If you use email marketing, you need to understand who you are – and are not – allowed to send emails to. You must comply with regulations on sending unsolicited 'spam' emails. This article is designed to make it quick and easy to understand
What anti-spam law does
Anti-spam law restricts the sending of unsolicited marketing emails (‘spam’) to individual subscribers. Unsolicited emails can still be sent to corporate subscribers if they are relevant to their work.
Anti-spam law is enforced by the Information Commissioner and breaches can lead to a fine of up to £500,000. There is also civil liability to anyone who suffers damage as a result of the breach. The rules are in the Privacy and Electronic Communications (EC Directive) Regulations.
'Solicited' and 'unsolicited' are not defined, but solicited emails are probably emails that recipients specifically ask you to send them. A recipient can solicit an email from you via a third party such as a reseller or another company within the same group as yours. An unsolicited email is any other email.
A 'marketing' email is not defined by the law either but must include any email promoting your goods and services. For not-for-profit bodies like charities it includes promotion of your ideals.
eDesk - the #1 ecommerce helpdesk - brings customer queries from all your channels together - making it easy to react quicker, reduce support costs and scale your ecommerce business as it grows.
Individual subscribers v corporate subscribers
The restrictions on spamming individual subscribers apply not just to consumers, but also to sole traders and partners in business partnerships in England & Wales (Scottish partnerships are different) because they are still individuals, even though they are in business and even if you email them in their business capacity.
A 'corporate subscriber' will usually be a limited company or Limited Liability Partnership (or a Scottish partnership) but can also include schools, hospitals, government departments or agencies and other public bodies.
The rules for corporate subscribers
You can 'cold email' an unsolicited, direct marketing email to a corporate subscriber, but be careful. The fact that an email address ends in .co.uk does not mean it belongs to a limited company. Anyone can register a .co.uk domain name (the only UK domain names that tell you for certain that you are dealing with a UK limited company are the .ltd.uk and .plc.uk domains, but these are rare).
This view is bolstered by the legal argument that the law defines a 'subscriber' as "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". Since it is ABC Widgets that is the party to the contract with the telecoms provider providing the work email address, not the employee, the argument is that the email is being sent to the company - the 'corporate subscriber' - and no restrictions apply. It doesn’t matter that the email can only be accessed by the individual employee.
Nevertheless, as a matter of good business practice, you may wish to provide a clear mechanism for corporate subscribers to opt-out of email marketing and/or maintain a 'do not mail' list of any corporate subscribers that object.
But what if you are emailing 'Pauline Manager', an employee at a limited company, at a work address such as [email protected]? The email will be opened by Pauline, who is an individual. Under the General Data Protection Regulation (GDPR), the right to object to the use of personal data for marketing purposes is absolute. If Pauline objects, you must stop using her personal data for marketing.
The rules for individual subscribers
Individuals who specifically consent ('opt-in') to receiving emails
You can send direct marketing emails to individual subscribers if they have 'previously notified the sender' of their specific consent (ie they have opted in) to receiving such emails from you.
Specific consent requires some positive action by the subscriber. If an individual omits to deselect a pre-ticked opt-in box (eg an order or enquiry form), that is not a specific consent. In any case, pre-ticked opt-in boxes are prohibited under the GDPR. If they the individual specifically ticks the opt-in box or you make it clear that by entering their email address in a field they are opting in, these are positive acts for this purpose.
The opt-in must be 'clear and distinct' so individuals can see that they are opting in and see what they are opting into when they tick a box or provide their email address.
The family opt-in
When emailing a family address (eg [email protected]), you must have reasonable grounds for believing you have the consent of a person who is speaking on behalf of the family. Given the inclusion of the word 'subscriber' in the definition of an 'individual subscriber', this probably means you need the consent of the family member(s) who is a party to the contract with the telecoms provider providing the family email facility.
Opt-in is temporary
If an individual subscriber does opt-in, his or her consent is only given 'for the time being'. You are entitled, however, to assume the individual’s consent remains valid until there is a good reason for you to consider otherwise, taking into account the context in which that consent was given.
Third party advertising consent
If you are going to let third parties advertise in your emails, you should obtain the consent of any individual subscribers on your emailing list before you do so. Without it, your emails might be construed as unsolicited direct marketing emails from your advertisers to your subscribers.
What your opt-in request should say
Applying the above rules, the opt-in request of a limited company within a group might ask for an individual's consent to receiving emails:
- from you about the products and services that you want to market to them
- from other companies in your group about the products and services they offer
- from you, or other companies in your group, about other brands you each offer
- from you, or other companies in your group, about other activities such as seminars, competitions, promotions, etc
- from you that include third-party advertisements
- from named third parties offering specified products and services (to allow you to pass details to those third parties)
Opt-in and bought-in lists
Opt-in has to be previously notified to 'the sender' of direct marketing emails. If this means consent must be given to you directly, then addresses on any list compiled by a third party (such as a list broker or another company within the same group as yours) after December 2003 (when the anti-spam law came into force), cannot be an 'opted in' list for your purposes.
Guidance from the Information Commissioner, however, envisages that a consent can be collected from an individual by a third party on your behalf. The third party must make it clear to the individual that it is proposing to pass his or her details to businesses offering the sort of products and services you offer.
