GDPR and Cold Email Explained in 4 Rules
A discussion on the rules to follow when prospecting in Europe.
GDPR? What is that?
Broadly speaking, the GDPR (or General Data Protection Regulation) is a law that came into force on May 25, 2018, and aims to protect European citizens' data.
Ah yes, is this new law preventing us from sending emails to people who have not given us their consent?
Not really… To be honest with you, I've heard everything so I ended up doing my research. We will detail all you need to understand when it comes to B2B prospecting. And we're going to simplify it into 4 easy-to-remember rules.
The GDPR is a text that is 88 pages long if you have the courage or cannot sleep tonight, you can consult it here in the language of your choice.
Rule #1: Have a legitimate interest (Article 47)
What we are trying to figure out by reading this text is: can I send a prospecting email to someone I have never met? And the answer is yes, provided that the latter has a legitimate interest in your solution.
Legitimate interest? What does that mean exactly? How do we define a legitimate interest?
Well, it's not 100% clear. Legitimate interest is what they wrote in the text. This amounts to correctly targeting your prospects (and cleaning up your lists) so that they are at least interested in what you are selling to them. To caricature, sending an email to sell a TV to a blind man or accounting software to marketers breaks this rule.
I see. We can say that this legitimate interest clause was added to put spokes in the wheels of spammers who send hundreds of thousands of emails a month without taking time to target correctly.
Yes, and it makes sense if you think about it a little. Prohibiting prospecting means reducing Europe's GDP in the coming years and putting a lot of people out of work because many B2B companies will be in trouble. The rule is simple. Your recipient must have a legitimate interest for you to contact them.
Rule #2: Contact on a professional email
Another thing to know is that the GDPR has not reinvented everything. In France, for example, we have the CNIL, which has long set the rules concerning prospecting. For instance, it stipulated that c but that it was authorized on a professional email. This rule has not changed. Also, as you can imagine, each country has its regulations. Except for a few exceptions that I am unaware of, the vast majority prohibit prospecting on a personal email.
So, I'm not a lawyer, so check well before if you are in this case, but there seems a profession that could derogate from this rule: recruiters. At least, that's what one of them told me. And after all, that would make sense. If you don't have a job, you don't have a professional email.
Interesting, but there's something I've been wondering about for a while now. If I am a company not in Europe, say, in the United States, does the GDPR concern me?
If you are a non-European company, you do not have to comply with the GDPR if you do not prospect for any European citizen and establishment in Europe. Otherwise, you are concerned (and fortunately). We tend to forget that the European regulators did not make this law to prevent startups from prospecting but to put in place a well-defined legal framework to protect the data of European citizens. As if to avoid the digital giants of today and tomorrow from continuing to do anything.
Rule #3: Allow unsubscription (Article 21)
Another critical point to respect concerns the fact of allowing the recipients of your emails to unsubscribe from your sequence. There must be a clear and visible way to opt-out of your emails.
There must be an unsubscribe link as we are used to in newsletters?
Yes, for example. Or a sentence at the bottom of the email that states that they can reply to this email indicating that they are not interested and do not wish to be contacted again.
The problem with the link is that it shows that it's automated. It doesn't sound very human or natural.
Yes, it's true. I tend to put a short sentence at the end of the message. Another benefit is that it slightly increases deliverability as mail services see people responding to our emails.
So clearly, if someone unsubscribes from my sequence, can no one in my company contact them again to offer them this same service?
Yes. Hence, it is essential to use your CRM as a source of truth between teams and set it up properly to avoid this scenario.
Rule #4: Accept deletion of data (Article 17)
Another point that must be anticipated when prospecting is that a user can request that we delete all personal data concerning him (and his email address is one of them).
So basically, I delete it from my CRM?
Exactly and every other place it may be. It's something you have to honor and can sometimes be more complicated than you think, especially in large companies with many nested solutions. For startups, the process should be reasonably quick overall.
In conclusion ?
And what do we risk in the end if we do not respect any of these rules?
Well… In most cases, a fine. The text stipulates that this can reach 20 million euros or 4% of annual income depending on the circumstances.
Alright. We put the key under the door in the end.
I was able to see a few startups that were sanctioned, and of course, the fines did not reach an amount close to the maximum amount. It all depends on the context and the seriousness of the violation. In 2020, according to a study by DLA Piper, European regulators imposed $188 million in fines, the majority of which came from big players: Google ($56.6 million), British Airways ($26 million), and Marriott ($23.8 million).
The bottom line is that the GDPR is overall (in my opinion) a good law. It aims to protect the interests of European citizens against the excesses of certain companies. If you do it right and follow the rules laid out here, you shouldn't worry. Again, this regulation aims not to kill email marketing but to prevent aggressive and harmful behavior. This law has also inspired countries such as Brazil, Australia, and Japan to toughen their rules on protecting their citizens' data. There is no reason why things should not continue to go in this direction in the years to come. Hence the interest in taking the wave now in your outbound strategy.
Of course, I'm not a lawyer. If you still have doubts about what you can or cannot do, I encourage you to contact people who are experts on the subject to answer your questions.