With all the recent talk about GDPR, emails have come into the spotlight, and I’m sure we’ve all had emails asking us to re-subscribe to a marketing list!

The irony is that emails are governed by PECR, and that’s been around since 2003. Now *that thing* has caught everyone’s attention, people are focusing on emails! The rules around PECR are tightening because of GDPR’s consent requirements, but GDPR has also highlighted two things.

A lot of email marketing was breaking PECR rules anyway. Some people are re-consenting their list when there’s no need to. The problem with re-consenting emails is that typically only a third are opened, and only a fraction of those will take action, and with so many emails flying around asking us to re-consent, people just won’t bother.

If you send 1000 emails, let’s say 400 are opened, and 40 actually click on the re-consent link! Ouch, you’ve lost 96% of your list!

The following has been taken from the ICO guides available on their website, with some re-ordering and a bit of padding to make it a bit easier to understand.

GDPR covers the use of individuals’ personal data, whereas PECR covers the rules around how you can undertake certain types of marketing – specifically, electronic marketing messages. This includes emails, texts, picture messages, video messages, voicemails, direct messages via social media (including messenger systems like chatbots) or any similar message that is stored electronically.

Recital 47 of the GDPR says direct marketing is a legitimate use of personal information, which is true. It is important to remember, however, that other rules also apply, for example, the Privacy and Electronic Communication Regulations 2003 (PECR). PECR restricts the circumstances in which you can market to people and other organisations by electronic means. So when sending electronic marketing messages remember – you have to comply with both the data protection law (GDPR) and PECR.

Under PECR, where you are contacting a corporate subscriber (a company, Scottish partnership, limited liability partnership or government body) you do not need to have the consent of the individual to contact them. It is therefore important that you know you are contacting a corporate subscriber. If you are not sure, the ICO would recommend you treat the person as an individual subscriber. It is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that. Generic company email addresses (info@, mail@) aren’t covered by GDPR, but personal email addresses (firstname.surname@organisation.com) are.

You must not send electronic marketing to individuals without specific consent. Sole traders and partnerships are counted as individuals too, which is where some issues crop up – how do you know if the person subscribed to your list works for a limited company or is a sole trader? There is a limited exception for your own previous customers, often called the ‘soft opt-in’.

In short, you must not send electronic marketing to individuals, unless:

They have specifically consented to electronic mail from you; or

They are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent. This is called the ‘soft opt-in’.

You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe. It’s best to always provide a simple click to unsubscribe.

The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send. The soft opt-in rule does not apply to prospective customers or new contacts (eg from bought-in lists). It also does not apply to non-commercial promotions (eg charity fundraising or political campaigning).

You can send electronic marketing to an individual if they have specifically consented to receive electronic marketing from you – for example, by ticking an opt-in box. The rules around consent are changing under GDPR. This means that pre-ticked boxes, or tick to opt out, that may have been used previously, are unlikely to comply with the requirements of the GDPR. People must now opt in to your electronic marketing activities, rather than opting out. Legitimate interests is also not an alternative to consent for email marketing.

Any clearer? Hopefully! It is a complex area and you need to be especially careful if you email individuals.

In a very broad summary – and you do need to look at this in your specific circumstance:

If you’re emailing companies or people that work at companies (separate legal entities) then:

Under PECR you’re OK but should have a simple unsubscribe

Under GDPR you’re probably going to be using Contractual legal basis for storing their email address

Anyone else:

Under PECR you’re OK but should have a simple unsubscribe

Under GDPR you’re probably going to be using Legitimate Interest for storing their email address

If you’re emailing individuals or sole traders then:

If they’re customers:

Under PECR you need to offer a simple unsubscribe and prove you gave them the option to opt out at the beginning

Under GDPR you’re probably going to be using Contractual legal basis for storing their email address

Anyone else:

Under PECR you need to prove opt-in consent and provide a simple unsubscribe

Under GDPR you’re probably going to be using Legitimate Interest or Consent for storing their email address

If you’re still confused, then you won’t be alone – you can contact us at info@copperbaycreative.co.uk