Towards LGPD and Beyond – You’ve Gotta Have a Plan!

As the GDPR deadline of May 25th, 2018 approached, one of the biggest mistakes many European senders made was to leave everything to the last moment. By that stage, many email subscribers were completely overwhelmed by inbox overload, and their simplest response was “ignore everything!” As a result, lists were decimated – research from Yieldify showed one-third of marketers lost over 30 percent of their email lists, with Travel (37 percent), IT/Telecoms (32 percent) and Finance (28 percent) being the most impacted. We also saw individual programs that lost over 90 percent of their lists!

In the first two posts of this series we considered the legal bases for email marketing, and the importance of having robust deliverability to ensure your subscribers receive their LGPD emails. In this post, we’ll talk about strategies for making sure those messages get a response!

1. Start Early

The Royal Society for the Protection of Birds (RSPB) introduced its new sign-up form a full year before the GDPR deadline. Note how their approach is explicit, granular, and requires positive action to opt-in.

By the time GDPR became law, a large part of RSPB’s list was already organically compliant, meaning far less last-minute re-permissioning. They also saw much higher engagement levels from new subscribers, with open rates increasing by 1.15X and click rates by 1.9X!

2. Spread the Load

We’ve already explained the importance of avoiding sudden changes in volume. Mailbox Providers (MBPs) don’t like this behavior, because it indicates potential spam activity, or even that a program may have been compromised. In the UK one sender who tried to mail their entire base 1 day before the May 25th deadline saw over 80 percent of their emails sent to junk folders as a result.

Tesco understood this importance and took a more pragmatic approach, mailing approximately three percent of its database each day across a four-week period. In this way, volume impact was blended into Tesco’s daily activity. It also meant more conservative connection and throughput settings could be applied, which is good practice when mailing to less engaged audiences.

3. Don’t Rely on Just One Shot!

Successful re-engagement/win-back programs take a multi-email approach. If you only fire a single shot, you’re more likely to miss, as our previous research shows! Waitrose recognized this, and they ran a structured program of communications over the weeks leading up to GDPR, maximizing their opportunity to secure re-permission.

The first two emails focused on creating awareness of the new legislation, then explaining the benefits of remaining a member of the program (offers and discounts, recipe ideas, events, and tastings, etc.)

As the May 25th deadline grew closer, Waitrose increased the urgency of the language used to persuade subscribers to continue with their program membership:

4. Maximize Your Marketing Real Estate

You don’t want to send LGPD messages to your email audience every day (although some UK and European senders did just this, generating serious program fatigue in the process!). But there are other ways of reinforcing the message while remaining reasonably subtle!

Clarks made use of the emails’ pre-header text, which read “We’ve updated our privacy policy and need to confirm you want to keep hearing from us.” This was a smart approach because most email clients now show 70-80 characters of pre-header text, meaning a good chance of the message being seen even without opening the emails.

Selfridges took a more visual approach, and for a 30-day period included the grey “Don’t lose touch” box in the top third of every marketing email they sent. As a result, they achieved exceptional subscriber retention rates, although engagement rates suffered because less promotional content was immediately visible to openers during this time.

5. Think Multichannel

Remember email doesn’t operate in a vacuum! It is part of a complex multi-channel ecosystem and your retention efforts should recognize this. Make sure you provide LGPD reminders when your customers log in to their accounts. Also make them part of your postal, social and push messaging strategies if you use these channels.

If your marketing program operates above the line, also consider broader approaches to your LGPD messaging. We saw this memorable example from Manchester United football club, with re-permissioning messages shown on the digital advertising boards at Old Trafford stadium!

Another important element is Point of Sale (POS). Direct Marketing Association (DMA) research shows around 40 percent of new program sign-ups now take place in-store (almost 60 percent in the 18-34 segment). The Yieldify research also showed the single most effective tactic for post-GDPR list rebuilding was encouraging account registration and opt-in at checkout.

Senders with a physical presence should therefore think carefully about how they provide in-store LGPD education, providing advertising in the POS area, and equipping checkout staff with scripts and training to assist with these conversations.

Also, be aware LGPD will probably have an impact on the way e-receipts are issued. In the UK, guidance was clear that: 1) e-receipts cannot contain any marketing content (the consent to receive the e-receipt is not consent to receive marketing); and 2) customers must be provided with an opt-out from receiving email marketing at POS (meaning POS staff must be trained to ensure this happens). Read my DMA blog for more on this topic.

In summary, key points from this post are: start your LGPD preparations as soon as possible; spread out your broadcast schedule; don’t rely on a “one shot only” approach; and cover as many of your multi-channel bases as possible to communicate your LGPD messaging to your customers.

In the next—and final—installment of this series, we’ll provide guidance around effective use of language and creative to maximize the impact of your emails during the inbox overload period we are expecting as next August approaches.


Towards LGPD and Beyond – Getting Delivered

In the first post in this series about learnings from GDPR as Brazilian email marketers prepare for LGPD, we focused on acquiring new customers and prospects. Now we’ll look at approaches for existing subscribers. In Europe, senders generally took one of three routes:

  • Re-permission: Compared with previous data privacy legislation, GDPR imposed a higher duty of care. For senders using Consent as their legal basis, this meant refreshed permission would be needed for all existing address owners.
  • Privacy Notification: Senders who relied on Legitimate Interest as their legal basis needed to inform subscribers of the changes made to their privacy policies to achieve GDPR compliance.
  • “Blended” Approach: Some senders took a “blended” approach, using Legitimate Interest for previous purchasers, with refreshed Consent being sought for the remainder of their lists.

All approaches meant good deliverability was critical. Many senders needed to email every member of their lists – at exactly the same time every other email program was doing the same thing! Any high traffic period like Black Friday/Cyber Monday sees deliverability taking a hit—even the biggest mailbox providers have finite bandwidth and processing capacity, and inbox placement is negatively impacted as a result:

GDPR was no different—as I reported in a DMA blog post last year, average spam filtering rates went up 25 percent as May 25th approached, and some individual senders saw over 90 percent of their email traffic end up in the junk folder!

This was critical—re-permissioning campaigns failed because subscribers couldn’t respond to emails that were never delivered. There was also a big implication for the privacy policy updates because of the right to be informed. There is a strong argument that if these emails fail to deliver, this right has not been observed.

There would also have been a big impact on subscriber trust, with many consumers believing the senders had unilaterally changed their privacy policies without even bothering to inform the data subjects!

What steps can Brazilian senders take to avoid these pitfalls?

1. Don’t Attempt to Raise the Dead . . .

Our Frequency Matters report identified that 9 percent of a typical email list is formed of “Dead” addresses—created then abandoned. This is hardly surprising—email lists typically churn at between 25 percent and 30 percent per year, meaning average time on list is somewhere between 3 and 4 years—even for best-in-class programs.

There is little point in attempting to send LGPD email communications to these addresses—they will never respond, and they could cause significant deliverability problems. A good starting point is to carry out a bulk validation exercise using a solution like BriteVerify. In this way, the dead addresses can be identified and suppressed, before the business-critical LGPD broadcasts happen.

2. . . . Then Draw a Line in the Sand

In Europe, many senders attempted to contact every address on their database, regardless of how old they were. One of my colleagues received this re-permissioning email despite having last been to summer camp in 2002!

This was ill-advised—our Lifecycle Benchmark 2019 report showed only 31 percent of new subscribers continue to interact with an email program beyond 12 months. Data decays over time, and older addresses are more likely to either not work (point one above), or—if they do work—to complain. There is also a real possibility that some have been re-purposed as spam traps. These factors combine to have a major negative impact on deliverability, which also means good addresses get junked too!

A key principle of the new laws is “minimization”—including that personal data should only be held for as long as it is needed. Also remember the mailbox providers have far more aggressive opinions on recency—30 days in the case of Gmail! We recommend all senders should define a sensible recency threshold, and then delete older records unless there is a legal requirement to continue holding them. 

3. Know What the Mailbox Providers are Expecting from You

All major mailbox providers publish helpful bulk sender guidelines, and many of the most important recommendations are common to all of them:

  • Use active opt-in for new subscriptions
  • Provide one-click unsubscribe functionality (List-Unsubscribe)
  • Remove invalid and inactive recipients
  • Sign up to all available feedback loops
  • Authenticate using SPF, DKIM and DMARC
  • Publish meaningful reverse DNS records
  • Be consistent in use of from addresses, IP addresses, and sending domains

Detailed guidance can be found at the mailbox providers’ postmaster sites (Gmail, Outlook, and Verizon), as well as in our excellent Marketers’ Field Guide. It’s all common-sense advice, and the mailbox providers are clear that implementing these recommendations will help improve email deliverability.
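A pre-send check for three of the items in the list above (one-click unsubscribe, SPF/DKIM/DMARC results, and a consistent From domain), run against a seed-mailbox copy of a campaign message. This is an added example, not code from the original post. It assumes the RFC 8058 form of one-click unsubscribe (an https URI plus a List-Unsubscribe-Post header); the messages and domains are constructed, and the domain comparison only approximates DMARC relaxed alignment because it does not consult the Public Suffix List.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed seed-mailbox copies (not captured traffic); all domains are placeholders.
GOOD_MESSAGE = """\
From: News <news@mail.example.com>
To: seed@example.net
Subject: We've updated our privacy policy
List-Unsubscribe: <https://mail.example.com/u/abc123>, <mailto:unsub@mail.example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mail.example.com;
 dkim=pass header.d=mail.example.com;
 dmarc=pass header.from=mail.example.com

Body
"""

BAD_MESSAGE = """\
From: Offers <offers@shop.example.org>
To: seed@example.net
Subject: Stay in touch
List-Unsubscribe: <mailto:unsub@shop.example.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=esp.example.com; dkim=pass header.d=esp.example.com; dmarc=fail header.from=shop.example.org

Body
"""


def related(a: str, b: str) -> bool:
    """Same domain, or one is a subdomain of the other (approximation of relaxed alignment)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def audit(raw: str) -> list[str]:
    """Return a list of findings for one received message; an empty list means all checks passed."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # One-click unsubscribe: RFC 8058 needs an https URI and the List-Unsubscribe-Post header.
    uris = re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))
    if not uris:
        findings.append("unsubscribe: List-Unsubscribe header missing")
    else:
        if not any(u.lower().startswith("https://") for u in uris):
            findings.append("unsubscribe: no https URI for one-click")
        post = str(msg.get("List-Unsubscribe-Post", "")).strip().lower()
        if post != "list-unsubscribe=one-click":
            findings.append("unsubscribe: List-Unsubscribe-Post missing or wrong")

    # Authentication: collect the receiver's verdicts from every Authentication-Results header.
    auth_values = [str(v) for v in msg.get_all("Authentication-Results", [])]
    verdicts = {}
    for value in auth_values:
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value, re.I):
            verdicts.setdefault(method.lower(), set()).add(result.lower())
    for method in ("spf", "dkim", "dmarc"):
        seen = verdicts.get(method)
        if not seen:
            findings.append(f"{method}: no result recorded")
        elif "pass" not in seen:
            findings.append(f"{method}: {'/'.join(sorted(seen))}")

    # Consistency: a passing DKIM signature should be for the visible From domain.
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    dkim_domains = [
        d.lower()
        for value in auth_values
        for d in re.findall(r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", value, re.I)
    ]
    if dkim_domains and not any(related(from_domain, d) for d in dkim_domains):
        findings.append(
            f"alignment: DKIM d={dkim_domains[0]} does not match From domain {from_domain}"
        )
    return findings


if __name__ == "__main__":
    for name, raw in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(name, audit(raw) or "all checks passed")
```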

4. Audit Your Reputation

It’s essential to know how mailbox providers see you as a sender. Many calculate their own versions of reputation scores, and poor scores will see senders getting blocked or junked, meaning an immediate negative impact on LGPD messaging.

One of the best-known reputation checkers is Sender Score, where email programs can plug in an IP address or sending domain to get their current reputation score. Senders want to be in the top tier (91-100) – our recent 2019 Sender Score Benchmark report showed senders in this tier achieve average delivered rates of 91 percent, while those in the next tier down achieve 71 percent – a 20 percent variance.

Reputation is determined by factors such as: complaints; unknown users; spam traps; authentication; black-listings; and subscriber engagement. Senders who are currently scoring outside of the top tier should address these causes before they start their LGPD campaigns.

5. Get Certified

The above points explain the deliverability challenges posed during high volume periods. Fortunately, there is a solution—members of the Return Path Certification program (the red line) typically see less impact. This is because they carry a higher level of trust, and therefore benefit from better placement and faster throughput.

In Europe, Certified senders saw a pronounced benefit in the form of higher inbox placement rates, and significantly greater subscriber retention as a result. This had a major financial implication—the DMA’s Marketer Email Tracker 2019 report calculated average subscriber lifetime value at £37.32 (almost R$200!) For a sender with a 1M address list, every 1 percent increment in subscriber retention was worth ± £300K (almost R$2M!)—a strong argument for Brazilian senders to invest in their LGPD readiness.

In this post we have examined how to build a platform for successful LGPD email broadcasts. In the next article in this series we’ll consider the importance of timing—when to start sending, how to ramp up activity, and the critical importance of not relying on a “single-shot” approach.

Towards LGPD and Beyond – Legal Bases for Email Marketing

Brazil’s new Lei Geral de Proteção de Dados (LGPD) data protection legislation is now less than 12 months away, becoming effective in August 2020. While being a near carbon copy of Europe’s General Data Protection Regulations (GDPR), there are subtle differences:

Source: IAPP – GDPR matchup: Brazil’s General Data Protection Law (full version here)

For Brazilian marketers, as in Europe, a major decision will be whether to rely on Consent or Legitimate Interest as the legal basis for marketing communications. LGPD does not directly reference email, and more specific legislation (like Europe’s ePrivacy laws) does not currently exist. The Brazilian Code of Conduct for Email Marketing recommends using Consent, but acknowledges a soft opt-in can exist where an existing commercial or social interest can be demonstrated (effectively legitimate interest).

In Europe, the preference was to rely on Legitimate Interest if possible, because of the reduced impact on list churn. This required a Legitimate Interest Assessment (LIA), where this basis is tested for purpose, necessity, and balance. Where senders could not demonstrate Legitimate Interest, Consent was then required as the legal basis. Some senders took a so-called “blended” approach, applying a combination of both.

GDPR was seen by some as a great opportunity for marketers to build stronger relationships with their customers. Marketo produced a report categorizing GDPR compliance as “legal first” or “marketing first” and showing the latter are more likely to achieve business objectives. A great example came from insurance provider Homeserve, which is now seeing better engagement, fewer complaints, and saving money too! This year’s DMA Marketer Email Tracker report showed across-the-board uplifts in deliverability, opens, clicks, conversions, and ROI!

A combination of more robust consent, clearer setting of expectations, and greater provision of choice means there are now higher levels of trust between consumers and brands. Consumers are providing better quality data, making them more engaged and likely to transact.

So Brazilian marketers can feel positive about LGPD, but whichever approach they take, the way their new subscribers are acquired will need to reflect the new law’s requirements. We’ll look at some great examples of how their European counterparts achieved this.

1. Straight Talking

GDPR defined consent as follows:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

The British Broadcasting Corporation (BBC) was widely praised for meeting these requirements with its clear and informative sign-up process:

Note the following:

  • Consent is for the email channel only (granular)
  • Consent is separate from terms and conditions and the privacy policy (unbundled)
  • The text is specifically about BBC programs and online (named)
  • The “Yes please” button must be clicked to provide consent (active opt-in)
  • Consent can be easily withdrawn (unsubscribe at any time)

Also note the “layered” approach—instead of providing all information at point of sign-up, the BBC uses drop-down boxes to provide more information.

2. Make Mine a Double!

In Europe, there was debate around whether all programs would need to implement double opt-in (DOI). This was in response to the requirement to record consent—keeping a record of when and how the consent was obtained, and exactly what individuals were told at the time. Many practitioners felt double opt-in would be the only water-tight means of establishing this, but ICO guidance simply says, “you must have an effective audit trail of how and when consent was given.”

That said, the new legislation does place a premium on obtaining accurate data. Double opt-in ensures only valid address owners can sign up, and it also proves there is a genuine interest in signing up. For sensitive personal data (ethnicity, religious beliefs, etc.) double opt-in also satisfies the additional requirement for explicit consent.

There is also a favorable argument for DOI when it comes to return on investment. Litmus reported programs using double-opt-in achieve average ROI of 45:1 compared with 40:1 for single opt-in.

Source: Litmus – 2018 State of Email Analytics

3. Make a Decision

Some senders decided to “force” a consent decision—“Yes please” or “No thanks”—as these Sainsbury’s examples illustrate:

The rationale is that human beings are naturally lazy! When a box is unchecked, the easiest thing is to leave it that way. Providing a “Yes please/No thanks” decision means one option has to be selected. While there will be opt-outs, this approach also increased the number of opt-ins. For more insights read this excellent report from Holistic Email Marketing/Pure360.

4. Legitimate Interest

Relying on Legitimate Interest (soft opt-in) still requires providing data subjects with the opportunity to object to having their personal data processed—at the point it’s acquired, as well as in all future communications. In this example from Currys, new customers can opt out before the purchase is completed.

Currys also provides another good example of “layering” where customers can click on the icon to learn more about how they will benefit.

Also ensure other points where personal data is captured are equally robust. DMA research shows 4 in 10 programs now acquire email addresses instore, often when customers are asked if they want an e-receipt. The same rules apply, and point of sale operators require training to ensure customers are given the opportunity to opt-out, and that this is recorded. See my previous DMA article for more reading on this topic.

5. Cookies

A core objective for most email programs is driving traffic to their websites, so marketers must also consider their use of cookies. These are useful because they allow a website to recognize a user’s devices and their previous browsing behavior, but it means the processing of personal data is often involved. As a result, website owners must seek consent from data subjects before cookies are used:

Note the clear explanation around the reason for the cookies, how they will be used, and the granularity that allows users to choose which cookies they are happy with. In addition, a layered approach is taken so users can find out more about each cookie type.

Many programs have also introduced a standalone cookie policy—separate from the privacy policy—as we saw with the earlier BBC example.

This post has highlighted considerations for acquiring new subscribers in a way that meets both the letter and the spirit of the new laws. In the next part of this series, we’ll look at the challenges of informing existing subscribers that the way their personal data is being used will change, and we’ll also highlight some of the biggest mistakes European senders made!

Staying on Top of Your Data Down Under: Lessons from GDPR for Australian Marketers

Australia is currently reviewing its data privacy laws. As with Europe in 2018, there is recognition that laws originally drafted in a semi-pre-digital age need refreshing to be relevant in our current world of Facebook, WhatsApp, re-targeting and artificial intelligence. Proposed recommendations [1] include:

  • Broader definition of personal information, including technical and location data
  • Stronger consent requirements weighted in favor of the consumer
  • Measures to require personal information to be erased on request
  • Direct right of action for individuals for serious invasions of privacy

There are some distinct similarities with Europe’s General Data Protection Regulations (GDPR). For example, the proposals require that “consents are given freely and that they are specific, unambiguous, and informed.”

Understandably, Australian marketers are a little nervous about the implications for their customer databases. However, they should take heart from Europe, where 18 months post-GDPR many marketing programs are showing big performance uplifts. This is a direct outcome of improved data quality, a better setting of expectations, and broader choice—generating increased trust, and delivering more revenue.

Here’s a selection of examples:

  • Marketo produced a report shortly after GDPR became effective, where marketers were classified as “legal first” or “marketing first” based on the approach they had taken to achieve compliance. The latter had embraced GDPR to build stronger, more effective relationships with their customers, and are 72 percent more likely to exceed their business objectives as a result.
  • A new report from Capgemini shows businesses who reported as fully compliant are performing better across a range of metrics compared with those not fully compliant. Quality of marketing leads, consumer ratings, customer trust and satisfaction, and revenue all showed uplifts of between 13 percent and 18 percent, while 92 percent of executives from compliant firms believe they have gained a competitive advantage.
  • Recent research from the Data and Marketing Association (DMA) shows the majority of email marketers have seen increased open rates (74 percent) and click-through rates (75 percent) over the past 12 months, while many have reported a reduction in opt-out rates (41 percent) and spam complaints (55 percent) over the same period. As a result, they have seen a marked increase in returns on every £1 spent on email, from £32.28 in 2017 to £42.24.

While much of the marketing world’s GDPR focus was on legal bases (primarily consent versus legitimate interest), at least three of the key principles (i.e. the ones that can result in €20M fines!) are all about data quality:

  1. Accuracy—data held should not be incorrect or misleading and should be corrected/erased if it is
  2. Minimization—data held should be adequate, relevant, and limited to the stated purpose
  3. Storage Limitation—the data should not be held for longer than strictly needed. [3]

These principles all feel like they should be data best practices, followed as a matter of course—not because there is a legal obligation to do so. Unfortunately, the reality is very different. Validity EVP Wayne Parslow blogged “the average business estimates that 22 percent of its contact data is inaccurate. Almost a quarter! The estimate is even higher among marketing professionals like you, who believe 30 percent of their customer records are erroneous. Alarm bells!”

In the UK, Royal Mail Data Services (RDMS) calculated the cost of poor data at 5.9 percent of a typical company’s annual revenue. In Australia there are just under 2M small businesses, earning average revenue of $368K per year at an average profit margin of 11.7 percent [4]. If the RDMS figures hold true down under, then each small business is losing around $20K each year as a result of bad data – almost half of their total profits! For medium/large businesses (annual turnover $2M+) these figures will be much larger . . .

European data controllers have been obliged to get their data quality houses in order, and now they are reaping the benefits. Their Australian counterparts don’t need to wait – there is a strong positive business case for starting right now! And if you’re not quite sure where to start, the great news is Validity has a powerful set of CRM software solutions like DemandTools, PeopleImport, and DupeBlocker to help CRM admins and users keep customer data clean, standardized, and free of duplicates.

Want to start boosting those missing profit margins today? Contact us now to find out how!


  1. Office of the Australian Information Commissioner: OAIC welcomes privacy law update to protect Australians’ personal information
  2. ZDNet: Australian privacy law amendments to cover data collection and use by digital platforms
  3. Information Commissioner’s Office: The Principles
  4. Australian Small Business & Family Enterprise Ombudsman: Small Business Counts (Small Business in the Australian Economy)

GDPR: One Year Later & Email is in Good Shape!

A year ago, email in Europe was in turmoil. The May 25th deadline for the new General Data Protection Regulations (GDPR) had finally arrived, and many email programs were frantically trying to get out their privacy policy updates, or their re-permissioning emails (or both!) in time. Overwhelmed by volume, many consumers simply chose to do nothing, secure in the knowledge it would soon end. It was the email apocalypse, which I later wrote about in a DMA blog post.

However, some forward thinkers were already considering GDPR in a more optimistic light. An article from Information Age predicted, “GDPR is the perfect opportunity for businesses to rethink their approach to data and the enhanced customer relationships and experiences it allows”. Marketo identified the “two tribes of marketing” (legal-first vs marketing-first) and predicted the latter would benefit more as stronger consent, better data quality, and greater transparency combined to deliver stronger and more trusting relationships.

They were both correct, and it makes absolute sense. GDPR wrote into law a number of best practices that we have talked about for years, so improved performance was to be expected. In this article, we’ll examine the resulting uplifts through a few different lenses:

Better deliverability
Email deliverability has shown a significant YoY uplift. Comparing Return Path’s 2017 and 2018 Deliverability Benchmark reports produces the following inbox placement summary:

Email deliverability is informed by a broad set of signals that includes data quality (low unknown user rates, no spam traps) and positive subscriber engagement (good read rates, low complaint rates). GDPR has clearly moved the needle for these factors, and senders are benefitting as a result.

Reduced list churn
We have also been seeing signs that some of GDPR’s benefits will be longer-term in nature. At a 2018 data protection conference, Homeserve reported “people are more receptive to and interested in what we are selling . . . plus we are receiving fewer complaints and unsubscribe requests.”

Return Path’s own data provides validation. As part of our GDPR thought leadership, we monitored a “basket” of 250 major senders. Average complaint rates for these senders have reduced by slightly more than half.

This will have a big positive commercial impact for email program owners. The US DMA’s 2018 Response Rate report shows email cost per acquisition at $22.50 (£17.65), while Bluecore’s Cost of an Unsubscribe report values each lost address at $17.92 (£14.05).

According to IBM Watson’s 2018 Marketing Benchmark report average list churn (bounces, unsubscribes, and complaints) for UK and Europe is 0.8 percent. Halving this metric will protect around £60K ($75K) of customer lifetime value (CLV) per million emails sent!

Enhanced performance
Program performance metrics have also shown big improvements. We plotted the YoY change in email read rates for the same basket of 250 senders, and identified the following:

Updating the privacy policy was generally the “legal-first” approach while marketing-first programs generally went the re-permissioning route, illustrating the greater benefit of the latter approach (note many programs took a blended approach, updating their privacy policy for existing customers, and re-permissioning their prospects).

Recent research from the DMA corroborates these findings, with respondents to the 2019 Marketing Email Tracker report identifying clear GDPR-influenced improvements in open rates, click rates, and conversion rates: 

Increased ROI
As a direct result of the improvements outlined above, email programs have become more profitable. In the DMA’s 2019 edition of its Marketer Email Tracker report, email return on investment (ROI) has increased YoY from £32.28 in 2017 to £42.24 in 2018, a 30 percent uplift.

Litmus provides a nice visualization of the comparative ROI between Europe and the US, and we can see that the European programs are currently >20 percent more ROI-effective than their US counterparts.

For the same period, subscriber lifetime value has also increased, rising from £28.56 in 2017 to £37.32, again an increase of 30 percent. Lifetime value is the most important metric email marketers are focused on in 2019. Programs that want to move the CLV needle can start by embracing GDPR’s core principles, even if they don’t fall within its jurisdiction.

The rest of the world is watching with great interest. India has already released its Personal Data Protection Bill, while Brazil’s General Data Protection Law (LGPD) will become effective in early 2020. In the US, the new California Consumer Privacy Act (CCPA) is expected by many to be the forerunner of similar federal legislation (see our great recent blog series on CCPA).

The key learning for email marketers is to embrace these changes as a force for good. While they are hard work to implement, the payoff is greater trust between senders and receivers, which in turn boosts program performance and ultimately generates greater returns.

As Michael O’Leary, the irascible CEO of Ryanair, once remarked: “If I had known being nice to people was so profitable I would have done it long ago!”