GDPR: Do you need to email everyone to get permission to contact them?

Based on numerous conversations we have had with businesses as they work through their GDPR compliance, there appears to be some confusion about GDPR and email, particularly over whether they can continue to communicate with their clients or whether they now have to get explicit consent to do so. These communications may take the form of emails, text messages or newsletters. Hopefully this will help…

Communicating with Existing Clients

If you need to contact a customer to remind them of a meeting (whether this is by letter, phone, email or text) you can continue to do so under GDPR and you do not need specific consent to do so. These are valid and reasonable communications in order for you to provide your service to the client. Likewise, if you want to send the client an invoice or receipt by email or post, you do not need explicit consent to do so. Similarly, if you need to write to the client regarding the business you are undertaking for them, then again, you do not need their consent to do so.

GDPR and Email Marketing to Existing Clients

The ICO has produced some specific guidance on communicating with existing “customers”, confirming that in most cases you do NOT have to contact your existing clients before May 25th to obtain their explicit permission to continue communicating with them. This is what the ICO says:

“131. Although organisations can generally only send marketing texts or emails with specific consent, there is an exception to this rule for existing customers, known as the ‘soft opt-in’. This means organisations can send marketing texts or emails if:
they have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person; they are only marketing their own similar products or services; and they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.”

Source: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf

Although this is not mentioned specifically in the text of the GDPR, the ICO has confirmed that soft opt-in is permitted under GDPR. This means you may continue to email or text existing clients to tell them about new goods and services, as this would be deemed to be soft opt-in.

Note that you must provide a simple method for your client to opt out of receiving further marketing communications. This means having a clear option to unsubscribe from marketing emails (which is easy to do if you use a program such as SendInBlue) and, in text messages, giving the client the option to reply using a term such as “STOP” to remove them from the marketing database.

Marketing to Potential Clients

The existing Data Protection Act (DPA 1998) and the Privacy and Electronic Communications Regulations (PECR 2003) make it clear what you can and cannot do in respect of direct marketing of your goods and services. It is intended that the PECR will be incorporated into GDPR at some point in the future. A guide to PECR can be found here:

https://ico.org.uk/for-organisations/guide-to-pecr/

If you are sending unsolicited direct marketing by electronic means (live or automated telephone calls, faxes, emails or text messages) then you must comply with PECR. The overriding requirement to comply with PECR is one of consent. You cannot market your goods or services unless you have explicit, clear, specific and freely given consent.

GDPR also stipulates that consent must be an affirmative action – i.e. the person must choose to opt in to receive marketing information, not simply be given an option to opt out. This does not necessarily mean that you always have to provide a tick-box for people to select if they want to receive information.

The ICO’s document on direct marketing guidance makes mention of implied consent. So if, for example, you are providing a page on your website for people to sign up for your clinic newsletter and it is clearly shown for this purpose, then you do not need a specific tick box for consent. If, however, you have just a general “contact us” form, and you want to add the person’s details to your marketing database, then you must include a tick box for them to provide specific consent so their personal data can be used for this purpose. In all cases you must also give the person access to a privacy notice that details how their data will be processed, the lawful basis, retention period and the rights the person has under GDPR.

As with marketing to existing clients, you must always provide a simple method for the person to opt-out of further communications.

If you have an existing list of prospects, or potential clients, you need to contact them before May 25th to ask for their consent for you to be able to continue marketing to them.

I hope this helps to clear up some of the confusion about GDPR. If you want any advice or assistance we can help. And don’t forget we offer a GDPR toolkit that will guide you through GDPR step by step.

Glen Mansbridge
May 2018