Transactional Email and GDPR

When it comes to transactional email and GDPR, many senders have questions about whether it is reasonable for transactional senders, such as SaaS applications and ecommerce stores, to deliver an email without consent.

For example:

Does a SaaS app like Shopify need consent to deliver a password reset to a customer?

And what about an ecommerce store like Amazon? Does Amazon really need consent to send shipping notifications to EU customers?

This is a key question at the intersection of transactional email, GDPR, and deliverability. And we’ll cover the answer to this topic in great detail throughout this post.

The first step to understanding transactional email and GDPR is to look at what GDPR is and why it even exists in the first place.

Ready? Let’s dive in!

What is GDPR?

The topic of “GDPR email compliance” is a very complicated topic that makes for some great late-night bedtime reading if you’re having trouble falling asleep. In fact, GDPR itself is eleven chapters long, containing 99 articles of mind-numbing legal content — each of which lays out exact steps for how you must handle personal data of EU citizens.

But don’t worry! I got hyped up on caffeine and dug into all 11 chapters of GDPR for you.

So, what is GDPR?

GDPR was designed to strengthen an individual’s rights when it comes to how their personal data is handled. This privacy law also unifies data protection rules across the EU by imposing stricter requirements on how personal data, including the data behind your email sending, is handled.

Article 4(1) of GDPR defines personal data as anything that we can consider personally identifiable information (PII). This includes data like a person’s name, email address, IP address, device IDs, birthday, and more.

When it comes to email, GDPR requires you to obtain consent from each recipient before sending them marketing messages. This not only safeguards customer data, but also protects people from receiving unwanted marketing emails.

But what about transactional emails? Do you really need consent to send someone a password reset or shipping notification? The answer to this question lies in understanding the GDPR principles of data processing, which we’ll discuss below.

GDPR and Transactional Emails: Emailing Without Consent

To answer the question of whether you can send transactional email without consent, we first need to discuss the GDPR principles of data processing.

Article 5(1) of GDPR lays out the foundational principles for processing personal data. There are six principles in this article. For the sake of time and simplicity, we’ll focus on the one that relates most directly to transactional email:

Principle A) — Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

This principle states that you must send transactional email in a legally compliant way.

How?

Well, Article 6(1) of GDPR, titled Lawfulness of Processing, lays out six lawful bases for processing personal data, which is what sending an email involves. The two that are most relevant to transactional email are:

  • (a) Consent: The data subject (your recipient) has provided consent to the processing of their personal data. Article 7 (Conditions for Consent) defines consent as being clear, affirmative, freely given, and revocable — meaning that customers can withdraw consent at any time. The problem with transactional email is that your customers can’t always meaningfully consent to receive transactional messages. For example, it would be crazy to require a GDPR email opt-in just to make a customer consent to a legally required privacy policy update, since they can’t “opt out” of a message that you’re legally required to send in the first place.
  • (f) Legitimate interests: Processing is necessary for the purposes of legitimate interests. Recital 47 of GDPR lays out six situations when processing personal data is lawful.

So how do you send transactional emails when you can’t realistically rely on consent? The solution is to establish a legitimate interest for sending your transactional emails.

The legitimate interests basis essentially says that you can send emails without consent, so long as the emails are a proportionate means of communicating vital information to your customers or users.

Think of it this way:

When an EU citizen buys your product, they might reasonably expect that you will send them information related to the product since you have a legitimate interest to do so.

For a software company, it’s reasonable to expect that a SaaS application will deliver a transactional email receipt at the end of a billing period. Therefore, GDPR does not require the SaaS application to gather consent from users just to send them billing receipts.

Another example — it’s reasonable to assume that an ecommerce store will send a shipping notification to a customer who purchased a product. Under GDPR, the customer’s data is being used for a limited purpose, and the alert is a proportionate means of communicating vital information about the original transaction.

While it’s safe to send transactional email without consent, you should always ask yourself these five transactional email GDPR questions before you press send.

5 Questions to Ask Yourself Before You Send Transactional Email

Before you send any transactional email to EU citizens, ask yourself these five questions:

1) Does my customer really need this email?

Whether you’re sending transactional email or not, it’s always a good idea to stop and ask yourself if your customer really needs the email. If the answer is “no”, then think twice before you send it.

2) Does the transactional email contain marketing content?

The differences between marketing and transactional emails are very clear. However, the lines become blurry when you begin to add marketing content into your transactional emails. If you’re sending transactional email to EU citizens, then you should avoid mixing any marketing content into your transactional emails.

3) Should I give my customers an unsubscribe option?

While an unsubscribe link is required for marketing emails, it’s not required for transactional email. This is because it usually doesn’t make sense to provide an unsubscribe link in a transactional message. However, that doesn’t mean that you shouldn’t use one.

If you’re uncomfortable with adding an unsubscribe link to your transactional email, consider adding an Email Preference Center. This way, you can give your EU customers a way to opt out of certain transactional emails that may not truly be necessary.

4) Do I have a privacy policy?

You can use your Privacy Policy to explain why your EU customers are receiving transactional email that they didn’t explicitly consent to receive. It’s also a good idea to link to your Privacy Policy in the footer of your email.

5) Will my customers understand why they are receiving this email?

Finally, the email footer is a great place to explain to recipients why they are receiving your transactional emails.

A good footer explanation might read something like this:

“This email was sent to {{insert recipient email address}}. This is a required notice about {{insert reason}}; it is not a marketing or promotional email. That is why this email does not contain an unsubscribe link and why you are receiving this email even though you may have unsubscribed from our marketing emails.”

Adding a simple message like this at the bottom of your email may help prevent confusion, especially in situations when EU customers already unsubscribed from your marketing messages.

Sending Email from a GDPR Compliant Transactional Email Service

If you’re sending transactional email to EU citizens, then we suggest using a GDPR compliant transactional email service, like SocketLabs.

SocketLabs is dedicated to data protection and GDPR compliance. We offer a GDPR compliant Data Processing Addendum to customers.

Disclaimer — While we specialize in transactional email deliverability at SocketLabs, we are not attorneys and this blog post is not legal advice. If you’re seeking legal advice related to transactional email GDPR or any other kind of email and GDPR, we strongly suggest that you consult with an attorney who specializes in GDPR.