Category Archives: Permission

Yahoo! Changes will Impact More than just Email Marketers

Not to be outdone by its rivals caught up in the PRISM ‘scandal’, Yahoo! has decided the best way to deal with lapsed users is to give their private details to the first person that asks for them. Okay, well it isn’t really that bad, but their recent announcement that they will start recycling dormant email accounts on August 15th will have significant repercussions for both ecommerce and the email industry.

About two years ago my iTunes account was hacked using a well-known Apple scam. The hackers just need your account ID, which they use to download apps. How can they download apps without the password, you may ask? They can’t, but when you unlock your password those apps are downloaded to your device and they get the cash because it was their app that was being downloaded. The whole ordeal around getting this sorted is another post for a different blog, but the important thing here was the remedy I used to fix it, which was to create a Yahoo! account using a random password generator to create the bit before the ‘@’. So far so good, no dictionary attack has cracked this email account.

The problem is that I don’t ever log into the account (clearly I will have to add this to the list of monthly tasks like cleaning out the washing machine filter and checking the smoke detector). What would happen if I missed this announcement from Yahoo!? Come the middle of August somebody could take this email address from me and suddenly have access to my iTunes account. The password reset would go to the address that they control and away they go. If I was like many people, including Mat Honan of Wired Magazine, this email address would also be used for other things and I would have lost control of all of them.

This will also clearly have implications for me as an email marketer.  Loads has been written over the past few years about removing data that has not opened or clicked in more than twelve months from your list. The thinking is that inactive addresses are being used as spam traps, although there has been a lot of disagreement on this by email experts such as Dela Quist. Regardless of which side of the fence you fall on this topic, you need a plan in place to be executed between the 15th of July and the 15th of August because if you email a recycled address – you will have spammed them.

Yahoo! will hard bounce all of the addresses that are to be recycled during this thirty day period, so you need to take this opportunity to tidy up your Yahoo! addresses.

There are well over 3 billion email addresses in the world. It is not surprising that the email application providers want to start recycling them. Let’s face it, jimsmith@yahoo is a lot better than jimsmith345@yahoo. This is going to become a regular part of our world, so we had better develop some strategies to address it.
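The list clean-up described in this post, as an added example that is not part of the original post: it scans a delivery log for Yahoo! addresses that hard bounce between 15 July and 15 August and keeps them suppressed even if they later accept mail again, since that points to a new owner. The log format, the domain list, the sample year and all function names are assumptions made for the illustration.

```python
import re
from datetime import date, datetime

# Assumed, non-exhaustive set of Yahoo!-operated mailbox domains.
YAHOO_DOMAINS = {"yahoo.com", "yahoo.co.uk", "ymail.com", "rocketmail.com"}

# Constructed log format (not any real MTA's): timestamp, recipient, status,
# SMTP reply code and enhanced status code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) to=<(?P<rcpt>[^>]+)> status=(?P<status>sent|bounced) "
    r"reply=(?P<code>\d{3}) (?P<enh>\d\.\d{1,3}\.\d{1,3})$"
)

SAMPLE_YEAR = 2013  # constructed; use the year of the recycling you are handling
SAMPLE_LOG = """
2013-07-01T08:00:00 to=<old@ymail.com> status=bounced reply=550 5.1.1
2013-07-20T09:14:02 to=<JimSmith@yahoo.com> status=bounced reply=550 5.1.1
2013-07-22T10:00:00 to=<full@yahoo.co.uk> status=bounced reply=452 4.2.2
2013-07-25T11:30:00 to=<anna@example.org> status=bounced reply=550 5.1.1
2013-09-01T08:00:00 to=<jimsmith@yahoo.com> status=sent reply=250 2.0.0
"""


def recycling_window(year):
    """The thirty-day hard-bounce period named in the post (15 July to 15 August)."""
    return date(year, 7, 15), date(year, 8, 15)


def classify(lines, year):
    """Return (suppress, reassigned) sets of lower-cased addresses.

    suppress:   Yahoo! addresses that hard bounced (5xx / 5.x.x) inside the window.
    reassigned: suppressed addresses that later accepted mail again, which
                suggests a new owner; they stay suppressed.
    """
    start, end = recycling_window(year)
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # blank or unparseable lines are skipped
            events.append((datetime.fromisoformat(m["ts"]), m))
    suppress, reassigned = set(), set()
    for ts, m in sorted(events, key=lambda e: e[0]):
        rcpt = m["rcpt"].lower()
        if rcpt.rpartition("@")[2] not in YAHOO_DOMAINS:
            continue  # other domains go through normal bounce handling
        hard = (m["status"] == "bounced" and m["code"].startswith("5")
                and m["enh"].startswith("5."))
        if hard and start <= ts.date() <= end:
            suppress.add(rcpt)
        elif m["status"] == "sent" and rcpt in suppress:
            reassigned.add(rcpt)
    return suppress, reassigned


def mailable(addresses, suppress):
    """Drop suppressed addresses from a list, comparing case-insensitively."""
    return [a for a in addresses if a.lower() not in suppress]


if __name__ == "__main__":
    suppress, reassigned = classify(SAMPLE_LOG.splitlines(), SAMPLE_YEAR)
    print("suppress:", sorted(suppress))
    print("likely reassigned:", sorted(reassigned))
```

Addresses in the second set are the ones where a password reset or marketing message would now reach a different person, so they are worth reviewing in any system that still treats the address as the original owner's.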

The Draft EU Data Protection Regulations and the Other Compliance Obligations

As our series of blogs on the proposed EU Data Protection Regulation is almost at an end, I think it’s fair to say that they made for very informative reading. I hope you would agree with me that many marketers can learn something from them. A lot of the main topics within the proposal have been covered. But what are the changes to the compliance obligations which organisations need to consider in their day to day activities if the proposal was to be passed in its current version?

Data processing is featured heavily in the proposed Regulation. One of the changes is around notifying the relevant national data protection authority, in the case of the UK the Information Commissioner’s Office (ICO), of your organisation’s data processing activities. Currently, providing such notification to the ICO has been a matter of course, whereas the proposal states that full records of data processing activities must be kept by the organisation and only supplied to the relevant national data protection authority on request.

The use of data in many organisations is crucial for marketing purposes, as well as general interaction with customers. If you work client-side, just think of the number of email campaigns your organisation sends out to your customers, whether the customers are active, prospective, lapsed or otherwise. Your data would have had to be processed in some way before emailing, whether it’s cleaning or segmenting for a targeted campaign; therefore keeping a record each time the data is processed with specific information would add another compliance burden to the activity. The obligation to keep records of processing activities is also extended to agencies where dealing with data is an integral part of the running of the organisation, such as list rental and lead generation activities. With this in mind, if you think of your own organisation’s activities as well as the number of organisations involved in a typical data processing chain, then the number of data processing activities that will need to be recorded is overwhelming. The ICO is concerned that there is a danger that organisations will focus on the ‘paperwork’ rather than on actual data protection compliance. The removal of the notification fee, which organisations currently pay to the ICO when they complete the notification form, does raise questions as to how the ICO will be adequately funded to carry out its data protection work effectively.

Another change in the proposal which will have a big impact is the requirement for organisations with 250 or more staff to have a designated independent data protection officer. Even though data is crucial to a lot of organisations, the size, reasons for its use and frequency with which the data is handled and processed vary amongst organisations. The ICO believes that “a simple head-count criterion for the designation of a data protection officer is not the best approach.” Some low head count organisations may process a large amount of information about a lot of people and are therefore high risk. On the other hand, large head count organisations may carry out relatively small-scale and low risk processing. Read the ICO’s report on the draft regulations here

The additional bureaucratic requirements relating to these proposed new compliance obligations will certainly create extra administrative costs, particularly for smaller organisations. As well as the increased documentation of all data processing activities, consider the revision and issue of new terms and conditions, and the amount of employee guidance and training around these changes.

These new compliance obligations, as well as implementing the right to be forgotten, and explicit consent for data processing will mean that all organisations will have to review their day to day activities.

Opt-In & Opt-Out – Definitions of Consent according to the draft EU Data Protection Regulations

As a consumer, I am always in favour of legislation which seeks to protect individual freedoms, and reduce ambiguity in what organisations can and cannot do with my personal information. As a marketer too, it is important that the availability and use of a consumer’s personal information be governed by clear guidelines, and ends in a mutually beneficial result – at the bare bones of it; providing a customer with timely, relevant communications based on the data they have provided, at the same time as (hopefully) making a profit for the organisation I am working for.

The real worry is that the current draft of the European Union Data Protection Regulation does the opposite by introducing more complexity and ambiguity than already exists, and potentially creates further issues which would not have surfaced if the status quo were maintained.

The verbatim definition of consent within the Regulation is as follows:

“…’the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed…”
[ Article 4 (8)]

Furthermore, the “Conditions for Consent” are laid out as follows:
1. “The controller shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes.

2. If the data subject’s consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.”

[ Article 7]

In the above, I have highlighted the key elements here – the Regulation is essentially saying that organisations need to obtain a clear and explicit statement/action by which a data subject provides consent. From an email permission-marketing best practice perspective, this is fine – however the Regulation does not address whether or not this would need to be retrospective for existing databases, and whether or not organisations would be able to contact customers with whom they have had previous interactions (as is currently permissible under the existing Privacy and Electronic Communications Directive – and, the majority of the time, expected by consumers).

This is completely disregarding whether or not those consumers actually want to be contacted, and if the “burden of proof” detailed above is an enforceable requirement (in a worst-case scenario) – then the Regulation is effectively saying organisations must delete said data if they cannot prove consent has been given explicitly! Then there’s the possibility of dispute over the meaning of “informed & explicit”… well, you can see where this is heading – more ambiguity and less clarity.

Furthermore, there is an argument out there that this Regulation does not take into consideration the low risk use of Business-To-Business (B2B) data for marketing purposes – where, more often than not, an organisation would hold and process information on another organisation or group of members of staff, with perhaps multiple key decision makers – not an individual.

In summary, the intention is good but the detail is lacking – I strongly urge the legislators in Brussels to revise and alter the Regulation so that it can sit with the existing Privacy and Electronic Communications Directive. They also need to focus on what the effect of the changes in the draft Regulation will be for both consumers and organisations.
To find out more about the consequences of this legislation passing unaltered, and the potential impact on your own business, take a look at This site also provides information on how to take immediate action, by lobbying your regional MEPs.

LinkedIn: No greater email marketing #fail than over-writing your customers preferences

I just got this email from LinkedIn, subject line “A change to your DMA: Direct Marketing Association (UK) Limited digests” – the 3rd such email I have had this week about a group I belong to.
In it they tell me that they are going to ignore my mailing preferences and unsubscribe me from the group digests, of which I get 1 a week, a frequency selected by ME! I have now been forced to go and re-subscribe to the weekly digests of groups that I want to hear from 3 times this week. Do LinkedIn really think that is a good use of my time?

Just in case anyone was wondering, while I am not really a FB kind of person I definitely am an UBER LinkedIn user.

- I am a paid subscriber and highly active – I post, place jobs, recommend, stay in touch, connect etc.
- I have several thousand connections
- I check my page multiple times a day and use it as my primary vehicle for maintaining my business network. I have my preferences set exactly the way I want them for some groups – no email, others weekly and some daily
- I get 10 or more emails a day from LinkedIn and open about 1 in 3 on my desktop and 80% of them on my mobile
- I click on at least one a day and some days 3 or more
- I save all my emails; I currently have 2900 in my LinkedIn folder, of which less than half (1427) are “unread”
- I regularly search for old messages or invites and click on them

So how on earth can a bunch of engineers and/or too clever by half marketers come to the conclusion that they know what I want better than me?
The irony is by stopping the DMA group weekly digest, they are going to reduce the chances of me ever visiting again! I wonder how the DMA and other group managers feel about that.

I can’t understand why, having gone to the trouble of asking me to set my preferences, LinkedIn should choose to expressly ignore the stated preference from a highly engaged – dare I say knowledgeable – paying subscriber. Surely that is as bad as spamming; after all, what is so different about these 2 scenarios?

1) I use LI preference centre and choose to receive 1 email a week – after 3 months LI decide to unsubscribe me for not visiting the group.
2) I use LI preference centre and choose to receive 1 email a week – after 3 months LI decide to send me daily digests or 3rd party emails from partners they think I should hear from.

LinkedIn are insulting their members’ intelligence; one would think that someone like me would know how to either unsubscribe or hit the spam button. So if I haven’t done either of those things, it’s probably because…I DON’T WANT TO!

EU Data Protection Regulation – The Right to be Forgotten

Continuing with our series of posts reviewing the potential effects of the proposed EU Data Protection Regulation, one of the areas it addresses is an individual’s “right to be forgotten” by a business.  The specific wording is as follows:

“The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data”

This has clearly been written with Social Media in mind, for example, ensuring that Facebook users are able to completely delete their profiles if they so wish. However, the effect on email marketers and direct marketers in general could be disastrous. If somebody unsubscribes, or asks to no longer receive an advertiser’s communications, then clearly that individual’s details need to be held by the organisation in order to suppress them from future comms. Forgetting them completely, i.e. erasing all their data, could have the polar opposite effect from that which the consumer is expecting! An individual’s details need to be held in order for the organisation to “remember to forget”. Also, industry suppression files, which are there to benefit consumers, could be put at risk by the Regulation.

The problems do not end there. There would also be an issue with information that has already been passed on to third parties, e.g. via list brokers or through partnerships. Also, consumers risk being misled. For example, some data in financial services has to be kept for a specific period of time in order to meet with legal and FSA regulations.

In summary, not only does this section of the Regulation risk failing to achieve what it sets out to do, it could also damage consumer trust and increase the complexity and volume of data processing which needlessly increases the financial burden on companies.

A further chance for your input on the proposed EU Data Protection Regulation

For some marketers, at the very mention of future legislative framework changes the mind immediately begins to wander. Add to that the words ‘Data’ and ‘Protection’ and it could instil fear, uncertainty and possibly a fair amount of doubt. The fact that the EU is involved is likely to add further concern. Such themes or topics as data portability, the right to be forgotten and how personal data is defined impact directly on many of us in marketing and these proposals are just too big to be ignored.

The DMA has put itself at the very forefront of the debate and led a cross-industry working group bringing together many other industry bodies, including IAB, IMRG, Federation of Small Businesses, COADEC and other bodies. This initiative has been led by the team at the DMA along with lobbying efforts on multiple fronts headed by the Director of Public Affairs, Caroline Roberts. All DMA members have been asked for input into the information that went to the Ministry of Justice at the start of this year, which was submitted in September; the DMA’s Chair Scott Logie chaired a meeting with government late in October.

This is possibly the single biggest issue facing all DMA members, irrespective of channels used to communicate to customers, which is why at the Email Marketing Council level there have been discussions on the impact and we plan to use this blog to collect some of our thinking on the various elements of the proposed legislation.

This is where you, the readers of this blog as email marketing constituents, come in – as elected representatives we want your input. As with any elected group, we have our thoughts and ideas which we’ve debated and discussed at council level. The proposed legislation presents some very evident challenges for email marketers. What we, as a council, agreed to do is post a series on the key themes over the coming months which debate some of the key points – each written by one of our council members. Specifically debating a subsection of the proposed regulation along the lines of: here is what the EU’s proposal says and here is what it could mean for email marketers.

I am proud to serve a very active council and such a vibrant interest group as email marketing. The council has been active on a number of fronts and this blog is itself very well-read. The discussion and debate from within the email industry (which is you!) is what makes this an exciting and dynamic industry to be part of. I’d therefore urge and encourage all stakeholders to provide feedback on the forthcoming blog posts – I’d love to hear your thoughts and feelings on these themes. You are of course also welcome to contact either me directly or any member of the DMA team.

Richard Gibson, Chair Email Marketing Council and Director Client Services, Return Path.

Become a “permission purist” for maximum deliverability

The delivery rate you see in your email service provider’s UI only tells half the story. You may be sending with a 99% delivered rate but what that means is that your email messages were handed off to a receiver without a bounce response – what that receiver, usually an Internet service provider (ISP), actually does with the email when they receive it is perhaps the most important aspect, which most marketers tend to take for granted.

When I talk about the topic of deliverability, I am always keen to stress that true deliverability is about making sure you as a marketer follow best practices as a sender in order to maximise the chance of your email marketing campaign reaching a subscriber’s inbox. If you’re not doing this, you are very unlikely to be achieving the end goals of whatever you set out to do – be it boosting your click rate, conversion rate or even just a simple brand awareness campaign which doesn’t even have a call to action. Bottom line is, if you aren’t getting to the inbox, your results are not going to be optimal – your beautifully crafted email creative could be languishing in the junk folder or, worse still, could have been deleted silently by the ISP.

Personally I am a purist for permission, in the Seth Godin sense of the word. If you want to send truly effective email marketing campaigns (not just deliverability, but overall ROI), and maximise your chances of reaching the inbox, then make sure you have permission to do so from the person you are sending to. Not only is this sensible commercially, but also legally – by ensuring your recipients have actually consented, or opted-in to receive communications from your company or brand, you are highly likely to be in compliance with most Anti-SPAM legislation that exists around the globe.

The consideration from a deliverability perspective is that permission best practices usually go hand in hand with data management best practice – making sure your list is clean of bad data which may hard bounce, making sure the data you have has an associated date stamp (be it acquisition source date, or last click/open), and making sure all those people who have unsubscribed, or opted out, of receiving your communications have been removed before send.

This in turn means that the metrics which receivers will judge you on should be relatively good, or at the very least, better than the worst offenders (spammers) – i.e. they won’t see you having loads of bounces, generating lots of complaints or unsubscribes and people will actually open and click within your emails.

If you are not sure what happens to the email once it has reached an ISP, then there are some key things to look at which may give you some insight. They will also help better protect yourself as a sender:

  • Monitor key metrics such as open & click rates – particularly by domain. If you are seeing noticeably lower rates at a particular domain that can be a good indicator that you are having some issues reaching inboxes at that ISP.
  • Also look at complaint rates and unsubscribe rates – make sure you are signed up to feedback loops and are able to process those complaints (your ESP should be able to handle this for you). If complaints are high this is potentially because subscribers are seeing your message as junk, or perhaps not expecting to receive it. If unsubscribe rates are particularly high then something is potentially very wrong as your subscribers have asked to receive these emails.
  • Track and Monitor your Sender Score – this will give you good insight into how receivers (ISPs) are viewing you as a sender. They will look at similar metrics – this can be done for free at
  • Regularly check your Inbox Placement – this will give you an indication of how ISPs are classifying the messages you are sending, either sending them direct to Inbox, placing them into the JUNK folder, or perhaps deleting them without a second look – this can be done by seeding your list with your own accounts at key ISPs, or by using a third-party such as Return Path’s Mailbox Monitor or IBM Unica’s Email Optimization tool
  • Sign up for SNDS – this is operated by Hotmail, but if you have a good proportion of Hotmail addresses on your list then this will provide useful insight into whether you are hitting any spam traps

Note that many of these depend on you being able to send from your own dedicated IP address – by doing this you typically need to maintain a good level of volume in order for receivers to have a consistent view of you as a sender, but even if you don’t have masses of volume at least you are in complete control of what is sent from your IP address. This way you are not held accountable to senders who may be using the same shared IP range as you, but who may have completely different business models or data management practices, which may not be as good as yours…

By constantly monitoring these aspects of your campaigns, you can tweak and adapt your email marketing programmes when issues arise, and are much better placed to maximise your chances of those emails reaching the inbox, in turn helping you to achieve your marketing goals.
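The per-domain monitoring recommended in the list above, as an added example that is not part of the original post: it aggregates send, open, click and complaint events by recipient domain and flags domains whose open rate sits well below the list-wide rate or whose complaint rate is high. The event format, the `.example` domains, the counts and the three thresholds are assumptions chosen for illustration, not industry or ISP limits.

```python
from collections import Counter, defaultdict

# Constructed sample: recipient domain -> (sent, opens, clicks, complaints)
SAMPLE_COUNTS = {
    "isp-a.example": (1000, 220, 40, 1),
    "isp-b.example": (800, 40, 5, 6),
    "isp-c.example": (600, 130, 25, 0),
    "tiny.example": (10, 0, 0, 0),
}


def sample_events():
    """Expand the constructed counts into (recipient, event) rows, like an ESP export."""
    for domain, (sent, opens, clicks, complaints) in SAMPLE_COUNTS.items():
        for i in range(sent):
            rcpt = f"user{i}@{domain}"
            yield rcpt, "sent"
            if i < opens:
                yield rcpt, "open"
            if i < clicks:
                yield rcpt, "click"
            if i < complaints:
                yield rcpt, "complaint"


def per_domain(events):
    """Count each event type per recipient domain."""
    stats = defaultdict(Counter)
    for rcpt, event in events:
        stats[rcpt.rpartition("@")[2].lower()][event] += 1
    return stats


def flag_domains(stats, min_sent=100, open_ratio=0.5, max_complaint_rate=0.003):
    """Return {domain: [reasons]} for domains that look like they have inbox problems.

    A domain is flagged when its open rate is below open_ratio times the
    list-wide open rate, or its complaint rate exceeds max_complaint_rate.
    Domains with fewer than min_sent messages are skipped: a handful of
    recipients cannot show a reliable rate.
    """
    total_sent = sum(c["sent"] for c in stats.values())
    total_open = sum(c["open"] for c in stats.values())
    overall_open = total_open / total_sent if total_sent else 0.0
    flags = {}
    for domain, c in stats.items():
        if c["sent"] < min_sent:
            continue
        reasons = []
        if c["open"] / c["sent"] < open_ratio * overall_open:
            reasons.append("low_open_rate")
        if c["complaint"] / c["sent"] > max_complaint_rate:
            reasons.append("high_complaint_rate")
        if reasons:
            flags[domain] = reasons
    return flags


if __name__ == "__main__":
    for domain, reasons in flag_domains(per_domain(sample_events())).items():
        print(domain, ", ".join(reasons))
```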