I added email subscriptions to my blog[1] and, in the process, signed up for four different email providers to test them out. A week later, I noticed I was getting marketing emails from all of them. I thought this was weird - I'm based in the European Union, and thought that the GDPR forbade companies from emailing me without asking. I'm also usually careful about "sign me up for email marketing" checkboxes, so I thought it was weird that I'd missed… all four of them?
Time to investigate.
The products I'll discuss today are:
Signing up
The methodology:
- Sign up for an email marketing provider
- Object to every possible marketing email in the sign up process
- Wait a week ⏰
- See which emails we received!
Mailchimp
Here's a completed sign-up form for Mailchimp. Note the sneaky "reverse consent checkbox" - "I don't want to receive emails about new Mailchimp products, best practices, or special offers".

Mailchimp's signup form. SNEAKY.
I hate sneaky reverse consent checkboxes. I missed this one the first time I signed up.
Later on, you're presented with another email sign-up form. This, in contrast, is the best kind of sign-up form - explicitly-labelled optional signups. Nothing sneaky going on here.

Choose your News ✨
Mailjet
There's no newsletter checkbox on the sign-up form…

… because it's in the second step of the onboarding. It's an opt-in checkbox; I haven't checked it. Good.

Extremely tiny signup checkbox! I don't know why it's so small, considering it's an opt-in 🤷
CampaignMonitor
No checkboxes! Just a signup flow.

ConvertKit
Also no email subscription checkboxes!

Emails, a week later
Here are the emails I received from each of these services after waiting a week.
Mailchimp
I got exactly one email from Mailchimp. It's an automated report about my subscriber count! I didn't sign up for this explicitly, but I'm OK with it, because it feels account-related.

There was one signup; it was me.
Mailjet
Three emails!

Recall that I carefully avoided opting in to emails when I signed up. You are apparently subscribed to these ones by default, regardless of your choices.
CampaignMonitor

One email! It's a sign-up / welcome email.
ConvertKit
Six. Six emails.

Wait. Hang on:

Eight emails.
Summary
Here's a neat summary table. I made it with emoji ✨:
- 😡 is for a promotional email I never signed up for
- 📨 is for a transactional-ish email (providing info about the account)[2]
- 🔥 (think Dumpster Fire) is for emails that got marked as spam

| Provider | Received emails in a week |
|---|---|
| Mailchimp | 📨 |
| Mailjet | 📨😡😡 |
| CampaignMonitor | 📨 |
| ConvertKit | 📨😡😡😡😡😡🔥🔥 |
What are the actual rules again?
I felt like some of these email practices might have been a violation of the GDPR when I first noticed. Indeed, the first draft of this blog post was called "It's 2020, and these email marketing companies are still doing the GDPR wrong".[3]
But before making claims about companies being non-compliant, I thought it might be prudent to… y'know, actually read the GDPR.
What legislation is involved?
I've been talking about this as if email marketing is the domain of the GDPR, but actually, it's the domain of both the GDPR and the ePrivacy Directive. The ePrivacy Directive was written in 2002, and the GDPR refers to it and explicitly does not replace it. It turns out that a lot of the legislation related to electronic direct marketing is grounded in the ePrivacy Directive.
It's worth noting that Regulation and Directive are technical terms - Regulations are binding law which apply to all countries in the EU. Directives are more like "statements of goals", which member states must implement in their own national laws. Note that the GDPR is a Regulation, but the ePrivacy Directive is just a Directive, and so implementation of the ePrivacy Directive varies between EU countries.
What are the rules on direct marketing?
Here's my current understanding of when you're allowed to send direct marketing emails to EU-based users[4]:
You have the freely-given, specific, informed consent of the user. This is a user clicking a checkbox saying "I'd like your emails, please!", or entering their email address and clicking "SIGN ME UP PLZ!" on my email updates form. This is also what Mailchimp is doing on their email sign-up interstitial.


Two very good examples of freely-given, specific, informed consent.
You collected the user's email as part of the "sale or negotiation of a product or service", and you're marketing your own similar products, and you gave them the opportunity to object upon sign-up and in every communication.
This is like what Mailchimp is doing with the "don't email me" checkbox at the start of the signup process! I was really surprised to discover that this was still allowed under some circumstances (even if it is kinda shady).

