Are you confused about the e-Privacy rules on B2B emails in the UK? Well, in the time it takes to have a cup of tea, we’ll set them out clearly.
And stick around, because we’ll put up a table summarising those marketing rules from the UK ICO.
Following on from our post clarifying that email marketing rules are in PECR not GDPR, this blog and its accompanying video looks at the B2B Email Marketing Rules. This is all part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Okay, B2B email marketing in the UK (reflecting the position in the UK as at 6 June 2020).
We saw in another video that these are in what’s called PECR: the UK’s Privacy and Electronic Communications Regulations (which is why everyone calls it PECR) not GDPR.
And in case you’re hoping Brexit will change things, PECR’s a UK law, so it will be with us post-Brexit.
Now, it’s really:
PECR – then – GDPR
because GDPR will set out the rules on consent, the rules on legitimate interests and, obviously, how you interact with processors and all its other rights and obligations.
But the rules on email marketing are in PECR.
you do not need consent to send B2B marketing emails,
namely marketing emails to an individual work email address at a legal entity
where the legal entity’s the target of the marketing
We also saw, in our B2C video, that the detailed rule is in PECR’s Regulation 22:
you cannot send ‘unsolicited’ emails for the ‘purposes of direct marketing’
to an ‘individual subscriber’ without their prior consent,
unless the ‘soft opt-in exemption’ applies
We won’t go into ‘unsolicited emails’ and ‘for the purposes of direct marketing’, they’re covered in the B2C video – do look at that.
The part that matters here is ‘individual subscriber‘ – this is the part we think causes the most misunderstanding.
‘Individual’ has a clear, immediate meaning. We’re not talking about legal entities like a limited company, a PLC or an LLP. But – for these laws – it also includes:
Think of it that there’s no legal entity in the way, so the marketing has to be directed at one of those individuals when you market that business.
Now, ‘subscriber’ is trickier because it’s not a subscriber to your service. It means the person party to a contract with a provider of public electronic communication services for the supply of such services. So it’s the services over which they’re getting that email.
Let’s go back to that test: you cannot send unsolicited emails for the purposes of direct marketing to an individual subscriber without their prior consent, unless the soft opt-in exemption applies.
It’s those two words ‘individual‘ and ‘subscriber‘ together, that means the consent requirement under UK’s PECR does not apply to marketing emails to a non-individual subscriber.
Again, this is all under the UK’s PECR. For EEA Member States, you’ll have to look at the law that implemented the e-Privacy Directive in your country.
As always, we love examples, and we know you do, so here’s a couple!
#1 Take the email firstname.surname@companyA.com.
Now, we grant you, not all business.com emails are legal entities, but it’s a strong indication, and you’ll need to check. Perhaps you’ve got a policy of only marketing to legal entities or only taking on legal entities as customers, and you check before you do so and add them to your database.
Just a quick note: emails such as info@companyA.com or firstname.lastname@example.org, for example, are not personal data, so PECR & GDPR doesn’t apply to those email addresses.
#2 Right! Second example, with the email email@example.com.
So – you don’t need consent for B2B marketing emails. Now this can be an explosive topic, so let’s look at it in some more detail.
The UK ICO’s draft Direct Marketing Code of Conduct – still draft as at 8 June 2020 – is clear on this, saying consent isn’t necessary for ‘Emails/text messages to business contacts (corporate subscribers)’ (on page 31).
That draft Code goes on to confirm that PECR does not apply to ‘Electronic mail (eg mails/text messages) to corporate subscribers’ (on page 79) and then give examples that confirm this.
This continues the UK ICO’s guidance in this area, for example, in its direct marketing checklists – and all these links are in the notes below.
But the clearest position is in their advice to consumers on spam emails. Admittedly, this was before GDPR, but in that they say, and we quote (our emphasis):
‘The rules on email marketing are different if the marketing is being sent to a corporate email address. If you work for a corporate body, (that is a company, Scottish partnership, limited liability partnership or government body), organisations are allowed to send marketing emails to your work email address without your consent.’
That’s a quote from the UK ICO. Now, a quick search will show you lots of law firm briefing notes and legal resource entries acknowledging this.
Yes, of course, that person’s work email is personal data under GDPR, but under the email marketing rules in PECR, which take priority on when you need consent – and when you don’t – to send unsolicited marketing emails, you do not need consent when that work email is of a person at a legal entity and you’re marketing that legal entity.
You’ll probably rely on ‘necessary for legitimate interests’, so do perform a Legitimate Interest Assessment to make sure that your interests on the one side are not overridden by the rights and freedoms of the recipients on the other.
And, although it’s not a rule set out in PECR or the e-Privacy Directive, the UK ICO says you can only use legitimate interests for B2B emails sent to people to whom your emails are relevant because of their role, which makes sense.
Now, this B2B part is the big emotional issue with PECR: roughly half of Europe have followed implementation of the 2002 and 2009 E-privacy Directives like the UK, and half like Germany, which is much stricter. And really a lot of the big arguments come in to the use of the words ‘subscribers’ … ‘individuals’, particularly in that 2009 version.
This is why we really need that draft e-Privacy Regulation to replace the e-Privacy Directive, but it’s been bogged down in drafting stage, and lobbying, for years now. As you can see, it’s quite contentious, but we’d really welcome having clarity here on the same rules across Europe. It would really help everybody.
At least for now, the UK PECR and the UK ICO’s position are quite clear.
Here’s that quick guide we promised! It’s the UK ICO’s ‘At a Glance Guide‘ from 2019 and the link to this is also below.
So there you go! B2B email marketing to individuals at limited companies, PLCs and LLPs, for example, does not need consent. You’ll look to rely on legitimate interests.
Do have a look at our B2C email marketing video.
Please like if you enjoyed the video and do use #privacykitchen to tell us the questions and topics you want covered.
Stay well in the meantime, and we look forward to seeing you again in Privacy Kitchen soon!
The difference between a controller and a processor under GDPR should be an easy topic, but it can even get Privacy professionals tied up in knots. Don’t worry if it’s…