Understanding the rules on email marketing - part 2
As 25th May hurtles ever closer, clients are asking us for advice on the muddy waters surrounding the use of their email databases for marketing. Do they need to get ‘opt-in’ consent, or ‘re-consent’ for all those historic email addresses that they hold currently? What do they need to do with website sign-up forms and bought-in lists? In our first article we tackled GDPR and legitimate interest. But that’s not the end of it where emails are concerned.
If you use emails for your direct marketing, in the UK you also need to comply with the Privacy and Electronic Communications Regulations 2003 (PECR), which implements the EU e-Privacy Directive 2002/58/EC. This deals with people’s privacy rights in relation to electronic communications networks and includes rules about confidentiality of communications, cookies and the use of electronic communications networks to send unsolicited direct marketing.
The rules on email marketing are in regulation 22 (see http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made ). In short, you must not send unsolicited email marketing to the email address of an ‘individual subscriber’ for the purposes of direct marketing, unless:
1. they have specifically consented to receiving electronic mail from you; or
2. they are an existing customer who bought (or negotiated to buy) a product or service from you in the past, the emails are about your similar products or services, and you gave them a simple way of refusing these emails both when you first collected their details and in every message you have sent since.
So to comply with Reg 22 when sending unsolicited emails, you need the recipient’s consent unless the circumstances in point 2, often termed a ‘soft opt-in’, apply.
For the purposes of Reg 22, the distinction between ‘individual subscribers’ and ‘corporate subscribers’ is important. An ‘individual subscriber’ is an individual who has a contract with a public electronic communications service for the provision of those services. A ‘corporate subscriber’ is a legal person that has such a contract, such as a company, limited liability partnership, Scottish partnership or certain government bodies. ‘Corporate subscriber’ can also cover an individual working for a corporate subscriber, but note that a sole trader or a partner in a traditional partnership will be an ‘individual subscriber’.
So, what does this mean for BigCo and their email marketing?
The ICO has recently indicated that legitimate interests is likely to be the appropriate legal basis for direct marketing by email in the following circumstances:
- for solicited email marketing, i.e. where the individual has proactively requested the email marketing (Reg 22 of PECR only applies to unsolicited emails)
- for emails to corporate subscribers, regardless of whether they are existing customers or have consented (Reg 22 of PECR only applies to individual subscribers)
- for emails to individual subscribers whose emails were obtained using the ‘soft opt-in’ (see point 2 above)
However, you still need to carry out the ‘three part test’ for legitimate interests (see our first article) in respect of marketing in these circumstances, to determine whether your interests in direct marketing are outweighed by the rights, interests or freedoms of the recipients of the emails. The ICO’s guidance gives more detail about the ICO’s thinking and reasoning about why legitimate interests may be appropriate in such circumstances – see the sections on B2B contacts and marketing: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/.
Relying on legitimate interests for direct marketing in practice:
If you are planning to use legitimate interests as your legal basis for sending email marketing to existing contacts in your database, there are a number of practical things you need to do to comply with the requirements of the GDPR and PECR:
- Only send emails to people who fall within the circumstances listed above.
- Provide the email recipients with your privacy notice, which must identify email addresses as a category of personal data that you process, describe the purposes you process it for (marketing), state the legal basis for that processing (legitimate interests) and state what your legitimate interests are (e.g. raising the profile of your organisation, driving sales and maintaining a relationship with customers). The privacy notice should also tell individuals that they have a right to object to marketing at any time, and explain how they can exercise this right.
- Tell individuals about their right to opt out of receiving direct marketing, and give them a simple means of opting out, in every email you send to them and, for future contacts, at the time their email address is collected.
- Make your identity plain and clear in every email and provide a valid contact address that individuals can use to request to opt out or unsubscribe (this might in practice overlap with providing a means of opting-out; however, it’s worth including additional contact details so that individuals can easily get in touch with you with any questions or complaints).
- Ensure that opt-out requests are received and recorded in the right places and ensure that no further marketing emails are sent to individuals who have opted out. (Complaints are most likely to arise when people who have opted-out continue to receive emails.)
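The Reg 22 conditions (consent, the soft opt-in, the individual/corporate distinction) together with the opt-out handling from the checklist above, as an added Python example that is not part of the original article; the Contact fields, campaign flags and email addresses are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Contact:
    email: str
    corporate_subscriber: bool = False   # legal person, or someone working for one (sole traders are individuals)
    solicited: bool = False              # the recipient proactively asked for this marketing
    consented: bool = False              # specific consent to receive marketing email from you
    existing_customer: bool = False      # bought, or negotiated to buy, a product or service
    opt_out_offered_at_collection: bool = False  # simple refusal offered when the address was collected

def reg22_permits(contact, similar_products, every_email_has_opt_out, opt_outs):
    """Apply the article's conditions in order; returns (allowed, reason)."""
    if contact.email.strip().lower() in opt_outs:
        return False, "opted out: send no further marketing"
    if not every_email_has_opt_out:
        return False, "every marketing email must carry a simple opt-out"
    if contact.solicited:
        return True, "solicited: Reg 22 does not apply"
    if contact.corporate_subscriber:
        return True, "corporate subscriber: Reg 22 does not apply"
    if contact.consented:
        return True, "individual subscriber with specific consent"
    if contact.existing_customer and similar_products and contact.opt_out_offered_at_collection:
        return True, "soft opt-in"
    return False, "individual subscriber: no consent and soft opt-in not satisfied"

def record_opt_out(opt_outs, email):
    """Record an objection (normalised) so every later campaign suppresses the address."""
    opt_outs.add(email.strip().lower())
    return opt_outs

def build_send_list(contacts, similar_products, every_email_has_opt_out, opt_outs):
    """Return the sendable addresses plus a log of suppressed ones with the reason."""
    send, suppressed = [], {}
    for c in contacts:
        ok, why = reg22_permits(c, similar_products, every_email_has_opt_out, opt_outs)
        if ok:
            send.append(c.email)
        else:
            suppressed[c.email] = why
    return send, suppressed

def sample_contacts():
    """Constructed sample database (hypothetical addresses)."""
    return [
        Contact("alice@example.com", consented=True),
        Contact("bob@bigco.example", corporate_subscriber=True),
        Contact("carol@example.com", existing_customer=True, opt_out_offered_at_collection=True),
        Contact("dave@example.com", existing_customer=True),   # no opt-out offered at collection
        Contact("erin@example.com"),                           # sole trader: no consent, never a customer
    ]
```

Running `build_send_list(sample_contacts(), True, True, set())` sends to alice, bob and carol only; once carol's objection is recorded with `record_opt_out`, she is suppressed with the reason logged.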
Future change in the law alert:
PECR and the e-Privacy Directive are due to be replaced by a new EU-wide e-Privacy Regulation. This is currently in the drafting stages, and although originally intended to come into force at the same time as the GDPR, it’s not currently known when it will be finalised. The new provisions might impact on whether legitimate interests can be relied on in some of the above circumstances. For example, the distinction between individual and corporate subscribers might be removed, meaning that you could only send unsolicited emails to corporate subscribers if the soft opt-in applies or they have consented, as is currently the case with individual subscribers under PECR. However, with regards to the soft opt-in, it has been suggested that the limitation on only providing information about ‘similar’ products and services could be removed – which would allow organisations to advertise their whole range to people who had bought or negotiated to buy any of their products or services. Of course, depending on the timing of this law and of Brexit, and on the Government’s approach to such EU laws after Brexit, it’s not certain whether or how the new e-Privacy Regulation will apply in the UK.
Clear as mud?
Hopefully this note has provided some clarity on how organisations can continue sending email marketing to contacts in their email databases whilst staying on the right side of the GDPR and PECR. Keep an eye out for further guidance from the ICO and other regulators on this subject, and on our website for further updates.