Businesses that send emails as part of their marketing strategy must ensure they comply not only with the GDPR but also with the Privacy and Electronic Communications Regulations 2003 (PECR). Both pieces of legislation are focused on protecting the privacy of individuals, so there’s a degree of duplication. Complying with one set of rules will put you a long way along the road of meeting the standards set by the other. However there are differences that you need to be aware of. PECR for example applies to more than just personal data.
Marketing departments often manage a lot of data but there are severe consequences if it all goes wrong. Luckily, our expert data protection solicitors are well placed to provide specialist knowledge, training and resources to quickly deal with any data privacy considerations as you go about your daily tasks.
We'll look at:
- What does consent mean under GDPR?
- What is valid consent?
- How to get customers to ‘opt-in’ to marketing emails?
- What is a soft opt-in?
- What is a double opt-in?
- What is an opt-out?
- How do the consent rules apply to email marketing?
- What are the benefits of getting consent right?
- What are the consequences of getting consent wrong?
- Getting your email subscription forms compliant
- How to record and manage consent under GDPR and PECR
- Sending marketing material to individuals sourced from publicly available contact information
What does consent mean under GDPR?
In order to process personal data in compliance with GDPR you must have what’s known as a ‘lawful basis’ for doing so. Getting the consent of an individual to process his or her data is one lawful basis that’s commonly relied upon in marketing. GDPR enhanced the previous definition of consent – it must now be:
- Freely given;
- Specific; and
For consent to be valid it must also contain an unambiguous indication signifying agreement. This will usually involve a clear, affirmative action by the data subject. As we mentioned in the introduction, electronic communications like email are also governed by the PECR and this incorporates the strict GDPR definition of consent. If your email marketing consents were obtained prior to GDPR you should check to see if they were obtained in accordance with GDPR’s higher bar for valid consent. It’s important to note that in many cases your pre-GDPR consent will still be adequate. But if in doubt you should seek professional legal advice about whether you need to seek fresh consent from those individuals whose data you are processing or whether it might be preferable to choose another lawful basis on which to process the data.
What is valid consent?
The GDPR (and the PECR) define consent as follows:
'any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'
It’s worth looking at the various elements of the definition in turn.
- 'freely given' – unless the individual has genuine choice about whether or not to consent to the use of his or her personal data the consent can’t be said to have been given freely. The service you offer can’t be conditional on consent nor should individuals be penalised for refusing consent. Withdrawal of consent should be possible at any time.
- 'specific and informed' – As the data controller you need to make the individual aware of who you are and the way you wish to process the personal data. GDPR makes clear that people must understand fully what they are consenting to so there’s an obligation to display the request for consent prominently and explain it in plain English.
- 'unambiguous indication…by statement or clear affirmative action' – you must have no doubt that they are consenting to your electronic mail marketing messages. Your consent forms, when signed, must provide a clear signal that the individual has consented to the use of personal information. This might involve ticking a box online or the individual making a statement to the effect that he or she has given consent. It’s no longer possible to include pre-ticked consent boxes on a website to obtain consent. If there is any doubt or uncertainty over the way consent has been framed the consent is likely to be invalid.
How to get customers to ‘opt-in’ to marketing emails?
It should be clear from what constitutes valid consent under GDPR/PECR that in soliciting consent for marketing purposes it’s no longer enough to rely on the type of prepopulated consent box that was common previously. The data subject must take an active step or ‘opt-in’ to consent to the use of his or her data. The ICO recommends that individuals must complete an opt-in box or similar to show consent.
What is a soft opt-in?
The ICO states soft opt in can be broken down into five requirements:-
- That you obtained the contact details;
- In the course of a sale or negotiation of a sale of a productor service;
- You are marketing your similar products or services;
- You provided an opportunity to refuse or opt out when you collected the details; and
- You give an opportunity to refuse or opt out in event subsequent communication.
So, it’s possible to send messages to existing customers who have purchased something from you or used your services without seeking fresh consent. The assumption is that if someone has provided you with their personal details without proactively opting out of receiving future marketing communication they are unlikely to object further marketing communication. But you must provide an opt-out option in all subsequent messages and you can’t use the soft opt-in rule to approach new clients or customers.
What is a double opt-in?
A double opt-in procedure is a belt and braces approach to obtaining valid consent under GDPR. Many marketers consider it best practice but it’s not strictly necessary and often found cumbersome, putting people off completing opt in. However, some marketers find that it’s much more likely that individuals who go to the bother of completing a double opt-in will be receptive to your marketing efforts. With a double-opt in an individual who provides their personal details online and ticks a consent box will then receive a follow-up email asking them to verify their details by clicking on a link.
