GDPR and the EU and Opt-in Confirmation


There’s a lot of discussion going on about just what GDPR requires, and of who, and in which jurisdictions. German organizations in particular have been more aggressive than most about wanting to see opt-in confirmation for years and now seem to be adding “because GDPR” to their arguments.
I’m still not sure how this is going to shake out, but I’m beginning to see list owners take externally visible action.

I’ve been a subscriber for four or five years – it’s a good mailing list, run well, and I doubt it has any delivery issues beyond the unavoidable.
So this is a permission pass solely because they’re not sure whether I’m an EU resident, and aren’t 100% sure their opt-in confirmation data is squeaky clean (I subscribed as part of downloading an app of theirs, but after five years I couldn’t tell you whether that was technically confirmed opt-in or not, and I’m sure they can’t either).
Zoomdata aren’t taking any chances on confirmation. This isn’t a single “click to confirm you want to stay on the list” permission pass, rather it goes to a form that asks whether I’m an EU resident and if I am requires me to check an “Opt-in to email communications” checkbox and then click on a link in a confirmation email.
I’m not an EU resident today but may be an EU resident in the near future – yet my email address won’t change and nor will my mailing list subscriptions. That does make me wonder how valid it is to be capturing opt-in permission solely for recipients who are EU residents today.
Also are non-EU residents likely to claim they live in the EU because they’ll be treated better as far as their privacy is concerned, much the same as telling Facebook or Twitter you live in Germany provides you with better content filters?
I guess I’ll be seeing more of this in my inbox over the next few weeks. How are all y’all handling GDPR compliance?


6 comments


  • These days I spend most of my time helping organisations GDPRify their existing processes.
    When you strip away all of the FUD of the content marketing bubbles, the pain of complying with GDPR is essentially inversely proportional to how cavalier an organisation has previously been with customer data.
    While any moderately complex business will probably need to modify some processes (mainly lead capture and offboarding), if they previously regarded customer information with reverence then the hassle of those changes will not be too onerous.
    On the other hand, organisations that previously held a cavalier view of customer data will have a larger hill (or mountain) to climb.
    GDPR isn’t the bogeyman that some make it out to be. Previously responsible marketers have probably very little to worry themselves with outside of changing a few processes or making the granting of consent more explicit.
    All of our advice treats everyone the same, in that we don’t advocate customers treat non-EU contacts differently. We build the same processes for everyone.

  • About “solely because they’re not sure whether I’m an EU resident”. What if you don’t do anything? How can I know if you didn’t do that because you are not an EU resident or because you don’t want to opt in? If they don’t know which part of their DB is EU resident then their only way to be compliant is to ask opt-in to everyone…
    From my GDPR readings I’d say the GDPR applies in the following cases:
    1) The controller is an EU company (even if they only deal with non-EU data).
    2) The controller processes data IN the EU countries
    3) The controller is not EU but deals with data of EU people
    4) The controller is not EU and deals with monitoring behaviour of non-EU that happens in the EU (e.g.: you are American, but if you are tracked by a US company while you are in the EU then this tracking is subject to the GDPR).
    So, in theory (we’ll find the practice in a couple of years, I guess), if you use Mailchimp and do open tracking of a US citizen who in the very moment he/she opens the email is in the EU, then the tracking of that open is subject to GDPR. I don’t know if Mailchimp (or any other ESP) is prepared to disable open/click tracking by country if their customer doesn’t want to deal with GDPR.

  • Better to leave references to my last statement, given that if you look at GDPR summaries (like in Wikipedia) you often don’t find this detail:
    http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
    So, official GDPR text:
    ## Article 3
    # Territorial scope
    2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

  • “What if you don’t do anything?”
    They’re treating this as a permission pass – if you don’t respond they remove you from the list. If you do respond you can either respond with “I’m not an EU resident” or “I am an EU resident, and I’ll check the you-have-permission-to-email-me box, and I’ll respond to your (re)confirmation email”
    I suspect we’ll find common practice amongst reputable list managers will gradually move towards GDPR-esque practices for all recipients. That has both good points and bad.

  • They all go with the “better safe than sorry” rationale proposed by their legal team, as far as I am concerned.
    The “funny” thing is that many of the detractors of needed re-engagement/re-confirmation campaigns now are sending these “not-always-needed” permission passes. That shows that the strength of legal teams is greater than the strength of deliverability teams.
    Will we see a reduction in email volumes after the 25th of May? Time will tell!

By steve
