Email marketing when your consent is not up to GDPR standards

We are advising our members on the standard they must achieve if they wish to rely on consent as their lawful basis for utilising personal data for direct marketing purposes. Direct marketing is defined in the current Data Protection Act as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.


As a reminder, Article 6 of the GDPR sets out 6 lawful bases for processing personal data:

1.    Consent

2.    Necessary for a contract with the individual

3.    Necessary for compliance with a legal obligation

4.    Necessary to protect the interests of the data subject or another natural person

5.    Necessary for a public interest task or official duty

6.    Necessary for legitimate interests of the controller or a third party.

While consent may seem the obvious basis for marketing activity, your pre-existing marketing databases may not meet the GDPR standard, so unless you want to do a Wetherspoons and scrap your entire marketing database, you will need to see if another basis can apply. This is where ‘legitimate interests’ can come to your aid.

We suspect ‘legitimate interest’ will be well used. The ICO will no doubt be making sure it is not overused. So what will work?

Recital 47 of the GDPR specifically states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This is good news and could mean we can send out marketing under the lawful basis of legitimate interest. However, we need to balance this against the requirements of the Privacy and Electronic Communications Regulations (PECR), which deal with electronic marketing.

PECR Regulation 22 requires that a company needs consent to send a marketing email unless:

a)    the recipient is an existing customer or potential customer who has previously made an enquiry for a product or service;

b)    the direct marketing is in respect to similar products and services only; and

c)    the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.

So companies will need to meet the GDPR criteria for consent to marketing unless they meet the above PECR criteria, which are known as the ‘soft opt-in’ rule. The ‘soft opt-in’ means you can send marketing to your existing customers about similar products as long as you offered them the opportunity to opt out when you first collected their details and you offer them the same opt-out opportunity in every subsequent marketing communication.

So if you collected details from existing customers and had an opt out option, this marketing can continue under GDPR (using legitimate interest as the basis). But, you must comply with Article 21 of GDPR which gives customers the ‘right to object’ at any point.

So, if you are a service and repair garage and you email existing customers prior to the anniversary of their car service to give them details of prices, then as long as you gave them the opportunity to opt-out when you took their details and state clearly in the email that they can opt-out at any time, you will be fine to continue emailing them every year. The same will apply if you send those customers details of similar services such as winter checks or MOT deals. Your GDPR lawful basis for processing is then legitimate interests (not consent as there is no opt-in, only an opt-out).

However, if you haven’t been following the law in regard to email marketing already, then you are likely to need to start again and get consent when the customer first makes contact. 

Interestingly, a Lawgistics member asked us earlier this week whether their current consent box and statement are acceptable under GDPR:

“We may use your information to send you details of special offers on products and services. Please tick if you do not wish to receive such emails”

The above is not OK under GDPR because the GDPR requires a positive opt-in, not an opt-out, and so the clause needs to read:

“From time to time we would like to send you information about our products, services and special deals. Please tick this box if you would like to receive such updates from us.”


Lawgistics members can get advice on GDPR from the legal team.

 

Authors: Nona Bowkis

Published: 06 Feb 2018
