Businesses, large and small, are in the midst of preparing for compliance with the European Union’s (EU) new data privacy law: the General Data Protection Regulation, or GDPR, which goes into effect on May 25, 2018.
The GDPR is very broad in scope and can apply to businesses both in and outside of the EU.
Businesses that don’t comply with the GDPR could face heavy fines.
Here’s what you need to know about GDPR. (Note: you should consult your own legal counsel to determine if you are subject to the requirements of GDPR.)
What is GDPR?
GDPR is short for the General Data Protection Regulation, which goes into effect on May 25, 2018. It was passed by European lawmakers to create a harmonized data privacy law across all EU member states. Its purpose is to:
- support privacy as a fundamental human right;
- require companies that handle personal data to be accountable for managing that data appropriately; and
- give individuals rights over how their personal data is processed or otherwise used.
What is personal data?
In a nutshell, GDPR defines personal data as “any information relating to an identified or identifiable natural person.”
Ok, so what does that mean?
In addition to the kinds of information you might expect (name, address, email address, financial information, contact information, identification numbers, etc.), personal data can in some cases include information related to your digital life, such as an IP address, geolocation, browsing history, cookies, or other digital identifiers.
It can also mean information about a person’s physical, mental, social, economic or cultural identity.
In short, if information can be traced back to or related in some way to an identifiable person, it is highly likely to be personal data. You can find out more about the GDPR here.
What rights does the GDPR provide to individuals?
There are several rights an individual may exercise under the GDPR, including:
- Right of access: Individuals can ask for a copy of the personal data retained about them and an explanation of how it is being used.
- Right to rectification: Individuals have the right to correct, revise or remove any of the personal data retained about them at any time.
- Right to be forgotten: Individuals can ask to delete their personal data.
- Right to restrict processing: If an individual believes, for example, that their personal data is inaccurate or collected unlawfully, the individual may request limited use of their personal data.
- Right of portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format.
- Right to object: An individual who no longer wishes their personal data to be included in analytics, or to receive direct marketing emails or other personalized (targeted) marketing content, may at any time opt out of the use of their data for these purposes.
Please note that these rights are not absolute, and limitations/exceptions may apply in some cases.
What is Constant Contact doing to comply with the GDPR?
If you exercise any of these rights as an individual Constant Contact customer or representative of a Constant Contact customer, Constant Contact will respond in accordance with our Privacy Statement.
The Constant Contact Privacy Statement explains what information we collect about you as a Constant Contact customer and how we handle your personal data in this context where the GDPR applies. This statement includes descriptions of how your personal data may be used by Constant Contact.
We suggest that you review how this applies to you. Note that we will be updating our privacy statement to align with GDPR. No worries, though, we’ll send all users a notice letting you know that it will be changing, so you’ll know what to expect.
Where required, we will also support you, as a Constant Contact customer, in fulfilling GDPR related data subject requests you receive from your contacts.
We are also certified under the EU-US and Swiss-US Privacy Shield frameworks. This means we transfer and protect personal data from the EU and Switzerland consistent with the requirements of the Privacy Shield program, which is governed by the Federal Trade Commission and approved by the EU Commission. As a result, you can transfer your data, and that of your customers, to us in compliance with the data transfer restrictions in the GDPR.
Some responsibilities of the GDPR you should understand
Generally speaking, there are two types of parties that have a responsibility regarding the handling of data: the “controller” and the “processor.” It is important to determine whether you are acting as a controller or a processor and understand your responsibilities accordingly.
A “controller” determines the purposes and means of the use of personal data.
A “processor,” on the other hand, only acts on the instructions of the “controller” and processes personal data on the controller’s behalf.
So, what does this mean?
Constant Contact is the controller in relation to the personal data you provide to us as a customer. You are the controller in relation to the contact data you upload and use in your Constant Contact account.
Constant Contact is your processor when we provide our services to you. For example, when we facilitate the sending of emails to your contacts and provide tools to manage your contact lists, we are acting as a processor on your behalf.
It is your responsibility to ensure that you have the necessary notices and/or consents in place in order to transfer personal data to us for use.
