Towards LGPD and Beyond – You’ve Gotta Have a Plan!

As the GDPR deadline of May 25th, 2018 approached, one of the biggest mistakes many European senders made was to leave everything to the last moment. By that stage, many email subscribers were completely overwhelmed by inbox overload, and their simplest response was “ignore everything!” As a result, lists were decimated – research from Yieldify showed one-third of marketers lost over 30 percent of their email lists, with Travel (37 percent), IT/Telecoms (32 percent) and Finance (28 percent) being the most impacted. We also saw individual programs that lost over 90 percent of their lists!

In the first two posts of this series we considered the legal bases for email marketing, and the importance of having robust deliverability to ensure your subscribers receive their LGPD emails. In this post, we’ll talk about strategies for making sure those messages get a response!

1. Start Early

The Royal Society for the Protection of Birds (RSPB) introduced its new sign-up form a full year before the GDPR deadline. Note how their approach is explicit, granular, and requires positive action to opt in.

By the time GDPR became law, a large part of RSPB’s list was already organically compliant, meaning far less last-minute re-permissioning. They also saw much higher engagement levels from new subscribers, with open rates increasing by 1.15X and click rates by 1.9X!

2. Spread the Load

We’ve already explained the importance of avoiding sudden changes in volume. Mailbox Providers (MBPs) don’t like this behavior, because it indicates potential spam activity, or even that a program may have been compromised. In the UK one sender who tried to mail their entire base 1 day before the May 25th deadline saw over 80 percent of their emails sent to junk folders as a result.

Tesco understood this importance and took a more pragmatic approach, mailing approximately three percent of its database each day across a four-week period. In this way, volume impact was blended into Tesco’s daily activity. It also meant more conservative connection and throughput settings could be applied, which is good practice when mailing to less engaged audiences.

3. Don’t Rely on Just One Shot!

Successful re-engagement/win-back programs take a multi-email approach. If you only fire a single shot, you’re more likely to miss, as our previous research shows! Waitrose recognized this, and they ran a structured program of communications over the weeks leading up to GDPR, maximizing their opportunity to secure re-permission.

The first two emails focused on creating awareness of the new legislation, then explaining the benefits of remaining a member of the program (offers and discounts, recipe ideas, events, and tastings, etc.)

As the May 25th deadline grew closer, Waitrose increased the urgency of the language used to persuade subscribers to continue with their program membership.

4. Maximize Your Marketing Real Estate

You don’t want to send LGPD messages to your email audience every day (although some UK and European senders did just this, generating serious program fatigue in the process!). But there are other ways of reinforcing the message while remaining reasonably subtle!

Clarks made use of the emails’ pre-header text, which read “We’ve updated our privacy policy and need to confirm you want to keep hearing from us.” This was a smart approach because most email clients now show 70-80 characters of pre-header text, meaning a good chance of the message being seen even without opening the emails.

Selfridges took a more visual approach, and for a 30-day period included the grey “Don’t lose touch” box in the top third of every marketing email they sent. As a result, they achieved exceptional subscriber retention rates, although engagement rates suffered because less promotional content was immediately visible to openers during this time.

5. Think Multichannel

Remember email doesn’t operate in a vacuum! It is part of a complex multi-channel ecosystem and your retention efforts should recognize this. Make sure you provide LGPD reminders when your customers log in to their accounts. Also make them part of your postal, social and push messaging strategies if you use these channels.

If your marketing program operates above the line, also consider broader approaches to your LGPD messaging. We saw this memorable example from Manchester United football club, with re-permissioning messages shown on the digital advertising boards at Old Trafford stadium!

Another important element is Point of Sale (POS). Direct Marketing Association (DMA) research shows around 40 percent of new program sign-ups now take place in-store (almost 60 percent in the 18-34 segment). The Yieldify research also showed the single most effective tactic for post-GDPR list rebuilding was encouraging account registration and opt-in at checkout.

