GDPR is Here - Is Your Email Signature Ready?
Time nearly has run out for compliance with the EU's General Data Protection Regulation (GDPR). On May 25, every business that stores personal information on citizens of the European Union is expected to comply with it. And you do not have to be based in the EU — essentially, every business around the world is impacted. How enforceable it will be varies from one case to another, but any business with a presence in the EU is within reach. The presence could be as little as a sales office or a server.
The big issues with GDPR concern collection of personal data, obtaining consent, using it for various purposes, and telling people how it is being used. Smaller issues arise as well and need attention. Email itself may not seem like a major concern, but it opens the door for widespread complaints (and in turn, some pretty hefty fines for non-compliance).
The email signature opens up an entirely different set of challenges around GDPR (as well as opportunities). Being careless with your email signatures, though, could lead to liability under the GDPR.
Identify the Sender
The GDPR requires explicit and active consent to receive marketing email. The opt-in process has to be specific about what the recipient is agreeing to receive (or not receive). The consent form might specify the monthly newsletter, special announcements, and other list categories.
To know whether the message is compliant, the recipient has to know who sent the message and what the subscription is based on for it. The signature should include the sender's business name, matching the one the recipient subscribed under. The email signature should make it clear what the recipient will receive with language such as, "You are receiving this message because you asked to have the Widget Company's monthly newsletter sent to you." Language such as, "You are receiving this message because you agreed to accept email from us" isn't specific enough.
Allow for an Easy Opt Out
The message needs to provide an easy way to opt out. This means not only unsubscribing from the email but having one's personal information expunged, if desired. A simple "unsubscribe" link isn't enough when it comes to GDPR. The link should offer full removal of data, or it should offer more than one option.
The best approach is for the link to take the user to a preferences page that lets them opt out from specific lists, from all lists, or from having their information used at all.
Logging in shouldn't be required. People forget their passwords, and it makes the process more complicated. Instead, the link in the email signature should be personalized to the user. It should provide a URL parameter that's unique to the user but contains nothing a third party can use as identifying information.
Provide Contact and Compliance Information
Giving the impression of seriousness about compliance is almost as important as the compliance itself. The email signature should include enough information to reassure the recipient on that point.
A link to the sender's GDPR compliance policy will go a long way toward achieving that goal. The policy should explain in plain language how the company's actions, including its email, conform to GDPR. If there is a specific person or department to contact for privacy issues concerning the mailing list, it should be in the signature. Otherwise it can be in the policy.
Avoid Useless Disclaimers
Some people like to put a disclaimer in their email that is fairly generic and has no grounds for legal enforcement. Something like, "If this message reached you by mistake, you are forbidden from doing anything with it." However, there is no way to unilaterally impose a confidentiality obligation on a stranger.
Worse yet, it reads like an attempt to intimidate recipients. Spammers often use such text, and they really do intend it to intimidate the recipient, often in an attempt to ignite some sort of action.
A related mistake is to put "unsubscribe" links reflexively on all mail. A company might send a one-time receipt and include a link to unsubscribe, just to be safe. The effect is the opposite. It implies that the recipient has subscribed to ongoing email without actually giving consent. People can reasonably take this approach as a GDPR violation and file a complaint.
Removing unnecessary disclaimers makes the signature shorter and easier to read. Readability in notifications is an important part of GDPR compliance.
Creating email signatures with the necessary content, in a way that people can easily read, may not be the top issue in GDPR compliance, but it's one that's easy to proactively make an effort on compliance. Doing it properly will avoid spam complaints, give customers control over where they are opting in or out, and help put you on a path to compliance (and avoiding unnecessary penalty fees), so everyone wins.