Email marketing post GDPR – what you need to know

So, the dust has settled and, just as nothing happened after the ‘millennium bug’ (for those of you who don’t remember, the so-called ‘millennium bug’ was the bug that would crash all computers on New Year’s Eve 1999 when the date rolled over to 2000), not much has changed since the GDPR deadline back on the 25th of May this year.

However, some things have happened, and in the main it’s good news for the marketing world. GDPR has made companies look at the data they have been using for marketing (that’s all marketing, not just email), and it’s made them clean up their act. And for the marketing data providers, it’s made them get their respective houses in order too.

There was a lot of confusion leading up to the GDPR deadline, and in our experience, there still is a lot of confusion. We were all bombarded with ‘We’ll miss you…. please opt in’ emails sent out by many companies. And many of those companies needn’t have bothered.

Now, before I say any more, this is our interpretation of the rules for B2B email marketing. And I use the term ‘interpretation’ because that’s what it is. It just isn’t black and white and, whatever the ICO (Information Commissioner’s Office) says, there is still some confusion.

Consent: Opt-in vs Legitimate interest

You must have a lawful basis to process personal data – this is not new and should already be in your privacy policy under the DPA (Data Protection Act). However, GDPR does require you to be more accountable for this, and transparent about what your lawful basis is.

One of the most common questions is:

Do I need to get all my email contacts to opt-in to receive emails from me?

Answer: No! The lawful basis for contacting the people on your databases is ‘legitimate interest’. (Here are the ICO’s notes on legitimate interest.)

This must be included in your Privacy Policy, which should by now have been updated so it’s GDPR compliant and explains how you collect, use and store data, including the security measures you take to ensure it’s kept safe.

We have to respect that we cannot simply use this basis to send out anything to anyone. You still need to balance your interests against the individual’s interests, so that it is a reasonable use of their data and doesn’t cause them unwarranted harm; otherwise their interests are likely to override yours (although the interests don’t need to align).

Direct quote from ICO regarding legitimate interest:

“You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR.”

NB: If you choose to go down the route of gaining consent and want to use the lawful basis of ‘opt-in’, then here are some ICO pointers.

However, there are exceptions where you can’t use ‘legitimate interest’, specifically for ‘cold contacts/bought data’.

Who can, and can’t, we email?

To confirm…we can NOT email:

  • Sole Traders
  • Some Partnerships
  • Individual consumers, e.g. personal email addresses such as Gmail, Hotmail etc.

We CAN email:

  • Companies
  • Limited liability partnerships
  • Scottish partnerships
  • Some government bodies

ICO definition: 

‘Corporate subscriber’ covers subscribers that are a corporate body with separate legal status. This includes companies, limited liability partnerships, Scottish partnerships, and some government bodies.

ICO Marketing Guidance: 

  1. Corporate subscribers do not include sole traders and some partnerships who instead have the same protection as individual customers. If an organisation does not know whether a business customer is a corporate body or not, it cannot be sure which rules apply.

Past customers

This group is different, as they have previously bought a similar product/service from you – if you’ve emailed them with the option to unsubscribe previously, and they haven’t, then you can continue to use their data.

Please see the direct quote from ICO:

“Sole traders and some partnerships are treated as individuals, so you can only email or text them if they have specifically consented, or if they bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance. You must include an opt-out or unsubscribe option in the message.”

Current customers

As ‘individuals’ under the customer status also includes consumer emails, these are treated under the ‘soft opt-in’ legislation, along with standard business emails, and can, therefore, be emailed with similar products/services without consent. Note, this is still under the lawful basis of legitimate interest.

Please see the direct quote from ICO:

The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (e.g. from bought-in lists). It also does not apply to non-commercial promotions (e.g. charity fundraising or political campaigning).

PECR (Privacy and Electronic Communications Regulations)

Something we haven’t mentioned yet is the PECR (Privacy and Electronic Communications Regulations), which sits alongside the existing DPA and the new GDPR.

Please note that the PECR is due to be updated, whether that’s in 6 months, 1 year or 2 years’ time, and this could have a significant impact on how we contact business individuals. As it stands at the moment, the regulations do not affect the ‘legitimate interest’ basis that marketeers can use.

Right to object

In summary, individuals have the right to restrict, suppress, object to the processing of, and request access to any data that you hold.

Whether any of these requests are made verbally or in writing, you have up to one month to respond to a request.

Your contact details must be clear on your website, so individuals know how they can perform these requests, and emails must (as they always have) include an unsubscribe link. Remember this is about making it easier for individuals to request removal if they wish to no longer receive any communications from you.

Is that everything?

No, not quite, but we’ve shared the most important parts you should be considering.

One final point to remember…

Email marketing is a great marketing channel, and with GDPR behind us we are seeing less junk and fewer emails, and that means that well targeted, well written emails are more likely to be looked at and actioned, and that leads to business.

GDPR may have changed how we manage data, but the rules about effective marketing haven’t. Like any marketing channel, you need to give the potential customer what they want and not what you want to tell them. It’s about them and not about you!

You might like to look at some of our other blogs to give you some tips about creating great content for your emails.

And if you’d like to know more then just get in touch with us here at Essentiamail.