Senders with a physical presence should therefore think carefully about how they provide in-store LGPD education, providing advertising in the POS area, and equipping checkout staff with scripts and training to assist with these conversations.

Also, be aware LGPD will probably have an impact on the way e-receipts are issued. In the UK, guidance was clear that: 1) e-receipts cannot contain any marketing content (the consent to receive the e-receipt is not consent to receive marketing); and 2) customers must be provided with an opt-out from receiving email marketing at POS (meaning POS staff must be trained to ensure this happens). Read my DMA blog for more on this topic.

In summary, key points from this post are: start your LGPD preparations as soon as possible; spread out your broadcast schedule; don’t rely on a “one shot only” approach; and cover as many of your multi-channel bases as possible to communicate your LGPD messaging to your customers.

In the next—and final—installment of this series, we’ll provide guidance around effective use of language and creative to maximize the impact of your emails during the inbox overload period we are expecting as next August approaches.


Towards LGPD and Beyond – Getting Delivered

In the first post in this series about learnings from GDPR as Brazilian email marketers prepare for LGPD, we focused on acquiring new customers and prospects. Now we’ll look at approaches for existing subscribers. In Europe, senders generally took one of three routes:

  • Re-permission: Compared with previous data privacy legislation, GDPR imposed a higher duty of care. For senders using Consent as their legal basis, this meant refreshed permission would be needed for all existing address owners.
  • Privacy Notification: Senders who relied on Legitimate Interest as their legal basis needed to inform subscribers of the changes made to their privacy policies to achieve GDPR compliance.
  • “Blended” Approach: Some senders took a “blended” approach, using Legitimate Interest for previous purchasers, with refreshed Consent being sought for the remainder of their lists.

All approaches meant good deliverability was critical. Many senders needed to email every member of their lists – at exactly the same time every other email program was doing the same thing! Any high traffic period like Black Friday/Cyber Monday sees deliverability taking a hit—even the biggest mailbox providers have finite bandwidth and processing capacity, and inbox placement is negatively impacted as a result.

GDPR was no different—as I reported in a DMA blog post last year, average spam filtering rates went up 25 percent as May 25th approached, and some individual senders saw over 90 percent of their email traffic end up in the junk folder!

This was critical—re-permissioning campaigns failed because subscribers couldn’t respond to emails that never delivered. There was also a big implication for the privacy policy updates because of the right to be informed. There is a strong argument that if these emails fail to deliver, this right has not been observed.

There would also have been a big impact on subscriber trust, with many consumers believing the senders had unilaterally changed their privacy policies without even bothering to inform the data subjects!

What steps can Brazilian senders take to avoid these pitfalls?

1. Don’t Attempt to Raise the Dead . . .

Our Frequency Matters report identified that 9 percent of a typical email list is formed of “Dead” addresses—created then abandoned. This is hardly surprising—email lists typically churn at between 25 percent and 30 percent per year, meaning average time on list is somewhere between 3 and 4 years—even for best-in-class programs.

There is little point in attempting to send LGPD email communications to these addresses—they will never respond, and they could cause significant deliverability problems. A good starting point is to carry out a bulk validation exercise using a solution like BriteVerify. In this way, the dead addresses can be identified and suppressed, before the business-critical LGPD broadcasts happen.

2. . . . Then Draw a Line in the Sand

In Europe, many senders attempted to contact every address on their database, regardless of how old it was. One of my colleagues received this re-permissioning email despite having last been to summer camp in 2002!

This was ill-advised—our Lifecycle Benchmark 2019 report showed only 31 percent of new subscribers continue to interact with an email program beyond 12 months. Data decays over time, and older addresses are more likely to either not work (point one above), or—if they do work—to complain. There is also a real possibility that some have been re-purposed as spam traps. These factors combine to have a major negative impact on deliverability, which also means good addresses get junked too!

A key principle of the new laws is “minimization”—including that personal data should only be held for as long as it is needed. Also remember the mailbox providers have far more aggressive opinions on recency—30 days in the case of Gmail! We recommend all senders should define a sensible recency threshold, and then delete older records unless there is a legal requirement to continue holding them. 

