Many get the Privacy rules on email marketing wrong. For a start, they’re not in GDPR as commonly thought: they were set out in the EU e-Privacy Directive, which means in the UK they’re in what we call PECR.
Stick around and we’ll break down this aspect of this vastly misunderstood and highly emotional area.
This is the first in our series on e-Privacy. You can watch this blog’s accompanying video: Email Marketing Rules are in PECR not GDPR in Privacy Kitchen.
So, is that right? e-Privacy rules are not in GDPR? Yes, yes, it is, and we’ll show you right now.
Those rules on email marketing, including whether you need consent or not, are in the EU e-Privacy Directive, a law that effectively takes priority over GDPR when it applies. As a Directive, it’s been implemented differently in every Member State.
That’s why they brought in GDPR – to replace the Data Protection Directive. There’s also a long-running effort to replace this e-Privacy Directive with a Regulation, but that’s been bogged down for years now in the final stages of negotiation, with lots of lobbying – it’s so contentious, and it’s so broad.
So we’re still dealing with the 2002 EU e-Privacy Directive, as amended in 2009. That’s been implemented in the UK by the Privacy and Electronic Communications Regulations, which is why everyone calls it PECR for short.
By the way, if you’re thinking Brexit will save you here, PECR is a UK law not an EU law so PECR’s not going to be affected by Brexit. And if you’re in an EEA Member State, the rules will be in your national law implementing that e-Privacy Directive.
Now, importantly, email, for these purposes, isn’t just email – it’s also WhatsApp, Facebook, LinkedIn messages… There are separate rules on phone calls and separate rules on faxes – if you still have one. PECR also includes all the cookie rules, which is why it’s sometimes called the Cookie Law, although it’s not just cookies. But all of that’s for a different video.
Right now we’re talking about email marketing rules.
Now, for sure, GDPR applies whenever you process personal data – you need to comply with the seven principles, you need to have one of the six legal bases of processing, such as consent or necessary for legitimate interest, which are the two that are most relevant on email.
But the rules on email, such as whether you need consent, etcetera, are all in the e-Privacy Directive.
Still don’t believe it? Okay, here’s Article 13 of the e-Privacy Directive.
Now, you can see that the use of electronic mail for direct marketing is allowed only in respect of subscribers or users who have given their prior consent.
That ‘or users’ was added by the 2009 Directive and we’ll come back to the impact of this later.
So what about PECR that implements this?
Here’s Regulation 22 of the UK’s PECR, implementing that Article, and it covers using electronic mail for direct marketing purposes, specifically sending unsolicited communications by means of electronic mail to individual subscribers.
Note again, the word there: ‘individual’. The big difference in e-Privacy rules throughout Europe comes from those words ‘subscriber’, ‘user’ and ‘individual’, and essentially means Europe’s split in how it treats B2B email marketing, where you’re emailing a legal entity, and B2C email marketing, where it’s a consumer, sole trader or unincorporated partnership.
Now we’ll look at the rules themselves in another video. But there you have it – proof that the rules on email marketing are in the EU e-Privacy Directive, implemented by the UK’s PECR. They’re not in GDPR.
Yes, if you need consent, you go to GDPR to look at it. And yes, GDPR always applies in terms of security, processors, etcetera. But the rules are in the e-Privacy Directive and, if you’re in the UK, that’s PECR.
So why all the confusion about email marketing and GDPR? Here are three quick reasons.
And as we say, don’t hold your breath on that European Regulation on e-Privacy, which is a real shame because we could do with that harmonisation on all of these rules.
So there you go: email marketing rules (in the UK) are in PECR. If you’re in an EEA Member State, look to the national law implementing the e-Privacy Directive(s) in your Member State.
Nice and quick!
Do get involved – use #privacykitchen to tell us the questions and topics you want covered.
Stay well in the meantime, and see you soon in Privacy Kitchen!