Towards LGPD and Beyond – You’ve Gotta Have a Plan!

As the GDPR deadline of May 25th, 2018 approached, one of the biggest mistakes many European senders made was to leave everything to the last moment. By that stage, many email subscribers were completely overwhelmed by inbox overload, and their simplest response was “ignore everything!” As a result, lists were decimated – research from Yieldify showed one-third of marketers lost over 30 percent of their email lists, with Travel (37 percent), IT/Telecoms (32 percent) and Finance (28 percent) being the most impacted. We also saw individual programs that lost over 90 percent of their lists!

In the first two posts of this series we considered the legal bases for email marketing, and the importance of having robust deliverability to ensure your subscribers receive their LGPD emails. In this post, we’ll talk about strategies for making sure those messages get a response!

1. Start Early

The Royal Society for the Protection of Birds (RSPB) introduced its new sign-up form a full year before the GDPR deadline. Note how their approach is explicit, granular, and requires positive action to opt-in.

By the time GDPR became law, a large part of RSPB’s list was already organically compliant, meaning far less last-minute re-permissioning. They also saw much higher engagement levels from new subscribers, with open rates increasing by 1.15X and click rates by 1.9X!

2. Spread the Load

We’ve already explained the importance of avoiding sudden changes in volume. Mailbox Providers (MBPs) don’t like this behavior, because it indicates potential spam activity, or even that a program may have been compromised. In the UK one sender who tried to mail their entire base 1 day before the May 25th deadline saw over 80 percent of their emails sent to junk folders as a result.

Tesco understood this importance and took a more pragmatic approach, mailing approximately three percent of its database each day across a four-week period. In this way, volume impact was blended into Tesco’s daily activity. It also meant more conservative connection and throughput settings could be applied, which is good practice when mailing to less engaged audiences.

3. Don’t Rely on Just One Shot!

Successful re-engagement/win-back programs take a multi-email approach. If you only fire a single shot, you’re more likely to miss, as our previous research shows! Waitrose recognized this, and they ran a structured program of communications over the weeks leading up to GDPR, maximizing their opportunity to secure re-permission.

The first two emails focused on creating awareness of the new legislation, then explaining the benefits of remaining a member of the program (offers and discounts, recipe ideas, events, and tastings, etc.)

As the May 25th deadline grew closer, Waitrose increased the urgency of the language it used to persuade subscribers to continue with their program membership.

4. Maximize Your Marketing Real Estate

You don’t want to send LGPD messages to your email audience every day (although some UK and European senders did just this, generating serious program fatigue in the process!). But there are other ways of reinforcing the message while remaining reasonably subtle!

Clarks made use of the emails’ pre-header text, which read “We’ve updated our privacy policy and need to confirm you want to keep hearing from us.” This was a smart approach because most email clients now show 70-80 characters of pre-header text, meaning a good chance of the message being seen even without opening the emails.

Selfridges took a more visual approach, and for a 30-day period included the grey “Don’t lose touch” box in the top third of every marketing email they sent. As a result, they achieved exceptional subscriber retention rates, although engagement rates suffered because less promotional content was immediately visible to openers during this time.

5. Think Multichannel

Remember email doesn’t operate in a vacuum! It is part of a complex multi-channel ecosystem and your retention efforts should recognize this. Make sure you provide LGPD reminders when your customers login to their accounts. Also make them part of your postal, social and push messaging strategies if you use these channels.

If your marketing program operates above the line, also consider broader approaches to your LGPD messaging. We saw this memorable example from Manchester United football club, with re-permissioning messages shown on the digital advertising boards at Old Trafford stadium!

Another important element is Point of Sale (POS). Direct Marketing Association (DMA) research shows around 40 percent of new program sign-ups now take place in-store (almost 60 percent in the 18-34 segment). The Yieldify research also showed the single most effective tactic for post-GDPR list rebuilding was encouraging account registration and opt-in at checkout.

Senders with a physical presence should therefore think carefully about how they provide in-store LGPD education, providing advertising in the POS area, and equipping checkout staff with scripts and training to assist with these conversations.

Also, be aware LGPD will probably have an impact on the way e-receipts are issued. In the UK, guidance was clear that: 1) e-receipts cannot contain any marketing content (the consent to receive the e-receipt is not consent to receive marketing); and 2) customers must be provided with an opt-out from receiving email marketing at POS (meaning POS staff must be trained to ensure this happens). Read my DMA blog for more on this topic.

In summary, key points from this post are: start your LGPD preparations as soon as possible; spread out your broadcast schedule; don’t rely on a “one shot only” approach; and cover as many of your multi-channel bases as possible to communicate your LGPD messaging to your customers.

In the next—and final—installment of this series, we’ll provide guidance around effective use of language and creative to maximize the impact of your emails during the inbox overload period we are expecting as next August approaches.


Towards LGPD and Beyond – Getting Delivered

In the first post in this series about learnings from GDPR as Brazilian email marketers prepare for LGPD, we focused on acquiring new customers and prospects. Now we’ll look at approaches for existing subscribers. In Europe, senders generally took one of three routes:

  • Re-permission: Compared with previous data privacy legislation, GDPR imposed a higher duty of care. For senders using Consent as their legal basis, this meant refreshed permission would be needed for all existing address owners.
  • Privacy Notification: For senders who relied on Legitimate Interest as their legal basis, they needed to inform subscribers of the changes made to their privacy policies to achieve GDPR compliance.
  • “Blended” Approach: Some senders took a “blended” approach, using Legitimate interest for previous purchasers, with refreshed Consent being sought for the remainder of their lists.

All approaches meant good deliverability was critical. Many senders needed to email every member of their lists – at exactly the same time every other email program was doing the same thing! Any high traffic period like Black Friday/Cyber Monday sees deliverability taking a hit—even the biggest mailbox providers have finite bandwidth and processing capacity, and inbox placement is negatively impacted as a result:

GDPR was no different—as I reported in a DMA blog post last year, average spam filtering rates went up 25 percent as May 25th approached, and some individual senders saw over 90 percent of their email traffic end up in the junk folder!

This was critical—re-permissioning campaigns failed because subscribers couldn’t respond to emails that never delivered. There was also a big implication for the privacy policy updates because of the right to be informed. There is a strong argument that if these emails fail to deliver this right has not been observed.

There would also have been a big impact on subscriber trust, with many consumers believing the senders had unilaterally changed their privacy policies without even bothering to inform the data subjects!

What steps can Brazilian senders take to avoid these pitfalls?

1. Don’t Attempt to Raise the Dead . . .

Our Frequency Matters report identified that 9 percent of a typical email list is formed of “Dead” addresses—created then abandoned. This is hardly surprising—email lists typically churn at between 25 percent to 30 percent per year, meaning average time on list is somewhere between 3 and 4 years—even for best-in-class programs.

There is little point in attempting to send LGPD email communications to these addresses—they will never respond, and they could cause significant deliverability problems. A good starting point is to carry out a bulk validation exercise using a solution like BriteVerify. In this way, the dead addresses can be identified and suppressed, before the business-critical LGPD broadcasts happen.

2. . . . Then Draw a Line in the Sand

In Europe, many senders attempted to contact every address on their database, regardless of how old they were. One of my colleagues received this re-permissioning email despite having last been to summer camp in 2002!

This was ill-advised—our Lifecycle Benchmark 2019 report showed only 31 percent of new subscribers continue to interact with an email program beyond 12 months. Data decays over time, and older addresses are more likely to either not work (point one above), or—if they do work—to complain. There is also a real possibility that some have been re-purposed as spam traps. These factors combine to have a major negative impact on deliverability, which also means good addresses get junked too!

A key principle of the new laws is “minimization”—including that personal data should only be held for as long as it is needed. Also remember the mailbox providers have far more aggressive opinions on recency—30 days in the case of Gmail! We recommend all senders should define a sensible recency threshold, and then delete older records unless there is a legal requirement to continue holding them. 
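The two hygiene steps above (suppressing dead addresses before the broadcast, then applying a recency threshold with deletion of older records) can be expressed as a single pre-send pass over the list. The script below is an added example, not Return Path or BriteVerify code: the subscriber records, the validator verdicts, the 365-day threshold and the `legal_hold` flag are all constructed for illustration.

```python
"""Pre-broadcast list hygiene: suppress dead or invalid addresses (point 1) and
apply a recency threshold with deletion of stale records (point 2).

Added example, not Return Path or BriteVerify code. Subscriber records and the
bulk-validator verdicts below are constructed so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Tuple
import re

# Cheap syntactic screen only; a real bulk validator also checks the domain's MX
# records and whether the mailbox exists.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Subscriber:
    email: str
    last_engaged: Optional[date]  # most recent open or click; None if never engaged
    validation: str               # hypothetical validator verdict: valid / invalid / unknown
    legal_hold: bool = False      # record must be retained for a legal reason


def classify(sub: Subscriber, today: date, recency_days: int) -> Tuple[str, str]:
    """Return (bucket, reason); bucket is 'send', 'suppress' or 'delete'."""
    if not ADDRESS_RE.match(sub.email) or sub.validation == "invalid":
        # Dead or malformed: never mail it, whatever its engagement history.
        return "suppress", "address invalid or dead"
    stale = sub.last_engaged is None or (today - sub.last_engaged).days > recency_days
    if stale:
        # Beyond the recency threshold: data minimization says delete the record,
        # unless a legal requirement to retain it applies (then keep but do not mail).
        if sub.legal_hold:
            return "suppress", f"no engagement within {recency_days} days; retained on legal hold"
        return "delete", f"no engagement within {recency_days} days"
    if sub.validation != "valid":
        # Validator could not confirm the mailbox: keep the record, leave it out of the broadcast.
        return "suppress", "validation inconclusive"
    return "send", "recently engaged and valid"


def hygiene(subs: Iterable[Subscriber], today: date, recency_days: int) -> Dict[str, Tuple[str, str]]:
    """Map each address to its (bucket, reason) decision."""
    return {s.email: classify(s, today, recency_days) for s in subs}


TODAY = date(2020, 3, 1)  # constructed reference date
SAMPLE_LIST = [  # constructed records
    Subscriber("active@example.test", TODAY - timedelta(days=10), "valid"),
    Subscriber("typo@example", None, "valid"),  # fails the syntactic screen
    Subscriber("bounced@example.test", TODAY - timedelta(days=3), "invalid"),
    Subscriber("lapsed@example.test", TODAY - timedelta(days=3 * 365), "valid"),
    Subscriber("lapsed-hold@example.test", TODAY - timedelta(days=3 * 365), "valid", legal_hold=True),
    Subscriber("never@example.test", None, "valid"),
    Subscriber("unverified@example.test", TODAY - timedelta(days=5), "unknown"),
]

if __name__ == "__main__":
    for addr, (bucket, reason) in hygiene(SAMPLE_LIST, TODAY, recency_days=365).items():
        print(f"{bucket:8} {addr:28} {reason}")
```

Run against the constructed list, only `active@example.test` reaches the broadcast; the three stale records without a legal hold are deleted, and the rest are suppressed but retained. The threshold is a parameter because, as the post notes, the legally sensible value and the mailbox providers' view of recency (30 days at Gmail) are very different numbers.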

3. Know What the Mailbox Providers are Expecting from You

All major mailbox providers publish helpful bulk sender guidelines, and many of the most important recommendations are common to all of them:

  • Use active opt-in for new subscriptions
  • Provide one-click unsubscribe functionality (List-Unsubscribe)
  • Remove invalid and inactive recipients
  • Sign up to all available feedback loops
  • Authenticate using SPF, DKIM and DMARC
  • Publish meaningful reverse DNS records
  • Be consistent in use of from addresses, IP addresses, and sending domains

Detailed guidance can be found at the mailbox providers’ postmaster sites: Gmail (here); Outlook (here); and Verizon (here), as well as our excellent Marketers’ Field Guide (here). It’s all common-sense advice, and the mailbox providers are clear that having them implemented will help improve email deliverability.
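Several of the guideline items above (SPF, DKIM and DMARC records; a working one-click List-Unsubscribe header) can be checked mechanically before the LGPD broadcasts start. The script below is an added example, not code from Return Path or from any mailbox provider's postmaster site. It runs offline against constructed DNS TXT answers for the hypothetical domains `example-sender.test` (configured as recommended) and `weak-sender.test` (a permissive SPF and a monitor-only DMARC policy), plus a constructed outbound message; a real audit would resolve the records with a DNS resolver instead. Reverse DNS and feedback-loop enrolment are not covered because they cannot be verified from record syntax alone.

```python
"""Offline pre-flight checks against the common bulk-sender guidelines:
SPF, DMARC and DKIM record sanity, and the one-click unsubscribe headers.

Added example, not Return Path code or a mailbox provider's tool. The DNS
answers and the message are constructed inline so the script runs offline.
"""
import email
import re
from email import policy

# Constructed TXT answers for two hypothetical domains.
DNS_TXT = {
    "example-sender.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example-esp.test -all"],
    "_dmarc.example-sender.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example-sender.test; pct=100"],
    "s1._domainkey.example-sender.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AconstructedKey"],
    "weak-sender.test": ["v=spf1 include:_spf.example-esp.test +all"],
    "_dmarc.weak-sender.test": ["v=DMARC1; p=none"],
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name):
    """Stand-in for a resolver: return the constructed TXT answers for a name."""
    return DNS_TXT.get(name, [])


def parse_tags(record):
    """Parse the 'k=v; k=v' tag list format shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(domain):
    """One SPF record, ending in -all or ~all, within the 10-lookup budget."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return False, f"expected one SPF record, found {len(records)}"
    terms = records[0].split()
    if terms[-1].lower() not in ("-all", "~all"):
        return False, f"SPF ends in {terms[-1]!r}; use -all or ~all so unauthorised sources fail"
    lookups = sum(1 for t in terms[1:] if re.split(r"[:/=]", t.lstrip("+-~?").lower(), 1)[0] in SPF_LOOKUP_TERMS)
    if lookups > 10:
        return False, f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10"
    return True, "SPF ok"


def check_dmarc(domain):
    """One DMARC record with an enforcing policy and an aggregate-report address."""
    records = [r for r in lookup_txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return False, f"expected one DMARC record, found {len(records)}"
    tags = parse_tags(records[0])
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return False, f"invalid or missing DMARC policy {p!r}"
    if p == "none":
        return False, "DMARC p=none is monitor-only; move to quarantine or reject"
    if "rua" not in tags:
        return False, "no rua= address, so aggregate reports are never received"
    return True, f"DMARC ok (p={p})"


def check_dkim(domain, selector):
    """The selector's DKIM record exists and still carries a public key."""
    records = lookup_txt(f"{selector}._domainkey.{domain}")
    if not records:
        return False, f"no DKIM record for selector {selector!r}"
    if not parse_tags(records[0]).get("p"):
        return False, "DKIM record has an empty p= tag, i.e. the key is revoked"
    return True, f"DKIM ok (selector {selector})"


def check_list_unsubscribe(raw_message):
    """RFC 2369 List-Unsubscribe with both URIs, plus the RFC 8058 one-click POST header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    lu = str(msg.get("List-Unsubscribe", ""))
    if "<mailto:" not in lu or "<https://" not in lu:
        return False, "List-Unsubscribe should carry both a mailto: and an https: URI"
    if str(msg.get("List-Unsubscribe-Post", "")).strip() != "List-Unsubscribe=One-Click":
        return False, "missing 'List-Unsubscribe-Post: List-Unsubscribe=One-Click'"
    return True, "one-click unsubscribe headers ok"


def run_audit(domain, selector, raw_message):
    """Return {check name: (ok, detail)} for a sending domain and a sample message."""
    return {
        "spf": check_spf(domain),
        "dmarc": check_dmarc(domain),
        "dkim": check_dkim(domain, selector),
        "list-unsubscribe": check_list_unsubscribe(raw_message),
    }


SAMPLE_MESSAGE = """\
From: Newsletter <news@example-sender.test>
To: subscriber@example.test
Subject: Your weekly update
List-Unsubscribe: <mailto:unsub@example-sender.test?subject=unsubscribe>, <https://example-sender.test/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Constructed sample body.
"""

if __name__ == "__main__":
    for dom in ("example-sender.test", "weak-sender.test"):
        for name, (ok, detail) in run_audit(dom, "s1", SAMPLE_MESSAGE).items():
            print(f"{'PASS' if ok else 'FAIL'} {dom} {name}: {detail}")
```

The weak domain fails both its SPF check (a `+all` mechanism authorises every host on the internet to send as the domain) and its DMARC check (`p=none` reports but never acts), which is exactly the configuration that makes spoofed mail indistinguishable from the sender's own in the run-up to a high-volume period.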

4. Audit Your Reputation

It’s essential to know how mailbox providers see you as a sender. Many calculate their own versions of reputation scores, and poor scores will see senders getting blocked or junked, meaning an immediate negative impact on LGPD messaging.

One of the best-known reputation checkers is Sender Score, where email programs can plug in an IP address or sending domain to get their current reputation score. Senders want to be in the top tier (91-100) – our recent 2019 Sender Score Benchmark report showed senders in this tier achieve average delivered rates of 91 percent, while those in the next tier down achieve 71 percent – a 20 percent variance.

Reputation is determined by factors such as: complaints; unknown users; spam traps; authentication; black-listings; and subscriber engagement. Senders who are currently scoring outside of the top tier should address these causes before they start their LGPD campaigns.

5. Get Certified

The above points explain the deliverability challenges posed during high volume periods. Fortunately, there is a solution—members of the Return Path Certification program (the red line) typically see less impact. This is because they carry a higher level of trust, and therefore benefit from better placement and faster throughput.

In Europe, Certified senders saw a pronounced benefit in the form of higher inbox placement rates, and significantly greater subscriber retention as a result. This had a major financial implication—the DMA’s Marketer Email Tracker 2019 report calculated average subscriber lifetime value at £37.32 (almost R$200!). For a sender with a 1M address list, every 1 percent increment in subscriber retention was worth ± £300K (almost R$2M!)—a strong argument for Brazilian senders to invest in their LGPD readiness.

In this post we have examined how to build a platform for successful LGPD email broadcasts. In the next article in this series we’ll consider the importance of timing—when to start sending, how to ramp up activity, and the critical importance of not relying on a “single-shot” approach.

Timehop discloses July 4 data breach affecting 21 million

Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users. Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.

The startup, whose service plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit, not before millions of people’s data had been breached.

According to its preliminary investigation of the incident, the attacker first accessed Timehop’s cloud environment in December — using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a US holiday.

Timehop publicly disclosed the breach in a blog post on Saturday, several days after discovering the attack.

It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital “memories” was affected.

However, the keys that allow it to read and show users their social media content were compromised — so it has deactivated all keys, meaning Timehop users will have to re-authenticate to its app to continue using the service.

“If you have noticed any content not loading, it is because Timehop deactivated these proactively,” it writes, adding: “We have no evidence that any accounts were accessed without authorization.”

It does also admit that the tokens could “theoretically” have been used for unauthorized users to access Timehop users’ own social media posts during “a short time window” — although again it emphasizes “we have no evidence that this actually happened”.

“We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,” it adds.

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your “Memories” after you’ve seen them.”

In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop’s cloud computing environment by targeting an account that had not been protected by multifactor authentication.

That’s very clearly a major security failure — but one Timehop does not explicitly explain, writing only that: “We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to “all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)”. So evidently there was more than one vulnerable account for attackers to target.

Its exec team will certainly have questions to answer about why multifactor authentication was not universally enforced for all its cloud accounts.

For now, by way of explanation, it writes: “There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.” Which does have a distinct ‘stable door being locked after the horse has bolted’ feel to it.

It also writes that it carried out “the introduction of more pervasive encryption throughout our environment” — so, again, questions should be asked why it took an incident response to trigger a “more pervasive” security overhaul.

Also not entirely clear from Timehop’s blog post: When/if affected users were notified their information has been breached.

The company posted the blog post disclosing the security breach to its Twitter account on July 8. But prior to that its Twitter account was only noting that some “unscheduled maintenance” might be causing problems for users accessing the app…

We’ve reached out to the company with questions and will update this post with any response.

Timehop does say that at the same time as it was working to shut down the attack and tighten up its security, company executives contacted local and federal law enforcement officials — presumably to report the breach.

Breach reporting requirements are baked into Europe’s recently updated data protection framework, the GDPR, which puts the onus firmly on data controllers to disclose breaches to supervisory authorities — and to do so quickly — with the regulation setting a universal standard of within 72 hours of becoming aware of it (unless the personal data breach is unlikely to result in “a risk to the rights and freedoms of natural persons”).

Referencing GDPR, Timehop writes: “Although the GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.”

The company also writes that it has engaged the services of an (unnamed) cyber threat intelligence company to look for evidence of use of the email addresses, phone numbers, and names of users being posted or used online and on the Dark Web — saying that “while none have appeared to date, it is a high likelihood that they will soon appear”.

Timehop users who are worried the network intrusion and data breach might have impacted their “Streak” — aka the number Timehop displays to denote how many consecutive days they have opened the app — are being reassured by the company that “we will ensure all Streaks remain unaffected by this event”.