If you send transactional emails to your customers within the European Economic Area (EEA), the way you send these emails is regulated by the General Data Protection Regulation (GDPR) and another EU law called the ePrivacy Directive.

This article will explain how to navigate both laws when sending transactional emails to your customers.



Transactional Emails

Transactional emails are not the same as marketing emails.

  • Marketing emails - designed to promote commercial products and services (such as ads, promotions, campaigns, etc.).
  • Transactional emails - not promotional in nature, and typically triggered by interactions with your site (such as receipts, shipping notices, password reminders, etc.).

To comply with the GDPR, your transactional emails need to be limited in their purpose.

The GDPR and ePrivacy Directive can help protect customers from unwanted direct marketing emails. Businesses must get crystal clear consent from their customers before they can send them marketing emails. The days of pre-ticked boxes and presumed consent are over.

But what about transactional emails? Let's consider how to make sure you can send your customers essential information without the risk of legal violations.

Data Processing First Principles

Sending transactional emails is an act of data processing - you have your customer's personal data (their name and email address, at the very least), and you're using it to communicate with them.

All processing of personal data in the EU must conform to the principles of the GDPR. These are set out in Article 5 (1) of the GDPR.

Two GDPR principles are particularly relevant to transactional emails:

  • Transactional emails need to be used in a lawful, fair and transparent way.
  • You can only use your customers' data for a limited purpose. You need to consider the scope and purpose of any emails you send.

Your Lawful Basis For Sending Transactional Emails

Like any act of data processing under GDPR, you need to establish a lawful basis for processing your customers' personal data.

There are six lawful bases under the GDPR, set out in Article 6 (1). These two are most relevant to sending emails:

  • Consent
  • Legitimate interests

When it comes to marketing emails, the ePrivacy Directive generally requires consent. There are exceptions, as explained in our article Legal Requirements for Email Marketing, but getting consent is normally the only option.

Consent is defined at Article 7 of the GDPR. It must be:

  • Clear - Your customers have taken action (e.g. ticked a box) clearly indicating that they give consent
  • Affirmative - Consent is only "opt-in" and never "opt-out"
  • Freely given - Don't force your customers to consent to marketing emails
  • Revocable - Your customers should be able to withdraw their consent at any time.

Getting consent makes perfect sense in the context of marketing emails, as your customers don't need to receive them. But there's a problem with using consent as your legal basis for sending transactional emails. These are emails you need to send, as they contain important information.

As such, your customers can't meaningfully consent to receiving transactional emails. You'll need to find another lawful basis.

Your Legitimate Interests

Instead of getting people's consent for sending transactional emails, you should normally use legitimate interests as your lawful basis.

You can rely on "legitimate interests" as your lawful basis for processing personal data if:

  • You need to process personal data to fulfill a particular purpose
  • The purpose is legitimate (i.e., lawful, fair, and in line with people's reasonable expectations)
  • The processing benefits you or a third party

These conditions will normally apply in the context of sending transactional emails.

For more information about legitimate interests, check out our article: Legitimate Interests Under the GDPR

Sending GDPR Compliant Transactional Emails

For every type of transactional email your company sends, ask yourself:

  • Does the customer need to receive this?
  • Does it contain anything that could be considered marketing?
  • Can I give the customer an option to unsubscribe?
  • How can I explain this to my customers?

This email footer from RealSelf is a great example of how to explain the nature of transactional emails to your customers:

RealSelf legal notice email with no unsubscribe link

How Not To Send Transactional Emails

Don't use your transactional emails for marketing.

Article 21 (2) of the GDPR says this about email marketing:

"Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time"

This is why you see unsubscribe options on marketing emails, such as this one from Audible:

Audible email footer with unsubscribe link highlighted

Because your customers can't usually unsubscribe from transactional emails - but must be allowed to unsubscribe from marketing emails - you need to make sure that your transactional emails don't contain marketing.

Let's see what can happen if your transactional emails look more like marketing emails.

UK supermarket Morrisons sent an email to over 250,000 of their customers, supposedly with the intention of prompting them to update their account details. The email incentivized customers to change their subscription options by offering coupons. These customers had previously opted out of receiving direct marketing emails.

Unfortunately for Morrisons, one of these customers took exception to the email. He reported Morrisons to the UK's data protection authority, and Morrisons was fined £10,500. Morrisons said that they were only trying to provide "helpful information" and were "disappointed" that it was considered direct marketing.

The moral of the story? Be extremely careful about what you send your customers.

Password Reset Emails

Password reminder/reset emails are an essential type of transactional email. A customer can't unsubscribe from or opt-out of these emails, so there's no need for an unsubscribe link - but you can still link to your Privacy Policy.

Here's how eBay does it:

eBay email footer with Privacy Policy link highlighted

Because you can't give the customer an opt-out of password reset emails, you can't include anything resembling marketing material in your password reminders.

Security Alerts

Article 34 (1) of the GDPR requires you to inform your customers of any potential data breaches:

"[...] the controller shall communicate the personal data breach to the data subject without undue delay."

Plus, Recital 47 of the GDPR states:

"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned."

