Newsletter mailings and e-mail marketing are a fixed part of the online marketing universe. Processing is only allowed under GDPR if either the data subject has consented, or there is another legal basis. This could be, for example, preserving the legitimate interest of the controller (your business) to send e-mail marketing. Recital 47 of the GDPR expressly states that the law also applies to the processing of personal data for direct marketing as a legitimate interest.
In addition, such an interest could be seen, for example, if there is a relevant and proportionate relationship between the data subject and the controller. This could be the case if the data subject is a customer of the controller or is in the latter’s service.
Therefore e-mail marketing is allowed without consent, at least for existing customers. If the company has a justified interest in ‘cold’ calling through e-mail marketing, the marketing e-mails may be sent to potential customers without consent.
To receive no further information by newsletter or e-mail, the customer receiving them need only object to processing (unsubscribe) for marketing purposes. According to Art. 21(2), (3) GDPR the data subject always has the right to object to the processing of personal data for direct marketing purposes.
If the data subject objects, the controller only has to stop the processing for marketing purposes, but can still process the data for other purposes, e.g. for the performance of a contract.
There is another set of regulations that you need to comply with, these are called the Privacy and Electronic Communication Regulations 2003 or PECR for short. This works alongside the GDPR and is concerned with direct marketing in the form of calls, emails, faxes (who uses those anymore?) and cookies. Under PECR you have more freedom to contact businesses as opposed to consumers. You would need to use consent for consumers but can use legitimate interest for businesses.
Under GDPR, legitimate interest can be used for some types of direct marketing, the ICO have compiled the list below to help you understand when it is appropriate and when it is not:
|Marketing method||Is legitimate interests likely to be appropriate?|
|‘Live’ phone calls to TPS/CPTS registered numbers||✘|
|‘Live’ phone calls to those who have objected to your calls||✘|
|‘Live’ phone calls where there is no TPS/CTPS registration or objection||✓|
|Automated phone calls||✘|
|Emails/text messages to individuals – obtained using ‘soft opt-in’||✓|
|Emails/text messages to individuals – without ‘soft opt-in’||✘|
|Emails/text messages to business contacts||✓|
As long as you have screened telephone numbers against TPS/CTPS* and you keep your own records of people that have said ‘do not call’, then you can make calls to people under legitimate interest.
*Do you currently do this? If not you can use list cleaners in the UK which can be found at https://corporate.tpsonline.org.uk/index.php/tps/cleaners
Emails will require consent unless you have what is called ‘soft opt in’ which you get from pre-existing customers who have bought products or services directly from you.
You will therefore need to process the email addresses under consent. A good marketing list will be up-to-date, accurate, and reliably record specific consent for marketing. The ICO have also published some guidelines to help you maintain a good marketing list:
- You must be able to demonstrate that you have obtained valid consent, which means that you must keep records of who consented, when, how, and what you told people.
- Whether an organisation is collecting personal data for its own use, or to sell marketing leads on to others, it must always act fairly and lawfully.
- If collecting contact details directly from individuals, an organisation should provide a privacy notice explaining clearly that it intends to use those details for marketing purposes.
- If they intend to sell or disclose the details to other organisations, the privacy notice should make this very clear, and get the person’s specific consent for this.
- Organisations cannot send mass texts, emails or automated calls in order to generate leads, as they won’t have the necessary consent. And organisations cannot generate new leads by cold-calling numbers registered with the TPS.
- You must name any third party controllers who will be relying on the consent – precisely defined categories of third parties will not be acceptable under the GPDR.
- You must be able to demonstrate that the individual has consented to you processing their data for that particular purpose. This means that you must keep evidence of consent – who, when, how, and what you told people.
- Organisations must act fairly and lawfully when selling a marketing list. If an organisation obtained details from individuals with the intention of selling them on, it must have made it clear that their details would be passed on to third parties for marketing purposes and obtained their consent for this.
- It is good practice to specifically name (or at least give a clear description of) the third parties to whom details may be sold). A buyer will only be able to send marketing texts or emails, or make automated calls, to people on the list if they gave specific consent.