Email best practices
Email personalization and data privacy: What marketers need to know
Personalization is important in an advanced email strategy, but how can all that data impact privacy concerns and compliance? Find out what our data protection officer has to say about balancing email personalization with privacy.
PUBLISHED ON
More than ever, people seem to care an awful lot about protecting the privacy of their personal data. Does that mean the days of blindly checking the “Agree” box for terms and conditions are over? Will consumers start poring over the privacy policies of every website they do business with?
Honestly, probably not. But prioritizing personal data protection is a trend that’s turned into a movement with no signs of slowing down.
At the same time, consumers are expressing a desire for more personalized experiences from brands. And marketers are more than willing to use personal data to make that happen.
A highly personalized brand experience requires personal data. So, where do these two lines cross? How can marketers use the power of personalization to build unique and engaging emails for subscribers while being vigilant about data privacy at the same time?
Table of content
1. Obtaining consent for email personalization
2. Opting out of emails
3. Collecting data for email personalization
4. Storing and deleting data for email personalization
5. Transferring email marketing data
The privacy paradox and its impact on personalization
The privacy paradox (sometimes called the internet paradox) describes a disconnect between how people feel about data privacy and how they behave online. To be blunt… it means people say they want their personal data protected and privacy respected, but they’re still using Password123! to log in to most of their online accounts.
That’s a bit of an extreme example, but it’s not hard to imagine, is it?
Of course, it’s not just cyber-crime that concerns people. In recent years, many consumers were shocked to find out how their data is being used by legitimate brands. That’s thanks in part to big stories like Facebook’s data privacy scandal, which impacted more than 87 million people.
According to Cisco’s 2021 Consumer Privacy Survey, 89% of people say they care about data privacy and want more control. That sounds like a lot. But there’s a difference between talking the talk and walking the walk.
Cisco’s survey also found that 79% of consumers are willing to take action to protect sensitive personal data. However, only 32% of those surveyed are what Cisco calls “Privacy Actives” – or those who’ve actually acted on their data privacy concerns.
One of the main ways people take action is to leave online platforms and providers because of inadequate data privacy policies and protections. Cisco found a third of Privacy Actives have ended relationships with social media brands while 17% have left email platforms over privacy concerns.
Consumers’ desire for highly personalized marketing experiences only adds to the privacy paradox. McKinsey & Company’s Next in Personalization 2021 Report found more than 70% of consumers expect personalization and 76% get frustrated when brands don't provide personalized experiences.
Successful email marketers are pursuing personalization as an important trend. Our own Inbox Insights 2022 report revealed that 49% of best-in-class email marketers planned to use more personalization in the year ahead. That made it the top trend in our survey.
But enough statistics for today. Let’s explore the ways marketers can take advantage of email personalization while respecting the privacy and security of subscribers.
Meet your personalization and privacy expert
To get some answers, we talked with Darine Fayed, General Counsel and Data Protection Officer (DPO) at Sinch Mailjet. That’s right. Darine is a real-life lawyer who deals with the legalities of email and privacy all the time. Every week, she’s on calls answering our customers’ data privacy questions and addressing their concerns.
She believes respecting the privacy of your subscribers is an investment that will pay off.
“At the end of the day, it’s about ROI. People are much more aware of privacy risks as well as their rights. They want to trust brands, but they also expect brands to treat their personal data with care and respect.”
Darine Fayed, General Counsel & DPO, Sinch Mailjet
This article takes a high-level look at the intersection of email personalization and data privacy protection. However, it’s always important for brands to get their own professional legal advice for in-depth guidance. Your organization's personalization and privacy situations are unique.
Five keys to balancing email personalization and privacy
When the European Union’s General Data Privacy Regulation (GDPR) entered the scene back in 2018, a lot of marketers were freaking out. Then, most ethical email marketers breathed a sigh of relief after realizing they were already following many of the rules.
Since then, GDPR has been a model for new data privacy legislation and updates to existing laws around the world. One place where data privacy laws are still a bit murky is the United States. While there is the California Consumer Privacy Act (CCPA) and other state laws,
Darine Fayed says some sort of national U.S. privacy is needed, but will likely take some time.
“We’re seeing states enacting these data protection bills that are looking more and more like GDPR. But we’re waiting on a federal bill in the United States. And that probably won’t happen for at least a year or two.”
Darine Fayed, General Counsel & DPO, Sinch Mailjet
The reality of online commerce and a connected global market means even small businesses have to consider how data privacy laws impact email marketing. So, let’s review common practices connected to email personalization and how they relate to data privacy.
1. Obtaining consent for email personalization
You can’t personalize emails for anyone until you get their email address and basic information. It should go without saying that buying a list of emails is a bad idea. So, most new contacts are acquired after they fill out online forms and willingly subscribe to your emails.
