher quality.
Note that the GDPR allows you to choose either method (opt-in or double opt-in) to collect email addresses and consent, as long as you can meet your burden of proof. For now, legislators have ruled that one may assume that the person submitting information is the same person to whom the information actually belongs. Using a double opt-in process is (and was) therefore not a requirement.
Offline contact with a potential customer
In practice, it is common to acquire email addresses offline, e.g. via business cards given to you during a tradeshow. You are allowed to use these email addresses for direct marketing purposes if you can prove that you received consent to do so.
An example: suppose you own a bicycle shop and you set up a promotion in which people can win a bike. You (also) want to send participants commercial emails from your company. Participants write down their email address and their slogan on a form, which they drop in a special bin. It is important to make sure that participants check a box on this form with which they consent to receiving your commercial emails. Note that the consent request on this form also has to meet the requirements of the GDPR. For more information on this topic, you can consult our registration text checklist.
You can take a picture of the situation and the relevant conditions and save all offline forms, but it is much easier to once again use a double opt-in procedure. In other words: you send the participants a confirmation email (double opt-in) with which they can confirm their consent to receiving your commercial emails. Make sure to list the relevant conditions as well. Doing so ensures your digital burden of proof is in order.
Conclusion: if you do not have a customer relationship with someone, they have to opt in to receiving your email newsletters. We recommend using a double opt-in process.
2: Customer relationship
The rules regarding the sending of emails to existing customers are more lenient compared to situations in which no customer relationship exists. In concrete terms, this means that you can ask for consent in a passive manner. In our field, that means offering customers an opt-out option. Of course, you must always act within the applicable frameworks, which we will explain below with examples for B2B and B2C customers.
An example: suppose you own a webshop and you want an easy way to ask new customers for consent to send them your newsletter. During the final phase of the purchase process, you can include a checkbox that is checked by default. This lets a new webshop customer decide if they want to withdraw their consent by unchecking the box (opt-out) to indicate that they do not wish to receive your commercial emails.
Note that this only applies to the final phase of the order process, when an existing customer relationship has already been formed.
B2B customer relationship
If an organisation enters into an agreement with another organisation, this usually results in multiple customer relationships within one and the same business. In that case, make sure to determine which type of relationship you are forming with whom and adjust your communication accordingly. For example, you form a customer relationship with the company’s decision-maker, but indirectly also with the employees who use your product or service.
An example: suppose you own a wholesale company that sells car parts and many of your customers are workshops. You maintain contact with the owners of these workshops, who purchase your products and services. You can send the owner of a workshop emails about offers and new products or services. However, you are not allowed to include all employees of all workshops in your database for commercial emails.
Note that you must have given the buyer (the workshop owner in this case) the option to opt out of or object to receiving your emails. A pre-checked checkbox is not the only way to acquire opt-out consent; you can also send your relations a neutral email in which you inform them about your sending of commercial messages and clearly let them know how they can opt out of receiving these messages.
In short: you are allowed to send B2B emails that suit the type of customer relationship you have with the recipient. You are only allowed to send commercial emails to all other employee email addresses in the organisation if the owners of these addresses have given you their consent via an opt-in.
Note: service emails versus service-related emails
Be careful not to confuse the term “service emails” under the GDPR with emails that you perceive as services related to your product or service. Under the GDPR, service emails are, for example, track & trace emails, or text messages or emails that inform customers that their flight is delayed. You are always free to send such messages.
However, if you offer, for example, free clothing advice through your webshop, that is considered a service rendered by your business. You can only send customers emails about such matters if you follow the aforementioned rules.
Conclusion: you do not need an opt-in if there is an existing customer relationship. Although it would be the decent thing to do, it is sufficient to offer customers an opt-out option as long as you operate within the applicable frameworks. If you send B2B emails, you do not need an opt-in (or opt-out) as long as the messages you send suit the type of relationship you have with a customer.
What is going to change? Follow the “Road to the GDPR”
Of course, it is important to make sure that your internal processes are all in compliance with the GDPR. When can you use what type of personal data? Can you prove that you received consent to use someone’s data? Other aspects pertaining to the GDPR to pay close attention to include storage periods, processor agreements and purpose limitation.
Would you like to know more about what is going to change when the GDPR enters into force? Following our “Road to the GDPR” helps you make your marketing department (more) GDPR-proof. After completing this health check, we will send you practical guidelines that you can put to good use right away.
It is important to us to handle the new privacy legislation correctly. The contents of this blog have therefore been verified by ICTRecht. We provide this information to you so you can gain a better understanding of what the GDPR can mean to marketers. The purpose of this blog article is to share knowledge and it should not be viewed as official legal advice. In reading this article, you safeguard Webpower, ICTRecht and the author against any legal implications. We recommend always consulting a legal adviser before implementing any GDPR-related measures in your organisation.