Bonus material: The future of email [PDF]

by Matt Gonzales

VP of Product & Compliance, Kickbox

Data privacy is a highly visible issue due to evolving regulation like the GDPR and publicized data breaches. Businesses need to be transparent about their data collection and processing activities and about changes they make to these practices. Email marketers, therefore, need to be aware of how this all impacts their own practices or processes: data collection, subscriber consent, and data privacy as a whole.

Businesses should be hypersensitive to the liabilities involved with consumer data privacy under the GDPR and should obtain appropriate consent for all data collection and use. This means email marketers must be more deliberate about the data they’re collecting, where and how they’re collecting it, and for what purpose(s) they’re processing it. This is mandated by the GDPR to give more power to consumers over their personal data and can have a large impact on a business if done without care.

It’s no longer acceptable to simply “stray” from the original data processing scope as defined by an organizational privacy policy or other agreements – onboarding new vendors, establishing new data partnerships, spinning up new and novel marketing campaigns – without first understanding the impact to data privacy and, where necessary, notifying consumers and obtaining their consent prior to any material change.

Data security policies and procedures have to be both present and demonstrable. While this may be standard operating procedure for many organizations, the new reality is that there are formal, regulatory procedures in place to enforce this. It is important for email marketers to be aware of the dynamics here because their collection and processing activities must adhere to all data privacy and security standards set by the organization.

As one means of strengthening data privacy practices, organizations are now entering into more verbose and specific contracts that define how both they, the data controller, and their processors/subprocessors will process consumer data. This adds an element of contractual obligation beyond simply trusting in a privacy policy or other service agreement.

Creating or maintaining policies can sometimes be difficult because quantifying data risk can be hard to do. Regulations like the GDPR provide sufficient motivation to figure it out and recommend bringing in a Data Protection/Privacy Officer (DPO) to assist. Now, when data breaches occur, or when data privacy complaints are brought forward, companies are held accountable to government bodies under the GDPR.

Bad business reviews are now the least of a business’s worries when regulations like the GDPR carry hefty penalties of 4% of global revenue plus additional percentages mandated by each member state of the EU. This doesn’t account for lost business opportunities from organizations that are looking for a GDPR-compliant service and will overlook any organization that adds to their own liability (lack of GDPR compliance). This becomes an important factor in email marketing, particularly in trying to attract or retain EU customers.

Various countries, including the US, are looking to the GDPR for inspiration, and a global standard is coming that further increases risk for international organizations.

This article is from our white paper ‘The Future of Email’. To download your free copy, head to