In this instalment of our GDPR FAQS mini blog series, we will begin to look at questions that frequently arise in respect of marketing under GDPR.
In this blog, we answer the following FAQ: Can my organisation continue to send marketing communications to our clients and customers?
Our Frequently Given Response:
The rules around marketing communications are relatively complex, but we will try to cover the basic principles in the following few blogs. In these blogs, we focus on electronic direct marketing as opposed to postal marketing.
There are two pieces of legislation that must be considered by any organisation that wishes to conduct electronic direct marketing i.e. marketing by email, text, fax or phone: (i) GDPR; and (ii) the Privacy and Electronic Communication Regulations 2003 (“PECR”).
It is simplest to consider the provisions of PECR first. Under PECR, organisations are entitled to continue to send marketing communications without opt in consent to:
- Existing clients and customers who have purchased products or services similar to those being marketed by the organisation;
- Individuals with whom the organisation has entered into negotiations; and
- Corporate subscribers – effectively anybody with a business email address such as firstname.lastname@example.org as opposed to email@example.com or firstname.lastname@example.org.
It’s worth bearing in mind that marketing sent to generic / non personal email addresses, such as email@example.com or firstname.lastname@example.org will not be captured by GDPR because there is no personal data within the email address.
If at least one of the three hurdles set out in PECR is passed, the organisation should then consider whether it is able to rely on legitimate interests under GDPR. A legitimate interest assessment (“LIA”) should always be conducted, but it is likely to be easier to pass a LIA where marketing is permitted under PECR.
Even if you determine that you are able to continue to send marketing without consent under PECR and the LIA you have conducted under GDPR, each marketing communication you send must include a clear opt out / unsubscribe option and any unsubscribe requests must be promptly adhered to.
The above is a very brief overview of the key principles that apply to marketing communications sent to existing clients and customers. If you wish to conduct a marketing campaign, you should always seek legal advice to ensure the campaign doesn’t fall foul of GDPR or PECR, including nuances of the legislation that are not referred to in this blog.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.