B2B email marketing: How to comply with GDPR
Disclaimer: This blog isn't legal advice. Please get a professional opinion before actioning any of our recommendations.
GDPR shook the email marketing world when it came into effect in May 2018. And it got a lot of marketers hot under the collar. But now the dust has settled, it’s clear you can still do email marketing well in the age of regulation. All you have to do is follow the rules.
In the FAQs below, you'll learn everything you need to know about GDPR in B2B email marketing. Scroll or use the menu to navigate through 👇
What is GDPR? | How does GDPR apply to B2B email marketing | How do GDPR rules differ for B2B and B2C marketers | What counts as consent? | What are the rules on marketing emails, texts, and calls? | What is PECR? | What does legitimate interest mean? | What does opt-out mean? | What does single opt-in mean? | What does double opt-in mean?
GDPR, or the General Data Protection Regulation, is a law created by the EU to safeguard its citizens’ personal data. It came into effect on May 25th 2018.
There is no specific mention of B2B email marketing in the GDPR framework. However, it sets out rules around the use of personal data. Many B2B marketing activities use personal data as defined by GDPR, such as using individual email addresses. Even someone’s work address is considered personal data by GDPR. Therefore, B2B marketers need to be aware of the ins and outs of the regulation.
Much of GDPR talks about "processing" data. This term covers a range of activities, including sending an email newsletter or other marketing comms.
GDPR lays down different rules for businesses marketing to consumers than for businesses marketing to other companies.
In B2C marketing:
- Businesses need to obtain specific consent when handling personal data. (See "What counts as consent?")
- If a consumer doesn't give consent to join a mailing list or be contacted again, businesses can't keep their personal information.
In B2B marketing:
- Marketers don't have to ask for consent specifically.
It’s important to note that when you market to sole traders and some partnerships, it falls under B2C rules, rather than B2B.
In the context of GDPR, consent is when someone makes a specific action that tells the business, clearly and unambiguously, that they're happy to let them process their personal data. Permission must be freely given, with no coercion. It also has to be easy to withdraw.
An example would be ticking a box clearly labelled "Join our mailing list".
In B2B marketing, to make a call or send a text or email, you do not need to ask for consent specifically. For example, you can send an email to a business address if there is a legitimate interest. (See "What does legitimate interest mean?")
GDPR also sets out rules on how businesses can keep personal data. For example, if a recipient doesn't want to receive any more emails from you, you must abide by that. You must tell people what you'll do with their personal information, such as how long you plan to keep it and who you'll share it with. You also have to justify your reasons under the law for how you process personal data.
The Privacy and Electronic Data Regulations (PECR) are a set of laws that came into effect in 2003.
PECR safeguards privacy, relating to marketing calls, cookies, customer information and more.
Today, the PECR sits alongside GDPR. When it comes to B2B marketing, GDPR has given PECR renewed vigour. Marketers must still follow the rules laid down in PECR, as well as new GDPR rules.
Legitimate interest is when a business is allowed to process a person’s personal information because they have a clear business reason to do so.
For B2B email marketing, legitimate interest could include:
- A business benefit to sending the email
- Low impact on the recipient’s privacy
- The recipient would not be surprised to receive the email from this company
- It’s reasonable to assume the recipient would not withhold consent if asked
Legitimate interest is essential for B2B marketers to bear in mind. It means you need to target your approaches. No more spray and pray!
Opt-out is when someone you've emailed takes action to withdraw their consent.
There are two types of opt-out:
- Pre-emptive opt-out – Not offering consent before interacting with a business. For example, when the user unchecks a ticked box indicating they do not want to join a mailing list.
- Consent withdrawal – Taking away consent after contact. An example of this could be unsubscribing after receiving an email newsletter.
B2B marketers need to make sure they don’t send marketing emails to individuals who have opted out. If they do, they will be on the wrong side of GDPR, which could lead to heavy fines.
Single opt-in is when a user adds their email address to your list in one action. It could involve entering their address in a box on your site, or checking a box after a transaction, for example.
B2B marketers need to bear in mind that an email address that has only been through a single opt-in process may not have given consent, under GDPR rules. It depends on the exact wording of the process they went through.
Double opt-in is when a user goes through a two-step process to add their email address to your mailing list. For example, after they have entered their address in a box on your site, they receive an email where they have to click a link. They join the list only when they click the link.
Like single opt-in for B2B email marketing, double opt-in doesn't necessarily mean consent. GDPR doesn't specify that you need to get double opt-in for contacts on your list. However, it is best practice.
It’s clear that B2B marketers can still get results in the post-GDPR world. You just need to be thoughtful about who you contact and how. If you're handling data correctly, and only marketing to people who you believe will be interested in your business, you've nothing to fear. It’s what you should be doing anyway!