Mailchimp's opt-out checkbox. Feels shady, is technically legit.
The user is actually a business! The GDPR only applies to protecting the data of people (not businesses!), and the ePrivacy Directive has been implemented differently by different member states. In some jurisdictions, therefore, you're theoretically allowed to spam businesses! It's hard for direct marketers to be sure of whether they're emailing people or businesses, though, and what about sole traders? I can't help but wonder if this is part of the reason why business name / business email are always required on the sign-up forms, though it's probably unrelated and I think that would probably be a pretty bad defence.
The shadiest[5] reason for email-marketing people without explicit consent relies on a principle in the GDPR called legitimate interest. The idea is, when companies use your data, they're balancing your right to privacy against their own legitimate interests. They are allowed to do some things without your explicit consent, so long as they've got a legitimate interest to do so. To my surprise, this can also include direct marketing!
As per Recital[6] 47:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
The legitimate interest defence is apparently a little risky though - if the regulator has a problem with your use of it, you need to be able to back up your reasoning and prove that you've made the correct assessment right from when you started using that personal data.
So… why am I getting all these emails?
I still can't say with certainty, but let's step through the reasons described above.
I personally don't think signing up for a "free forever" account constitutes entering into a sales negotiation, and either way, I didn't get a chance to explicitly opt out of email marketing when my email address was collected (except from Mailchimp!).
I'm also not a business, and I haven't signed up using a business email address, though maybe the email providers who are emailing me have clearly made that assumption[7]. From the stuff I read, this seems like a bad assumption to make.
I suspect that Mailchimp is relying upon the "sale or negotiation" reason, judging by the fact that:
- they've given me a choice, but
- that choice is an opt-out.
I'm less clear regarding Mailjet and ConvertKit. My hypothesis is that they have both decided that they have a "legitimate interest" in sending me emails, and they've probably justified it by the fact that a lot of what they're sending me is tutorial / onboarding stuff. Maybe my interest in receiving tutorial information is implied by the fact that I signed up for the product[8]. Maybe they somehow don't consider this as marketing.
Having said all of that, even if "legitimate interest" is legally justifiable, that doesn't mean it's classy.
I'd like stricter, more consistent standards for this.
I thought the GDPR prevented companies from sending me marketing emails without asking first, but I was wrong. Through this investigation, I've become more sure that requiring explicit, affirmative consent is a good thing. We shouldn't make people figure out if they need to tick a checkbox to opt in, or uncheck a tickbox to opt out, or unbox a tickcheck to opt-it-all-about.
Don't do this. This is terrible. (Codepen)
I'm also extremely unconvinced by the "legitimate interest" defence of direct marketing. I really can't imagine a situation in which the expected return generates enough value to justify the annoyance. Won't customers explicitly sign up if they actually care? I suspect that part of the problem here is that we're still in the habit of asking people to subscribe at signup, rather than solving the design problem of asking for email consent once we've demonstrated that we'll communicate valuably.[9]
If you're building a product, have enough faith in your actual product to believe that your users will stay engaged without regular email reminders that you exist.
That's it!
I learned a lot from researching this! But there's a pretty high chance I've misunderstood a nuance somewhere - law is really complicated and it is not my job. If I've said something egregiously imprecise or you want to commiserate, you have my freely-given, specific, informed consent to send me an email ✨
Resources / Further Reading
- Legislation! Give it a shot, it's not that bad:
- Direct Marketing Guidance (pdf) from the UK's Information Commissioner's Office. This is about the UK Privacy and Electronic Communications Regulations (PECR, which implement the EU ePrivacy Directive) and the GDPR. This is 58 pages of extremely high-quality, pragmatic advice - but it's also UK-specific.
- Direct Marketing Under the GDPR: Consent vs. Legitimate Interests
- Direct Marketing and Privacy: striking that balance (pdf, mostly about the new ePrivacy Regulation, which supersedes the ePrivacy Directive, and, at time of writing, is still under discussion).
- The ePrivacy Regulation - What to Expect covers some of the expected changes when the ePrivacy Directive (which, as a directive, has been implemented differently by different EU member states) will be replaced by the ePrivacy Regulation (which, as a regulation, is directly applicable and requires less additional legislation at the member-state level).
[1] Update Jun 2022: When I wrote this, I was using CampaignMonitor because I wanted a fancy post-to-automatically-email pipeline, but then (1) it didn't work so well, (2) I was paying €9 a month, (3) I've only got 15 subscribers and they're all my friends 🤷
Now instead, I'm just doing this out of a Gmail account, inspired by a friend writing on chronicpizza.net. Sign up here!
[2] I got sign-up confirmations from three providers, and counted them as transactional, even though some are extremely marketing-ish. Sign-up emails are useful because if you forget what the service is called or which address you signed up with, it's easy to track that info down again!
[3] Actually, this is kinda fun and spicy and maybe partially true? Maybe I should've gone for it.
[4] It could be wrong in places! IANAL, and if I've said something egregiously wrong here please tell me.
[5] "Shady" isn't a legal term, this is opinion, not fact, etc etc.
[6] The EU directives have both Articles (the actual law bit) and Recitals, which are designed to communicate intent and use less legalese than the articles.
[7] Mailchimp, Campaign Monitor, and Mailjet ask for "Business / Company / Organisation Name" in the signup process, and ConvertKit starts their signup process with the question "Do you currently use an email marketing tool in your business?"
[8] This is a bad defence, apparently! As per the UK Information Commissioner's Office: "[the suggestion] that marketing is in the interests of individuals… is unlikely however to add much weight to [a marketer's] balancing test".
[9] A lot of things also don't have to be emails! For example, you can put new feature notifications in your app (Slack does this!), and have tips and news in loading interstitials / on dashboard screens.