If your company operates within the EU, the way you send email to your customers is regulated by the General Data Protection Regulation (GDPR).
There are two basic types of automated emails that most businesses send:
- Marketing emails - designed to promote commercial products and services (such as ads, promotions, campaigns, etc.).
- Transactional emails - are not promotional in nature, and might be triggered by interactions with your site (such as receipts, shipping notices, password reminders, etc.).
To comply with the GDPR, your transactional emails need to be limited in their purpose.
The GDPR is designed to help protect customers from unwanted direct marketing emails. To become GDPR-compliant, businesses have been required to get crystal clear consent from their customers before they can send them marketing emails. The days of pre-ticked boxes and presumed consent are over.
But what about transactional emails? These are emails that you need to send, right? Surely a sales receipt or notification of changes to your terms of service can't be considered spam? Well, from the customer's point of view - they might feel like spam. And from the perspective of the GDPR, they might be pretty close to it.
Emailing Without Consent
Data Processing First Principles
Sending transactional emails is an act of data processing - you have your customer's personal data (their name and email address, at the very least), and you're using it to communicate with them.
All processing of personal data in the EU must conform to the principles of the GDPR. These are set out at Art. 5 (1) of the GDPR.
Two principles of the GDPR are particularly relevant to transactional emails are:
- Transactional emails need to be used in a lawful, fair and transparent way.
- You can only use your customers' data for a limited purpose. You need to consider the scope and purpose of any emails you send.
Your Lawful Basis For Sending Transactional Emails
So, how can you make sure you are sending transactional emails in a legally compliant way?
Like any act of data processing under GDPR, you need to establish a lawful basis for processing your customers' personal data.
There are six lawful bases under the GDPR, set out at Art. 6 (1). These two are most relevant to sending emails:
- Consent
- Legitimate interests
The Problem with Consent
As mentioned above, the GDPR is big on consent. While it is possible, under very specific circumstances, to send marketing emails without consent and still remain GDPR-compliant, gaining clear consent is by far the safest option for any business engaging in direct marketing.
Consent is defined at Art. 7 of the GDPR. It must be:
- Clear - e.g. your customers have ticked a box clearly indicating that they give consent
- Affirmative - only "opt-in" - never "opt-out"
- Freely given - if you're forcing your customers to consent to marketing in order to agree to your terms, you aren't giving them a real choice.
- Revocable - your customers should be able to withdraw their consent at any time.
So there's a problem with using consent as your legal basis for sending transactional emails. These are emails you need to send - they contain important information, and sometimes you'll be legally obligated to send them. Your customer can't meaningfully consent to receiving them.
Your Legitimate Interests
The solution is to establish legitimate interests as your lawful basis for sending transactional emails. This is a slightly tricky concept, defined in Recital 47 of the GDPR.
A good way to understand what "legitimate interests" means is as follows: EU citizens have the right not to have their personal data unlawfully processed. If they wish to receive a service or product from your company, they might reasonably expect you to send them transactional emails. So long as these emails are a necessary and proportionate means of communicating important information with your customers, it's in your legitimate interests to send them.
Your Privacy Policy will need to explain this, in clear terms that your customer can understand.
Sending GDPR Compliant Transactional Emails
For every type of transactional email your company sends, ask yourself:
- Does the customer need to receive this?
- Does it contain anything that could be considered marketing?
- Can I give the customer an option to unsubscribe?
- How can I explain this to my customers?
This email footer from RealSelf is a great example of how to explain the nature of transactional emails to your customers:
Don't Use Your Transactional Emails for Marketing
Art. 21 (2) of the GDPR says this about email marketing:
"Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time"
This is why you see unsubscribe options on marketing emails, such as this one from Audible:
Because your customers can't usually unsubscribe from transactional emails - but must be allowed to unsubscribe from marketing emails - you need to make sure that your transactional emails don't contain marketing.
How Not To Send Transactional Emails
Let's see what can happen if your transactional emails look more like marketing emails.
UK supermarket Morrisons sent an email to over 250,000 of their customers, supposedly with the intention of prompting them to update their account details. The email incentivized customers to change their subscription options by offering coupons. These customers had previously opted out of receiving direct marketing emails.
Unfortunately for Morrisons, one of these customers took exception to the email. He reported Morrisons to the UK's data protection authority, and Morrisons was fined £10,500. Morrisons said that they were only trying to provide "helpful information" and were "disappointed" that it was considered direct marketing.
The moral of the story? Be extremely careful about what you send your customers.
Password Reset Emails
Password reminder/reset emails are an essential type of transactional email. A customer can't unsubscribe from or opt-out of these emails, so there's no need for an unsubscribe link - but you can still link to your Privacy Policy, like eBay does here:
Because you can't give the customer an opt-out of password reset emails, you can't include anything resembling marketing material in your password reminders.
Security Alerts
Art. 34 (1) of the GDPR requires you to inform your customers of any potential data breaches:
"[...] the controller shall communicate the personal data breach to the data subject without undue delay."
Plus, Recital 47 of the GDPR states:
"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned."
