When GDPR came into force (in 2018) it introduced a new set of rules around what constitutes consent as the lawful basis for processing. Specifically, when seeking consent you must ensure that an individual takes a positive action to confirm consent based on a clear understanding about what they’re consenting to – this essentially rules out pre-ticked boxes, ambiguous wording or tricking someone into giving consent for processing of their data.
Whilst consent can be considered as the lawful basis for any type of data (it just depends on the nature of the processing as to whether it’s the appropriate lawful basis or not), most people think about it within the confines of direct marketing – the idea that we need consent to send marketing material and the absolute right someone has to withdraw that consent. So, in this article I’m going to look at direct marketing and where GDPR consent fits in. But first, PECR…
Privacy & Electronic Communications Regulations (PECR)
When it comes to direct marketing (email, phone, SMS text, messaging, etc.) another set of rules sets out when you can and can’t direct market to someone. These rules, the Privacy & Electronic Communications Regulations 2003 (or PECR), implement an EU directive into UK law and sit alongside our data protection legislation. So, GDPR and PECR sit alongside each other and complement each other when it comes to processing direct marketing data – when GDPR came in, it replaced the UK’s data protection legislation (the Data Protection Act 1998) but it did not replace the PECR rules; so, anyone who says they thought GDPR would stop “spam” (or unsolicited marketing) didn’t account for the fact that it’s actually PECR that sets out what you can and can’t do with direct marketing.
In essence, when PECR says you need “consent” to market, it means “data protection” consent, i.e. if PECR says you need consent, you now need GDPR-level consent. And it’s these PECR rules you need to pay attention to if you’re thinking about your direct marketing activity, particularly if you’re thinking of email, SMS, messaging or phone marketing.
For the purposes of this article, we’re just going to refer to email marketing, but the same rules apply to SMS text messages and direct messaging (e.g. through messaging apps or social media). There are also some additional rules for telephone marketing which I’m not covering here, but they are covered in the infographic at the bottom of this article.
So, when thinking about marketing compliance, you need to consider both the PECR rules (in terms of how you can and can’t market) and the GDPR rules as well, and not just in terms of consent messaging – don’t forget data protection applies to your marketing data just like any other personal data, so you need to think about lawful basis, subject access, the right to be informed, data breaches and security, etc.
The PECR email marketing rules
PECR sets out a number of different rules which depend on whether you’re emailing consumers, businesses or customers:
- You need consent to market to consumers. If you haven’t been provided with that consent then you cannot send marketing messages to them; you can’t ask them to give you that consent, as that would constitute marketing and therefore would be unlawful. This essentially means you need to rely on “inbound” marketing techniques – e.g. get consumers to sign up to your marketing via your website, your social media, etc.
- You need consent to market to sole traders (and some types of (small) partnerships). Sole traders, despite being businesses, are treated the same as consumers, so differently from incorporated businesses.
- You don’t need consent to market to businesses (unless they’re sole traders). If you’re marketing to business contacts within a limited, plc, LLP, etc. type business then you don’t need consent to do so, but note, a lot of people don’t realise this is the case, so if you do “scrape” email addresses off LinkedIn or websites and send unsolicited messages, expect some kickback about the fact you’re not supposed to be doing this.
- You don’t need consent to market to generic business addresses. If you’re sending marketing messages to generic email addresses at a business (e.g. info@, hello@, sales@, accounts@, etc.) then you don’t need to seek consent before doing so, but regardless of who replies, the “business” has the right to opt out of future marketing.
- You don’t strictly need GDPR-level consent to market to your customers. Strictly speaking, provided you give your customers the option to opt out of your marketing during the sales journey, you can market to them. This is referred to as “soft opt-in”, which is still valid and means that you don’t actually need GDPR-level consent; you can use pre-ticked boxes, but again, you should note that a lot of people expect to see opting-in for marketing, so may question it if you’re using a pre-ticked box (even though you’re allowed to).
Honour all opt-outs
However, regardless of whether you’re dealing with consenting consumers, your customers or businesses you market to unsolicited, everyone has the absolute right to opt out of marketing. So, even if you are contacting people within a business without consent, that individual has the right to ask you to stop, you must comply, and there is nothing you can do about it: you can’t argue that it’s in their own interest if you keep marketing to them, or that you don’t need consent. Everyone, even a business as a whole, can opt out of marketing and you have to honour that.
So, when it comes to marketing consent, it’s not as black and white as you may think. Unfortunately, this is a key area that lots of organisations don’t fully understand, so it’s important that you get it right and therefore understand what you can and can’t do, and most importantly, if you have a marketing team, make sure they understand what they can and can’t do. And don’t forget that GDPR applies to your marketing data, just as to any other personal data.
For a reference to the rules, we have produced a quick guide infographic which is free to download from this site.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR