The European General Data Protection Regulation (GDPR) will introduce numerous changes, with implications for a wide range of sectors. This article gives an overview of some of the possible consequences for email marketing.
The relevant provision reads:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.
This means that it is now expressly stipulated that the users of data, including senders of commercial emails, must be able to prove that the recipient him/herself has given his/her consent.
This is of course not completely new. Previously, in the event of a dispute, users of data also had to prove that they had obtained consent from the email holder or authorized person. Up until now, this has “only” applied as a result of the general principles for burden of proof in court proceedings.¹ However, a clean double opt-in procedure (DOI) has so far been the only method recognized by the courts. In the so-called DOI procedure, the user confirms his or her identity and consent by clicking on a link in an email sent to him or her, which in turn returns a corresponding confirmation email. The alternative, single opt-in, is highly susceptible to abuse, since anyone can fraudulently enter a third party's email address, without any check, in a form for receiving a newsletter; such fraudulent registration does not constitute effective consent.
It is precisely for this reason that, for some years now, the CSA has been recommending the DOI process as a means of ensuring lawful email marketing – and this is not to mention the benefits for marketing and protection against misuse.
What is new are the possible consequences for violations of this regulation. Any data subject concerned may lodge a complaint with the supervisory authority.² If a violation of Art. 7 of the GDPR is established, this may result in a fine of up to 20 million Euro or, in the case of a company, up to 4% of its total annual turnover.³
This new regulation, combined with the high penalty threat, means that the DOI procedure is now more or less indispensable.
Authors: Legal Team of the Certified Senders Alliance
¹ Datenschutz-Grundverordnung Kommentar, Hrsg. von Peter Gola, 2017, Art. 7 Rn. 60 ff. (GDPR Commentary, edited by Peter Gola, 2017, Art. 7, marginal nos. 60 ff.)
² See Art. 77 GDPR
³ See Art. 83 Para. 5 GDPR