How to ensure your email marketing is GDPR compliant

There is a lot of information about how to send email marketing and stay within the law. Some of it is correct, some of it is wrong and some of it is simply confusing. Organisations seeking a simple answer to a simple question are frustrated. Unfortunately, neither the legislators nor the regulators have been particularly helpful with their sending out of numerous guidelines and having the law in different places. This resulted in the deluge of emails we all received in our inboxes in the days running up to the implementation of the General Data Protection Regulation (GDPR).

This frustration has had a significant impact on marketing departments within organisations as they don’t know what to do, or what risks they are taking.

In this article, we will give you the simple answer to the simple question – “How do companies send out marketing emails and stay within the law?” First, we will explain what has changed and how the confusion has arisen.

The Data Protection Act and PECR

Prior to 25 May 2018, marketing emails were governed by the Data Protection Directive (enacted by the Data Protection Act 1998 in the UK (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). The latter deals with matters such as sending marketing by email, text, post and telephone.

Since the GDPR was introduced in 2018, sending a marketing email now constitutes the processing of personal data. To process personal data you need a ‘lawful basis’. There are two lawful bases available for marketing: ‘consent’ and ‘legitimate interests’. However, ‘legitimate interest’ does not work for marketing emails because PECR makes it clear that you need consent to send marketing emails (unless you qualify under the ‘soft opt-in’ under PECR). If you need consent (because you don’t qualify under the ‘soft opt-in’ under PECR), that consent needs to be of the quality required under the GDPR. It is the quality of consent that has changed in the GDPR compared to the quality of consent required under the DPA.

That GDPR requires that the consent to send marketing emails has to be freely given, specific, informed, unambiguous and provided by some form of clear affirmative action.

In other words, unless you can rely on the ‘soft opt-in’ under PECR, you need specific opt-in consent to receive email marketing which is given by some positive action such as ticking a box.

Still with us? We are getting close to the practical conclusion you are looking for.

How you stay within the law

This is what you should do before sending a marketing email.

First, establish what rights (if any) you have got to send marketing emails to your current marketing database. Did you get opt-in consent? Did you give individuals the right to opt-out? Was there an unsubscribe link in every email you sent them?

• If you got consent, was it of the quality required under GDPR? If not, you need to get such GDPR quality consent before sending your marketing email ie. send an email requesting such specific, opt-in consent.
• If you got consent for some and not for others and you can’t easily identify which are which, you should probably get GDPR quality consent before sending your marketing email ie. send an email requesting such specific, opt-in consent.
• If you think that you are able to rely on the ‘soft opt-in’ in respect of your existing database then you have a choice to make. Either:

(a) you decide that you want GDPR quality consent from every individual so that the quality of your marketing database moving forward is high ie. send an email requesting such specific, opt-in consent; or
(b) you decide to continue to rely on ‘soft opt-in’ for all individuals (past and future) on your marketing database ie. carry on as you always have; or
(c) you draw a line on a certain date and create two marketing databases – the past database relying on ‘soft opt-in’ and a future database relying on GDPR quality consent ie. you get GDPR quality consent from new customers moving forward.

Second, make sure that your privacy policy makes it clear to individuals how you use their personal data for marketing and how they can choose not to receive such marketing.

Finally, you also need the right processes in place to ensure that any individuals who want removing from your databases get removed.

But, watch this space

Unfortunately, there is more law on the way. The new ePrivacy Regulation was meant to come into force at the same time as the GDPR and replace PECR. We’re now in 2022 and this still hasn’t happened, which is why we have the current confusion.

Because of the uncertainty of what is going to happen to the ‘soft opt-in’ under the ePrivacy Regulation, we are advising all our clients of The Privacy Compliance Hub not to rely simply on ‘soft opt-in’ under (b) above and, instead make a choice between options (a) and (c).

Consequences of getting it wrong

There are rather extreme possible consequences of not staying within the law when sending your marketing emails. See our article on penalties under the GDPR here. We think that the regulator is likely to take an industry approach to enforcement. If it thinks that a particular industry is acting badly then it will target that industry.

We have also found that our ‘B2C’ clients have most to worry about from getting this wrong. Individuals are trolling for companies who are not sending marketing emails correctly. They are making claims in court, threatening to report the company to the regulator and, sometimes, following through on that threat unless they can settle the matter for a suitable sum. This is the sort of aggravation that companies really can do without!

Quick-fire round

Email vs text messaging: do the same GDPR regulations apply?

In short, yes. SMS marketing is regulated by the GDPR in the same way as emails.

Can you email an individual at a business?

Yes, providing you have a lawful basis for doing so, such as consent or legitimate interest. We go into more detail about that in this post.

Can I email potential customers?

As above, you may be able to prove that your potential customer has a legitimate interest in hearing about your product or service and that it would not have an unacceptable privacy impact on those recipients. Read more about that here.

Are email addresses considered personal data under the GDPR?

In short, if the person is identified, or is identifiable from their email address, then yes. If the email address is admin@company.com, then no. If the email address is dave.prentice@company.com, then yes. If the email address is dave@company.com, then maybe, if Dave Prentice is identifiable from that email address.

Can I email existing customers?

It depends what you want to email them about. If it is a service email about the product or service they have got from you then fine. If it is a marketing email then you need to follow the rules set out in this article.

Can I share email addresses?

Yes, but only if you have what is known as a ‘legal basis’ to do so. If a customer has signed up for certain services and performing those services requires an email address to be shared, such as with a courier company for example, then such sharing is ‘necessary for the performance of the contract’ you have with the customer and that is a valid legal basis. Other legal bases include consent and legitimate interests.

What if I send an email to the wrong person?

Sending an email containing personal information to the wrong person constitutes a data breach under the GDPR.

Can I track emails?

Tracking pixels are governed by PECR and technically you need consent for them. As ever, transparency is key.

How long can I retain emails for? 

There is no minimum or maximum time stipulated for email retention in the GDPR but it must not be kept for longer than necessary to achieve the purpose for which the personal data was collected or processed.