The legal landscape
The GDPR (as you will be well aware) regulates handling of personal data and sets out the rights individuals have with regard to their personal data within the application of the territorial scope. Email addresses from which an individual can be directly or indirectly identified, including from a corporate email address, are personal data, so handling such email addresses is always subject to GDPR compliance including in relation to data subject rights, lawful basis analysis, transparency requirements and data transfer rules (to name a few).
The GDPR does not, however, set out the conditions which apply to sending unsolicited direct marketing emails. There are two pieces of legislation which work together to dictate direct marketing rules in the UK (it's not always all about GDPR!).
The e-Privacy Directive 2002/58/EC (e-Privacy Directive) is the legislation which regulates the processing of personal data and the protection of privacy in electronic communications, and specifically sets out the rules for sending unsolicited direct marketing messages. As a Directive, it has to be implemented through local Member State laws, which has resulted in different approaches to marketing across Europe. In the UK, the e-Privacy Directive is implemented by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (as amended from time to time).
The e-Privacy Directive will be replaced by a new ePrivacy Regulation, but this has not yet been finalised. Read more about the latest on this. For now, PECR still applies (as do equivalent local Member State laws) alongside the GDPR, so businesses must satisfy the requirements of both and specifically review any email marketing communications against these. It is PECR that sets out the conditions required for email marketing, so the first step is to consider PECR more closely.
Requirement for consent
The default position established by the e-Privacy Directive, as applied by PECR in the UK, is that prior consent must be given to the sender (or the 'instigator' where that party is different to the sender) before the direct marketing email can be sent.
e-Privacy Directive - Article 13
"The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent."
PECR - Regulation 22(2)
"…a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender."
However, neither the e-Privacy Directive nor PECR defines consent. Instead, the e-Privacy Directive sets out that consent by a user or a subscriber "corresponds to the data subject's consent in Directive 95/46/EC"; in other words, it is necessary to look to the general data protection legislation on handling personal data for a definition of consent.
The GDPR replaced the data protection Directive 95/46/EC and brought with it a new definition of consent. It instantly upgraded what was meant by consent under PECR, even though PECR itself (and the underlying e-Privacy Directive) did not change.
Directive 95/46/EC - consent definition
"any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."
GDPR - consent definition
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The latter part of the updated definition is the game changer that should not be underestimated. The requirement that consent be achieved "by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" leaves no room for a weaker interpretation – silence is not enough. The requirement for "clear affirmative action" also reinforces the GDPR's wider obligation for consent to be demonstrable by the controller. The current ICO guidance (version 20180306, 2.3, which has not been specifically reviewed against the GDPR) sets out that a record of evidence for consent should include "who, when, how, and what you told people", building on the GDPR principles. So the updated definition has changed not only what is needed from the data subject to constitute consent, but also the way data controllers need to present and record consents.
As mentioned above, other GDPR obligations will also be relevant in the course of obtaining consent for marketing (transparency requirements, data transfer rules, security obligations etc.) and also those specifically engaged when relying on consent as a lawful basis for processing. Without going into a detailed analysis on consent requirements, this includes:
- Communicating to the data subject that they can withdraw consent at any time;
- Being able to demonstrate consent;
- Identifying the controller to which the consent is to be given;
- Offering a genuine choice (and therefore not generally bundling consent up with, or making it conditional on, anything else); and
- Presenting information clearly, plainly, and where possible, in a way specific to each processing activity and purpose.
For some European countries, a GDPR standard of consent (or very close to it) was already being applied long before the GDPR came into force, so they did not feel the GDPR upgrade of consent in the same way. For example, in Germany the courts' preferred method, and the market practice for some time, has been to use a double opt-in as a way of verifying the consent of a data subject and demonstrating it was validly collected. An example of double opt-in is where an unchecked box is ticked next to clear and specific consent wording, and then a verification email is sent to the email address submitted requiring the recipient to verify consent by clicking on a link. The double opt-in allows consent to be verified with an electronic trail of evidence and, as such, is the 'gold standard'. As a result, in the post-GDPR world, double opt-in may become more widely used, even though it is not required under the GDPR.
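The double opt-in flow above, together with the "who, when, how, and what you told people" evidence record mentioned earlier, can be modelled as a small consent ledger. The following is an added example written for this page, not code from the article or from any regulator; the names (ConsentLedger, the 48-hour link validity window, the sample addresses and consent wording) are all assumed for illustration. It records the ticked box as a pending request, issues a single-use verification token, only treats consent as given once that token is presented within the window, and keeps an audit trail that survives withdrawal so the controller can still evidence what happened.

```python
"""Double opt-in consent ledger (added example; not from the article).

Models the flow described in the text: an unchecked box is ticked beside
specific consent wording, a verification email with a single-use link is
sent, and consent only counts once the link is followed. Every step is
recorded so the controller can show who consented, when, how and what they
were told. All names are hypothetical; no real mailer or database is used.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

TOKEN_TTL = timedelta(hours=48)  # assumed validity window for the link


@dataclass
class ConsentRecord:
    email: str                                  # who
    wording: str                                # what they were told
    source: str                                 # how (form / page the box was on)
    requested_at: datetime                      # when the box was ticked
    confirmed_at: Optional[datetime] = None     # when the link was clicked
    withdrawn_at: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)


class ConsentLedger:
    """In-memory stand-in for a consent database (constructed for this example)."""

    def __init__(self) -> None:
        self._by_email: Dict[str, ConsentRecord] = {}
        self._by_token_hash: Dict[str, str] = {}   # sha256(token) -> email

    def request(self, email: str, wording: str, source: str, now: datetime) -> str:
        """Step 1: box ticked. Returns the raw token to embed in the email link.
        Only a hash of the token is stored, so a copy of the ledger alone
        cannot be used to forge a confirmation."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(email, wording, source, now)
        rec.audit.append(f"{now.isoformat()} requested via {source}")
        self._by_email[email] = rec
        self._by_token_hash[hashlib.sha256(token.encode()).hexdigest()] = email
        return token

    def confirm(self, token: str, now: datetime) -> bool:
        """Step 2: link clicked. Accepted once only, and only within TOKEN_TTL."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        email = self._by_token_hash.pop(digest, None)   # single use
        if email is None:
            return False
        rec = self._by_email[email]
        if now - rec.requested_at > TOKEN_TTL:
            rec.audit.append(f"{now.isoformat()} confirmation rejected: link expired")
            return False
        rec.confirmed_at = now
        rec.audit.append(f"{now.isoformat()} confirmed by link")
        return True

    def withdraw(self, email: str, now: datetime) -> None:
        """Consent can be withdrawn at any time; the record is kept as evidence."""
        rec = self._by_email.get(email.strip().lower())
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = now
            rec.audit.append(f"{now.isoformat()} withdrawn")

    def may_send_marketing(self, email: str) -> bool:
        """Only a confirmed and not-withdrawn record permits a marketing email."""
        rec = self._by_email.get(email.strip().lower())
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str) -> Optional[dict]:
        """The 'who, when, how, what' bundle a regulator would ask to see."""
        rec = self._by_email.get(email.strip().lower())
        if rec is None:
            return None
        return {"who": rec.email, "when": rec.confirmed_at, "how": rec.source,
                "what": rec.wording, "trail": list(rec.audit)}


def demo() -> ConsentLedger:
    """Walk the flow with constructed sample data (not real subscribers)."""
    t0 = datetime(2018, 11, 1, 9, 0, tzinfo=timezone.utc)
    wording = "Yes, send me ExampleCo newsletters by email."
    ledger = ConsentLedger()
    # alice: ticks the box, clicks the link in time, link cannot be reused
    tok = ledger.request("Alice@example.org", wording, "signup-form-v3", t0)
    assert not ledger.may_send_marketing("alice@example.org")   # pending only
    assert ledger.confirm(tok, t0 + timedelta(minutes=10))
    assert not ledger.confirm(tok, t0 + timedelta(minutes=11))  # single use
    # bob: clicks the link after the window has closed, so no consent
    tok = ledger.request("bob@example.org", wording, "checkout-page", t0)
    assert not ledger.confirm(tok, t0 + TOKEN_TTL + timedelta(seconds=1))
    # carol: confirms, then withdraws; the trail is retained
    tok = ledger.request("carol@example.org", wording, "signup-form-v3", t0)
    assert ledger.confirm(tok, t0 + timedelta(hours=1))
    ledger.withdraw("carol@example.org", t0 + timedelta(days=30))
    return ledger
```

Normalising the address before use means a later withdrawal for "Alice@example.org" matches the record created for "alice@example.org"; storing only the token hash keeps the evidence record useful without making it a forgery kit.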
Exceptions to the default requirement to consent
The soft opt-in
There is an exception to the default position that consent is required, known as 'soft opt-in'. It applies where:
- The contact details of the recipient are obtained in the course of the sale or negotiations for the sale of a product or service to that recipient;
- The company collecting the contact details will be sending their own marketing material about similar products and services; and
- At the time contact details are collected there is a chance to object to receiving marketing (ie an opt-out), and in every communication following (ie an easy to use unsubscribe link).
The soft opt-in under PECR only applies to commercial marketing to consumers. Charities and political parties, for example, will fall under the default position requiring consent. Whether the soft opt-in can be used depends on the particular circumstances and specific practical analysis will be required. It may be narrowly construed by regulators and courts alike, and it is important to note that it cannot be used across Europe as the approach is not uniform. For example, read our article on the approach of the German courts.
The soft opt-in under PECR is an exception to the requirement for consent. Consequently, whatever the definition of consent (whether pre or post GDPR), it is not relevant to the soft opt-in exception. However, this does not mean that the soft opt-in is unaffected by the GDPR. The collection of personal data through soft opt-in, for example, email addresses or other information that directly/indirectly identifies an individual, still needs to satisfy GDPR requirements, including a lawful basis analysis, transparency requirements, and acting on any opt-out request, among others.
In the UK, we (currently) do treat some business and consumer marketing differently. The rules on consent and the soft opt-in in electronic marketing don't apply to "corporate subscribers", that is, companies and other corporate bodies (such as LLPs and government bodies). It's important to note that sole traders and some partnerships are not classed as "corporate subscribers", and they will be treated as individuals (and therefore the default requirement for consent applies).
The UK approach to date has been to make a distinction between individual personal email addresses and employee corporate email addresses (ie firstname.lastname@example.org) in as much as email marketing to the latter does not require consent under PECR. However, the GDPR does still apply to such employee corporate email addresses, as they are personal data. That means, for example, that companies still need to undertake a lawful basis analysis, meet transparency requirements and give effect to the right to object to marketing for all corporate subscribers.
There may be practical issues to consider where, for example, the recipients on a 'corporate subscriber' email marketing list should not include any personal email addresses, or those of sole traders or other entities treated as consumers. It is important to be able to check and keep this under review and to evidence this. Without satisfying evidentiary requirements, it is not clear that email B2B marketing would fall outside of the default consent position.
In addition, Member States have interpreted and applied the e-Privacy Directive differently with regard to how they define and treat business and consumer marketing. In practice, many Member States, including, for example, Germany, impose the same requirements on marketing to all email addresses from which an individual can be directly or indirectly identified (including employees at corporate email addresses), through local laws and / or court decisions. This means businesses need to think carefully about whether to take a pan-European approach or to treat each Member State separately.
It remains to be seen where the e-Privacy Regulation will land on unsolicited marketing communications as it is still very much in draft stage. Ahead of there being any finalised timing or content, the ICO has issued a call for views on a direct marketing code of practice which is open until 24 December. This will specifically address the legal landscape as it stands and cover compliance requirements under both PECR and the GDPR in the UK. This new guidance, once finalised, will set out ICO's approach post GDPR, and may impact the interpretation of PECR including with regard to consent evidence, soft opt-in and B2B marketing.
For now, electronic marketing compliance remains hot on the agenda of regulators, including the ICO, and non-compliance is the source of many complaints (see our article for more). It is unlikely to move out of the spotlight soon, even once the e-Privacy Regulation comes in and, if anything, post-GDPR there are likely to be increasing complaints. Ramping up evidence of PECR and GDPR compliance will be crucial to being able to handle any queries or complaints, and may also prove useful if businesses need to adapt to any future changes in the law.