GDPR: Majority refrains from renewed email opt-in

“STOP: Last chance for your event news”, “Only 2 days left: click YES!” , “We'll miss you” — this or something similar were the subject lines of emails that users found in their inboxes around May 25, 2018. Because on this day, the new General Data Protection Regulation (GDPR) came into force and many commercial email senders wanted to protect themselves against the legal risks. The underlying dilemma faced by companies can be seen from the sometimes downright desperate subject lines: Experience has shown that only very few subscribers do so when I ask my users to expressly agree to new conditions (so-called re-permission campaigns). Loss rates of 80-90 percent — or more — are common. This significantly reduces the economic value of a recipient list, because it doesn't just sort out “file files.” Even users who are actually active often do not bother to give their consent again.

Majority acts according to the motto “Close your eyes and go through”

However, the hectic activity surrounding the GDPR masks an interesting finding that we made when analyzing over 3,000 German companies*: The clear majority (64 percent) simply did nothing at all. This is surprising at first, as the GDPR has triggered hectic activity in many companies. This in turn caused a contagion effect: If the boss receives dozens of re-permission emails, he will at some point ask himself whether “we don't have to do that too.”

GDPR mailings

In fact, a number of the companies we examined sent out new opt-in campaigns: 15% of all sending organizations received emails requesting single, confirmed or double opt-in. We'll go into more detail about the effectiveness of these campaigns later.

Even more companies (21%) have ostensibly elegantly pulled themselves out of the affair by simply sending their users an informational email that requires no action on the part of subscribers. However, the legal effect of such emails is zero: If a company complies with the GDPR, it does not need such a message. If it does not comply, the information letter has no legal value. This alibi measure therefore only appeases the conscience of the sender.

But the “silent majority,” almost two thirds of companies (64 percent), have decided to do nothing. Lists may have been cleaned up in some cases, but we continued to receive emails from these companies — without GDPR-specific content. This has given them a clear advantage over companies that have allegedly “destroyed” at least four fifths of their recipient lists through re-permission campaigns. The real economic consequences are likely to be clearly felt in some sectors.

A very different risk assessment can be seen from the different behavior of email marketing organizations: Although the email subscriptions collected in the past almost never meet the GDPR requirements during a formally strict audit, the practical legal risk and potential economic damage of a violation appears to many companies to be negligible. Especially when you put the risk in relation to the substantial economic loss caused by a drop in the number of emailable contacts of 80 to 90 percent. Conversely, many companies (36 percent) came to the opposite conclusion and took action.

Twice as bitter: Opportunity missed despite re-permission

The downright tragic thing about this: Most re-permission campaigns are unlikely to meet the high requirements of the GDPR. If you take data protection regulations seriously (and there are few good arguments for not taking applicable law seriously), there are a few things that, in our opinion, have been met almost nowhere in the past. On the one hand, this concerns the essence of consent: For example, it is not enough simply to document the location, time and origin (IP address) of a consent. The text that was approved must also be documented. On this point, by the way, many email marketing providers leave their users out in the cold because it is still not possible on their platform to save the respective legal texts when opting in. In addition, consent cannot be given in general terms — for example, the exact sender and scope of application must be clarified, and any possible personalization must be explicitly listed. All of these things should be done as part of a re-permission campaign. Fatally enough, however, this has been missed by many companies. This applies to all methods used.

• Single and confirmed opt-in usually uses a system in the sense of “click here to continue receiving our news.” The additional requirements of the GDPR are often not covered in the new texts of the re-permission emails — for example, there is no legal entity (who exactly sends out “our news”) or the purpose (what type of information is the information). Further aspects such as express consent to personalized information are also not included. Although the supposedly “simple solution” is simple, it is not a (sufficient) solution.
• Double opt-in campaigns require additional confirmation from subscribers. The higher effort on the part of the user leads to even higher bounce rates. A double opt-in as part of a re-permission campaign is actually absurd: The process is intended to prevent an email address from third parties being entered on a list. However, this risk does not exist at all with inventory lists, as the addresses have already been entered and verified! Double opt-in therefore does not offer greater legal certainty in re-permission campaigns; the problems lie in the consent texts, as with single opt-in.
• As already mentioned, pure informational mailings are more of a placebo, as there is no consent at all. This directly contradicts the principle of the GDPR of not sending anything to anyone that is not expressly desired. In this case, legal certainty in accordance with the GDPR is only available if the original recording of the opt-in was already complete.

In many cases, the result is doubly bitter: Although valuable recipients have been lost as a result of the re-permission campaign, compliance with GDPR as comprehensively as possible has not been achieved — a disaster.

Do what?

In our opinion, the path of least resistance taken by just under two thirds of companies (even 85 percent if you add in the info emails) has only one good thing: Here, non-valuable email mailing lists have been shrunk to such an extent that meaningful email marketing barely appears worthwhile due to a lack of mass.

That doesn't mean doing nothing is the right choice! Especially for the large group of hitherto “silent” companies, it is all the more important to remove the “dead wood” from their old e-mail databases: contacts who may not have shown a click response for years and are also not buying. Email contacts that can no longer be linked to sources and opt-in should also be subject to risk testing.

So much for the past related activities. Regardless of this, all email advertisers will have the same homework for the future (which has already begun on May 25): They must equip their subscription routes with transparent, formally flawless consent texts and document the opt-ins obtained more comprehensively than before. The good news is that this task is by no means insoluble.

conclusion

There is still a need for action on the part of the vast majority of email marketing operators. This applies to hitherto inactive companies as well as to companies that have made things too easy for themselves with their information and repermission campaigns. If you are looking for an optimal compromise between the highest possible level of legal certainty and at the same time the lowest possible impact on your inventory lists, there is no way around expert advice.

* The population is not representative; in addition to the 1000 top-selling German online shops (according to EHI Retail Institute), it includes numerous small and medium-sized companies with a B2B or B2C focus to whose e-mail newsletters we have subscribed — and which sent us at least one email during the investigation period.