GDPR and Email Marketing

Even GDPR Can’t Kill Email by Kath Pay and Tim Watson

By Kath Pay

CNBC recently carried a news-grabbing clickbait headline about email marketing being decimated by GDPR.

As this is not what I’m seeing, I discussed it with Tim Watson of Zettasphere, a long-time friend and fellow email marketing consultant, to get another opinion. Having both worked together on the UK DMA Email Marketing Council for 10 years each to raise the email channel, we both have been keeping abreast of all things email and GDPR for the past couple of years.

Together we’ve explained what best practice is, the true impact and action going forwards for GDPR – not to mention how many ways CNBC got it wrong.

1. Email and GDPR – GDPR is much more than email permission

GDPR covers much more than email, but so many articles we’ve read seem to focus only on email. Yes, it does affect the permission side of email, but it also affects permissions in other channels, such as permission to set cookies and permission to process the data subject’s data, just to name a couple. Simply put, GDPR is about data, not about channels. Let us say that again. GDPR is there to protect the consumer in how data is being used and stored, and email is just one of the channels affected.

So why are all the headlines focusing on email? Most likely because (secretly) they know the value of an email database. Email is the backbone of digital marketing. It is the valuable push channel that enables us to send our messages to our databases, prompting them to visit the website throughout the customer journey and the lifecycle of the customers. We don’t need to wait for them to come to us (like websites, search and social), instead, we drive them to the website, social and even search channels.

Unlike social, where we rely upon the social channel existing (think of the recent Facebook fiasco), we ‘own’ our databases and if Facebook or another social channel disappears, our list won’t disappear with it. Companies are bought and sold on the value of their databases.

The statement of:

“MailChimp estimates about 20 percent of all marketing emails get opened…”

leads you to believe that only 20% of your database ever opens your emails. This is a totally misinformed statement. If this were the case, there would be no possibility of email marketing delivering the best ROI out of all channels, as shown by Econsultancy’s latest Email Marketing Census Report.

For the past 10 years, this survey has shown that email delivers the highest or second highest ROI. If we were to read Mailchimp’s report correctly, then it is obvious that the 20% of emails opened is on a campaign basis, not an overall basis. Most brands we deal with have an Open Reach Rate (total of individuals opening an email over a period of time such as one year) of around 60-80%.

Econsultancy Email Marketing Census Report 2018

So, putting all this together, the fear of not being able to market to your database is real … or is it?

2. Why GDPR isn’t killing email – or anything else either

We email marketers have been quietly getting on with the job of email marketing, building brands and revenues for many years, raising the occasional eyebrow at the forecasts of email and email marketing being dead only to return to continued success.

Google trends shows the ‘email is dead’ meme has been a continuing story.

Google Trends - email is dead

Zuckerberg said it was dead in 2010, Benioff in 2013 and many more people since.

To a large part the people saying it’s dead are those who wish they could own and control an email system – because they know how valuable and powerful it is.

It’s the biggest social network on the planet.

Has email changed and will it continue to change? Sure.

Have new communication channels come (gone) and will more come (and go)? Sure.

But they all have trouble replacing email, for some very simple reasons:

  • Everyone online has an email address.
  • It’s one of only two universal digital channels – the other being SMS.
  • Nobody owns it. It’s not subject to the commercial pressures of a single brand owner.
  • It’s an open system. Anyone can join in.
  • It’s very low cost.
  • It’s easy for users to understand. Works for beginners or experts.
  • It’s fast. Messages usually take just a few seconds.
  • It’s flexible. You can send many different types of information.
  • It’s got a huge installed infrastructure. It takes something 10x better to get that replaced.
  • It works.

If any digital channel is threatened, it’s more likely to be SMS. Because Google has failed to create its own IM system, they have instead pushed a new open standard for IM, now with support from mobile carriers. This is more of a threat to the closed IM ecosystems of WhatsApp, Messenger, Skype and others than it is to email.

And GDPR? As we explore below, going forwards it has remarkably little impact on email.