3. Know What the Mailbox Providers are Expecting from You

All major mailbox providers publish helpful bulk sender guidelines, and many of the most important recommendations are common to all of them:

  • Use active opt-in for new subscriptions
  • Provide one-click unsubscribe functionality (List-Unsubscribe)
  • Remove invalid and inactive recipients
  • Sign up to all available feedback loops
  • Authenticate using SPF, DKIM and DMARC
  • Publish meaningful reverse DNS records
  • Be consistent in use of from addresses, IP addresses, and sending domains

Detailed guidance can be found at the mailbox providers’ postmaster sites (Gmail, Outlook, and Verizon), as well as in our excellent Marketers’ Field Guide. It’s all common-sense advice, and the mailbox providers are clear that implementing it will help improve email deliverability.

4. Audit Your Reputation

It’s essential to know how mailbox providers see you as a sender. Many calculate their own versions of reputation scores, and poor scores will see senders getting blocked or junked, meaning an immediate negative impact on LGPD messaging.

One of the best-known reputation checkers is Sender Score, where email programs can plug in an IP address or sending domain to get their current reputation score. Senders want to be in the top tier (91-100) – our recent 2019 Sender Score Benchmark report showed senders in this tier achieve average delivered rates of 91 percent, while those in the next tier down achieve 71 percent – a 20 percent variance.

Reputation is determined by factors such as: complaints; unknown users; spam traps; authentication; black-listings; and subscriber engagement. Senders who are currently scoring outside of the top tier should address these causes before they start their LGPD campaigns.

5. Get Certified

The above points explain the deliverability challenges posed during high volume periods. Fortunately, there is a solution—members of the Return Path Certification program (the red line) typically see less impact. This is because they carry a higher level of trust, and therefore benefit from better placement and faster throughput.

In Europe, Certified senders saw a pronounced benefit in the form of higher inbox placement rates, and significantly greater subscriber retention as a result. This had a major financial implication—the DMA’s Marketer Email Tracker 2019 report calculated average subscriber lifetime value at £37.32 (almost R$200!) For a sender with a 1M address list, every 1 percent increment in subscriber retention was worth ± £300K (almost R$2M!)—a strong argument for Brazilian senders to invest in their LGPD readiness.

In this post we have examined how to build a platform for successful LGPD email broadcasts. In the next article in this series we’ll consider the importance of timing—when to start sending, how to ramp up activity, and the critical importance of not relying on a “single-shot” approach.

Towards LGPD and Beyond – Legal Bases for Email Marketing

Brazil’s new Lei Geral de Proteção de Dados (LGPD) data protection legislation is now less than 12 months away, becoming effective in August 2020. While being a near carbon copy of Europe’s General Data Protection Regulation (GDPR), there are subtle differences:

Source: IAPP – GDPR matchup: Brazil’s General Data Protection Law

For Brazilian marketers, as in Europe, a major decision will be whether to rely on Consent or Legitimate Interest as the legal basis for marketing communications. LGPD does not directly reference email, and more specific legislation (like Europe’s ePrivacy laws) does not currently exist. The Brazilian Code of Conduct for Email Marketing recommends using Consent, but acknowledges a soft opt-in can exist where an existing commercial or social interest can be demonstrated (effectively Legitimate Interest).

In Europe, the preference was to rely on Legitimate Interest if possible, because of the reduced impact on list churn. This required a Legitimate Interest Assessment (LIA), where this basis is tested for purpose, necessity, and balance. Where senders could not demonstrate Legitimate Interest, Consent was then required as the legal basis. Some senders took a so-called “blended” approach, applying a combination of both.

GDPR was seen by some as a great opportunity for marketers to build stronger relationships with their customers. Marketo produced a report categorizing GDPR compliance as “legal first” or “marketing first” and showing the latter are more likely to achieve business objectives. A great example came from insurance provider Homeserve, which is now seeing better engagement, fewer complaints, and saving money too! This year’s DMA Marketer Email Tracker report showed across-the-board uplifts in deliverability, opens, clicks, conversions, and ROI!

