Post Creative Blog

Articles and tutorials to help you use your website to do great things.

A few weeks ago we blogged about GDPR. Today I want to look into email marketing and how the new law will affect our processes around how we communicate with our customers, leads and network.

Verifiable consent

Following the introduction of GDPR, all businesses need a legal justification for storing the personally identifiable information of EU citizens. You may rely on a different legal basis for different types of information, but when it comes to email marketing the majority of you will be relying on consent.

Consent needs to be verifiable. This means that there needs to be a written, reference-able record of when consent was provided. Any time someone signs up to your newsletter through an email signup form on your website, their consent is recorded and timestamped. This record can be accessed from within your Mailchimp account and exported as a CSV.

Withdrawing consent

Under GDPR, individuals have the right to access the personal information you hold on them, the right to withdraw consent, and the right to have the information you hold on them erased. Mailchimp emails all contain the option to unsubscribe. They also allow individuals to access the information you store about them and edit their preferences.

Explicit consent

Explicit consent means that your audience needs to actively consent. The opt-in can’t use a pre-checked box. Sign-up forms should also contain an opt-in message in which you state all the ways you intend to use the personal information you collect.

When someone subscribes to your Mailchimp email list they need to be aware that they are consenting to the following:

  • Transfer of their contact information to MailChimp
  • Storing their contact information in your MailChimp account
  • Sending them marketing emails from your MailChimp account
  • Tracking interactions

Where does Mailchimp store its data?

Mailchimp does not plan to store EU citizens’ accounts in EU member states. GDPR doesn’t require that data be stored in the EU, but it does require that any transfer of data outside the EU meets certain conditions. The Data Protection Act says that:

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Source: ICO website

The Privacy Shield framework constitutes one such example of an adequacy decision. MailChimp participates in and has certified its compliance to the Privacy Shield framework.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Source: Privacy Shield Framework

The legacy data dilemma

The Information Commissioner has made it clear that if your existing information doesn’t meet the requirements for consent, you will have to seek fresh consent or find a different legal basis for holding that information.

For most people, proof of consent is going to be the most difficult aspect of compliance with regard to legacy data. The challenge is to get fresh consent without breaching the current PECR, the UK’s Privacy and Electronic Communications Regulations.

PECR sets out the rules businesses must follow when sending marketing emails or text messages or making telemarketing calls. PECR will exist alongside GDPR until 2019, when it will be revised to become the EU ePrivacy Regulation (for electronic communication), which will be enforced in line with GDPR.

PECR currently has provision for “soft opt-in” and this will still apply in the run-up to GDPR. The following conditions must be met:

  • you obtained an individual’s personal data in the course of a sale or negotiations for a sale of a product or service;
  • the communications you send are only marketing similar products or services; and
  • the individual was provided with a simple opportunity to refuse marketing when their details were collected, and if they didn’t opt out at this point, they are given a simple way to do so in all future marketing communications

Source: Data Protection Network

So, if your email list was created using any of the methods described above, you can re-establish consent that is explicit and verifiable by sending out a re-consent email in which you outline why you have their information, what you are using it for, where it is stored, and how they can access it, change it and unsubscribe.

I suggest that you create new signup forms for your lists and ask people to subscribe again. This will give you a timestamp for consent and proof of explicit consent. The old lists can then be deleted.

The re-consent campaign is also a great opportunity to direct people to your privacy policy, which should contain your business’s overarching statement about how you will collect, store and secure the information of those who use your products or services. It’s a good opportunity to build trust.
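To make the legacy-data triage above concrete, here is an added example (not code from this article or from Mailchimp) that runs the article’s own tests over an exported subscriber list: a record counts as explicit consent only if it is timestamped, did not come from a pre-ticked box and showed the four purposes listed earlier; otherwise it may qualify under the PECR soft opt-in conditions, and anything left over goes into the re-consent campaign. The record fields, source labels and purpose names are constructed assumptions, not Mailchimp’s export format.

```python
# Added example, not from the article or Mailchimp: sort exported subscriber
# records into "explicit", "soft_opt_in" or "reconsent" using the article's
# criteria. Field names and purpose labels are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime
REQUIRED_PURPOSES = frozenset(  # the four purposes the article lists
    {"transfer_to_mailchimp", "store_in_mailchimp", "marketing_emails", "tracking"})

@dataclass
class ConsentRecord:
    email: str
    source: str                     # "signup_form", "sale" or "legacy_import" (assumed)
    opted_in_at: str = None         # ISO-8601 time of the opt-in, None if no record
    prechecked: bool = False        # opt-in box was pre-ticked: not explicit consent
    purposes_shown: frozenset = field(default_factory=frozenset)
    similar_products_only: bool = False  # PECR soft opt-in condition
    refusal_offered: bool = False        # PECR soft opt-in condition

def has_timestamp(rec: ConsentRecord) -> bool:
    """Verifiable consent needs a parseable record of when it was given."""
    try:
        datetime.fromisoformat(rec.opted_in_at or "")
        return True
    except ValueError:
        return False

def classify(rec: ConsentRecord) -> str:
    if has_timestamp(rec) and not rec.prechecked and REQUIRED_PURPOSES <= rec.purposes_shown:
        return "explicit"
    # Soft opt-in: data obtained during a sale, similar products, refusal offered.
    if rec.source == "sale" and rec.similar_products_only and rec.refusal_offered:
        return "soft_opt_in"
    return "reconsent"

def audit(records):
    """Group addresses by outcome so the 'reconsent' bucket can be re-mailed."""
    buckets = {"explicit": [], "soft_opt_in": [], "reconsent": []}
    for rec in records:
        buckets[classify(rec)].append(rec.email)
    return buckets
# Constructed sample export: one record per outcome plus a pre-ticked box.
SAMPLE = [
    ConsentRecord("a@example.com", "signup_form", "2018-05-01T10:00:00+00:00",
                  purposes_shown=REQUIRED_PURPOSES),
    ConsentRecord("b@example.com", "signup_form", "2018-05-01T10:05:00+00:00",
                  prechecked=True, purposes_shown=REQUIRED_PURPOSES),
    ConsentRecord("c@example.com", "sale", None, similar_products_only=True,
                  refusal_offered=True),
    ConsentRecord("d@example.com", "legacy_import", "not a date"),
]
```

Running `audit(SAMPLE)` leaves only the first address in the explicit bucket; the pre-ticked signup and the undated import both land in the re-consent list.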


In this article we talked mainly about consent as a legal basis. For some groups of people you email, you may have a different legal basis. If you are unsure which legal basis you are relying on, please consult a data protection specialist or a lawyer.

Hit us up with any questions in the comments below.