From the customer's perspective, there's no getting around this one. If you're a Google user, you may have felt a pang of irritation at Google's insistence on sending push notifications and emails every time you log in on a new device. But if there's any danger of fraudulent activity on your account, you need to know about it.
Let's look at how Pinterest handles this. Here's an example of the alert that UK-based Pinterest users receive when a login occurs from an unknown device:
You'll notice at the bottom of the email that the user is invited to "unsubscribe." However, here's what happens when you click it:
It's a bluff! This is an effective way to explain to a customer why you're sending this type of transactional email.
Changes to Terms/Privacy Policy
Under the GDPR's principle of transparency, your customers need to be informed of any changes to your Terms and Conditions or Privacy Policy. In certain circumstances, you may also have to ask your customers to confirm that they accept and agree to the changes.
In any case, you will need to give your customers the option to review the new information so that they can decide whether or not to opt out (per Art. 21 (1) of the GDPR). You may have received a lot of these sorts of emails in the run-up to the GDPR as businesses updated their Privacy Policies to ensure compliance.
There are a few ways to handle this sort of transactional email.
Proactively Informing and Refreshing Consent
Where your customers have consented to your terms or policies and the changes to your terms or policies mean that your agreement with your customers no longer applies, you need to:
- Email (or otherwise contact) your customers to let them to let them know of the nature of the changes to your terms or policies.
- Ask them to consent to the new terms or policies.
The Information Commissioner's Office (the UK's data protection authority) says:
"You should keep your consents under review. You will need to refresh them if anything changes - for example, if your processing operations or purposes evolve, the original consent may not be specific or informed enough."
Proactively Informing without Refreshing Consent
You may choose to email your customers about the changes to your existing terms or policies, but not ask them to refresh their consent. This might be appropriate in the following situations:
- If you're relying on consent as your lawful basis for processing your customers' personal data, and the changes are not very significant.
- If you're relying on another lawful basis (like legitimate interests) as your lawful basis for processing your customers' personal data, and the changes are significant.
You can actively inform your customers of the changes by emailing them and asking them to read through the new terms or policies.
Here's how Medium actively informed its users of a change to its Privacy Policy:
Passively Informing
If the changes to your terms and policies are not very significant, and you don't rely on the consent of your customers, you might not need to send out an email at all. You can simply let your customers know about the changes by putting a notice on your website.
Think carefully before you decide to passively inform your customers of changes to your terms or policies. This may be inconsistent with the GDPR's principle of transparency if the changes are deemed too significant.
Welcome Emails
Welcome emails are a grey area. They're transactional emails in the sense that they are triggered by a customer's interaction with your website. But they are a little different from shipping notifications, password resets, security alerts, etc., because they arguably aren't necessary.
So do you need your customer's consent to send them a welcome email? Or can you rely on legitimate interests? Let's say a customer signs up to your service, but doesn't consent to receive marketing emails. Can you still send them a welcome email confirming their signup?
This takes us into the area of reasonable expectations.
What Would Your Customers Reasonably Expect?
GDPR Recital 47 states:
"the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect [...] that processing for that purpose may take place."
Try to put yourself in your customers' shoes. You've signed up, but you've opted out of marketing. Would you expect to receive a welcome email when signing up for this service? What would you expect that email to contain?
Let's see how WordPress handles this. Here's a welcome email sent to an EU user:
You'll notice that while WordPress isn't trying to sell anything in this email, they do promote some free services. This seems like a clever way to get customers more involved without being in danger of sending marketing material without consent.
"Marketing" is not defined in the GDPR. Different EU Member States define it in different ways in their national law.
You may feel that WordPress is a little close to the line here - that's a matter for your own judgment about what a customer might reasonably expect. Just be aware that a welcome email is not automatically a marketing email.
Receipts, Invoices, Shipping Notices
Your customers need receipts for any purchases they've made. Some businesses send a purely functional email with just payment details and confirmation of the order. Others like to use this as an opportunity to deepen their relationship with their customer a little.
Here's an order confirmation from Amazon UK:
You'll notice that Amazon does include information about other products here. However, this is presented as information about the product that the customer has purchased.
This is how Amazon lets customers know that they'll be receiving this type of information:
Well, it is information related to a product the customer has purchased. Again - in the context of your company, you'll have to decide whether this is something your customers would reasonably expect to receive.
Lawful, Fair and Transparent
Apply the principles of the GDPR to anything involving processing EU citizens' personal data, including transactional emails.
Remember the following advice, and you'll be on the right track:
- For every type of transactional email you send, consider whether it is in your legitimate interests to send it.
- Make your legitimate interests clear in your Privacy Policy.
- Don't use transactional emails for marketing purposes.
- Where you can't offer opt-outs for certain types of emails, explain this to your customers.
- Always send transactional emails to alert your customers to security issues.
- Always send transactional emails to inform your customers about major changes to your terms and policies.
- If you're going to use transactional emails such as welcome emails and receipts to develop your relationship with your customers, be very careful that they don't resemble marketing materials.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.