GDPR, Email Marketing and Seeking Consent

Written by Simon Jeffs, director at List Genie and member of the DMA Email Council

It is unlikely to have gone unnoticed, but in recent months brands and service providers across the board seem to have awoken to the reality of GDPR and what it may mean for maintaining communication continuity with their customers. A wave of panic has set in exemplified by the rash of email communications being deployed pleading with the individual to ensure that communications, particularly emails, can still be sent with all the unmissable content you could possibly imagine from your favourite holiday, telecoms, utility, fishing equipment retailer, (delete as appropriate) etc....

There is a noticeable tangle between obligations to comply with GDPR and the longstanding expectations of PECR compliance. In simple terms the receipt of an email asking for permission to keep sending, or worse, start sending emails to ensure (insert brand name) can maintain their relationship with you in the post-apocalyptic data world brought on by GDPR should set alarm bells ringing. The brands that are embarking on re-permissioning campaigns in such a context are undertaking a risky activity.

In the first instance, such a programme may reflect that the organisation either does not have or is not certain of the underlying communication preferences of the recipient. This is worrying territory to be in. To send a marketing email, which this is, an organisation must have permission as defined by PECR, and unless details have been captured in the course of a negotiation for a sale or service, opt-in consent is required. And you are on your own in trying to define what that negotiation looks like. All the same, if you don’t have permission, don’t go sending emails; GDPR compliance will not be the relevant factor here as Honda can tell you. To be clear, the rules for sending emails have been set since 2003, it’s not new news.

What perhaps brands should be doing is advising customers how their privacy notices have been updated. GDPR is very much orientated towards data subject rights and controllers are obligated to be as transparent in their processing of our data as possible. The GDPR sets out very clearly the additional demands in terms of notifying data subjects as to how their data will be processed, and the ICO has offered very clear guidance outlining what is required.

So perhaps what we need to be seeing is more communications advising us how our data will be processed moving forward and offering us the chance to object, rather than emails pleading with us to stay subscribed or confirm our permission settings. And if such communications are going to leverage the email channel, it is vital to ensure that the recipient has given their prior consent to receive them.

If you want to keep marketing after 25^th May you do need to either upgrade consent or, providing you have permission to email it, tell your database that you are using legitimate interests and offer an opt-out. Advising about your updated privacy policy is paramount but if you want to keep marketing you need to do more, but don’t break the current law to try and comply with the new one.

For more information on Email Marketing please view the DMA Email Best Practice Guide and for more information on Consent and Legitimate Interest click here.