One thing you cannot do is include pre-ticked checkboxes on those online forms. The Court of Justice for the European Union ruled this tactic does not comply with GDPR. Let’s be honest, this was always a sneaky move based on the assumption that people wouldn’t notice the pre-ticked box.
There are cases in which brands may have implied consent to email someone. That would include certain transactional emails such as order confirmations and shipping updates as well as directly replying to someone who filled out a contact form to reach support.
However, implied consent does not mean you’ve got permission to send contacts marketing emails. To do that, you’ll need express consent, which means they knowingly and willingly signed up to get those communications.
The bottom line on email consent
Make it very clear what people are signing up for when they fill out a form. If they’re downloading an ebook or subscribing to your newsletters, let them know you’re also going to send them marketing emails or product news (assuming that’s your plan).
To take things a step further, build a preference center where subscribers can choose the types of email communications they want to receive from your brand.
Another smart idea is implementing a double opt-in sign-up process, which ensures new subscribers truly want to be on your list. And the confirmation email can also be your opportunity to build trust with your customer as to your data privacy commitments.
2. Opting out of emails
In the world of data privacy compliance, consent can be taken away as easily as it was given. Or at least, it should be.
Data privacy laws, like GDPR, indicate that people should be allowed to change their minds about opting in to your emails. That means marketers should make it simple and easy to unsubscribe. So what is simple and easy? Well, most of us know what it’s not.
For example, it’s still quite common to see a teeny-tiny unsubscribe link at the bottom of emails. Imagine how that might impact a subscriber with low vision. It’s definitely not supporting an accessible inbox experience.
On the other hand, we occasionally notice marketers who remind subscribers how they got on the list, why they’re getting the emails, and even offer a way to unsubscribe at the top of the message. That’s a great way to build trust.
You’re only hurting yourself if you make opting out difficult. It means subscribers are more likely to mark your emails as spam. As Darine reminds us, it hurts your sender reputation and brand reputation.
“People end up hating brands that make it hard to unsubscribe from email communications.”
Darine Fayed, General Counsel & DPO, Sinch Mailjet
The right to opt-out is one of five consumer rights outlined in the CCPA. Although, this specifically refers to giving consumers the power to restrict companies from selling their personal information.
The bottom line on opting out
We get it, unsubscribes can hurt an email marketer’s ego. And you certainly need to keep an eye on the unsubscribe rate to make sure there aren’t bigger problems.
However, it’s natural, normal, and even good to have people leave your list. Those subscribers are just dead weight that drags down your other metrics. You don’t need them anyway.
While list cleansing and email address verification aren’t regulatory requirements, Darine calls them smart proactive moves that support email deliverability. For one thing, they prevent spam complaints from inactive contacts who forgot they ever subscribed. Darine also suggests asking for consent again when you attempt to re-engage or reactivate dormant subscribers.
3. Collecting data for email personalization
Now we’re getting down to the real, juicy data – the insights you need to personalize your emails and build those relevant inbox experiences for individual subscribers.
One of the first places you’ll collect personal info about new contacts is on a sign-up form. Beyond a name and email, your forms may ask for phone numbers, employers, job titles, location, family and marital status, or other personally identifiable information (PII).
Make sure every form used to collect email addresses also provides a link to your privacy policy. That’s where people can find out exactly how their data might be used. Here’s Darine’s solid advice on the language in your brand’s privacy policy.
“Your grandma should be able to buy something online and understand the privacy policy behind it.
Any privacy policy needs to be clear, understandable, and transparent. That means you need to tell your subscribers and customers what data you collect, what you plan to use it for, how long it’s stored, and if it is transferred anywhere.”
Darine Fayed, General Counsel & DPO, Sinch Mailjet
That includes data collected after the form is filled out. You may be personalizing email experiences based on how people engage with your emails – like what campaigns they open and what they click on. You can also use things like content consumption, purchase history, and the pages they visit on your site to support an email personalization strategy.
The bottom line on data collection
Just because you can collect certain personal data, it doesn’t mean you necessarily should. Responsible marketers only ask for the information they truly need to provide an ideal email experience. Collecting more than that could put you and your subscribers at risk in the event of a cybersecurity breach.
Darine points out that there are different levels of personal data. Certain information, like social security numbers, bank accounts, and health information is considered highly sensitive personal data. It requires special attention and extra protection.
Depending on your industry, you may have to follow specific privacy laws. For example, the US has the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of a patient’s health information.
4. Storing and deleting data for email personalization
Earlier, we mentioned the right to opt-out. Data privacy laws also define other common consumer rights. They include the right to access and the right to be forgotten.
