How to Write Emails to Get Consent for GDPR (and CASL)

The European Union’s General Data Protection Regulation (GDPR) comes into effect May 25th. From that date onwards, an organization must be able to demonstrate they are being lawful and prove compliance with this regulation.

Because GDPR governs data security and protection (unlike CASL with governs commercial electronic messages — for more information on the differences between GDPR and CASL click here) an individual or organization may reference one of the six lawful bases to justify the collection of data of their clients, leads, partners, members, marketing contacts, etc.

Because email is such a key medium for our business transactions and marketing communications, it’s important to note that any organization sending emails to individuals in the European Union is subject to GDPR, regardless of the originating country of the emails.

Now then, specifically for your marketing contacts, you’re going to want to know about Consent as a Lawful Base, to justify the collection and storage of your marketing contacts’ information.

“Consent” as a lawful base is one of the ways, and the easiest for email marketers, to prove lawfulness and compliance in the eyes of GDPR. However, there are strict requirements and you will need to obtain explicit consent (note that there is no such thing as implied consent under GDPR) moving forward from all your marketing communication subscribers or from anyone that fills out forms on your web pages to receive communications from you.

If you use “Consent” as a lawful base.

• Consent must be specific to distinct purposes.
• Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data. A double opt-in procedure is the best and safest way forward.
• Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent. The opt-in message that is used has to state all the ways you could possibly use the personal data you collect and how you are protecting that data. (ex.: state that you take data protection seriously by including a link to your Privacy Policy, and indicate that a person can access, rectify, or erase their data at any time.)
• Consent must be verifiable and requires a written record of when and how someone agreed to let you process their personal data.

For those marketing contacts that you already have in your database (that are not clients, partners, members, employees or associates —as other lawful bases are easier to use for those contacts, although you can still send them the following email to ask them for their consent as there’s no harm in being safe than sorry) here is how you are going to want to ask them for consent.

N.B.: For those doing business in Canada, under CASL, if you already have implied consent for your contacts, and if you are still within the allowed time period (ex.: A person, who fills out a web form on your website, is considered to have given you “implied consent”, and you have a 6-month time frame in which you can communicate with them), the following email is valid to obtain explicit/express consent.

From name and subject line

These are the two elements that are the most crucial part of any email, as these items determine whether we’ll open an email or not.

For the “From” name, you’re going to want to make personal (from a real person, because as humans we prefer interacting with other humans) and professional (company name).

Ex. Rebecca Coggan | CompanyName, or Rebecca @ CompanyName, or use your full name and add the company name to the subject line.

For the subject line, you’re going to want to include the words “action required”.

TIP: Typically, when these words are surrounded by square brackets and in all caps, ex. [ACTION REQUIRED], we tend to take it more seriously.

And of course, in the subject line, you’ll also need to add the reason why you are contacting the person.

Example of all the elements together:

Other variations are possible. Be sure to make it your own.

Body copy

The three most important things when it comes to body copy is that it needs 1) to be brief, 2) to clearly demonstrate the “what’s in it me” for the recipient of the email and 3) written using an empathetic tone.

N.B.: By the way, if you respect these three key elements in your body copy, your open rates will steadily increase and your audience will trust you more and more.)

TIP: When it comes to these specific types of communications (updating information, account status etc.), text-based emails tend to be taken more seriously, are read more than scanned, and are acted upon more than ignored.

Example of all the elements together:

The body copy also includes many essential items: person’s name, deadline, the action required, incentive, instructions for future requests, a warm thank-you, and detailed sender information.

Here too, other variations are possible depending on your own situation. You can also send a follow-up email if you don’t get a response or action as quickly as hoped for. Be sure to make it your own.

So there you have it. Simple and easy.