If you’re confused about the UK’s rules on B2C email marketing, in the time it takes to have a cup of tea, we’re going to set them out really clearly.
And stick with us, because at the end we’re going to put up a fantastic summary table straight from the UK ICO.
Following on from our post clarifying that email marketing rules are in PECR not GDPR, this blog and its accompanying video look at the B2C Email Marketing Rules. This is all part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Right, let’s get to it.
Now, we saw in another video that the rules on email marketing are in PECR – the UK’s Privacy and Electronic Communications Regulations, which is why everyone calls it PECR – not GDPR. And PECR’s a UK law, so it will be with us post-Brexit.
Yes, GDPR always applies when you process personal data. It defines consent, and it sets out the legitimate interest test, for example.
But the rule’s in PECR, which takes precedence.
In summary, you cannot send B2C marketing emails (namely to consumers, sole practitioners and unincorporated partnerships) without consent, subject to the soft opt-in exception.
The detailed rule is in PECR’s Regulation 22 which says you cannot send ‘unsolicited emails’ for the purpose of ‘direct marketing’ to an ‘individual subscriber’ without their prior consent, unless the ‘soft opt-in’ exemption applies. Here’s Regulation 22 in full:
So, ‘unsolicited emails’ is easy: it’s emails the recipient didn’t ask for.
An example from the UK ICO – we love examples!
For the purpose of ‘direct marketing’ is pretty clear too. Helpfully, it means the rules don’t apply to other purposes. So, for example contacting a customer solely to:
These are all examples from regulators.
The UK ICO’s draft guidance calls these ‘service messages’ and gives two further examples:
But if you add any marketing aspects to those emails, even tacking on a single sentence, you’ve transformed that service or other message into a marketing email and you need to check if PECR’s rule applies.
And another one.
Now, bear in mind that ‘for direct marketing purposes’ is almost anything promoting your aims or ideals so it’s pretty broad.
Okay, ‘individual subscriber’. This is the part that we think causes the most issues.
‘Individuals’ has an immediately clear meaning. We’re not talking about legal entities like a limited company, PLC and LLP. Here also, though, for these laws it includes sole traders and unincorporated partnerships. Think of it this way: there’s no legal entity in the way when you’re doing the marketing, so the marketing’s basically directed at one of those individuals.
Now, ‘subscriber’ is trickier because it’s not a subscriber to your services – it’s the person party to a contract for public electronic communication services for the supply of those services. Basically, the person who’s the customer of the comms service over which they’re getting the email.
So let’s look at two examples here.
Now, granted, not all business.com emails are definitely legal entities, but it’s a strong indication. Maybe you’ve got a policy of only selling or marketing to legal entities – you don’t add them to your database if you’re not sure.
And, just to note, emails such as firstname.lastname@example.org are not personal data because info@ – there’s no personal data there, so PECR and GDPR do not apply.
Again, yes, businesses may well use Hotmail or Gmail so, in practice, it’s safer to just assume that everyone with a Hotmail or Gmail is an individual subscriber until you find out otherwise.
Prior consent is where GDPR comes in as PECR expressly states that consent is as defined in GDPR – and GDPR defines that as:
In other words:
Right, the last part of the rule is the soft opt-in exemption, and this is pretty well known. It means you don’t need consent to send B2C marketing emails if you satisfy a five-part test.
You can’t get the email from anyone else. You have to have collected it yourself.
You need to have obtained the email in the course of the sale or negotiations for the sale of a product or service. Now, sale is clear – the person’s a customer. But what about negotiations for sale as that can mean leads too?
As the UK ICO notes, it’s not enough simply to send any query. The individual should have actively expressed an interest in buying your products or services by some form of express communication.
Helpfully, the UK ICO gives three examples, we all love examples, of what might qualify:
And the UK ICO gives two that probably don’t:
You can only use that email to market your own similar goods or services, not someone else’s. And the ‘you’ part is interpreted strictly, by legal entity, so other group companies, for example, can’t rely on your soft opt-in.
As to ‘a similar good or service’, the UK ICO has given some great examples again and suggests this depends on the reasonable expectations of the data subject, which in turn depends on the context, including the type of business and category of product. And they give two examples.
And, lastly, you need to have given the recipient an easy, free way to refuse, both at the time you collected the email and in each marketing email you send. The last bit’s easy – you can allow for unsubscribe. But it’s the first part that needs careful drafting, when you collect that email.
So, you can see that, under the UK’s PECR, you only need consent for B2C marketing emails.
You do not need consent for B2B marketing emails, to those at legal entities. This is an explosive topic and Europe’s basically split on this point. We’ll deal with B2B marketing email in a separate blog and video.
Now we’re still waiting on this European e-Privacy Regulation to give greater consistency across Europe, and we really need it. We’d welcome the full clarity here.
The rules are quite different across Europe, but at least for now, the situation in the UK and the UK ICO is very clear.
And here is that guide from the UK ICO, it’s their ‘At a Glance Guide’ from 2019 with all the rules on there. Again, the link is in the notes below.
So, there you go! The UK’s B2C email marketing rules – very straightforward.
Please do visit us at keepabl.com. Please like if you enjoyed the video, look at our other videos, including on B2B email marketing and why the rules are in PECR in the first place.
Do get involved – please use #privacykitchen to tell us the questions and topics you want covered.
So stay well in the meantime, and I look forward to seeing you in the Privacy Kitchen soon!