From the customer's perspective, there's no getting around this one. If you're a Google user, you may have felt a pang of irritation at Google's insistence on sending push notifications and emails every time you log in on a new device. But if there's any danger of fraudulent activity on your account, you need to know about it.

Let's look at how Pinterest handles this. Here's an example of the alert that UK-based Pinterest users receive when a login occurs from an unknown device:

Pinterest UK mobile email alert for new device login security - screenshot

You'll notice at the bottom of the email that the user is invited to "unsubscribe." However, here's what happens when you click it:

Pinterest UK: Transactional email unsubscribe link leads to a no-unsubscribe screen

It's a bluff! This is an effective way to explain to a customer why you're sending this type of transactional email.

Changes to Terms/Privacy Policy

Under the GDPR's principle of transparency, your customers need to be informed of any changes to your Terms and Conditions or Privacy Policy. In certain circumstances, you may also have to ask your customers to confirm that they accept and agree to the changes.

In any case, you will need to give your customers the option to review the new information so that they can decide whether or not to opt out (as per Art. 21 (1) of the GDPR). You may have received a lot of these sorts of emails in the run-up to the GDPR as businesses updated their Privacy Policies to ensure compliance.

There are a few ways to handle this sort of transactional email.

Sometimes when you materially change or update your terms, you may need to refresh the consent you have from your users. You can do this by:

  • Emailing (or otherwise contacting) your customers to let them know the nature of the changes to your terms or policies.
  • Asking them to consent to the new terms or policies.

The Information Commissioner's Office (the UK's data protection authority) says:

"You should keep your consents under review. You will need to refresh them if anything changes - for example, if your processing operations or purposes evolve, the original consent may not be specific or informed enough."

You may choose to email your customers about the changes to your existing terms or policies, but not ask them to refresh their consent. This might be appropriate in the following situations:

  • If you're relying on consent as your lawful basis for processing your customers' personal data, and the changes are not very significant.
  • If you're relying on another lawful basis (like legitimate interests) as your lawful basis for processing your customers' personal data, and the changes are significant.

You can actively inform your customers of the changes by emailing them and asking them to read through the new terms or policies.

Here's how Medium actively informed its users of a change to its Privacy Policy:

Screenshot of Medium's Privacy Policy update notification email

Passively Informing

If the changes to your terms and policies are not very significant, and you don't rely on the consent of your customers, you might not need to send out an email at all. You can simply let your customers know about the changes by putting a notice on your website.

Think carefully before you decide to passively inform your customers of changes to your terms or policies. This may be inconsistent with the GDPR's principle of transparency if the changes are deemed too significant.

Welcome Emails

Welcome emails are a grey area. They're transactional emails in the sense that they are triggered by a customer's interaction with your website. But they are a little different from shipping notifications, password resets, security alerts, etc., because they arguably aren't necessary.

So do you need your customer's consent to send them a welcome email? Or can you rely on legitimate interests? Let's say a customer signs up to your service, but doesn't consent to receive marketing emails. Can you still send them a welcome email confirming their signup?

This takes us into the area of reasonable expectations.

What Would Your Customers Reasonably Expect?

GDPR Recital 47 states:

"the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect [...] that processing for that purpose may take place."

Try to put yourself in your customers' shoes. You've signed up, but you've opted out of marketing. Would you expect to receive a welcome email when signing up for this service? What would you expect that email to contain?

Let's see how WordPress handles this. Here's a welcome email sent to an EU user:

Screenshot of welcome email from WordPress EU

You'll notice that while WordPress isn't trying to sell anything in this email, they do promote some free services. This seems like a clever way to get customers more involved without being in danger of sending marketing material without consent.

"Marketing" is not defined in the GDPR. Different EU Member States define it in different ways in their national law.

You may feel that WordPress is a little close to the line here - that's a matter for your own judgment about what a customer might reasonably expect. Just be aware that a welcome email is not automatically a marketing email.

Receipts, Invoices, Shipping Notices

Your customers need receipts for any purchases they've made. Some businesses send a purely functional email with just payment details and confirmation of the order. Others like to use this as an opportunity to deepen their relationship with their customer a little.

Here's an order confirmation from Amazon UK:

Screenshot of order confirmation email from Amazon UK

You'll notice that Amazon does include information about other products here. However, this is presented as information about the product that the customer has purchased.

This is how Amazon lets customers know that they'll be receiving this type of information:

Amazon UK: Email marketing settings checkbox with disclaimer

Well, it is information related to a product the customer has purchased. Again - in the context of your company, you'll have to decide whether this is something your customers would reasonably expect to receive.

Summary

Apply the principles of the GDPR to anything involving processing EU citizens' personal data, including transactional emails.

Remember the following advice, and you'll be on the right track:

  • For every type of transactional email you send, consider whether it is in your legitimate interests to send it.
  • Make your legitimate interests clear in your Privacy Policy.
  • Don't use transactional emails for marketing purposes.
  • Where you can't offer opt-outs for certain types of emails, explain this to your customers.
  • Always send transactional emails to alert your customers to security issues.
  • Always send transactional emails to inform your customers about major changes to your terms and policies.
  • If you're going to use transactional emails such as welcome emails and receipts to develop your relationship with your customers, be very careful that they don't resemble marketing materials.