GDPR has now been in effect for over three months, and even though much of the dust surrounding the regulation has settled, there is still so much that keep businesses unsure. Every company that sells to or operates in the European Economic Area (EEA) has been adjusting to the new regulation, learning the ropes of how GDPR works in practice and working out its long-term implications is an ongoing process.
Despite this progress for data privacy, one of the constant challenges for B2B businesses is marketing to companies within Europe. Since these companies rely on various traditional strategies to connect with prospective customers (not least the ability to cold email), GDPR has interrupted decade-old business practices for many businesses in the B2B sphere.
In an earlier article, we presented insights into how B2B companies could have a legitimate basis to process personal data under the GDPR using the rule of “legitimate interest.” This rule provides a lawful basis to continue direct marketing in some situations. What has become evident, though, is a lack of clear emailing guidance since GDPR has come into force. In this article, we will attempt to shed some light on this murky topic, so that businesses have a clearer perspective of how to use email as a form of direct marketing to organisations throughout the EU.
Differences across the EU
One of the biggest challenges faced by member states is conformity – the GDPR must be observed but as some nations have their own derogations of the PECR these inconsistencies present a real challenge for businesses, governments and data protection authorities alike”
Some countries are maintaining a more relaxed approach to B2B email marketing, while others have opted for stricter regulations. If your business is operating in or selling to the EEA, you need to understand what these differences are and how they are applied throughout Europe. Crucially, your business needs to recognize the differences between ‘opt-out’ countries, ‘single opt-in’ countries, and ‘double opt-in’ requirements and in which countries these standards apply.
Opt-out: In an opt-in system, the recipient must perform an affirmative action—such as checking a box—to subscribe to an email or newsletter list. In an opt-out system, the recipient does not need to take this action but must be given an easy way to opt out of receiving emails from your business. If someone opts out of receiving communications from you, then you must respect their wishes—both now and in the future. If someone has not opted out and you are doing business in an opt-out country, you can continue to communicate with them.
- Single opt-in: Both single opt-in and double opt-in are forms of the opt-in system described above, where the user must take a “positive action” to subscribe to your email list. In a single opt-in system, the user only has to take one action—such as signing up for your emails via subscription form—for you to add them to your email list legally.
- Double opt-in: In a double opt-in system, the user must take two separate positive actions to consent to your emails. Usually, these two steps take the form of filling out a subscription form of some sort (1) and then clicking a link in a confirmation email to enable their subscription (2). In double opt-in regimes, you cannot start email marketing to a prospect until he or she has completed both opt-in steps.
Understand that all countries in the EU have to abide by the GDPR. However, with regards to the Privacy and Electronics Communication Regulation (PECR) directive, each member state can have its distinct derogations provided these meet the minimum required levels of privacy and protection. As mentioned above, some member states have opted for the strictest levels of regulation (i.e., double opt-in for email marketers) and others have decided to implement a more lenient approach.
Below, we will run through the GDPR countries list and highlight the ones that follow opt-out, single opt-in, and double opt-in regimes. However, depending on where your company is doing business, you will want to do more in-depth research into the email laws that are active there.
This map is intended to illustrate the different levels of opt-in required in the EEA on a country-by-country basis, for businesses looking to use email for direct B2B marketing communications.
Opt-Out countries (highlighted in green) do not require any prior opt-in from the intended recipient. Instead, an easily identifiable and accessible option to opt out from receiving further communication is required. For email marketing, this “easily identifiable and accessible option” usually takes the form of a link at the bottom of the email, which users can click to unsubscribe from all future communications.
Single Opt-In countries (highlighted in yellow) typically require that you have some form of consent from a person before you send them email marketing messages. However, if the data was obtained in the course of the sale of goods or the provision of services, then consent is not required to promote similar goods or services.
Double Opt-In countries (highlighted in red) are those that have chosen to implement the strictest requirements for B2B communications. These countries legally require consent from customers that is clear, explicit, and freely given. Lacking this consent—which must play out in a two-stage system, as discussed above—your business cannot send any marketing communications to individuals or businesses in these countries.
