Is your e-mail marketing strategy creating a data privacy risk?


Is your e-mail marketing strategy a privacy risk?

Marketing is a critical part of any successful business, and e-mail marketing is a key component of a mature marketing strategy. It is important to understand how successful our e-mail campaigns are at getting our message to our audience, and ultimately at measuring conversion rates. To do this we need to be able to track how many recipients opened and read our message. This is standard practice for many marketing teams; however, we may be creating a privacy risk or breach when we conduct this type of activity.

There is no official decision from GDPR or other privacy authorities on how e-mail tracking should be handled; however, many privacy professionals believe that e-mail tracking will be viewed as surveillance and will require explicit consent before the information can be collected. This requirement will make it very difficult for marketing teams to get the data they need in order to achieve their goal.

I believe that the solution to this problem is hidden in the goal. What is the goal of marketing teams when tracking e-mail open, read and click-through activity? My marketing friends helped me understand that they need the data to analyze patterns and improve the effectiveness of marketing efforts. Ultimately, they are trying to improve their ability to target individuals who will read the e-mail. Ideally, they will be able to relate the action of reading the e-mail to a “conversion” where the recipient has purchased a product or service that was promoted in the e-mail. As a side effect, the data can be used to help eliminate unwanted e-mails for those who don’t read them. This seems like a legitimate goal, but does the end justify the means?

Balancing the end against the means

Assessing the means as a valid method to achieve the goal, with minimal risk to the privacy of an individual, is an important part of managing data privacy. In the case of e-mail tracking, we need to determine if we can achieve the same result using anonymous / aggregated data. If we can, that is the best way to protect privacy and reduce your compliance risk. The challenge is that even if we can achieve our desired result with anonymous or aggregated data, we still need to start by tracking the e-mail activity of each data subject. This is where we get into the issue of consent: do we need it?

Consent is not always required to process personal data. For GDPR, the requirement is that we have a valid legal basis for the processing activity and that we are transparent about what we are doing. If we can prove that we have a legitimate interest for the processing and we have conducted a balancing test to confirm there is no tangible risk to the data subject, we do not need to obtain consent. However, we are required to be transparent about what we are doing and to give the data subject the ability to object to the processing.

 

The important thing is that you have someone responsible for asking these questions who is able to provide viable options.