I added email subscriptions to my blog[1] and, in the process, signed up for four different email providers to test them out. A week later, I noticed I was getting marketing emails from all of them. I thought this was weird – I’m based in the European Union, and thought that the GDPR forbade companies from emailing me without asking. I’m also usually careful about “sign me up for email marketing” checkboxes, so I thought it was weird that I’d missed… all four of them?
Time to investigate.
The products I’ll discuss today are Mailchimp, Campaign Monitor, Mailjet and ConvertKit. Here’s the experiment:
- Sign up for an email marketing provider
- Object to every possible marketing email in the sign up process
- Wait a week ⏰
- See which emails we received!
Here’s a completed sign-up form for Mailchimp. Note the sneaky “reverse consent checkbox” - “I don’t want to receive emails about new Mailchimp products, best practices, or special offers”.
I hate sneaky reverse consent checkboxes. I missed this one the first time I signed up.
Later on, you’re presented with another email sign up form. This, in contrast, is the best kind of sign up form – explicitly-labelled optional signups. Nothing sneaky going on here. 🎉
There’s no newsletter checkbox on the sign up form…
… because it’s in the second step of the onboarding. It’s an opt-in checkbox; I haven’t checked it. Good.
No checkboxes! Just a signup flow.
Also no email subscription checkboxes!
Emails, a week later
Here are the emails I received from each of these services after waiting a week.
I got exactly one email from Mailchimp. It’s an automated report about my subscriber count! I didn’t sign up for this explicitly, but I’m ok with it, because it feels account related.
Recall that I carefully avoided opting-in to emails when I signed up. You are apparently subscribed to these ones by default, regardless of your choices.
One email! It’s a sign-up / welcome email.
Six. Six emails.
Wait. Hang on:
Here’s a neat summary table. I made it with emoji ✨:
- 😡 (pouting face) is for a promotional email I never signed up for
- 📨 (incoming envelope) is for a transactional-ish email (providing info about the account)[2]
- 🔥 (fire; think dumpster fire) is for emails that got marked as spam 🙃

| Provider | Received emails in a week |
|---|---|
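As an added illustration of the tally behind the summary table (this is not code from the original post), here is a small Python script that sorts a batch of received emails per sender domain into the three emoji buckets above. It uses the headers bulk senders conventionally set, `List-Unsubscribe` (RFC 2369) and `Precedence: bulk`, plus the spam filter’s `X-Spam-Flag` verdict. The sample messages and the provider-to-domain mapping are constructed placeholders, and the header heuristic is an assumption of mine, not the hand-sorting done for the table.

```python
from collections import Counter, defaultdict
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

PROMO, TRANSACTIONAL, SPAM = "promo", "transactional", "spam"
EMOJI = {PROMO: "😡", TRANSACTIONAL: "📨", SPAM: "🔥"}

# Constructed placeholder mapping: sender domain -> provider name.
PROVIDERS = {
    "provider-a.example": "Provider A",
    "provider-b.example": "Provider B",
}

# Constructed sample messages (not real mail from any provider).
SAMPLE_MESSAGES = [
    # Welcome email with no bulk-mail headers: treated as transactional.
    """From: Welcome <hello@provider-a.example>
To: me@example.org
Subject: Welcome to Provider A

Thanks for signing up.
""",
    # Promotional: List-Unsubscribe plus Precedence: bulk.
    """From: Tips <tips@provider-a.example>
To: me@example.org
Subject: 5 tips to grow your list
List-Unsubscribe: <mailto:unsub@provider-a.example>
Precedence: bulk

Have you tried our templates?
""",
    """From: Provider B <hello@provider-b.example>
To: me@example.org
Subject: Confirm your account

Click the link to confirm.
""",
    # Promotional: List-Unsubscribe only.
    """From: Provider B <news@provider-b.example>
To: me@example.org
Subject: Getting started, part 1
List-Unsubscribe: <https://provider-b.example/unsub>

Here is how to send your first campaign.
""",
    # Promotional: Precedence: bulk only.
    """From: Provider B <news@provider-b.example>
To: me@example.org
Subject: Getting started, part 2
Precedence: bulk

Here is how to build a landing page.
""",
    # Spam-flagged by the receiving filter; the filter's verdict wins.
    """From: Provider B <offers@provider-b.example>
To: me@example.org
Subject: Limited time offer!!!
List-Unsubscribe: <https://provider-b.example/unsub>
X-Spam-Flag: YES

Upgrade now and save.
""",
]


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def classify(raw):
    """Return (sender domain, category) for one raw RFC 5322 message.

    Heuristic (an assumption, not a legal test): a spam-filter verdict wins;
    otherwise bulk-mail headers mark a promotional send; anything else is
    treated as transactional. Automated account reports that carry an
    unsubscribe link will land in 'promo', so check that bucket by hand.
    """
    msg = message_from_string(raw, policy=default)
    if str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES":
        category = SPAM
    elif msg["List-Unsubscribe"] is not None or \
            str(msg.get("Precedence", "")).strip().lower() in ("bulk", "list"):
        category = PROMO
    else:
        category = TRANSACTIONAL
    return sender_domain(msg), category


def tally(raw_messages, provider_for_domain):
    """Map provider name -> Counter of categories over all messages."""
    counts = defaultdict(Counter)
    for raw in raw_messages:
        domain, category = classify(raw)
        counts[provider_for_domain.get(domain, domain)][category] += 1
    return dict(counts)


def render_table(counts):
    """Render the tally as a markdown table in the emoji scheme above."""
    lines = ["| Provider | Received emails in a week |", "|---|---|"]
    for provider in sorted(counts):
        cells = "".join(EMOJI[c] * counts[provider][c]
                        for c in (PROMO, TRANSACTIONAL, SPAM))
        lines.append(f"| {provider} | {cells or '(none)'} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(tally(SAMPLE_MESSAGES, PROVIDERS)))
```

The headers checked here are whatever the receiving mail client sees, so the same functions work over an exported mbox (`mailbox.mbox` from the standard library yields messages you can pass through `str()` into `classify`). The heuristic is deliberately coarse: a subscriber-count report that carries an unsubscribe link counts as promotional here even though it reads as account-related, so the promotional bucket still needs a human look before it goes in a table.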
What are the actual rules again?
I felt like some of these email practices might have been a violation of the GDPR when I first noticed. Indeed, the first draft of this blog post was called “It’s 2020, and these email marketing companies are still doing the GDPR wrong”.[3]
But before making claims about companies being non-compliant, I thought it might be prudent to… y’know, actually read the GDPR.
What legislation is involved?
I’ve been talking about this as if email marketing is the domain of the GDPR, but actually, it’s the domain of both the GDPR and the ePrivacy Directive. The ePrivacy Directive was written in 2002, and the GDPR refers to it, and explicitly does not replace it. It turns out that a lot of the legislation related to electronic direct marketing is grounded in the ePrivacy Directive.
It’s worth noting that Regulation and Directive are technical terms. A Regulation is directly applicable law in every EU member state; a Directive sets a result that member states must achieve, each by passing its own national law. The GDPR is a Regulation, but the ePrivacy Directive is just a directive, and so implementation of the ePrivacy Directive varies between EU countries.
What are the rules on direct marketing?
Here’s my current understanding of when you’re allowed to send direct marketing emails to EU-based users[4]:
You have the freely-given, specific, informed consent of the user. This is a user clicking a checkbox saying “I’d like your emails, please!” Or, entering your email address and clicking “SIGN ME UP PLZ!” on my email updates form. This is also what Mailchimp is doing on their email sign-up interstitial.
You collected the user’s email as part of the “sale or negotiation of a product or service”, and you’re marketing your own similar products, and you gave them the opportunity to object upon sign-up and in every communication.
This is like what Mailchimp are doing with the don’t email me checkbox at the start of the signup process! I was really surprised to discover that this was still allowed under some circumstances (even if it is kinda shady).
The user is actually a business! The GDPR only applies to protecting the data of people (not businesses!), and the ePrivacy Directive has been implemented differently by different member states. In some jurisdictions, therefore, you’re theoretically allowed to spam businesses! It’s hard for direct marketers to be sure of whether they’re emailing people or businesses, though, and what about sole traders? I can’t help but wonder if this is part of the reason why business name / business email are always required on the sign-up forms, though it’s probably unrelated and I think that would probably be a pretty bad defence. 🤔
The shadiest[5] reason for email-marketing people without explicit consent relies on a principle in the GDPR called legitimate interest. The idea is, when companies use your data, they’re balancing your right to privacy against their own legitimate interests. They are allowed to do some things without your explicit consent, so long as they’ve got a legitimate interest to do so. To my surprise, this can also include direct marketing!
As per Recital[6] 47:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
The legitimate interest defence is apparently a little risky though – if the regulator has a problem with your use of it, you need to be able to back up your reasoning and prove that you’ve made the correct assessment right from when you started using that personal data.
So… why am I getting all these emails?
I still can’t say with certainty, but let’s step through the reasons described above.
I personally don’t think signing up for a “free forever” account constitutes entering into a sales negotiation, and either way, I didn’t get a chance to explicitly opt-out of email marketing when my email address was collected (except from Mailchimp!).
I’m also not a business, and I haven’t signed up using a business email address, though maybe the email providers who are emailing me have clearly made that assumption[7]. From the stuff I read, this seems like a bad assumption to make.
I suspect that Mailchimp is relying upon the “sale or negotiation” reason, judging by the fact that:
- they’ve given me a choice, but
- that choice is an opt-out.
I’m less clear regarding Mailjet and ConvertKit. My hypothesis is that they have both decided that they have a “legitimate interest” in sending me emails, and they’ve probably justified it by the fact that a lot of what they’re sending me is tutorial / onboarding stuff. Maybe my interest in receiving tutorial information is implied by the fact that I signed up for the product[8]. Maybe they somehow don’t consider this as marketing.
Having said all of that, even if “legitimate interest” is legally justifiable, that doesn’t mean it’s classy.
I’d like stricter, more consistent standards for this.
I thought the GDPR prevented companies from sending me marketing emails without asking first, but I was wrong. Through this investigation, I’ve become more sure that requiring explicit, affirmative consent is a good thing. We shouldn’t make people figure out if they need to tick a checkbox to opt-in, or uncheck a tickbox to opt-out, or unbox a tickcheck to opt-it-all-about.
I’m also extremely unconvinced by the “legitimate interest” defence of direct marketing. I really can’t imagine a situation in which the expected return generates enough value to justify the annoyance. Won’t customers explicitly sign up if they actually care? I suspect that part of the problem here is that we’re still in the habit of asking people to subscribe at signup, rather than solving the design problem of asking for email consent once we’ve demonstrated that we’ll communicate valuably.[9]
If you’re building a product, have enough faith in your actual product to believe that your users will stay engaged without regular email reminders that you exist.
I learned a lot from researching this! But there’s a pretty high chance I’ve misunderstood a nuance somewhere – law is really complicated and it is not my job. If I’ve said something egregiously imprecise or you want to commiserate, you have my freely-given, specific, informed consent to send me an email ✨
Resources / Further Reading
- Legislation! Give it a shot, it’s not that bad:
- Direct Marketing Guidance (pdf) from the UK’s Information Commissioner’s Office. This is about the UK Privacy and Electronic Communications Regulations (PECR, which implements the EU ePrivacy Directive) and the GDPR. This is 58 pages of extremely high-quality, pragmatic advice – but it’s also UK-specific.
- Direct Marketing Under the GDPR: Consent vs. Legitimate Interests
- Direct Marketing and Privacy: striking that balance (pdf, mostly about the new ePrivacy Regulation, which supersedes the ePrivacy Directive, and, at time of writing, is still under discussion).
- The ePrivacy Regulation - What to Expect covers some of the expected changes when the ePrivacy Directive (which, as a directive, has been implemented differently by different EU member states) will be replaced by the ePrivacy Regulation (which, as a regulation, is directly applicable and requires less additional legislation at the member-state level).
[1] Update Jun 2022: When I wrote this, I was using CampaignMonitor because I wanted a fancy post-to-automatically-email pipeline, but then (1) it didn’t work so well, (2) I was paying €9 a month (3) I’ve only got 15 subscribers and they’re all my friends 🤷♀️
[2] I got sign-up confirmations from three providers, and counted them as transactional, even though some are extremely marketing-ish. Sign up emails are useful because if you forget what the service is called or which address you signed up with, it’s easy to track that info down again! ↩︎
[3] Actually, this is kinda fun and spicy and maybe partially true? Maybe I should’ve gone for it. ↩︎
[5] ‘Shady’ isn’t a legal term, this is opinion, not fact, etc etc ↩︎
[7] Mailchimp, Campaign Monitor, and Mailjet ask for ‘Business / Company / Organisation Name’ in the signup process, and ConvertKit starts their signup process with the question “Do you currently use an email marketing tool in your business?” ↩︎
[8] This is a bad defence, apparently! As per the UK Information Commissioner’s Office: “[the suggestion] that marketing is in the interests of individuals…is unlikely however to add much weight to [a marketer’s] balancing test”. ↩︎
[9] A lot of things also don’t have to be emails! For example, you can put new feature notifications in your app (Slack does this!), and have tips and news in loading interstitials / on dashboard screens. ↩︎