PECR – Email marketing in the UK

December 6th, 2022 Posted in Data Protection

The ICO states “Direct marketing is an important and useful tool that helps organisations engage with people to grow their business or to publicise and gain support for their causes. However, if done badly direct marketing can also be intrusive, cause a nuisance and have a negative impact on people.”

In this article, we will explore the requirements that organisations need to consider when conducting email marketing. We will look at the nuances between the DPA 2018 and Privacy & Electronic Communications Regulations (PECR), email marketing in a business-to-business (B2B) and a business-to-consumer (B2C) context, and finally some good practice hints and tips. No one wants to fall foul of the rules!

If you want to take a deeper dive into the PECR, read our Guide to PECR.

Who has to comply with PECR and the DPA 2018?

Email marketing rules are not limited to only commercial organisations. Direct marketing not only covers the promotion of products and services but also communications that promote aims and ideals or influence a change in behaviours or beliefs – the latter is a very important point to remember as often organisations believe directing marketing is strictly when you are promoting goods and services; this is not the case in the eyes of the law.  So, if you are a “not-for-profit organisation” for example a charity or and political party, you will need to comply. Let’s take a look……

The nuances between The DPA 2018 and PECR

The DPA 2018 defines direct marketing as “the communication, by whatever means, of advertising or marketing material which is directed to particular individuals.  So, this includes marketing communications you send, addressed to an individual by post.

PECR defines electronic mail as “a private message stored for a specifically intended recipient to collect.” And, the definition of electronic mail marketing as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. This will include direct messages to recipients on social media platforms such as LinkedIn and Facebook.

The key word here is “recipient” because you don’t need to know the name of the person you are sending the message to; this is because PECR rules are not limited to electronic mail that involves personal data.  PECR marketing rules protect “subscribers”.  Subscribers are defined as the customer named on the bill for an internet connection subscription or telephone line.

There is no mistaking that both DPA 2018 and PECR complement each other in protecting the privacy of individuals but ultimately, they both set stringent rules on the way organisations can carry out email marketing campaigns.

To send email marketing PECR requires the DPA standard of Consent

  • Specific and informed;
  • Freely given;
  • Unambiguous indication;
  • By a clear affirmative action

You should also keep a record of the consent so that you can demonstrate that it is valid.  I like to ensure consent records are appropriate by this formula –  W3H.

  • Who consented
  • When they consented
  • What they were told at the time
  • How they consented

The DPA provides an exception to prior consent for email marketing referred to as “the soft opt In”. PECR does not use this phrase, however, PECR Regulation 22 does indicate that electronic mail marketing can be sent to an individual if:

  • They are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

We will look at the soft opt-in later in this article.

B2B and B2C – What difference does it make?

There are some slight differences in the definitions and the actions you can take depending on whether you are email marketing to businesses or consumers.  Businesses are defined as companies and corporate bodies, whereas consumers include sole traders and partnerships.

When emailing consumers, there is more rigour around the initial contact. For example;

  • The consumer must have given you specific consent to send marketing emails.
  • You can use the “soft opt-in” exception.
  • You must not disguise or conceal your identity.
  • You must give a valid contact address for the consumer to opt out.
  • If processing personal data you must comply with UK GDPR principles.

When sending email marketing to Businesses, which the ICO defines as companies and corporate bodies then you:

  • Can email corporate bodies without consent for example, to a generic email address.
  • It is good practice to comply with opt-out requirements.
  • Can email individual employees without consent, for example, to Individuals should be provided with an opt-out such as an unsubscribe link.
  • You must not disguise or conceal your organisation’s identity.
  • You must give a valid contact address for opt-outs.
  • If processing personal data, you must comply with UK GDPR Principles.

The ICO has produced this handy at a glance guide and includes information on the different types of marketing you may wish to undertake, from live calls to postal marketing campaigns.