3. GDPR does not (did not) require blanket re-permission

Right off the bat, CNBC opens with a first bullet of:

“The GDPR requires companies to send emails to people on their mailing list who have never bought anything, asking permission to keep emailing them.”

Which is and was untrue. This is just how it’s been interpreted by many people, CNBC included.

If the data held by a brand met the standards for GDPR then no re-permission was needed.

Even for a list subscriber who had never purchased.

Brands could and did selectively re-permission only where they needed to. For addresses with clear records of affirmative consent, or where the case for legitimate interest was used for customers, no new permission was necessary.

Only where the brand had no record of where and how an email address was captured, or where it came from a 3rd party source, was re-permission the necessary route.

4. Poor advice and panic drove bad choices

Rather like the CNBC article, a lot of misinformation was published in a game of Chinese whispers, as people read and re-hashed information circulated by others.

Along with the misinformation conveyed by so-called ‘GDPR experts’ that you must ‘blanket’ re-permission, another common one is that GDPR requires double opt-in for email marketing. Google it and you can find experts telling you just that.

GDPR was agreed two years ago and there was a two-year period for it to pass into law. It didn’t change in that period. That gave a chance for industry to adjust.

Sadly, not helped by the regulators taking much of that two-year period to publish guidance, the vacuum was filled by conflicting information and brands just waited for clarity.

As the deadline approached, lawyers started getting nervous and took a very conservative approach: ‘if it’s not clear, play safe’. The result was a last-minute knee-jerk reaction, with some brands re-permissioning their databases unnecessarily and now regretting that they did so. More often than not, it was on the advice of an external lawyer or GDPR consultant, whose remit was not to help create a viable and profitable business, but simply to provide advice that was ‘safe’.

For example, one of our staff members received a re-permission email from a brand that he’d only just signed up to 2 weeks earlier!

Not all brands panicked, though. For example, in the UK the RSPB, English Heritage, Manchester United and many more planned in advance and reaped the rewards.

5. What smart marketers did – effective re-permission

The CNBC article did get one thing right when quoting:

“An email that says ‘privacy policy updates’ is never going to get opened”.

That’s true, a headline of ‘privacy update’ is not the most thrilling.

It just wasn’t typical. Brands know explaining benefits is needed for conversion, whether that’s purchase, permission or anything else. RSPB used a fitting headline of “Stay part of the RSPB family”.

The emails about ‘privacy policy’ updates were more typical in cases where there was no re-permissioning, but the brand may have had a legal requirement to let customers know of changes to its privacy policy once it was updated. No action was required from the recipient.

Planning ahead was the smart move.

Manchester United Football Club started early and explained why you should say yes.

English Heritage included a message in all of their regular emails to confirm permission months in advance. A key part of a successful strategy was making the call to action more than once and over a longer period.

6. Best practice is opt-in anyway

We all love getting a good return on our investment – right? And as shown earlier in this article, email delivers the goods when it comes to ROI. One of the main contributing factors for such high ROI in Europe is because email is a permission-based channel. Our subscribers want to hear from us and so intentionally sign up to receive our emails. How fantastic is this!

Therefore, we believe we need to change our mind-sets and stop thinking negatively of GDPR ‘forcing’ us to do these things, but rather start embracing these requirements, and look for as many opportunities to gain permission as possible. Permission is a good thing!!

Quote from Kath

“Have the mind-set of being ‘transparent’, helpful and customer-centric when gaining permission. Everything will come naturally for you then when implementing your GDPR forms”

Yet again, another totally misinformed statement from the CNBC article was:

“Now, they all have to ask permission to keep sending emails to non-customers”

Since 2003, under the e-privacy Directive, all EU States have had to ask permission from non-customers to send marketing messages. The only exception to this was under the UK PECR legislation, which allows you to send emails to B2B marketers on an opt-out basis. So, for the past 15 years, Europeans have had to gain permission from non-customers to send emails – GDPR has not changed this to any great extent.