In addition, we are reviewing and updating, as necessary, our agreements with you and with our subcontractors (to include the necessary GDPR terms), as well as our notices, policies, internal processes, features, and templates, to ensure our own compliance and help you achieve yours.
How does the GDPR affect my business?
Individuals, companies, or businesses that have a presence in the EU, or that have no presence in the EU but offer goods or services to, or monitor the behavior of, individuals in the EU, need to comply with this law. Please consult with your own legal counsel about whether the GDPR applies to you and your business.
What do I need to do differently to comply with GDPR?
If the GDPR applies to you, there are various obligations you will need to comply with in order to send emails to your contacts. Luckily, not all of these obligations are new, so you should be complying with some of them already.
The most important differences in this context are as follows:
- More information about your use of personal data must be communicated to your contacts. You should make sure that your privacy notices/policies are updated to reflect the new requirements of the GDPR, including setting out the purposes of your processing personal data, how long you are retaining such data, and what legal basis for use of personal data you are relying on. Also, you should ensure that the email sign-up forms you use include clear and specific language about all the possible ways you will be using your contacts’ personal data. For example, you can set their expectations by adding additional language such as “We’ll be sending you our monthly email newsletter, including the latest news about our events and new products, plus advance notice of occasional sales.”
- You should determine the legal basis for your use of personal data. If you are relying on consent to use your contacts’ data, you should ensure that the consent you have meets the new requirements of the GDPR (more details on this below). Please note that sending marketing emails to contacts may require, in certain circumstances, prior opt-in consent from your contact. As a reminder, by accepting our terms of service you have already agreed to lawfully obtain and process all personal data appropriately, and have attested that you have permission to email the contacts uploaded to your account.
- You will also need to comply with the rights provided to individuals by the GDPR. See section above “What rights does the GDPR provide to individuals?”
To the extent that you have these obligations, we have tools in place to help support your compliance efforts; we’ll go into some detail about this below. These include methods for you to document consent to email your existing contacts, as well as ways for you to confirm and document consent for new ones.
You should consult with your legal counsel on the above and your other obligations under GDPR.
What consent is required under the GDPR?
The GDPR requires documented consent from your contacts.
You may be familiar with implied consent from CAN-SPAM legislation in the U.S. and CASL in Canada, where consent may be inferred from a contact’s actions. For example, a contact may have given implied consent by having an existing business relationship with you, such as making a purchase from you or a donation to you.
When in doubt, and you are relying on consent to send emails to your contacts, express consent is typically your best option. You obtain and document express consent when you explicitly ask your potential contacts for permission to send them emails, and they agree, and that agreement is recorded. Constant Contact has ways for you to indicate whether you have obtained express or implied consent from a contact, outlined in more detail below.
There may be circumstances where you can rely on something similar to implied consent for sending emails to contacts even when subject to the GDPR. This is called a “soft opt-in,” which applies where:
- you have obtained the contact’s details in the context of a sale of a product or service;
- you are sending emails relating to similar products or services; and
- the contact had the ability to opt out of receiving such emails when they first provided their data when making a purchase, and has that ability in every subsequent email from you.
You should consult with your legal counsel to determine whether you can rely on the soft opt-in going forward under the GDPR. If you have contacts with soft opt-in consent, you can store them as implied consent in Constant Contact, but you will need to maintain your own documentation about how you obtained that soft opt-in consent.
Contacts should also be given an easy way to withdraw their consent in order to comply with the GDPR. Constant Contact provides a SafeUnsubscribe link at the bottom of every email which is sent by your Constant Contact account.
How is Constant Contact helping me comply with GDPR?
Constant Contact has tools to help you obtain and manage consent within your account.
As always, contacts can opt-out of receiving emails at any time by clicking the SafeUnsubscribe link included at the bottom of every email you send with your Constant Contact account.
Tools for documenting consent using the Constant Contact Service
When a contact gives consent through one of the methods listed below, they will be tracked and documented within Constant Contact as having provided express consent:
- GDPR Email Confirmation: Documenting Consent for your Existing Contacts
We’ve created a fully editable email template that you can customize and send to your email contacts. It’s a fast, easy way for you to gain documented consent from your existing contacts who have opted in to receiving emails from you.
