What is the current law for email marketing?
It’s complicated. You need to consider both current data protection law and electronic privacy regulations.
The ODPC’s direct marketing guide describes the different rules that apply under the current law.
If you send marketing emails, I recommend you read it.
How do you send marketing emails in compliance with the current law?
From what I’ve read on the ODPC’s site, the rules are different depending on who the recipient is.
The table below is a screenshot from the ODPC’s guide.
To comply with the current Irish law, you need to identify if the name on your marketing list is an individual consumer or a business contact.
For consumers, you then need to identify if they are an existing customer of yours or not.
Depending on your answer, the requirements are different.
- For some, you need them to opt in before you send them any marketing email (“you can only market an individual where you have their explicit consent to do so”).
- For others, you need to let them opt out of marketing emails when you first collect their details (“you can market [to them] provided you have previously given them the option not to receive such marketing and they have not availed of this option”).
- For all, you need to give them the ability to opt out easily (e.g. through an unsubscribe link within each email message).
[We won’t even discuss what you should do if you share your list of email addresses with another organisation.]
Complying with the current law is impossible if you don’t know how each email address has been added to your marketing list:
- Where did it come from?
- What type of person is it connected to (consumer? business? customer?)
- What did the individual consent to?
You also need to have effective controls in place to prevent lists being copied / reused and to ensure opt-outs are actioned quickly.
Understanding and complying with the current laws is difficult.
GDPR is not going to help matters.
How does this look under GDPR?
I’m not a legal eagle. When it comes to these complex matters, I always try to find pointers from someone who is.
On this topic, the best guidance that I’ve found is from the blog pages of Fieldfisher, a leading law firm.
You can read the post at http://privacylawblog.fieldfisher.com/2017/re-consenting-to-marketing-under-gdpr.
I’ve tried to summarise the key points in this blog post. However, this is just my interpretation of an article published by someone else. It is certainly not legally-binding advice. It is critical that you decide for yourself what you need to do to comply.
Email marketing where your lawful basis is ‘consent’
You may decide that the lawful basis for your email marketing activities is ‘consent’.
If so, the consent you got from people on your marketing list is unlikely to be compliant with GDPR.
GDPR sets out very strict requirements for consent to be regarded as valid.
For example, if you state consent is your lawful basis, everyone on your marketing list must have opted in to the list by performing an affirmative action (e.g. ticking a box; clicking a button).
You probably don’t meet all of these consent requirements of GDPR right now. You therefore need to think about how you can get GDPR-compliant consent from people on your marketing lists. Or you may decide to avoid the risk of getting this wrong, wipe out the list and start again from scratch.
Like a lot of things with GDPR, it’s a matter of comparing the costs & risks of getting this wrong with the benefits you get from your processing activity.
Email marketing based on ‘legitimate interest’
One thing that most people miss is that your lawful basis for email marketing does not necessarily have to be consent.
Your lawful basis could be ‘legitimate interest’.
Recital 47 of GDPR acknowledges this: ‘The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
If this is the lawful basis for your email marketing activities, you may avoid the stricter consent requirements laid down by GDPR.
Wait! There’s also electronic privacy law
Deciding that your lawful basis for email marketing is legitimate interest is only half the story.
Alongside the elephant that is GDPR, there’s another beast to be wary of: electronic privacy laws.
Much of the guidance provided by the ODPC (that I mentioned earlier) describes current electronic privacy laws.
If you decide the lawful basis for your email marketing activity is legitimate interest, the requirements described by the ODPC for people to opt in to or opt out of your marketing lists will still apply after GDPR comes into effect.
To add to the fun, these current privacy laws will be refreshed when a new e-privacy regulation comes into effect (probably later in 2018).
It’s unclear whether this new regulation will change the opt-in / opt-out rules defined in the current law.
So, what does this mean for you?
You may recall that I said I find this one of the more complex areas of data protection to understand. Hopefully, now you can understand why I said this!
If I were involved in email marketing activities, I would do the following:
1 – Comply with the current law.
“How you do anything is how you do everything”
Doing this wrong exposes you to the risk of a DPC investigation as well as the reputational damage caused by annoyed recipients.
More importantly, doing this wrong tells people that you don’t know what you are doing or that you don’t care.
2 – Get ready for a potential change in the rules.
Think about the benefits that you gain from sending marketing emails versus the risks of getting this wrong when the laws are refreshed.
Many firms are deciding the risks outweigh the benefits. They are deleting their existing email lists and starting again.
Others believe the benefits are worth the risks.
For firms that rely on consent as the lawful basis for their marketing activities, I see many of them are now asking people to refresh or confirm their consent so they can continue to receive marketing emails.
This is good to see, but be wary:
(a) Only send these requests to email addresses that you know you are allowed to send marketing emails to.
This email asking for confirmation of consent is a marketing email in itself.
If you need consent to send a marketing email and you don’t have it, you will get into trouble if you send such an email to this person. Honda in the UK learned this the hard way.
(b) Do this sooner rather than later.
People are going to get a lot of these emails as we approach the May deadline. They will soon grow tired of responding and just ignore your request.
As a result, you will have to take them off your list.
(c) Give people a reason why they should give their consent.
Emails that just talk about how great you are do not give value.
Make sure your emails are valuable and valued by them.