Even countries that have opt-out legislation, such as the USA with its CAN-SPAM Act, understand the value of permission, because of the numerous restrictions applied to marketers who send to non-permissioned lists, such as:

  • The majority of Email Service Providers (ESPs) will not allow you to send email communications through their systems to rented or purchased lists. When uploading a list, many require you to digitally sign or agree that you have permission to send to this list.
  • ISPs such as Gmail have long rewarded best practice through reputation scoring, relegating anyone not sending permission-based emails to the junk mail folder instead of the inbox.

7. GDPR defines long held best practice

With regards to the CNBC statement:

Emails acquired through those annoying little pop-up messages for mailing lists, promises of special offers….. “those all have to stop unless the recipient opts in to continue getting them.”

The purpose of the pop-up messages (which, by the way are incredibly successful) IS to gain permission to send emails, and if the brand had been collecting permission via best practices prior to GDPR, then they wouldn’t have had to re-permission their databases.

Since 2003 and the e-privacy directive, European best practices for gaining permission have included the following:

  • Record the source and IP address
  • Don’t trick people into subscribing: confusing wording, hidden boxes, small fonts, double negatives, putting key facts five paragraphs down in a privacy policy, etc.
  • Be clear about what you are offering and the benefits
  • Generally, avoid 3rd party data
  • Offer choices
  • Don’t use a pre-ticked checkbox
  • Link to the Privacy Policy at the point of subscription
  • Be clear and transparent with what you will do with their data

…just to name a few. We also have highlighted some best practices for GDPR and growing your list in our report.

When quickly scanning the above list, you may be forgiven for thinking that we have just listed GDPR’s requirements. This is simply because GDPR has now turned our past best practices for permission into legislation. That’s all. When it comes to growing a permission-based database, we are not being asked for anything more than what those who were abiding by best practices were already doing. THIS is why many marketers did not need to re-permission their database – because they have been following these practices for many years now.

8. A transparent future

The future of email marketing is bright. If anything, the loss of data from any deleting or re-permissioning exercises, and the associated fall in revenue, has highlighted email’s contribution to the total revenue earned by digital channels. The adage of ‘Every cloud has a silver lining’ is appropriate here.

It’s commonly known that email marketing is under-attributed when it comes to revenue. As we can see in the chart below from the UK DMA’s Consumer Email Tracker Report 2017, out of the top 8 actions taken by the subscriber, only one will be attributed to email.

DMA Email Tracking Report 2017

Historically, the best way to test for attribution of a channel within a multi-channel environment has been to use a holdout group. However, most brands are hesitant to take this approach, as they understand they will lose revenue from this holdout group by withholding emails from them.

Well, it appears that holdout groups have now been inadvertently created by those who attempted to re-permission their customer database and only received a small percentage of opt-ins. Aside from using as many touch points and opportunities to recover their marketing permission, savvy email marketers will also use this opportunity to measure and record before & after (GDPR) metrics such as Average Order Value and Customer Lifetime Value, of those customers who were receiving emails but no longer do. These same savvy marketers will then use the results to quantify the value of the email channel and build a business case for additional resources and/or budget.

To support this point, we’ve drawn on an analysis that Mailchimp conducted of 6 billion emails. Here are the findings:

  • Subscribers order at least 25% more frequently than non-subscribers.
  • Subscribers spend at least 6% more than non-subscribers.
  • Active subscribers are 38% more likely to return for a follow-up purchase than non-subscribers.
  • Inactive subscribers are 26% more likely to return than non-subscribers.

If anything, GDPR has reinforced the value of email as a channel, as well as the need for a quality permission-based database. Happily, we both know many brands whose main goal for 2018 is to grow their database, and who are becoming skilled at leveraging every touch point, web form and channel to make this happen. Some of these re-permissioned and are keen to replenish their database; others didn’t face any loss, but the exercise of getting ready for GDPR simply highlighted the value of the database and the benefits of growing it.

Thank you for reading our guidance and we hope that clears it up, but if not, you can contact Kath for help.

Originally posted on Only Influencers