How to send marketing emails under the GDPR

Do you remember where you were during the great avalanche of May 2018? Piles of emails swamped inboxes across a vast area covering the UK and the EU. In the run-up to the GDPR, these emails requested consent to send further emails to their recipients after 25 May 2018. Some were necessary, but a large proportion of them were not. The avalanche was born of confusion about the GDPR and fear of fines. Even now confusion remains. Read on to find out when you need consent to send marketing emails and when you don’t.

By Claire Heaphy

Privacy Compliance Hub Information Officer

February 2020

Organisations which send individuals direct marketing by email must comply with both the GDPR and the Privacy and Electronic Communications Regulations 2003 (‘PECR’). Under PECR, the general rule is that marketing emails cannot be sent to individuals without their consent, and that consent must meet the strict GDPR standard of valid consent: freely given, specific, informed, unambiguous and given by a clear affirmative action (so no pre-ticked boxes or silence). Because PECR requires consent in these cases, consent is in practice the only lawful basis available under the GDPR for sending such emails; an organisation cannot sidestep PECR by relying on legitimate interests instead. However, there is currently an important exception to the general rule in PECR: the so-called ‘soft opt-in’.

The ‘soft opt-in’ exception

Marketing emails may be sent out lawfully to individuals who have not given specific consent where the ‘soft opt-in’ applies. It allows an organisation to send marketing emails where:

  • the recipient is a previous customer (or someone who has negotiated to buy a product or service) and obtained the organisation’s details in the course of that sale or negotiation;
  • the marketing is about the organisation’s own similar products or services; and
  • the recipient was offered a simple way to opt out when their details were originally collected and is given an easy way to opt out in every subsequent communication.

All three elements above must be present for marketing emails to benefit from the ‘soft opt-in’; if any one is missing, the general rule applies and consent is needed. The exception covers only the organisation’s own similar products or services, so it cannot be relied on to pass contact details to third parties or to send marketing on their behalf. As PECR does not require consent where the ‘soft opt-in’ applies, organisations are not bound to use consent as their lawful basis for sending these marketing emails and may instead select the most appropriate GDPR lawful basis.

But, there is a but

PECR is due to be replaced by a new EU law, the ePrivacy Regulation (‘ePR’). It is not yet known what changes, if any, will be made to the ‘soft opt-in’ exception.  Furthermore, now that the UK has left the EU and the transition period is due to end on 31 December 2020, we don’t know whether the ePR or something similar will be incorporated into UK law.  Organisations using The Privacy Compliance Hub will know what action they need to take when the law changes.

Sending marketing emails to businesses

PECR’s consent rules do not apply to marketing emails sent to corporate subscribers, i.e. in a B2B context. Note, however, that sole traders and some partnerships count as individual subscribers under PECR, so emailing a one-person business is treated like emailing a consumer. Emails sent to a generic, unnamed mailbox for a company are not governed by the GDPR either, as no personal information is involved. However, the GDPR does apply to emails sent to a named individual at a company, because a work email address that identifies a person is personal data. Therefore, although consent is not required under PECR to send marketing emails to named corporate recipients, a lawful basis for doing so must still be identified under the GDPR. Most often this is legitimate interests, although, rather confusingly in this context, it is open to organisations to use the consent basis if that is the most appropriate one in the circumstances.

The right to object to marketing emails

Individuals have an absolute right under the GDPR to object to direct marketing; unlike other objections, it cannot be overridden by the organisation’s interests. If somebody tells you they no longer wish to receive your marketing emails, they must be taken off your marketing list as soon as possible and added to a marketing suppression list. Do not simply delete their details: the suppression list is what stops the same address being marketed to again if it is later re-collected or imported from another source, so keep the minimum needed to recognise it and check every new list and campaign against it before sending.

A culture of continuous privacy compliance

In our view, the very best way to ensure that your marketing department does not fall foul of the GDPR is through a cultural shift in your organisation.  At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with the GDPR and other privacy rules. It contains everything that you need.