Organisations which send individuals direct marketing by email must comply with both the GDPR and the Privacy and Electronic Communications Regulations 2003 (‘PECR’). Under PECR, the general rule is that marketing emails cannot be sent without an individual’s consent, and that consent must meet the strict GDPR standard of valid consent. Consequently, because PECR requires consumers to consent to receiving marketing emails, the only lawful basis available under the GDPR for sending them is consent. However, there is currently an important exception to the general rule in PECR: the so-called ‘soft opt-in’.
The ‘soft opt-in’ exception
Marketing emails may be sent out lawfully to individuals who have not given specific consent where the ‘soft opt-in’ applies. It allows an organisation to market by email to a:
- previous customer (or someone who has negotiated to buy a product or service);
- about similar products/services;
- provided they were offered an opt-out when they originally provided their details and are given an easy way to opt out in all subsequent communications.
All three elements above must be present for marketing emails to benefit from the ‘soft opt-in’. As PECR does not require consent, organisations are not bound to use consent as their lawful basis for sending these marketing emails and may instead select the most appropriate GDPR lawful basis.
But, there is a but
PECR is due to be replaced by a new EU law, the ePrivacy Regulation (‘ePR’). It is not yet known what changes, if any, will be made to the “soft opt-in” exception. Furthermore, now that the UK has left the EU and the transition period is due to end on 31 December 2020, we don’t know whether the ePR or something similar will be incorporated into UK law. Organisations using The Privacy Compliance Hub will know what action they need to take when the law changes.
Sending marketing emails to businesses
PECR does not apply to marketing emails sent in a B2B context. Emails sent to unnamed recipients, e.g. firstname.lastname@example.org, are not governed by the GDPR either, as there is no personal information involved. However, the GDPR does apply to emails sent to named recipients, e.g. email@example.com. Therefore, although consent is not required under PECR to send emails to named corporate recipients, a lawful basis for doing so must still be identified under the GDPR. Most often this is legitimate interests although, rather confusingly in this context, organisations may use the consent basis if that is the most appropriate one in the circumstances.
The right to object to marketing emails
Individuals have an absolute right under the GDPR to object to direct marketing. If somebody tells you they no longer wish to receive your marketing emails, they must be taken off your marketing list as soon as possible and added to a marketing suppression list.
A culture of continuous privacy compliance
In our view, the very best way to ensure that your marketing department does not fall foul of the GDPR is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with the GDPR and other privacy rules. It contains everything that you need.