Organisations which send individuals direct marketing by email must comply with both the GDPR and the Privacy and Electronic Communications Regulations 2003 (‘PECR’). Under PECR, the general rule is that marketing emails cannot be sent without an individual’s consent, and that consent must meet the strict GDPR standard of valid consent. Consequently, because PECR requires consumers to consent to receiving marketing emails, the only lawful basis available under the GDPR for sending them is consent. However, there is currently an important exception to the general rule in PECR: the so-called ‘soft opt-in’.
The ‘soft opt-in’ exception
Marketing emails may be sent out lawfully to individuals who have not given specific consent where the ‘soft opt-in’ applies. It allows an organisation to market by email where:
- the recipient is a previous customer (or someone who has negotiated to buy a product or service);
- the email is about the organisation’s similar products/services; and
- the recipient was offered an opt-out when they originally provided their details and is given an easy way to opt out in every subsequent communication.
All three elements above must be present for marketing emails to benefit from the ‘soft opt-in’. Because PECR does not require consent in this situation, organisations are not bound to use consent as their lawful basis for sending these marketing emails and may instead select the most appropriate GDPR lawful basis.
But, there is a but
PECR is due to be replaced by a new EU law, the ePrivacy Regulation (‘ePR’). It is not yet known what changes, if any, will be made to the “soft opt-in” exception. Furthermore, now that the UK has left the EU and the transition period is due to end on 31 December 2020, we don’t know whether the ePR or something similar will be incorporated into UK law. Organisations using The Privacy Compliance Hub will know what action they need to take when the law changes.
Sending marketing emails to businesses
PECR does not apply to marketing emails sent in a B2B context. Emails sent to unnamed recipients, e.g. firstname.lastname@example.org, are not governed by the GDPR either, as no personal information is involved. However, the GDPR does apply to emails sent to named recipients, e.g. email@example.com. Therefore, although consent is not required under PECR to send emails to named corporate recipients, a lawful basis for doing so must still be identified under the GDPR. Most often this is legitimate interests, although, rather confusingly in this context, organisations may instead rely on consent if that is the most appropriate basis in the circumstances.