The Lenient Countries
As we will discuss going forward, each level of opt-in requirement forced by GDPR regulation has its own set of pros and cons for B2B email marketers. For many reasons, most B2B companies prefer the more lenient countries or those with opt-out laws rather than opt-in requirements. It is easier to send email marketing communications to any prospects—and to include the opt-out option—than it is to get single or double-layer consent to proceed with marketing activities.
At Leadiro, many of our customers need quality business data for countries outside of Europe and so are familiar with opt-out laws because the United States is an opt-out country. Businesses in the United States must comply with the CAN-SPAM Act. You can learn all about CAN-SPAM on the FTC website, but the most relevant requirements of the law to this particular conversation are its opt-out rules. Specifically, the FTC states that businesses marketing to customers in the United States must “tell recipients how to opt out of receiving future email” and must also “honor opt-out requests promptly.” There is no opt-in requirement, which means B2B companies doing business in the United States do not have to obtain consent to contact prospects via email. However, US businesses must adhere to the GDPR and PECR when contacting individuals in Europe.
Countries in the EU that follow a similar opt-out protocol include:
- United Kingdom
Obviously, the advantage here is that there isn’t a consent step. B2B marketers can move faster in opt-out countries (and with less fear of legal ramifications) because they satisfy privacy requirements by offering an easy way out. However, there are also disadvantages to this kind of system, because you might end up sending many unwanted emails. Consequently, your emails are more likely to be marked as spam, which can cause deliverability issues in the future.
The Medium-Leniency Countries
If the United States is a lenient country, then Leadiro’s other biggest hub of customers—Canada—falls into the “medium-leniency” countries. Canadian businesses must follow Canada’s anti-spam legislation or CASL.
The core of CASL is a rule that requires businesses sending “commercial electronic messages” (CEMs) “within, from, or to” Canada to obtain consent from the designated recipients. A CEM can be an email, a text message, or any other electronic message with a marketing angle. Businesses can obtain written or oral consent from recipients, including single opt-in consent via subscription forms or other similar systems. Consent can also be implied, such as when there is an existing business relationship or if the recipient has publicly published his or her contact information.
While other countries approach single opt-in systems a little differently than Canada/CASL, these EU countries follow similar levels of regulation:
- Czech Republic
Single opt-in requirements are something of a hassle for B2B businesses because they require some form of consent from prospects or customers. Companies can’t just send emails to whomever they choose. However, the advantage is that recipients in these countries are more likely to be familiar with your business, causing fewer SPAM complaints and leading to fewer deliverability issues.
The Strictest Countries
The good news is that it appears only two EU countries observe the strictest possible regulations for email marketing. The bad news is that these two countries—Germany and Switzerland—represent sizable business markets.
B2B marketers doing business in Germany should provide a double opt-in consent system unless they are sending marketing emails related to products or services that the recipient has purchased (from the sender) in the past. In such a case, Germany’s system takes on the qualities of an opt-out protocol, wherein the recipient is informed of their right to opt out.
Similar laws apply in Switzerland. Double opt-in is recommended in this country unless the sender collected the contact information for the recipient in the course of a product or service transaction. In such cases, the communication must 1) relate to products or services similar to what the recipient purchased in the first place, and 2) include an opt-out mechanism.
Double opt-in countries pose the biggest challenge for email marketers because they require the recipient to take not one but two positive actions confirming that they want to receive email communications. The perk is that contacts who have completed the double opt-in process are generally more engaged and more familiar with your brand.
Planning Your Email Strategy Accordingly
If your company is doing business in countries affected by GDPR, make sure you understand the specific email and data protection laws on the books in those countries. Above, we have provided a basic run-through of the levels of regulation that are active in each EU country. However, these bulleted lists do not reveal the nuances that different EU countries bring to the fore with their email marketing rules. Researching GDPR countries more thoroughly, where necessary, will help your business achieve GDPR compliance.