How to ensure your email marketing is GDPR compliant

By Nigel Jones

Co Founder of The Privacy Compliance Hub

June 2018

There is a lot of information about how to send email marketing and stay within the law. Some of it is correct, some of it is wrong and some of it is simply confusing. Organisations seeking a simple answer to a simple question are left frustrated. Unfortunately, neither the legislators nor the regulators have been particularly helpful: they have issued numerous sets of guidance and spread the relevant law across several pieces of legislation. That is what produced the deluge of re-consent emails we all received in the days running up to the General Data Protection Regulation (GDPR) taking effect on 25 May 2018.

This frustration has had a significant impact on marketing departments, which often don’t know what they are allowed to do or what risks they are running.

In this article, we will give you the simple answer to the simple question – “How do companies send out marketing emails and stay within the law?” First, we will explain what has changed and how the confusion has arisen.

Before 25 May 2018 – the Data Protection Act and PECR

Prior to 25 May 2018, marketing emails were governed by the Data Protection Directive (implemented in the UK by the Data Protection Act 1998 (DPA)) and by the Privacy and Electronic Communications Regulations 2003 (PECR). PECR deals with electronic direct marketing: email, text message, fax and telephone calls.

That is a lot of law to read when all you want to do is send a marketing email!

PECR states that you must have consent to send marketing by email, and what counted as valid consent was defined by reference to the DPA. To complicate matters, PECR also says that you don’t need consent if certain conditions set out in PECR are satisfied, allowing you to send email marketing under what is called the ‘soft opt-in’.

Put simply, ‘soft opt-in’ means that even though an organisation does not have true ‘opt-in’ consent from an individual to send email marketing, it may still do so if all of the following are true:

  • the organisation obtained the individual’s contact details in the course of a sale, or negotiations for a sale, of its own products or services (in practice, the individual is an existing or previous customer);
  • the email relates to the organisation’s own similar products or services;
  • the individual was given a simple opportunity to ‘opt out’ at the time the organisation collected their details; and
  • the individual is given the opportunity to ‘unsubscribe’ in every subsequent marketing email.

The DPA has now been replaced by the GDPR (supplemented in the UK by the Data Protection Act 2018), but PECR is still in force.

Still with us? Got those acronyms in your head? Well done. Let’s keep going.

After 25 May 2018 – the GDPR and PECR

Sending a marketing email constitutes the processing of personal data, and to process personal data you need a ‘lawful basis’ under the GDPR. Of the six lawful bases, the two realistically available for marketing are ‘consent’ and ‘legitimate interests’. However, ‘legitimate interests’ does not work for marketing emails, because PECR requires consent to send them (unless you qualify for the PECR ‘soft opt-in’). If you need consent (because you don’t qualify for the ‘soft opt-in’), that consent must now be of the quality required by the GDPR. It is this quality of consent that has changed under the GDPR compared with the DPA.

The GDPR requires that consent to send marketing emails be freely given, specific, informed and unambiguous, and that it be given by a clear affirmative action. Pre-ticked boxes, silence or inactivity do not count.

In other words, unless you can rely on the ‘soft opt-in’ under PECR, you need specific opt-in consent to send email marketing, given by a positive action such as ticking an (unticked) box.

Still with us? We are getting close to the practical conclusion you are looking for.

How you stay within the law

This is what you should do before sending a marketing email.

First, establish what rights (if any) you have to send marketing emails to your current marketing database. Did you get opt-in consent? Did you give individuals the chance to opt out when you collected their details? Was there an unsubscribe link in every email you sent them?

  • If you obtained consent, was it of the quality the GDPR requires? If not, you need to obtain GDPR-quality consent before sending your marketing email, i.e. send an email requesting specific, opt-in consent.
  • If you obtained consent from some individuals but not others and cannot easily tell which are which, you should probably obtain GDPR-quality consent from all of them before sending your marketing email, i.e. send an email requesting specific, opt-in consent.
  • If you believe you can rely on the ‘soft opt-in’ for your existing database, you have a choice to make. Either:

(a) you decide that you want GDPR-quality consent from every individual, so that the quality of your marketing database going forward is high, i.e. send an email requesting specific, opt-in consent; or
(b) you decide to continue relying on the ‘soft opt-in’ for all individuals (past and future) on your marketing database, i.e. carry on as you always have; or
(c) you draw a line on a certain date and keep two marketing databases: the past database relying on the ‘soft opt-in’ and a future database relying on GDPR-quality consent, i.e. you obtain GDPR-quality consent from new customers from that date onwards.

Whichever route you take, a request for consent is itself a direct-marketing message, so do not send it to anyone who has already opted out or unsubscribed; those individuals stay on your suppression list.

Second, make sure that your privacy policy makes it clear to individuals how you use their personal data for marketing and how they can choose not to receive such marketing.

Finally, you need a reliable process for removing anyone who asks to be removed from your marketing database, and for making sure they are not emailed again.
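The three steps above amount to a decision rule that a marketing system can enforce before every send. The following is an added example written for this article, not code from The Privacy Compliance Hub: it classifies each contact as having GDPR-quality consent, a PECR soft opt-in, or no basis; implements options (a), (b) and (c) via two switches; and keeps unsubscribed contacts off every list, including the re-consent list. The record fields (`affirmative_opt_in`, `obtained_during_sale`, `opt_out_offered_at_collection`, `unsubscribed`, `acquired`) and the sample database are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Basis(Enum):
    """Why (or whether) a marketing email may be sent to a contact."""
    GDPR_CONSENT = "gdpr_consent"   # clear affirmative opt-in of GDPR quality
    SOFT_OPT_IN = "soft_opt_in"     # all PECR soft opt-in conditions met
    NONE = "none"                   # no basis: do not send


@dataclass
class Contact:
    # Hypothetical record layout, assumed for this example (not from the article).
    email: str
    acquired: date                          # when the contact details were collected
    affirmative_opt_in: bool = False        # ticked an unticked box, or similar
    obtained_during_sale: bool = False      # details collected in a sale/negotiation
    opt_out_offered_at_collection: bool = False
    unsubscribed: bool = False              # ever opted out or unsubscribed


def lawful_basis(c: Contact, similar_products: bool) -> Basis:
    """Apply the article's rules to one contact for one campaign.

    similar_products: does this campaign advertise products/services similar
    to what the contact bought? (a campaign-level fact, not a contact field)
    """
    if c.unsubscribed:                      # an opt-out beats any other basis
        return Basis.NONE
    if c.affirmative_opt_in:
        return Basis.GDPR_CONSENT
    # Soft opt-in: details from a sale, similar products, opt-out offered at
    # collection. The fourth condition (unsubscribe link in every email) is a
    # property of the message template, enforced at send time, not here.
    if c.obtained_during_sale and similar_products and c.opt_out_offered_at_collection:
        return Basis.SOFT_OPT_IN
    return Basis.NONE


def plan_campaign(contacts, similar_products, rely_on_soft_opt_in=False,
                  cutoff: Optional[date] = None):
    """Split a database into send / request_consent / suppress lists.

    rely_on_soft_opt_in=False, cutoff=None -> option (a): consent from everyone
    rely_on_soft_opt_in=True,  cutoff=None -> option (b): soft opt-in for all
    cutoff=date(...)                        -> option (c): soft opt-in only for
                                              contacts acquired before the cutoff
    """
    plan = {"send": [], "request_consent": [], "suppress": []}
    for c in contacts:
        basis = lawful_basis(c, similar_products)
        if basis is Basis.GDPR_CONSENT:
            plan["send"].append(c.email)
        elif basis is Basis.SOFT_OPT_IN:
            allowed = rely_on_soft_opt_in if cutoff is None else c.acquired < cutoff
            (plan["send"] if allowed else plan["request_consent"]).append(c.email)
        elif c.unsubscribed:
            plan["suppress"].append(c.email)  # never email, not even to ask for consent
        else:
            plan["request_consent"].append(c.email)
    return plan


def record_unsubscribe(contacts, email: str) -> bool:
    """The removal process from the final step: flag the contact so every later
    campaign suppresses it, whatever basis it previously had."""
    for c in contacts:
        if c.email.lower() == email.lower():
            c.unsubscribed = True
            return True
    return False


# Constructed sample database for the example (not real data).
CUTOFF = date(2018, 5, 25)
SAMPLE = [
    Contact("ann@example.com", date(2017, 3, 1), affirmative_opt_in=True),
    Contact("bob@example.com", date(2017, 6, 1), obtained_during_sale=True,
            opt_out_offered_at_collection=True),
    Contact("cat@example.com", date(2018, 6, 1), obtained_during_sale=True,
            opt_out_offered_at_collection=True),
    Contact("dan@example.com", date(2016, 1, 1)),          # bought-in list: no basis
    Contact("eve@example.com", date(2017, 9, 1), affirmative_opt_in=True,
            unsubscribed=True),
]

if __name__ == "__main__":
    for label, kwargs in [("(a)", {}), ("(b)", {"rely_on_soft_opt_in": True}),
                          ("(c)", {"cutoff": CUTOFF})]:
        print(label, plan_campaign(SAMPLE, similar_products=True, **kwargs))
```

Running it with the sample data shows the practical difference between the options: under (a) only the affirmative opt-in goes out and every soft opt-in contact is asked for consent; under (b) the soft opt-in contacts are emailed; under (c) only the soft opt-in contact acquired before the cutoff is. In all three, the unsubscribed contact is suppressed rather than re-asked, and a campaign for dissimilar products demotes soft opt-in contacts to the re-consent list because the PECR condition is no longer met.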


But, watch this space

Unfortunately, there is more law on the way. The new ePrivacy Regulation was intended to come into force alongside the GDPR and replace PECR. That still hasn’t happened, and the resulting overlap between old and new law is the source of much of the current confusion.

Because it is uncertain what will happen to the ‘soft opt-in’ under the ePrivacy Regulation, we are advising all clients of The Privacy Compliance Hub not to rely simply on the ‘soft opt-in’ under option (b) above and, instead, to choose between options (a) and (c).

Consequences of getting it wrong

There are potentially severe consequences for failing to stay within the law when sending marketing emails (see our separate article on penalties under the GDPR). We think the regulator is likely to take an industry-by-industry approach to enforcement: if it believes a particular industry is behaving badly, it will target that industry.

We have also found that our ‘B2C’ clients have the most to worry about from getting this wrong. Individuals are actively looking for companies that send marketing emails unlawfully. They bring claims in court and threaten to report the company to the regulator, sometimes following through on that threat unless the matter is settled for a suitable sum. This is the sort of aggravation that companies really can do without!