Laws like GDPR and CCPA give your subscribers the right to see all of the personal identifiable information (PII) you’ve collected about them… yes, all of it. That means you need a way to compile and deliver all of that information to them.
The right to be forgotten means more than just removing someone from your email list. It means deleting every piece of data you have on that individual. When complying with a request to delete a consumer’s data, it should be as if they never existed in your database (and any third party sub processors’ databases that you may use).
Just keep in mind, opting out or unsubscribing is not the same as exercising the right to be forgotten. To do that, contacts need a way to contact your organization and make a specific request. Data privacy laws like CCPA require at least one official way to request data deletion. It can be a phone number or a physical address, but it may be wise to set up a dedicated email address for this.
The bottom line on data storage and deletion
These requests are officially known as data subject access requests (DSARs). Your data needs to be stored in a way that protects it from bad actors. But you also need to be organized enough to comply with DSARs.
Darine says, in the early days of GDPR, Mailjet didn’t receive many access requests. The company was able to handle it manually. Over time, however, requests increased to thousands and we developed an automated internal process to handle DSARs.
That may not be feasible at your business, but there are other solutions.
“If companies are having trouble managing these requests, now there are tools that help you respond to DSARs easily. That could be a good option for smaller companies.”
Darine Fayed, General Counsel & DPO, Sinch Mailjet
Check out ratings and reviews of DSAR software on G2 to learn about some of these tools.
5. Transferring email marketing data
In addition to protecting private data stored in your infrastructure and marketing platforms, data privacy laws like GDPR and CCPA require that sensitive information is protected “in transit.” That would include when it’s sent via email. It also involves the process of transferring data from one email service provider (ESP) or marketing automation platform to another. So, it’s something to consider if you switch ESPs.
Darine calls data transfers a “hot topic” in the world of digital privacy. Much of the concern centers around the now-defunct EU-US Privacy Shield, which was a framework for exchanging data between the European Union (as well as Switzerland) and the United States.
After legal challenges from privacy groups, the European Court of Justice struck down the EU-US Privacy Shield, saying the framework didn’t do enough to protect EU citizens. As of early 2022, plans for “Privacy Shield 2.0” were underway, and the U.S. and the European Commission have recently committed to a new Trans-Atlantic Data Privacy Framework which will establish an important legal mechanism for transfers of EU personal data to the U.S.
However, Darine says all of this does not mean there is no secure way to transfer personal data across the Atlantic.
“It means any European company that wants to transfer personal data outside of Europe to the U.S. needs some kind of assurance that their data is protected at the same standard as GDPR. At Mailgun and Mailjet, that invalidation did not affect us because we never based any of our data transfers on the EU-US Privacy Shield alone.”
Darine Fayed, General Counsel & DPO, Sinch Mailjet
The bottom line on data transfers
There are three players in the data privacy game: data subjects, data processors, and data controllers. Data subjects are your subscribers and customers. Data processors handle data and information on behalf of controllers. If you’re collecting PII for email personalization, you work for a data controller.
And, while Darine says everyone is responsible for handling PII with care, data controllers have a greater responsibility to protect their customers.
“Anyone who touches personal data needs to be protective of it. But controllers need to be specific about how personal data should be stored, treated, and transferred to third parties. All of that needs to be done in a way that’s strictly compliant.”
Darine Fayed, General Counsel & DPO, Sinch Mailjet
Part of that means identifying vendors and third-party solutions you can trust. Find out more about data privacy and working with third-party solutions providers while complying with important regulations.
R-E-S-P-E-C-T: Take care, TCB
The topic of data privacy and digital marketing is a touchy one. However, for any company that cares about the people they serve, it’s worth the consideration and effort. Plus, when people see you putting their privacy first, it will boost your brand’s reputation.
“Don’t respect data privacy because you’re afraid of GDPR fines or whatever looming data protection authority that’s going to come and get you. That’s not why you should care. It’s a business decision. If you treat people with respect in terms of their privacy, they will come back.
Customers who feel safe working with you are happy customers, and happy customers are good for business.”
Darine Fayed, General Counsel & DPO, Sinch Mailjet
At Mailjet and Sinch Mailgun, we place an extremely high priority on security for our own customers as well as the privacy of the people and businesses that our customers serve.
Mailjet was founded in France and is the preferred email service provider for many companies in Europe. So, we’ve always placed a lot of value in closely following the rules of GDPR. You can find out more in our FAQ on Mailjet’s GDPR compliance and on Mailjet’s Security & Privacy page. And if you still have questions, email us at privacy@mailjet.com.
Want to learn more about data protection in marketing? Download our GDPR kit for marketers!