Don't do that, it will be disastrous for you.

Instead, send them a politely worded one-time announcement with an invitation to subscribe. Clearly mention that if they don't, this is the last mail they'll get from you, and keep that promise by deleting their address. You'll still get some pushback, but I think most people would find that acceptable.

reply
At least with your suggestions there's some chance that their newsletter won't instantly get flagged as spam.

I'd do what you suggest, but send the newsletter from a separate domain once subscriptions have been confirmed.

reply
That one-time announcement is called an email. And therefore that first announcement itself can be flagged as spam.

And naturally, unless they click a link in the first email, gmail should consider anything subsequent to be spam anyway. They have no idea whether consent happened somewhere else or not.

The unsubscribe links must work without even opening the email, according to gmail rules.

reply
What I'd be concerned with is that if you have never sent anything to these users, they might have forgotten where and when they gave you their email address and simply mark your message as spam.

We've trained users to not use "unsubscribe" because some spammers once used that to verify addresses, or they may simply click "Spam" because they forgot who you are and think you got their address illegitimately. Gmail also doesn't make unsubscribe as visible as "Spam", making flagging the easier option. So now Gmail will see some percentage of users manually flagging you as a spammer, tainting your sender. This is why I'd switch the newsletter to a new domain or at least a new sender address. That does mean preparing that new sender, giving it a bit of time to mature, sending a few emails to Gmail accounts you control and ensuring that they are not flagged as spam.

Probably also test with a list of Gmail accounts you control and check if you're tagged as spam and fix that, before doing the big push.

reply
> I'd switch the newsletter to a new domain or at least a new sender address

Big Red Flag for the spam button: newsletter comes from a different domain than it links to.

Don't switch your newsletter to a new domain. Use your domain, or don't send it.

newsletter@yourdomain.com is totally fine.

reply
As a gmail user who may or may not have had to enter an email address to do something on the web, and who gets annoyed by spam, let me describe my decision points (anecdote is not the plural of data, of course, but here I am) when it comes to "unsubscribe" vs marking something "spam."

If your email reminds me (upfront!) how and when and why I specifically gave you (and not some other third party) my email address, and promises that you are advertising this newsletter one time, and it is opt-in, and you keep your promise, I am highly unlikely to mark it spam.

Now, this presupposes that it was really me who gave you my email address. I have a fairly generic email address because I got on gmail early. There are many variants of it, but sometimes people forget to add the trailing numbers or letters, so I get misdirected email all the time.

If the misdirected email is personal, I usually respond letting them know of the issue.

If the misdirected email shows a clear understanding that I might not have been the one who really signed up then I give them a pass.

If the misdirected email blithely assumes that I am the one who signed up, then I blithely assume that its senders are too fucking stupid to use the internet and it goes straight into the spam bucket. (And this is usually an easy call because they use the name of the person with the similar email address, which is not my name. My email address is firstinitiallastname@gmail.com and there are many different first names that start with the same initial.)

Any failure on any of those other points starts to increase the likelihood of it being marked spam, and...

> The unsubscribe links must work without even opening the email, according to gmail rules.

So here's where I'm a hard-ass and maybe even worse than google's rules.

If I see the RFC8058 unsubscribe link, it is too late. I only notice that link after I've decided to mark your email as "spam" and google asks if I'm sure, or if I merely want to unsubscribe.

Why did I decide to mark your email as spam? One possible reason is that I read through it, decided that the sender legitimately had my email address and was acting honorably, and then clicked the unsubscribe link embedded in the email.

When I do that, one of two things happens. Either I get some form of "thank you, you've been unsubscribed" or nothing happens because the sender assumes that I am OK with them executing javascript on my computer.

This is a privilege I jealously guard and only reluctantly offer to as few websites as possible.

Even if I previously gave you my email address, that did not come with an open invitation to use my computing resources for your own purposes.

reply
So by your own description, ANYONE sending you a newsletter, by complying with Google’s rules, they piss you off and make you mark their email as SPAM because, according to you, they made “javascript execute on your computer”. Actually, gmail is the one executing tons of javascript. The mandatory unsubscribe LINK uses HTTP, not even HTML. Google just requires that the unsubscribe be instant.

It is an unwinnable situation.

With all respect, why would I care what an impossibly hardass tech person would do if I sent them an email in an unwinnable situation? The vast majority of our users are not this technical, let alone a hardass HN denizen who advertises the fact that the mere compliance with Google’s rules will piss them off due to a misunderstanding of how unsubscribe works.

Here is what we might both agree on: email sucks. You shouldn’t be reachable by anyone who just has your address, and it is not your job to be vigilant. Then all these problems go away.

reply
> So by your own description, ANYONE sending you a newsletter, by complying with Google’s rules, they piss you off and make you mark their email as SPAM because, according to you, they made “javascript execute on your computer”.

Are you deliberately being obtuse, or is it natural? I don't need to use gmail's web interface if I don't want to, but as it happens, I do let google's javascript execute on my computer.

> The mandatory unsubscribe LINK uses HTTP, not even HTML.

Two links are required. One in the header, and one in the email. As I wrote, if I read to the end of the email to make a decision, then I will click on the link in the email. Which often goes to a webpage with javascript on it.

> It is an unwinnable situation.

Did I write that I mark everything as spam? No? Why not, I wonder? Did it ever occur to you that if I am describing when I mark things as spam, that there are things that I don't mark as spam? No? Do you even read what you yourself write? No? You should try it sometime.

> With all respect, why would I care what an impossibly hardass tech person would do if I sent them an email in an unwinnable situation?

With all respect, if you wrongly believe the rules I gave are unwinnable, you shouldn't care. I won't be receiving further missives from you, and nature will take its course in determining whether I was an outlier or the canary in the coalmine.

reply
To quote your own words:

>So here's where I'm a hard-ass and maybe even worse than google's rules. If I see the RFC8058 unsubscribe link, it is too late. I only notice that link after I've decided to mark your email as "spam" and google asks if I'm sure, or if I merely want to unsubscribe.

The way I read it, this is an unwinnable situation. We must supply this link, in order to comply with Google's rules. If you see this link, it's too late. You're marking it as spam. Because I may run javascript on your computer.

Having re-read it, it sounds instead like: you're likely to mark it as spam before you get to this link (even though the web interface surfaces the unsubscribe button right in the list of emails -- but you don't use that interface).

Well, I guess there is a narrow path to "victory": mention that it may have been someone else who signed up, then if you see the unsubscribe link, you click it, then I'm supposed to say "thank you" and not serve any javascript. Anything else, and you click SPAM. Or maybe you already did.

reply
> The way I read it, this is an unwinnable situation. We must supply this link, in order to comply with Google's rules. If you see this link, it's too late.

That's an obtuse reading.

I am looking at the email. The email has a different link, mandated by the CAN-SPAM Act, in it.

Gmail has a bunch of icons at the top. There is not one for "unsubscribe".

So, I read your email, decide it is legitimate but I am not interested. I click on the link (not RFC8058) in the body of the email message itself to unsubscribe.

If that link takes me to a page that does nothing because it wants to execute javascript on my computer, then we are done.

Look, I'm not a terrible writer and this isn't that difficult.

> Well, I guess there is a narrow path to "victory": mention that it may have been someone else who signed up, then if you see the unsubscribe link, you click it, then I'm supposed to say "thank you" and not serve any javascript.

Oh, well, you did understand. Sort of. Except I view this as a common-sensical extremely wide path. If it's the first time that you're emailing me, you damn well better realize that it might have been a fake signup, and how the fuck am I supposed to know your intentions if you attempt to serve javascript? What part of removing me from your database requires you to execute shit on my computer?

And by the way, about this part of that statement:

> if you see the unsubscribe link

If you're playing "hide the link" then you've already shown that your intentions aren't honorable.

> Anything else, and you click SPAM.

I don't actually click spam all that often. Only on, you know, spam.

Look, you're the one who mentioned that you might have collected some of these email addresses 10 years ago. I'm just giving you a heads-up. Not only may they have forgotten about signing up, but the addresses themselves might have been recycled by now.

> Or maybe you already did.

Nope. I've been upfront and transparent. I thought you were being that way, too, given your first comment. I even upvoted it because I thought all the downvoting was a bit excessive.

But the intransigence and mischaracterization here is stunning.

Look, there are two possibilities here. (1) is that I'm not that extreme, in which case you're probably fucked. (2) is that, yes, I'm an outlier, and if you satisfy my needs, then you probably won't have enough emails marked spam to trigger google's filters.

Now, if you truly feel that my conditions offer only a narrow path to victory, then you're probably not really someone I should be offering this advice to in any case, because our interests are not congruent. My only solace is that maybe you won't take the advice and you'll receive a banning for your efforts.

reply
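The two unsubscribe links discussed in this thread (the RFC 8058 header link and the link in the message body), as an added Python example that is not part of any commenter's post. The endpoint `https://example.com/unsubscribe`, the signing key and all function names are assumptions; the handler models an HTTP request as plain arguments rather than using a web framework.

```python
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"          # assumption: server-side signing key
BASE = "https://example.com/unsubscribe"  # assumption: placeholder HTTPS endpoint


def token(addr: str) -> str:
    """HMAC over the address, so a link cannot be forged for someone else."""
    return hmac.new(SECRET, addr.lower().encode(), hashlib.sha256).hexdigest()


def unsubscribe_url(addr: str) -> str:
    return BASE + "?" + urlencode({"a": addr, "t": token(addr)})


def build_message(addr: str, sender: str = "newsletter@example.com") -> EmailMessage:
    """Message carrying both links: RFC 8058 headers plus a visible body link."""
    url = unsubscribe_url(addr)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = addr
    msg["Subject"] = "One-time invitation to our newsletter"
    # RFC 8058: HTTPS URI in List-Unsubscribe plus this exact companion header.
    msg["List-Unsubscribe"] = f"<{url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(
        "You gave us this address when you installed the app.\n"
        "If that was not you, or you are not interested, unsubscribe here:\n"
        f"{url}\n"
    )
    return msg


def handle_unsubscribe(method: str, url: str, body: str, subscribers: set):
    """Return (status, response_text) for a request to the unsubscribe URL."""
    query = parse_qs(urlsplit(url).query)
    addr = query.get("a", [""])[0]
    tok = query.get("t", [""])[0]
    if not hmac.compare_digest(tok.encode(), token(addr).encode()):
        return 403, "invalid link"
    if method == "POST":
        # Mailbox providers POST this form field for the header link
        # (only the urlencoded form is handled here).
        if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
            return 400, "bad request"
        subscribers.discard(addr.lower())
        return 200, "You have been unsubscribed."
    if method == "GET":
        # Body link clicked by a person. GET never changes state, because link
        # scanners prefetch URLs; a plain HTML form does the POST, no script.
        return 200, ('<form method="post"><button name="List-Unsubscribe" '
                     'value="One-Click">Unsubscribe</button></form>')
    return 405, "method not allowed"
```

RFC 8058 also requires the message to carry a valid DKIM signature covering both headers, which is left to the sending infrastructure here.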
> Instead, send them a politely worded one-time announcement with an invitation to subscribe.

NO. DO NOT DO THAT!

That is terrible advice and it is against the law.

Opt-in has to be done without inducement and of a person's own volition.

Sending a mail to someone saying "pretty please sign up" is not valid opt-in. It is spamming a bunch of people hoping they will opt-in. It does not matter if you got their mail another way (e.g. if they purchased a product, you can't then spam them trying to get them to opt-in for your mailing list).

One of the fundamental reasons the opt-in law exists is to stop people doing the shit you suggest and ensure that lists are correctly built in a clean manner.

reply
Under GDPR, can someone send an email to people who 1) downloaded our app, 2) voluntarily entered their email, viewing a message that says if they do that, we can send them a newsletter about how to be more efficient with the app, and 3) selected what kind of person they are, e.g. a teacher, marketer, etc.

But it's been 10 years. Can we send them a newsletter now with an unsubscribe link? Does GDPR have an expiration date on that stuff? Yes it was affirmatively opt-in.

reply
I'm no expert, but I think that in principle you'd legally be okay. But the 10 years makes it more difficult on a personal level; many, likely most people will have forgotten about you and the permission they gave. Hence my earlier advice.
reply
> over the last decade

Be aware that under various regulations, you're potentially already at risk of accusation in terms of unwarranted data retention. If you haven't got a good reason to have kept those email addresses, something like the GDPR might not interpret that favourably. While the GDPR doesn't specify actual time limits, they are expected to be proportionate. Financial records are generally 7 years unless otherwise legally required, so for a decade, you would be saying that these email addresses are more critical/valid than that. That may be the case, I don't know your business, but be careful if you don't want some very awkward questions asked. Just the hassle of having to deal with complaints you might get (and various regulators would take notice of 1 million instances) is likely to be more than it's worth for most.

The suggestion downthread to send a very clear "we still have your address, would you like to opt in to this newsletter, otherwise we'll remove it" is not a bad one, but even then, some people will object to you still having it at all.

reply
People originally opted in and provided it expecting to get a newsletter on how to use the app. We never seemed to have the bandwidth to create a good enough one, so we never sent it. We kept improving the app until it became very good and still never sent the emails. But retained the addresses, so that one day we could tell people the app has improved, to give it a try, include animated GIFs of it in action and gradually educate them on ways to use it. For that I get chastisement on HN, figures.

Yes, there is a clearly valid business purpose under GDPR for retaining the email addresses of users who want to learn how to use your app better and opted in. If you plan to send a newsletter out.

Other than those voluntarily entered emails (which aren’t even linked to the user), we haven’t retained literally any information about our users, despite having millions of users download and use the app over a decade. Which is far beyond pretty much any social app I know. But almost no one actually cares.

reply
> For that I get chastisement on HN, figures.

I really wasn't trying to chastise, honestly it was intended as a friendly dollop of advice as someone who's dealt with this kind of thing. But since you have replied, I would say:

> Yes, there is a clearly valid business purpose under GDPR for retaining the email addresses of users who want to learn how to use your app better and opted in.

Relevance is likely to be seen as contextual. Someone wishing to do something a full decade ago is not likely to be seen as sufficient evidence to justify contacting them now in case they still wish to. That's a big chunk of the point about time-limiting data retention - the data gets less relevant and more problematic over time. I get that you're not trying to colour outside the lines here, but from the perspective of your users, and anyone looking at their potential complaints from a regulatory perspective, the window in which they reasonably consented to contact has closed (and probably some time ago).

The regulations are there, ostensibly, to protect consumers. They will be interpreted in that light. I can almost guarantee that if you sent an email to your downloader base 10 years after they last heard from you, being ignored will be the best case, and the worst will be reports to local regulators.

reply
Is there an actual regulation or case law showing what the cutoff time is de jure?

I would be glad to respect it if there was.

As it is, laws do allow for things they didn’t explicitly prohibit, and especially good-faith things like welcoming people to try the free app again, which they themselves downloaded and asked to be educated about, since it’s improved, and showing them how and why to use the improvements.

reply
Yeah, that's fair enough, and it is annoying that there is rarely a specific time set in regulation (or even case law which is broadly applicable). Most regulatory bodies will tend to say things like "as short as required/possible" for retention, which is clearly open to interpretation [0].

I would personally see 10 years as "a long time" in this kind of context (although that may be contextual depending on what your product does, obviously). If you can honestly claim/show good faith, that is usually acknowledged, but my point was rather how it would be seen out of the blue from an organisation that has been silent for 10 years (my personal first thought would be "why the hell have they still got my information?", but I am well aware that I'm not the average).

Genuinely, I don't mean to imply bad faith on your part, only to suggest the reactions it may receive, and how careful you should be with your messaging.

[0]: https://commission.europa.eu/law/law-topic/data-protection/r...

reply
> Is there an actual regulation or case law showing what the cutoff time is de jure? I would be glad to respect it if there was.

I'm sorry but what sort of BS excuse is that?

The whole point is that YOU are supposed to know: a) What data you have b) What you need it for

It is simply not possible for data protection law to spell out an exact cut-off time because there are so many permutations.

For example, if it's for tax reasons then you need to keep it for the duration dictated by tax laws.

But if it's email addresses you randomly harvested a decade ago, I think every man and his dog would agree that a decade is too long. Even more so if there is a material difference in permitted use of the harvested address.

P.S. There is no such thing as "good-faith things" in GDPR legislation. Please don't make shit up.

reply
So you’re retrospectively assuming consent? Gross.
reply
No, the consent was given, recorded, and never acted upon. It had no expiration date. Many of those people are still using the app today.
reply
> It had no expiration date

- non-legally speaking, consent for anything is never unlimited in time. So whatever the law says, you're probably doing a dick move, I'm sure you can conceive that most people you're going to email would rather not get this email and you're planning to do it anyway. So if you act against these people's interest, don't be surprised if they react negatively (reporting the email as spam, complaining, reporting you to authorities)

- legally speaking... IANAL, but I don't think that you're correct that you have a legal basis to have kept this data, and even less to use it for marketing purposes. I don't think that you'd win the argument that the consent is still "informed" after many years of not hearing from you. If a reasonable person would no longer expect to hear from this company, then I don't think you still have consent under GDPR (could be wrong, IANAL)

reply
So basically — you are affirming the point of the OP whose article was shared.

Wait too long — respect people’s attention and time so much that you don’t send them anything unless it is ready and benefits them - and apparently it’s spam when you finally do contact them. Meanwhile, if you were just drip feeding them slop once a month, then you’re fine.

I happen to agree with the article author, the email ecosystem is totally broken, that’s far more of a problem than small teams who have well-meaning intentions and respect for their users’ time. You’re blaming the victim, rather than the email system that’s open to SPAM and dominated by gmail.

reply
Most consent doesn't work like this in people's minds (never mind what you "recorded"). I'd be furious and immediately flag as spam and review the app 1 star (if possible) for good measure.
reply
Complete assumption on your part.
reply
It was a question with an assumed answer which I think is pretty likely. It wasn’t presented as fact.

I think at this point it’s pretty reasonable to assume the worst of email marketers, and I don’t care if you think otherwise :)

reply
Sure. I took it as I think you intended - a statement of your understanding. I guess I just was irritated in the moment, as people are constantly reacting to unverified assumptions when there are many real things to react to. Apologies if I added to the pile of annoying things on the internet for you!
reply
You’ve made an unverified assumption and are reacting to it.
reply
My reaction would be to report spam with a vengeance
reply
Oh my God don't do that
reply
What percentage of those million still use your app?

What percentage of those million remember the existence of your app?

Unless you're sure both of those are VERY high, you would be an absolute imbecile to spam them.

reply