Since we are a permission-based email marketing company, under our terms of service you agree that you have obtained consent to email your contacts where required by law; the GDPR additionally requires you to hold documented evidence of such consent.
You do not need to send this email if you already hold GDPR-compliant documented consent for these contacts. You can easily see whether you have implied or express consent within Constant Contact by turning on Advanced Email Permissions. See below for more information on documented consent. See how the “GDPR Consent Confirmation” email works. Please note: you will need to log into your account to access this template.
- Sign-up forms: Obtaining Consent from your New Contacts
Constant Contact sign-up forms, through which contacts can subscribe to receive your emails, will automatically document your contacts’ consent to receive emails if they sign up through those channels.
If you want an extra level of assurance that you have documented consent, you can also turn on confirmed opt-in (also known as double opt-in) in your account. This requires new contacts to confirm their subscription by clicking a link before you can send them additional emails after they have opted in. Please make sure that you review our documentation about confirmed opt-in to understand how this works.
Reports to view documented consent using Constant Contact
When you export your contacts to a file, you will be able to view permission status, email status, and date of opt-in, allowing you to track consent within Constant Contact.
- Check your email permissions
When you view a contact profile within your Constant Contact account, you’ll be able to see whether you have permission to send or whether the contact has unsubscribed. Further, you can turn on Advanced Email Permissions to see whether consent is implied or express when viewing a contact profile. Please note that for EU contacts, the GDPR requires documented consent in order to send email to them.
- Export your contacts
When you export your contacts, you will have the option to export data showing you which email addresses have provided consent. Additional data fields you can export include:
- Permission status (implied vs. express)
- Email status (active, unsubscribed, confirmed, etc.)
- Date of confirmed opt-in (if the link/confirmed opt-in email is used)
- Specify implied or express permission on file import
When you upload a file of contacts, you will have the option of selecting whether the list of contacts has provided express or implied permission, and the contacts will be uploaded with that permission status. Please note that under the GDPR, you should only upload lists of contacts who have provided consent. You should maintain your own offline documentation of these contacts’ consent.
If your list only includes contacts located outside the EU (including contacts located in the U.S. and Canada), who are not subject to the GDPR, you may upload lists of contacts who have provided you with either express or implied consent, and you should select the permission status applicable to the list you upload.
- Add or edit a single contact to specify permission
You can add a single contact and specify if you have express or implied permission when adding the contact. You can also edit the permission status of a single contact from within your account. For example, in the event you have received offline express consent from a contact, you can update that contact’s permission status from “implied” to “express.”
How to access and correct data
You can view and update a contact’s information on the contact profile page within your Constant Contact account.
Your contacts can also access and update their information and their marketing preferences by clicking the update profile link in the footer of each email you send them using the Constant Contact service. By default, the update profile form only shows a contact’s email address. If you are storing more information about contacts, you can enable those fields to be visible to contacts as well.
How to export data
You can export your contacts’ data at any time.
What if you collect contacts offline?
If you use methods outside of Constant Contact to get new contacts, it’s up to you to ensure compliance with the GDPR by obtaining and documenting consent to send them emails.
When you manually add contacts to your Constant Contact account, if you have the “advanced email permissions” setting turned on, you’ll be able to mark whether those new contacts have given you express permission. If you don’t have advanced email permissions enabled, all contacts you add will be marked as having implied permission.
What if you have more questions about GDPR?
If you have specific questions about the GDPR, please contact Support.
You may be aware that there is likely to be further change in the near future in the way you can send marketing emails to your contacts in the EU. The rules contained in the EU Directive on Privacy and Electronic Communications are under review, and we are expecting a new ePrivacy Regulation to be finalized soon.
Once these new rules are finalized, we will be reviewing our forms and features again to provide our customers with the necessary tools to achieve compliance.
NOTE: The information included on this page is meant to guide you through the process of understanding GDPR and is not a substitute for legal advice. Find more information on the GDPR website.