What is an opt-out?
‘Opt-out’ means a person must take a positive step to refuse or unsubscribe from marketing. In email marketing it’s usually available through a clickable link that informs an organisation that the individual wishes to unsubscribe from their marketing emails. Although not prohibited, opt-out boxes may cause confusion. The ICO has indicated that an opt-out box is essentially the same as a pre-ticked box (which aren’t allowed) because they both rely to an extent on the individual’s inactivity. As we have seen this goes against the emphasis on the positive action required for valid consent.
How do the consent rules apply to email marketing?
Consent issues around email marketing and other forms of electronic communication are dealt with in the PECR (which is applied in conjunction with GDPR). The specific regulations in PECR are an acknowledgment of the additional risk to data security posed by the internet and online communications.
If an individual requests specific marketing material from you, your message is solicited and additional consent won’t be required. However before sending any unsolicited material by email you need to obtain consent in the manner described above. The most straightforward way to get consent for email marketing is to request the individual to tick a box that clearly indicates they want to receive your marketing emails.
One thing to note is that consent needs to be obtained for each activity or method in how the individual receives marketing information. For instance, where you intend to send marketing information by text and email, it’s necessary to understand that some may wish to receive marketing by text but not via email, or vice versa, hence, it would be appropriate to ask for consent for each method of marketing.
If you are engaged in B2B marketing there is still a requirement to obtain consent to email marketing but the rules are slightly less stringent. See our guide to B2B marketing and GDPR.
What are the benefits of getting consent right?
Consent lies at the heart of the GDPR/PECR regime. The public and businesses are now more aware of the importance of safeguarding their data. A failure by any organisation to take consent seriously and ensure they comply with the regulations leaves them wide open to legal challenge by individuals and regulatory intervention and sanction by the ICO. Demonstrating that you obtain consent that’s valid will reflect positively on your business and should lead to greater customer satisfaction and enhance your commercial reputation.
What are the consequences of getting consent wrong?
By failing to take the consent issue seriously you run the risk of heavy fines and other regulatory sanctions. You’ll also damage your business in the long term among customers who simply won’t trust you to handle their data in a secure and lawful manner.
An illustration of what happens when you get email consent wrong was provided back in 2017 when the ICO fined airline Flybe and motor manufacturer Honda for sending almost 4million marketing emails without consent. The cases were decided before the advent of GDPR so the fines imposed were relatively modest (£70,000 in the case of Flybe and £13,000 in Honda’s case). Under GDPR where fines can be levied of up to 4% of a company’s annual turnover the penalties would undoubtedly have been much more severe.
Getting your email subscription forms compliant
Article 7 of GDPR is clear: your email subscription forms must be written in plain English and presented in a way that’s easily understood and accessible. If the request for consent is part of a more wide-ranging form, the consent element must be clearly identifiable by the individual. This means you can’t hide the request for consent among other policies or conditions.
In practical terms your consent forms should contain at least the following:
- Your company name
- An unambiguous statement that the communication comes from you as potential data controller
- An explanation of the purposes for which you want the data
- Details of how you intend to use the data
- A clear statement about how the individual can withdraw consent
- Opt-in boxes or similar (‘Yes, please keep me updated on news, events and offers’)
- Opt-out links (‘Please unsubscribe me’)
A failure to meet these requirements will usually render any consent obtained invalid.
How to record and manage consent under GDPR and PECR
There’s little point in obtaining valid consent without being able to provide appropriate evidence of doing so if requested. In fact there is a legal requirement to maintain a clear paper trail of how consent was obtained. You must keep records of the identity of the individual who has consented, the manner in which consent was provided, the date when consent was obtained and information on what the individual consented to.
As GDPR makes clear, obtaining consent isn’t the end of the matter. Individuals always have the ability to withdraw consent or change their minds about the extent of the consent they have given. Many companies enable customers to manage their own privacy settings online via a personal dashboard or similar.
Sending marketing material to individuals sourced from publicly available contact information
The ICO has finally put an end to this conundrum. Just because someone’s information appears on their social media account (or elsewhere), it doesn’t mean they are happy to receive direct marketing form you. You need consent or be able to satisfy the soft opt-in requirements (see above) to be able to send direct marketing by electronic mail to individuals.