There is a lot of information about how to send email marketing and stay within the law. Some of it is correct, some of it is wrong and some of it is simply confusing. Organisations seeking a simple answer to a simple question are frustrated. Unfortunately, neither the legislators nor the regulators have been particularly helpful with their sending out of numerous guidelines and having the law in different places. This resulted in the deluge of emails we all received in our inboxes in the days running up to the implementation of the General Data Protection Regulation (GDPR).
This frustration has had a significant impact on marketing departments within organisations as they don’t know what to do, or what risks they are taking.
In this article, we will give you the simple answer to the simple question – “How do companies send out marketing emails and stay within the law?” First, we will explain what has changed and how the confusion has arisen.
The Data Protection Act and PECR
Prior to 25 May 2018, marketing emails were governed by the Data Protection Directive (enacted by the Data Protection Act 1998 in the UK (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). The latter deals with matters such as sending marketing by email, text, post and telephone.
Since the GDPR was introduced in 2018, sending a marketing email now constitutes the processing of personal data. To process personal data you need a ‘lawful basis’. There are two lawful bases available for marketing: ‘consent’ and ‘legitimate interests’. However, ‘legitimate interest’ does not work for marketing emails because PECR makes it clear that you need consent to send marketing emails (unless you qualify under the ‘soft opt-in’ under PECR). If you need consent (because you don’t qualify under the ‘soft opt-in’ under PECR), that consent needs to be of the quality required under the GDPR. It is the quality of consent that has changed in the GDPR compared to the quality of consent required under the DPA.
That GDPR requires that the consent to send marketing emails has to be freely given, specific, informed, unambiguous and provided by some form of clear affirmative action.
In other words, unless you can rely on the ‘soft opt-in’ under PECR, you need specific opt-in consent to receive email marketing which is given by some positive action such as ticking a box.
Still with us? We are getting close to the practical conclusion you are looking for.