Clearing the muddy waters around email marketing

As 25th May hurtles ever closer, clients are asking us for advice on the muddy waters surrounding using their email database for marketing.  Do they need to get ‘opt-in’ consent, or ‘re-consent’ for all those historic email addresses that they hold currently?  What do they need to do with website sign up forms and bought-in lists? As ever, this is a case of ‘it depends’... but we’ll try to simplify things as much as possible, in this guidance note.


The background

Whilst the majority of generic email addresses (e.g. are not considered to be personal data under GDPR, those that identify an individual (e.g. are.  These individuals are ‘data subjects’ and the use of these email addresses for direct marketing by your organisation (the ‘controller’) is considered ‘processing’.

Perhaps the most common misconception about GDPR and marketing is that you can only continue doing it if you obtain fresh consents from the people you want to email.  This isn’t the case – consent is only one of available legal bases in the GDPR. So it just may be that all those emails clogging up your inbox pleading with you to opt-in so that “we can stay in touch” are totally unnecessary. In this article, we will attempt to navigate you through this complicated area and bust a few myths.

In order for processing for marketing purposes to be lawful, it has to meet one of the conditions set out in Article 6 of the GDPR (generally referred to ‘legal bases’).  The following two legal bases are potentially available for direct marketing purposes:

  • 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one of more specific purposes.
  • 6(1)(f) – the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

So you need to decide whether your organisation is going to rely on the legal basis of ‘consent’ or ‘legitimate interests’ to continue using your email database for direct marketing.  Note that the official guidance on consent says you can’t rely on consent and/or another legal basis for a particular processing purpose.


Can we use consent as our legal basis for email marketing? 

You’ve probably heard that ‘consent’ as defined in the GDPR is harder to obtain than under the previous law.  The GDPR says that consent has to be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by way of a statement or clear affirmative action.  You have to be able to demonstrate that this level of consent was obtained.  It’s not enough that people ‘agreed’ to general terms and conditions or a privacy policy, or if the ‘consent’ was based on an opt-out rather than an opt-in, if the consent option was pre-ticked, or if their consent was implied by some form of inaction or continued use of services.  Individuals can withdraw their consent at any time and you have to tell them this when ask for their consent, and it has to be as easy to withdraw consent as to give it.

So you can only rely on consent as your legal basis for email marketing where you can demonstrate that the recipients of your emails gave the GDPR-standard of consent described above.  It’s probably reasonable to assume that most existing email databases contain few, if any, individual contacts who gave this kind of consent to receiving email marketing.


Watch out!  

This has led many organisations to believe they need to ‘refresh’, ‘re-paper’ or get new consents, a belief encouraged by official guidance on consent from both the ICO and the Article 29 Working Party.  The obvious/easiest way to do this is to send emails to everyone in the database asking them to provide their consent (particularly as the email address may be the only contact detail you have for them).  This is why we’re all receiving numerous emails from organisations saying ‘Do you still want to hear from us?’ and the like.

However, the ICO fined Honda and Flybe for sending emails asking people to confirm their marketing preferences (see ICO entry on this:  The ICO viewed these as marketing emails, and because Flybe sent them to people who had previously opted out, and Honda sent them to people who hadn’t consented to receive marketing emails, this was a breach of Reg 22 of the Privacy and Electronic Communications Regulations 2003 (see more on this later).  As quoted on the above ICO page, “Businesses must understand they can’t break one law to get ready for another”.

These leave organisations without an obvious/easy way to seek consent, and we’re not aware of any authoritative statement on this issue by the ICO.

So, unless you are very confident that you can rely on consents previously given and don’t need to seek GDPR-standard consent, you’re probably better off seeing if you can rely on the legitimate interests legal basis to continue marketing to contacts in your email database.


Let’s talk about legitimate interests a bit more.

Recital 47 of the GDPR says that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Recital 47 also states that when considering whether the rights/freedoms of individuals override the controller’s legitimate interests, organisations will need to take into account “the reasonable expectations of the data subject based on their relationship with the controller”.

To determine whether you can rely on the legitimate interests legal basis for your email marketing you need to conduct a three-stage test:

  1. Identify the legitimate interest – what is the purpose of the processing?
  2. Carry out a “necessity” test – is the processing “necessary” for the legitimate interest identified above?  (Note “necessary” might not go as far as “indispensable” but does go further than “useful” or “desirable”.)
  3. Carry out a “balancing” test - do the individual’s rights/freedoms override/outweigh the legitimate interests of the controller?

Here’s an example of the three-stage test being applied to email marketing by ‘BigCo’:

  1. What’s the legitimate interest?  BigCo wants to use the email addresses to send emails to contacts to raise the profile of the organisation, to drive sales and to maintain a relationship with customers.
  2. Why is it necessary for BigCo to do this?  This is targeted so that the content is entirely relevant to the receiver, and received by the correct person.  Email addresses are necessary to allow this to happen.  Emails also have less environmental impact than post and that’s important to both BigCo and its customers.
  3. The balancing test.  BigCo considers it within the ‘reasonable expectations’ of the individuals that they’ll be in touch via email.  In the majority of cases there is a pre-existing relationship.  Also, they are given a clear opportunity to opt-out of email marketing at the time and BigCo checks, before each mailing, to remove those that have.  The emails are tailored to contain information that is of interest to the individual.  The emails are relatively non-intrusive and have a lower environmental impact than sending them via post.

So far so good… but a word of warning… If BigCo couldn’t satisfy the legitimate interest ground, then they would need to stop processing emails for marketing (except where it has GDPR-standard consent in respect of any of particular contacts).  If BigCo has only used these emails for marketing purposes, and can’t satisfy the legitimate interest legal basis (or any other legal basis), then logic (and the GDPR!) would suggest that it should remove the details from its database (since (a) you can only process personal data if you have a legal basis and (b) you shouldn’t keep personal data any longer than necessary for the purpose for which it is processed).

In reviewing the test it’s probably reasonable to draw the conclusion that, under GDPR, BigCo can carry out marketing activities as described above relying on the ‘legitimate interests’ legal basis.


But that’s not the end of it, where emails are concerned. If you use emails for your direct marketing, in the UK you also need to comply with the Privacy and Electronic Communications Regulations 2003 (PECR), which implements the EU e-Privacy Directive 2002/58 EC. We'll be discussing this in more detail in the next article.