A combination of more robust consent, clearer setting of expectations, and greater provision of choice means there are now higher levels of trust between consumers and brands. They are providing better quality data, making them more engaged and likely to transact.

So Brazilian marketers can feel positive about LGPD, but whichever approach they take, the way their new subscribers are acquired will need to reflect the new law’s requirements. We’ll look at some great examples of how their European counterparts achieved this.

1. Straight Talking

GDPR defined consent as follows:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

The British Broadcasting Corporation (BBC) was widely praised for meeting these requirements with its clear and informative sign-up process:

Note the following:

  • Consent is for the email channel only (granular)
  • Consent is separate from terms and conditions and the privacy policy (unbundled)
  • The text is specifically about BBC programs and online (named)
  • The “Yes please” button must be clicked to provide consent (active opt-in)
  • Consent can be easily withdrawn (unsubscribe at any time)

Also note the “layered” approach—instead of providing all information at point of sign-up, the BBC uses drop-down boxes to provide more information.

2. Make Mine a Double!

In Europe, there was debate around whether all programs would need to implement double opt-in (DOI). This was in response to the requirement to record consent—keeping a record of when and how the consent was obtained, and exactly what individuals were told at the time. Many practitioners felt double opt-in would be the only water-tight means of establishing this, but ICO guidance simply says, “you must have an effective audit trail of how and when consent was given.”

That said, the new legislation does place a premium on obtaining accurate data. Double opt-in ensures only valid address owners can sign up, and it also proves there is a genuine interest in signing up. For sensitive personal data (ethnicity, religious beliefs, etc.) double opt-in also satisfies the additional requirement for explicit consent.

There is also a favorable argument for DOI when it comes to return on investment. Litmus reported programs using double-opt-in achieve average ROI of 45:1 compared with 40:1 for single opt-in.

Source: Litmus – 2018 State of Email Analytics

3. Make a Decision

Some senders decided to “force” a consent decision—“Yes please” or “No thanks”—as these Sainsbury’s examples illustrate:

The rationale is that human beings are naturally lazy! When a box is unchecked, the easiest thing is to leave it that way. Providing a “Yes please/No thanks” decision means one option has to be selected. While there will be opt-outs, this approach also increased the number of opt-ins. For more insights read this excellent report from Holistic Email Marketing/Pure360.

4. Legitimate Interest

Relying on Legitimate Interest (soft opt-in) still requires providing data subjects with the opportunity to object to having their personal data processed—at the point it’s acquired, as well as in all future communications. In this example from Currys, new customers can opt out before the purchase is completed.

Currys also provides another good example of “layering” where customers can click on the icon to learn more about how they will benefit.

Also ensure other points where personal data is captured are equally robust. DMA research shows 4 in 10 programs now acquire email addresses in-store, often when customers are asked if they want an e-receipt. The same rules apply, and point of sale operators require training to ensure customers are given the opportunity to opt out, and that this is recorded. See my previous DMA article for more reading on this topic.

5. Cookies

A core objective for most email programs is driving traffic to their websites, so marketers must also consider their use of cookies. These are useful because they allow a website to recognize a user’s devices and their previous browsing behavior, but it means the processing of personal data is often involved. As a result, website owners must seek consent from data subjects before cookies are used:

Note the clear explanation around the reason for the cookies, how they will be used, and the granularity that allows users to choose which cookies they are happy with. In addition, a layered approach is taken so users can find out more about each cookie type.

Many programs have also introduced a standalone cookie policy—separate from the privacy policy—as we saw with the earlier BBC example.

This post has highlighted considerations for acquiring new subscribers in a way that meets both the letter and the spirit of the new laws. In the next part of this series, we’ll look at the challenges of informing existing subscribers that the way their personal data is being used will change, and we’ll also highlight some of the biggest mistakes European senders made!