Version 1.0, October 2019
The purpose of this document is to give an overview of the email marketing consent practises related to our Email Marketing Consent product. In the document we refer to companies who use Openli ApS’ (“Openli” or “we”, “us”, “our”) Email Marketing Consent product as "you" and "your".
By email marketing we mean communication by email of advertising or marketing material that is directed to particular individuals. This covers advertising or promotional material, leaving service emails and transactional emails out of scope. We also note that this document only focuses on standard email marketing consent, leaving consents related to industry-specific (health care, finance, child-directed content, etc.) and special category data (biometrics, etc.) out of scope.
Over the last few years we’ve seen an increased focus on data protection and privacy from governments, regulatory bodies and interest groups. This has resulted in significant changes to the legislative landscape, including how to collect compliant email marketing consent.
Today, jurisdictions around the world have legislation that regulate how companies may or may not carry out email marketing, and often multiple sets of rules apply, e.g. the GDPR and the Danish Marketing Practices Act. As a company, you will likely need legal support to understand the requirements in the jurisdictions where you do email marketing. You will need to build the requirements into your processes and solutions, and once everything is in place, you will need to maintain it all and, likely also with legal support, keep yourself up-to-date on the ever changing requirements. This is all very complex, time-consuming, costly, and not what Marketing teams should be spending their time on.
That’s why we decided to build our Email Marketing Consent product - to make easier for you to do compliant email marketing at a global scale.
In the following, we have outlined the requirements that we have taken into consideration when building our product.
Firstly, it’s important to know the nationality of the user. The reason is that the user’s nationality define which country’s rules that you must comply with. This is also called “jurisdiction”.
If you know the country of your user you should let the widget know. If you do not know the country, our product will automatically estimate the user’s country based on the information available.
Some jurisdictions require you to obtain prior consent from a user before you can send the user email marketing - otherwise you aren’t allowed to send out email marketing.
In some jurisdictions, this spam ban applies to all recipients, ie. whether the email is sent to a consumer, a company, a public authority, etc. Other jurisdictions allow for email marketing to be sent to business contacts (B2B) without consent while banning email marketing to consumers (B2C) without consent. In our product we therefore ask you to let the widget know whether your page is directed towards collecting consent from business contacts or consumers.
Furthermore, it differs from jurisdiction to jurisdiction how you must collect the consent. Some jurisdictions require a consent to include an explicit action from the user, e.g. the user must actively check a checkbox (opt-in). Other jurisdictions consider it sufficient that the user is given the option to not give consent, e.g. by the user unchecking a pre-checked checkbox (opt-out), while other jurisdictions consider it sufficient that the user is informed about giving consent when e.g. signing up to a service. And finally there are jurisdictions where there are no rules about collecting consent, i.e. you are allowed to send out email marketing without informing the user. In contrast there are jurisdictions that require the user to re-confirm their consent via email (double opt-in) in order for the consent to be valid.
It also differs from jurisdiction to jurisdiction whether different requirements apply when collecting consents first party, e.g. on your own web pages, versus collecting consent on third party pages, e.g. on signup pages for events where multiple companies take part. The same is the case for whether consent is collected through web or application based platforms.
Many jurisdictions require that the user is informed about what they consent to, but have different requirements to the specific consent text. This ranges from requiring the consent text to be clear, transparent and specific (example: “by signing up you agree to receive COMPANY A’s weekly product email newsletter”), to allowing a more generic text (example: “by signing up you agree to receive email marketing communication from us”).
Depending on the circumstances, there are rules in some jurisdictions that entail that the user must be able to proceed from the page even though the user has not given consent.
Many jurisdictions requiring explicit consent also require that you are able to proof that you have obtained compliant consent from users, e.g. in case the user disputes giving consent in the first place. However, the jurisdictions differ on what is required of you to provide such proof.
Furthermore, some jurisdictions have regulations regarding expiration of consents. If e.g. you you have not made use of the collected consents within a set time period, they might have lapsed.
Many jurisdictions have rules related to users’ ability to retract their email marketing consent (also called “unsubscribe”). The requirements vary across jurisdictions. Some require you to include an “unsubscribe link” and others accept a text in the emails explaining how to retract consent. How easy and simple it has to be for a user to retract their consent differs from jurisdiction to jurisdiction, including whether it’s possible to ask questions, get the user to select between different types of unsubscribe options, have questionnaires or information about how to subsequently give consent, etc.
How fast you must carry out a consent retraction also varies, e.g. from “immediately” to “as soon as possible” to “10 days” etc.
We carry out an assessment of the legislation of a jurisdiction before adding the jurisdiction to our product.
Each assessment identifies the legal requirements so that our widgets can act in a compliant way for a jurisdiction. We use expert law firms to assist with the assessments, and we implement the assessments as default in our product.
For non-assessed jurisdictions we apply Danish requirements.
To fully benefit from our product, you should embed our widget on the web pages where you will collect the consent, e.g. on the front page, on signup pages, on product pages, or on campaign landing pages.
As part of your implementation of the widget, you should for example provide the widget with your Openli customer id, the email of your user and the language that you would like the widget to be shown in.
You may also influence how the widgets behave on your page, where you e.g. could choose to show another text to the user than the one shown by default for the jurisdiction, or you could choose to use another way of collecting the consent than the one used for the jurisdiction by default.
When the user gives consent, the widgets will send the data to our data center, where we will capture the data and store it as part of your consent evidence.
You have the option to use our API instead of our widgets, however, this will entail that you need to ensure compliance with the legislation of the jurisdiction of the user.
Overview of the requirements managed by our widget (By default, the widget will reflect the requirements of your user's jurisdiction):
Overview of all requirements and where they are managed:
Overview of all requirements and where they are managed:
Review and revision of the document is completed at least annually and approved by our General Counsel.