You probably have an email marketing opt-in on your website that allows visitors to enter their email address to receive your newsletter. Through this process, anonymous visitors receive a ‘face’, so it falls under the GDPR. Below we explain what you have to consider in email marketing from now on.
It is critical that you thoroughly document consent to send emails. Documentation is normally handled by your newsletter tool. However, you also have to ensure that the visitor actually consented to receive the newsletter.
Important: Silence or inactivity is not considered effective consent (e.g. a box that is checked by default). Rather, a clear action such as an opt-in is necessary. Therefore, for registration, you must use the double opt-in procedure which is common in Germany.
After signing up to your newsletter, a visitor should receive an email in which they must actively confirm that they really want to receive the newsletter. Only then will their address be added to your list. Test this process during set-up to ensure that the visitor can complete it from start to finish.
Make sure you can prove at any time that a double opt-in took place.
During the registration process, the customer must be transparently informed about what they are consenting to (e.g. email newsletter). In addition, information must be provided that the consent can be revoked at any time and that the revocation has no retrospective effect. If you use tracking (e.g. click rates), this should also be explained. Finally, it is still recommended to reference the data protection policy.
Example: You have a person (Bob Smith) who has signed up to your online marketing newsletter. You now also have a special newsletter about IT law. However, Bob Smith hasn’t signed up for this newsletter. Even if you can assume that Bob Smith is interested in this topic, you are not allowed to send him this newsletter as you don’t have separate consent.
We have formulated a text template for you that meets all the minimum requirements for valid consent.
You need to adapt the text to your individual situation if you use additional measures such as tracking:
“Subscribe to the newsletter of XYZ. You can cancel your consent to the newsletter at any time. The revocation of consent does not affect the legality of the data processing carried out on the basis of the consent until the revocation. Further information can be found in our Data Protection Policy.”
Data minimization: When asking for information during the newsletter registration on your website, follow the motto: As little data as possible, as much as necessary (privacy by design and default). This means that the email address is obviously necessary, whereas first and last name and other possible information should be optional and provided on a voluntary basis.
You need separate consent for each newsletter in advance.
Only the people who have actively consented may receive your newsletter, and only these.
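The double opt-in flow, the proof of consent and the per-newsletter rule from the Bob Smith example can be modelled as follows. This is an added example, not code from the original page or from any newsletter tool; the class, field names, newsletter identifiers and the in-memory storage are assumptions.

```python
import hashlib
import secrets
import time

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class ConsentRegistry:
    """In-memory double opt-in store (hypothetical; a real one persists records)."""
    def __init__(self):
        self._records = {}  # (email, newsletter) -> evidence record

    def _get(self, email, newsletter):
        return self._records.get((email.strip().lower(), newsletter))

    def sign_up(self, email, newsletter, consent_text, now=None):
        """Step 1: record a pending request, return the token for the confirmation email."""
        rec = self._get(email, newsletter)
        if rec and rec["confirmed_at"] is not None and rec["revoked_at"] is None:
            return None  # already subscribed: keep the existing evidence untouched
        token = secrets.token_urlsafe(32)
        self._records[(email.strip().lower(), newsletter)] = {
            "consent_text": consent_text,  # exact wording shown at sign-up
            "requested_at": time.time() if now is None else now,
            "token_sha256": _digest(token),  # only the hash of the token is stored
            "confirmed_at": None,
            "revoked_at": None,
        }
        return token

    def confirm(self, email, newsletter, token, now=None):
        """Step 2: the click in the confirmation email; only this activates consent."""
        rec = self._get(email, newsletter)
        if rec is None or rec["confirmed_at"] is not None or rec["revoked_at"] is not None:
            return False
        if not secrets.compare_digest(rec["token_sha256"], _digest(token)):
            return False
        rec["confirmed_at"] = time.time() if now is None else now
        return True

    def revoke(self, email, newsletter, now=None):
        """Revocation stops future sending; it does not erase the confirmed_at timestamp."""
        if (rec := self._get(email, newsletter)):
            rec["revoked_at"] = time.time() if now is None else now

    def may_send(self, email, newsletter):
        """True only for a confirmed, unrevoked consent to this specific newsletter."""
        rec = self._get(email, newsletter)
        return bool(rec and rec["confirmed_at"] is not None and rec["revoked_at"] is None)
```

Only the email address is stored per record, in line with data minimization, and the stored consent text and timestamps are what you would produce to prove the double opt-in.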
Existing consents remain valid if
a) you received them via a double opt-in and
b) the newsletter contains only the promised information.
In addition to the requirements listed above, you must also ensure that your imprint and a functioning unsubscribe link are included in your emails.
In Austria, before you send the newsletter, you also need to match your mailing list with the so-called ECG list and exclude any of the email addresses present there.