Email marketing when your consent is not up to GDPR standards


So if you collected details from existing customers and had an opt out option, this marketing can continue under GDPR.

Author: Nona Bowkis
Reading time: 4 minutes

This article is 4 years old.

Read our disclaimer keyboard_arrow_down

This website content is intended as a general guide to law as it applies to the motor trade. Lawgistics has taken every effort to ensure that the contents are as accurate and up to date as at the date of first publication.

The laws and opinions expressed within this website may be varied as the law develops. As such we cannot accept liability for or the consequence of, any change of law, or official guidelines since publication or any misuse of the information provided.

The opinions in this website are based upon the experience of the authors and it must be recognised that only the courts and recognised tribunals can interpret the law with authority.

Examples given within the website are based on the experience of the authors and centre upon issues that commonly give rise to disputes. Each situation in practice will be different and may comprise several points commented upon.

If you have any doubt about the correct legal position you should seek further legal advice from Lawgistics or a suitably qualified solicitor. We cannot accept liability for your failure to take professional advice where it should reasonably be sought by a prudent person.

All characters are fictitious and should not be taken as referring to any person living or dead.

Use of this website shall be considered acceptance of the terms of the disclaimer presented above.

We are advising our members on the standard they must achieve if they wish to rely on consent as their lawful basis for utilising personal data for direct marketing purposes.

Direct marketing being defined in the current Data Protection Act as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. 

As a reminder Article 6 of the GDPR sets out 6 lawful bases for processing personal data:

1.    Consent

2.    Necessary for a contract with the individual

3.    Necessary for compliance of a legal obligation

4.    Necessary to protect interest of the data subject or another natural person

5.    Necessary for a public interest task or official duty

6.    Necessary for legitimate interests of the controller or a third party.

While consent may seem the obvious basis for marketing activity, your pre-existing marketing databases may not meet the GDPR standard and so unless you want to do a Wetherspoons and scrap your entire marketing database, you will need to see if another base can apply. This is where ‘legitimate interests’ can come to your aid.

We suspect ‘legitimate interest’ will be well used. The ICO will no doubt be making sure it is not overused. So what will work?

Recital 47 of the GDPR specifically states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.  This is good news and could mean we can send out marketing under the lawful basis of legitimate interest. However, we need to balance this against the requirements of the Privacy and Electronic Communications Regulations (PECR) which deals with electronic

PECR Regulation 22 requires that a company needs consent to send a marketing email unless;

a)    the recipient is an existing customer or potential customer who has previously made an enquiry for a product or service

b)    the direct marketing is in respect to similar products and services only; and

c)    the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his    contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.

So companies will need to meet the GDPR criteria for consent to marketing unless it meets the above PECR criteria which is known as the ‘soft opt-in’ rule. The ‘soft op in’ means you can send marketing to your existing customers about similar products as long as you offered them the opportunity to opt-out when you first collected their details and you offer them to same opt-out opportunity in every subsequent marketing communication.

So if you collected details from existing customers and had an opt out option, this marketing can continue under GDPR (using legitimate interest as the basis). But, you must comply with Article 21 of GDPR which gives customers the ‘right to object’ at any point.

So, if you are a service and repair garage and you email existing customers prior to the anniversary of their car service to give them details of prices, then as long as you gave them the opportunity to opt-out when you took their details and state clearly in the email that they can opt-out at any time, you will be fine to continue emailing them every year. The same will apply if you send those customers details of similar services such as winter checks or MOT deals. Your GDPR lawful basis for processing is then legitimate interests (not consent as there is no opt-in, only an opt-out).

However, if you haven’t been following the law in regard to email marketing already, then you are likely to need to start again and get consent when the customer first makes contact. 

Nona Bowkis

Legal Advisor

Read more by this author

Getting in touch

You can contact us via the form or you can call us on 01480 455500.