Under the GDPR, any third parties relying on that consent must be named. Simply defining a category of third party recipient will not be enough. Referring to "selected third parties" or words to that effect is, therefore, not an acceptable approach under the GDPR, particularly given its increased emphasis on transparency.
There are circumstances in which you can treat an individual subscriber as having consented to receiving emails from you, even though they haven't specifically done so. This is called 'soft' opt-in. You can send direct marketing emails to individual subscribers under the soft opt-in rules if:
1. Their email address was obtained by you in 'the course of the sale or negotiations for the sale of a product or service' .The Department for Business, Energy & Industrial Strategy (BEIS) interpretation is that this condition is satisfied if the individual is already a customer, or has entered into negotiations with you with a view to a sale, or has registered an interest in a product and allowed their email address to be recorded for future marketing use.
An example of a negotiation might be a price enquiry or someone checking availability of a product or service. But beware the difference between an email address obtained as the result of an enquiry from your website that asks "where’s the nearest store to Tetbury?" (no interest in a product) and one obtained because an individual asks "is there a store near Tetbury where I can buy a new toner cartridge for my printer?" (interest in a product). It is possible that entry into a competition designed to create awareness/interest in particular goods and services could constitute 'negotiations with a view to a sale'.
2. The direct marketing is in respect of your 'similar products and services only'. The BEIS interpretation is that the products or services must be ‘similar’ to those the individual was buying or negotiating to buy when their email address was originally captured. This probably extends to any goods and services that the recipient would reasonably expect you to provide. For example, if you are a hotelier, guests would reasonably expect you to offer conference, party and catering facilities as well as rooms, and these could be promoted using direct marketing emails.
3. The recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his or her contact details for the purposes of such direct marketing, at the time that the details were initially collected.
4. The individuals are given the opportunity to opt out in every subsequent email to them.
Individuals whose email addresses you buy in from a list broker cannot have opted in to receive emails from you under the soft opt-in rules if they have never dealt with you, but only the list broker. Nor can an individual who gives his or her email address to your company be treated as having opted in to receiving direct marketing emails from other companies in the same group as you, unless he or she has specifically consented to this.
It's also likely that, if you have opt-in from a subscriber to receiving emails from one brand or business name, and you want to promote another brand or business name you own, you can only do so if the recipient would associate the two as being under common ownership.
Rules applying to all emails
All direct marketing emails, whether to corporate subscribers or individuals, and whether unsolicited or solicited, must:
- make the identity of the sender clear (the sender must not be 'disguised or concealed')
- provide a valid address to which ‘unsubscribe’ messages may be sent.
Existing emailing lists?
By concession, the Information Commissioner has said the law will not apply to 'legacy lists'. This means email addresses:
- you had at 31 October 2003
- that you have used within the last 12 months
- that you collected in compliance with the law at the time (at a minimum, you told the people whose addresses you collected that you would be using the addresses for marketing purposes when you collected them)
- whose owners haven't told you to stop emailing them
Subcontracting your e-marketing?
The Information Commissioner will proceed against you first if the rules are breached, as the 'instigator' of the email communication. You must also have a contract in place with the contractor to cover the 'processing' of personal data under the GDPR. Not only that, but data processors also face stricter regulation.
The anti-spam rules do not affect your obligations in relation to personal data under EU Regulation 2016/679 General Data Protection Regulation. Under the GDPR, individuals (as opposed to businesses) can prevent you from processing 'personal data' (which includes using it to send unsolicited marketing emails) without consent.
Personal data is defined as any information relating to an identifiable person who can be directly or indirectly identified from that information. This is a wider definition than that under the previous Data Protection Act 1998 and includes less obvious identifiers such as IP addresses and even pseudonymised data if that data can be attributed to a person.
Consent is an important aspect of the GDPR. Not only must consent be freely given, specific, informed, and involve an indication signifying agreement (as before), but that indication must also be unambiguous and involve a clear affirmative action. It must, therefore, be clearly understood by a subscriber that what they are doing (eg ticking a box or submitting a form) is also signalling their agreement to receiving direct marketing emails. Clear, easily accessible privacy notes are therefore a must.
Implied consent has never been a true work-around for obtaining express consent, but it must be treated more carefully. 'Implied' consent is not out of the question under the GDPR, but it can only be implied from what is obvious and necessary.
The provision of a service must not be made conditional upon consent unless it is truly necessary for that service. You cannot, for example, require someone to consent to marketing emails in order to sign-up to your service if those marketing emails do not genuinely form a part of that service.
When relying on consent as a basis for processing personal data under the GDPR, it is important to keep a record of that consent including when it was obtained, how, and what the individual was told at the time.
Consent must also be easy to withdraw. Individuals should be told of the right to withdraw consent when giving it and must be given easy ways of doing so. The GDPR also gives individuals the right to object to the use of their personal data for direct marketing.
Holding personal data for any purposes is tightly regulated by the GDPR, but this does not prohibit you from keeping individuals' personal data for the purposes of ensuring that they are not contacted for marketing purposes (ie an opt-out or suppression list), provided that the personal data retained is just enough to serve that purpose.
Always take legal advice.