The Soft Opt-in rule

Earlier, we mentioned the soft opt-In exception. It only applies to commercial marketing of products and services, so if you are a not-for-profit organisation, you cannot use it for campaigning to your existing supporters. To use the soft opt-in exemption;

  • You obtained the contact details directly from the individual.
  • In the course of a sale or negotiation of a sale of product or service.  The individual does not actually need to have bought anything, negotiations for a sale that took place, is enough.
  • Your direct marketing is for similar products or services only.
  • Opportunity to refuse or opt-out given when you collected the details.
  • Opportunity to refuse or opt-out is given in every communication.

Steps to take to get email marketing right

It’s important to remember the data protection principle of accountability. As a Data Controller, you are responsible for and must be able to demonstrate compliance.  With this in mind, ensure you keep accurate and up-to-date records including:

  • Record of GDPR-compliant consent. Remember the formula W3
  • Record whether the customer is an individual including sole traders or a company. Don’t forget different rules apply.  If you are not sure then err on the side of caution and assume they are an individual.
  • Maintaining a suppression list, this involves retaining just enough information to ensure preferences are respected in the future and individuals are not inadvertently put back on a marketing mailing list and sent marketing material even though they have opted out. You can still send service/important information-related emails without consent and without the need for an unsubscribe option.
  • Remember to check the requirements depending on whether you are a commercial organisation or a not-for-profit organisation.
  • Engage with data protection professionals. They can help you navigate your way through the rules.

Recent ICO enforcement action

Because of the intrusive nature of unsolicited marketing, The ICO is hot on enforcement action for noncompliance. Some of the latest fines include

Easylife Limited (catalogue retailer), was fined a total of £1.48M for numerous failings including using 145,400 customers’ personal information to predict medical conditions and then targeting them with health-related products. The fines were high due to the nature and gravity of Easylife’s infringement; the assumptions made about a possible medical condition (Special Category data), the lack of transparency and consent and the use of automated profiling significantly affected the individual. In a separate investigation, the ICO also imposed a fine for making 1,345,732 unwanted marketing calls to people registered with the Telephone Preference Service.

Halfords Limited has been fined £30,000 for sending 498,179 unsolicited marketing emails to people without consent.

Following complaints in relation to a direct marketing email about a “Fix Your Bike” government voucher scheme, which was sent on 28 July 2020, Halfords came to the ICOs. Under the government scheme individuals could use a voucher worth up to £50 towards the cost of repairing a bicycle at any approved retailer or mechanic in England. Halfords’ email relating to the scheme encouraged people to book a free bike assessment and to redeem the voucher at their chosen Halfords store and therefore amounted to marketing its services which would generate income for the company.

Halfords email contained a disclaimer stating, “This is a service message and does not affect your marketing opt-in status” but later informed the ICO they were relying on legitimate interest legal basis as it was in the interests of the customer to be notified of the government scheme as they may be eligible.

The ICO ruled that Halfords intentionally targeted individuals for which it knew it did not hold consent, on the mistaken basis that the email was a ‘service’ message, rather than direct marketing.

The ICO also ruled that Halfords could not rely on the soft opt-in exemption for customers that received the email, because it was sent as a “service” email, and did not meet the soft opt-in requirement of enabling the recipient the opportunity to refuse or opt-out given in every communication.

Next steps

As a specialist data protection consultancy, Evalian is well-placed to assist you with navigating the law governing direct marketing, email marketing and electronic communications. If you would like an informal conversation on how we can assist,  please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered. We also have an extensive Guide to GDPR Accountability that you can download for free.

Evalian DPO/GDPR Services - Find Out More

Evalian is committed to protecting and respecting your privacy. By proceeding with your inquiry, you agree to the terms of our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Leah Smith

Written by Leah Smith

Leah has worked in the Government sector in Information Assurance, Information Security and Data Protection for over 21 years and was DPO for Ordnance Survey and its group of companies before joining Evalian®. Leah’s qualifications include Practitioner Certificate in Data Protection PC.dp (GDPR), ISEB Certified Information Management Principles (CISMP) and ISO27001 Lead Implementer.