Email marketing platforms have begun implementing new features and functionality, as well as providing informational resources, to assist customers concerned about compliance with the European Union’s GDPR.
And there appears to be some disagreement.
In response to widespread concern about GDPR compliance, email marketing platform MailChimp has begun offering what it refers to as “GDPR-friendly” forms and features, while AWeber, in a recent blog post about common myths around GDPR, appears to take aim at MailChimp.
In a blog post titled “6 myths about the GDPR and email marketing debunked,” last updated on 16th May, AWeber states, “another rumor floating around is that you need to add checkboxes to your signup forms in order to be GDPR compliant. Some are even calling these ‘GDPR-friendly signup forms’.
“This is false. Checkboxes are not required, and are completely optional. Nowhere in the GDPR does it state that you need to add checkboxes to your signup forms”.
According to a post on MailChimp’s blog, last updated on 11th May, “The GDPR says you must obtain freely given, specific, informed, and unambiguous consent from your contacts”.
According to recital 32 of GDPR, which is titled “conditions for consent”:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
It goes on to state, “This could include ticking a box when visiting an internet website…”
One question users are likely to have is, if a checkbox isn’t required for the purposes of obtaining consent ‘[through] a clear affirmative act’, then how do they obtain it?
The two also appear to disagree on whether organizations need to reconfirm consent from existing subscribers.
According to MailChimp, “You’ll also need to collect GDPR-friendly consent from the contacts you already have. Send an email to everyone on your list that includes a link to update their settings”.
Meanwhile, AWeber states in its blog post, “One myth we see everywhere is the idea that you must have all of your subscribers reconfirm their consent in order to be compliant with the GDPR.
This is false. Sort of”.
It goes on to say, “It all depends on whether you can prove consent from your subscribers, or you have other lawful grounds for processing data, according to the GDPR” and “If you cannot prove consent for all of your existing subscribers, you should send a re-engagement email to obtain that consent”.
It then outlines a series of questions organizations should ask about their signup processes, including whether:
- They can prove consent;
- They clearly articulated what the data will be used for and what communications would be sent; and
- Subscribers can easily opt-out from further communications.
Needless to say, when email marketing platforms with legal teams differ over their interpretation of GDPR, or about how to obtain consent or what steps should be taken to ensure GDPR compliance, what hope do the organizations utilizing their tools have?