Compliance Genie

Promise I Won’t Spam You

One of the fundamental steps in building your business, especially online, is building your audience. Yes, this can be done on Facebook, Instagram or whichever social media platform you prefer, or via an email list. However, as you have probably been made aware, the email list may be the better bet, as you have some form of control over this information, as opposed to it sitting on a platform that you have no control over. And judging by its privacy notices, Facebook would probably argue that it owns this information, or anything else that is on its platform, anyway.

To see how Facebook utilises personal information (after all, you don’t get something for nothing), review your data privacy score when you have a chance (a bit like a credit score), and then add Facebook into the mix. Watch how your score drops as it evaluates the true level of data Facebook utilises when you are on the platform.

So it is probably agreed that it is a good idea for you to build your email list, which gives you a list of potential customers whom you know are interested in your products or services. There are a few things that you need to be aware of in relation to this:

“Promise we won’t spam you” won’t cut it when you are subscribing people to your email list

- If you are adding people to a mailing list, you need to be able to evidence that you have appropriate consent and that these individuals are consenting to you adding them to your mailing list. That is, unless you aren’t using consent as your legal basis, but then you will need to determine what the alternative basis is.

- If you are providing them with a lead magnet, you shouldn’t automatically add them to your mailing list unless you can evidence consent.

- Consent has to be specific, unbundled and freely given (generally there is no ‘soft opt-in’), and it also needs to be reviewed on a regular basis.

- It must be clear what you are doing with the data before people provide consent. Tip: provide a copy of your privacy policy at the point of sign-up.

- It also must be easy for a client to revoke consent should they wish.

But surely Mailerlite/MailChimp (insert whoever you use) will make sure I am compliant?

Unfortunately, you can’t outsource compliance, and I very much doubt these businesses will take responsibility for your compliance when you are the data controller (i.e. you decide what happens to the personal information you collect). As the data controller, you are responsible for the personal information you share with these third parties. Whilst they can recommend appropriate wording and processes to help you manage your responsibilities, you remain accountable for the data you share with them. You are the controller and they are the processors. In many cases these providers are not located in the UK, so they will be adhering to their own requirements, plus whatever requirements enable them to operate in the EU/UK.

You may not think this is a big deal: everyone is using lead magnets to collect email addresses, so you will just go along with it and apologise if it becomes an issue. However, the ICO (the regulator) is making it clear, by imposing fines, that companies are responsible for understanding their responsibilities and their actions around email marketing, and in the words of Lizzy Parsons, ‘there is no insurance for ignorance’. If you operate in the UK and collect personal data, you are responsible for adhering to the regulations, which are clearly stated and communicated.

So what do you need to do to be compliant?

- If you are adding someone to an email marketing list, you need to ensure you cover PECR (the Privacy and Electronic Communications Regulations). In the majority of cases this will require you to obtain appropriate consent.

- Consent is classified as the gold-plated legal basis, so if someone revokes their consent you can’t decide to process their personal information using another basis instead. You also need:

  - to be able to evidence when and how you obtained this consent

  - to be able to evidence that this consent is refreshed on a regular basis, or that the data is deleted when you no longer have consent

- You need to review your third-party systems and be confident that they are protecting the personal information you provide to them.

- You need to know where the personal information is held in the event that someone asks what information you hold about them or asks you to delete it. This includes data held by your third-party companies.

- Don’t assume that clients who have unsubscribed automatically have their information deleted by your third party.

Want to know if your email marketing is compliant? Check out the Website Audit service.