Now that the General Data Protection Regulation (GDPR) has come into force, fewer businesses are using email as a method of marketing.
The introduction of the law has led to many businesses wondering whether they will no longer be able to send marketing material to current, prospective or former customers without consent. After all, most people are unlikely to consent to receive marketing messages.
Since direct marketing can be so effective and cost efficient, understanding when it can be used is useful. And knowing when it shouldn’t be used can help avoid complaints to a supervisory body.
The GDPR doesn’t always apply, and if it does, consent to receive a message might not be necessary.
The first question: does the GDPR apply?
The GDPR only applies where personal data is being processed, and where that personal data belongs to a European Union citizen or resident.
That means that you can still send any information to anyone who is not an EU resident or an EU citizen. So, for example, if your business is based in the UK, you can send prospective customers in Australia any sales message you like.
Of course, it is a good idea to comply with the law of the country of residence of your recipients too, not necessarily because that law is enforceable against you, but rather because recipients will be more likely to be receptive to your message.
The EU hasn’t prevented rumours that the GDPR is applicable to every business in the world. There have been Net Lawman customers in Australia and South Africa who are concerned to comply with the law. There may be good reason for this. However, the law of a jurisdiction only binds people within that jurisdiction. UK law cannot be imposed on South Africans or Australians unless the governments of those countries allow it to be. When the EU has talked about fining large technology companies that are based outside the jurisdiction, it was more likely to be referring to fining the EU subsidiaries based on global revenues. Unless a foreign business has a subsidiary or an agent in the EU, the EU will find it difficult to enforce the rules of the GDPR against that business.
Second, GDPR is about “personal” data. That means the GDPR doesn’t apply when you send a promotional message to any address where an individual isn’t identifiable. For example, that might be a letter to “The Managing Partner” at a postal address, or to a generic e-mail address such as email@example.com.
As soon as an address contains an individual’s name, it becomes personal information. However, some businesses trade under the name of the owner and therefore it is not always clear whether firstname.lastname@example.org is a personal business address or a general business address.
The possible ambiguity is likely to be the reason why many businesses treat the address as if GDPR did apply. It is simply easier to process all data as if it were personal information than differentiate.
There are also good marketing reasons to address the message to an individual. Personalisation can increase open rates and action rates. Messages are more likely to be delivered (whether filtered through an automated e-mail system, or a human personal assistant).
The second question: if the GDPR does apply, do you need consent of the recipient?
The GDPR requires that you process personal information on one of six grounds.
One of those is consent.
However, unlike under the Data Protection Act, where consent could be given implicitly, the GDPR requires that consent is given explicitly for each specific purpose for which you intend to use it.
However, the enforcement of GDPR doesn’t mean that you are no longer able to send marketing material. That is because you don't always need the consent of the recipient.
Consent is often used as the ground for processing because it is not ambiguous. It has either been given or not. Consent and non-consent can easily be recorded.
However, you could also process data on the ground of Legitimate Interest.
To be able to do so, there has to be an interest. The motivation of the sender, which is often to sell more, is a sufficiently reasonable interest. The recipients’ interests do not have to be considered.
Next you have to decide whether the benefit of processing the data (sending a message) is greater than the risk of potentially infringing a recipient’s privacy.
Considerations might be:
- how much personal information is used, and whether that information is sensitive
- the subject of the message – whether the recipient might be interested to receive the message
- the relationship of the sender to the recipient
- whether the recipient has received similar messages in the past, and has not objected
- whether the recipient has the opportunity to stop receiving messages
- the frequency of the messages
For business to business marketing, where the address is a business address, and the only other personal information is a name, the potential harm caused to a recipient who would not want to receive a message is most likely low.
If you are marketing to previous customers, who would be reasonably presumed to be interested in your products and services, where there is a "soft opt-in" through implied consent, and where messages are not sent so often as to be a nuisance, Legitimate Interest is likely to be a basis you can use.
The Information Commissioner’s Office (ICO) provides guidance on this.
Removing the need for judgement
Over time you might want to move to using Consent as a basis because it doesn’t require subjective decision making. But you don't have to do this. You can continue to use Legitimate Interest.
But of course, there are advantages to doing so. It improves transparency and might help you answer why you send material if any recipient does question why you haven't asked for consent.
If you do use Consent as the basis, the PECR also applies
The Privacy and Electronic Communications Regulations (PECR) sit alongside the GDPR.
They are specific to the UK, applying only to UK businesses.
Consumers, sole traders, partnerships and employees are all treated as individuals. Specific consent is needed to send a message. So if you send these types of recipient a message, the lawful basis that you use under the GDPR must be either Consent or Contract.
Any corporate body can be contacted at an address such as email@example.com. That means that the lawful basis you use under the GDPR could be Consent or Legitimate Interest.
It is recommended that you use lists of businesses that have opted out of marketing messages, and screen your recipient list against those lists.
Consent is not always needed to send a marketing message to someone. However, if you do not carefully consider who is on a list of recipients and the context of each message, it is usually far less risky to market to those people who have given consent to you.