GDPR for marketing – The DPO’s guide 2021

With the COVID-19 pandemic creating increased distance between businesses and their customers, direct marketing is being relied upon more than ever to cultivate profitable B2B and B2C relationships.

The term ‘direct marketing’ covers any type of advertising or marketing that is directed towards individuals. This includes all emails, texts, phone calls, post, and direct messages on social media that advertise an organisation’s services and goods or generally promote its aims and ideals. It does not, however, cover service messages sent “for administrative or customer service purposes only” (for more information on the definition of a marketing message, read our blog here).

The broad definition of direct marketing means that most organisations are likely to be undertaking some form of it, even if only occasionally.

How does GDPR affect marketing?

Although direct marketing is being used in ever-more new and interesting ways, there are clear rules set by UK data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data. that put limitations on how it can be used in order to ensure that individuals’ privacy and data protection rights are respected.

Like with any processA series of actions or steps taken in order to achieve a particular end. that involves personal dataInformation which relates to an identified or identifiable natural person., direct marketing must comply with the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. and Data Protection Act 2018The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK (and supersedes the Data Protection Act 1998), and implemented the GDPR into UK legislation.. This means that, among other things, you must have a valid lawful basis in order to process the personal data; you must ensure you are protecting the personal data appropriately; you must not hold on to the data for any longer than is necessary; and you must respect individuals’ rights by informing them of the processing and enabling them to submit rights requests.

On the topic of individuals’ rights, it is important to remember that data subjects have an absolute right to object to the processing of their personal data for the purposes of direct marketing. This means that if you receive a request from an individual asking you to stop processing their data for the purposes of direct marketing, you must comply and there is no getting around it.

In addition to the above, electronic B2C direct marketing (marketing by phone, fax, email, text and social media messages), must also comply with the Privacy and Electronic Communications RegulationsPECR is the UK implementation of the ePrivacy Directive (Directive 2002/58/EC) providing certain rules on marketing, cookies, communication services security and customer privacy (in relation to traffic/location data, billing, line identification and caller directories). (PECR) which, as it says on the tin, regulates electronic communications.  More on this later.

Marketers must be aware of these pieces of legislation so that they do not find themselves on the wrong side of the UK Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).).

GDPR email marketing

According to research conducted in 2021 by the Data and Marketing Association (DMA), email is the most popular channel used by organisations to market to their consumers, and for good reason. A corresponding study into consumers’ views showed that over 70% of consumers say that email is the best channel organisations can use for contacting them. The value of email marketing to businesses is therefore huge, with marketers estimating that for every £1 spent on email marketing, they get around £38 return on investment!

When thinking about data protection laws and their applicability to email marketing, it is important to distinguish B2B marketing from B2C marketing. This is because the rules around B2C marketing are far more stringent, the key word being: consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed..

For B2C email marketing, PECR states that you must gain consent from data subjects to market to them, meaning that your lawful basis relied upon under the UK GDPR must be consent. In contrast, if you are sending B2B marketing messages, consent is not essential. Instead, you can rely on legitimate interestsLegitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle. as your lawful basis. B2B recipients still have the right to object though, so it is important to provide them with a way of doing so; an unsubscribe or opt-out button in the footer of the email is the easiest way to achieve this.

Whilst the general rule that for B2C email marketing you must have consent still stands, there is a little-known exception to this called the soft opt-in. This exception allows you to market similar products and services to existing customers without the need for consent, provided you have given them the opportunity to opt outA positive action to choose not to be part of an activity or to stop being involved in it.. For more information on this, please read our previous blog post.

GDPR marketing consent

The PECR defines valid consent in the same way that the UK GDPR does in Article 7. To this end, consent must be:

• Freely given: consent to marketing must not be a pre-condition of signing up to a service or getting a product
• Clear: it must be clear exactly what the individual is consenting to
• Specific: consent for marketing must be unbundled for other terms and conditions, and from other consents (e.g. consent to receive marketing emails about upcoming events cannot be bundled together with consent to have your photos taken at the events, or agreeing to other T&Cs)
• Consist of an affirmative action: the Information Commissioner’s Office (ICO) has made it clear that a pre-ticked tick box, or an opt-out as opposed to opt-in mechanism will not count as valid consent for B2C marketing
• Be able to be withdrawn at any time: this links to the absolute right to object to direct marketing, and can be achieved by adding an unsubscribe link to all marketing communications

If the consent you gain to market to individuals does not fulfil the above criteria, it will not be valid and you run the risk of getting into hot water with the ICO.

It is also important to note that consent is not valid forever. It is therefore important to regularly review your marketing database and remove contacts who are not engaging with your emails.

GDPR email marketing consent examples

To help us demonstrate our points above, here are some examples of acceptable and unacceptable ways to gain consent:

1 – Acceptable

This is clear, requires an affirmative action in the form of ticking the box, is not bundled with other consents and is not a pre-condition of service.

2 – Unacceptable

The marketing consent asked for by this tick box is bundled together with consent to other T&Cs.

3 – Unacceptable

The ICO explicitly states that pre-ticked boxes do not provide valid consent.

4 – Unacceptable

For valid consent, there must be a clear affirmative action. Providing individuals with an opt-out option does not suffice (although if relying on soft opt-in, this would be acceptable).

GDPR marketing checklist

The questions below will help you to assess whether you are complying with the rules around direct marketing under the UK GDPR, DPA and PECR:

• Do you know whether you are sending messages B2B or B2C?
• If B2B and relying on legitimate interests, have you conducted a Legitimate Interests AssessmentAn assessment that used to demonstrate whether not processing is necessary in the legitimate interests and does not prejudice the data subject’s interests, rights and freedoms. (LIA)?
• If B2C, have you gained valid, opt-in consent?
• Do you keep a record of the consent provided by individuals?
• Do your marketing messages include an easy way for recipients to opt out or withdraw their consent?
• If relying on soft opt-in, are you confident that the recipients are existing active prospects or customers, the products/services being marketed are relevant, and that they have been given the chance to opt out?

GDPR marketing training

The DPO Centre provides bespoke marketing compliance training, both in person and virtually, that is tailored to your organisation’s industry and specific areas of need. If you would like to know more about our training services, visit our training page or contact us below.

NB: Data & Marketing Association, ‘Marketing and Email Tracker’ (2021). Data & Marketing Association, ‘Consumer Email Tracker’ (2021).