Toofr and GDPR

How we are keeping email processing compliant with GDPR

Updated on November 4, 2019


Wow! Like the changing of the tides, we are witnessing a global transformation in data privacy. On the one hand, the United States under the Trump Administration is moving towards relaxed privacy rules (Facebook flogging aside) while the EU and Asia tighten its regulations on data via the much-anticipated General Data Protection Legislation (GDPR).

So what does this all mean for Toofr? Well, unfortunately, a lot.

I should be clear -- Toofr by no means is anti-privacy. We hold private information sacred too, but we differ on what should be considered "private." An email address that you commonly find on websites, on business cards, or projected on a slide in front of thousands of people at a conference is not private. Just like how a business address or phone number you can see from the street or read in the Yellow Pages is not private. Toofr believes these are useful bits of public data that small businesses can use to grow.

In essence, our stance is if it's good for small business then we ought to protect it, enable it, find ways to improve it. The benefits of a growing economy are greater than the costs of some loss of privacy.

However, Toofr is but a very small business, and the European Union doesn't care a single iota what I have to say on this issue. The GDPR legislation becomes law on May 25, 2018, and we have to comply. Here's what we're going to do.

GDPR compliance

Let's break this beast down to brass tacks.

  • If you are a US business only prospecting into US businesses, then you're fine. It's business as usual and you should still remain compliant with the CAN-SPAM Act.
  • If you are prospecting into the EU then you need to do a few things differently. We'll share that below.

Cold emailing in the EU

So you want to send cold emails after May 25 to residents of the European Union? You can still do it, but you have to follow some new rules. Here they are.

Obtain consent first

Your first email now needs to be a non-commercial request for consent. Clearly explain who you are and ask your cold prospect to fill out a form. Here's a good article describing what these might look like. You will also have to store these forms in a secure area to prove that consent was obtained.

Rights to withdraw consent

Consent is not a one-way street. You must make it easy for the consenting individual to change their mind and withdraw. All data they provided to you must be permanently destroyed.

Agree to Toofr's DPA

Toofr now has a Data Processing Agreement (DPA) describing our capabilities as a data processor under Article 28 of the GDPR. As a customer of Toofr, you are most likely considered a data controller under the terms of the GDPR. Note that by using Toofr, you are agreeing to the terms of our DPA.

Data security

Toofr is also committed to ensuring the security of the millions of emails we process each month. Our servers and databases leverage the combined security of Salesforce (via its Heroku hosting platform) and Amazon Web Services (which supports Heroku). In essence, our data is as safe as Salesforce's data since we use the same web infrastructure.

Furthermore, Toofr will soon release an opt-out service, allowing any individual to blacklist themselves from all future customer requests that may come through Toofr. If a customer has opted out, then we will delete it from all lists and tables and never return that email address in the future.

More Find Emails Articles >>