GDPR and my email marketing database - what now?

Written by Finn Taylor on 18th May 2018

(Last updated 5th July 2023)

GDPR is all about helping individuals regain control of their personal data as a response to digital marketeers slurping up as much data about people as they can, selling it or passing it onto third parties and targeting individuals with marketing & advertising content on websites, by email and other DM activities.

GDPR brings in rules about how data is gathered, stored, processed and used, and gives individuals control over this, which in principle we can all agree with.

For a digital marketer, however, this is a nightmare. Obviously if your business was based on doing all kinds of creepy data acquisition, using dark patterns to profile individuals, then everything is going to change. But what happens if I have simply been growing my database of contacts to market to over the years… do I really have to delete my database and start again?

So what does GDPR actually say?

Simply put, GDPR says that:

  • individuals need to be informed about all data you are gathering, and what you intend to do with it.
  • individuals need to consent to this usage in a proactive way - implied consent or pre-checked boxes do not count.

So, if historically you had a form on your website (data capture), which had an option for individuals to check saying they agree to receive marketing materials, then you have their consent (as long as you recorded this so you can prove it). [check this]

If, however, you gathered details without users actively choosing to receive marketing materials from you, then you do not. Examples of this could be:

  • Someone purchased a product from your online store, creating an account. You have their email details and have chosen to send them regular emails promoting other products.
  • Someone filled in a form on your website asking for details, and you had some text on the page saying you are going to send them marketing materials. The visitor fills in the form and clicks submit. You added their email address to your database and started sending them emails.
  • Again, someone filled in a form on your website asking for details from you. The form had a pre-checked box saying you will send them marketing materials, which they could uncheck, but they left it checked. Again you added them to your database.

In all these examples you did not get proactive consent to use their details for marketing. Whilst you could argue that the text or pre-checked form field followed by them clicking on the submit button was permission, GDPR states differently and requires a double opt-in.

In practice this could be:

  • a form with an unchecked marketing option (which they can select), combined with the submit function, creating the double opt-in - they took two proactive steps.
  • the other option, which some are taking, is to follow up with an opt-in email getting them to confirm they are happy to receive marketing materials. You could potentially follow the first option if unsuccessful with the second!!

This is probably a nightmare for many of you, as your rate of signup is going to fall dramatically; however, this is the idea. Someone must want you to send them marketing materials, rather than you just wanting to send it to them.

In short, you need to change how you gather your data.

"But wait… someone just sent me a message… Can I not email them back unless they have consented?"

Of course you can. They got in touch, so you can certainly engage with them. You cannot, however, presume that because they spoke to you, you now have permission to market to them for the rest of their lives. If you want to do this, they must actively consent to it.

In this respect GDPR is really quite clear and the rules are easy to understand.

Now here is the interesting bit….

In practice, if we followed these rules, this would create major issues, as there are many cases where you are not junk mailing individuals and they would be quite happy for you to get in touch with them.

Examples of this could be where an individual has:

  • subscribed to a service that is going to run out, and you need to tell them about their options to renew.
  • purchased a product 4 years ago, and a newer model is available which they might want to upgrade to.
  • got in touch for some advice and you started a dialogue. They were not ready but said they would be later, so you are going to get in touch again.

Here there are genuine non-spammy reasons for getting in touch with someone, and GDPR does provide a framework for this under 'Legitimate Interests'.

Legitimate Interests

Reading up on Legitimate Interests under GDPR, the wording is more about the gathering & processing of individuals' data; however, reading further on Legitimate Interests, we do find some guidance that can actually help us still communicate in a legal and legitimate manner with contacts.

The ICO website clarifies that there are reasons and mechanisms for you to market without requiring consent… Phew.

The reality is this is where things become a bit grey and murky… what is a Legitimate Interest?

Is this a 'Get out of Jail' card?

What counts as legitimate reasons

Considering legitimate reasons from a GDPR perspective we find the following

The ICO goes further to expand on this, providing more detail and structure as well as a checklist

Here the ICO also helps clarify that legitimate interests can be your own commercial interests, which does feel ripe for abuse!

Other points also highlight, more specifically, direct marketing as a potential direct interest.

This is not, however, 'carte blanche', as you do have to balance your interests against those of the individual. Is this causing them harm or adversely affecting them, and is there an alternative way in which you could achieve your goal?

PECR - what is this about?

Whilst GDPR's statement about Legitimate Interests looks really promising, implying that you may not need to delete your marketing databases, we do also need to consider PECR and what its stance on Legitimate Interests is as well. Just because I can use their data for this purpose under GDPR does not mean that PECR does not have its own set of rules.

Whoa there - what the hell is PECR… is this something new to worry about?

  • GDPR is in place to protect personal data
  • PECR is in place to protect a person’s private life (The Privacy and Electronic Communications Regulations)

A PECR update is currently underway (the last update was in 2016) and will aim to assist with the applicability of GDPR in finer detail.

Whilst PECR, like GDPR, is quite clear about the difference between solicited and unsolicited communications, it also accepts legitimate usage, but caveats it with consent again.

A final nail in the coffin is where the PECR advice on email marketing is quite clear...

So if you want to send marketing materials to a past or present client, you can, as long as you gave them an opt-out and continue to do so in your marketing emails, but in short you do need active consent for your wider database of contacts.

But wait, does this mean I cannot communicate with people in my contacts list - this is crazy… what am I going to do?

Remember PECR is about Marketing

You can certainly continue to email individuals for general communications, and Legitimate use will keep you safe, as it is easy to justify.

Whilst PECR still demands consent, this is about marketing materials, rather than general communications.

Here we have an interesting question of what constitutes marketing materials.

  • If it is a piece of communication/dialogue between you and a contact, then this does not fall into PECR's remit
  • If this is a promotional product or service brochure, then it certainly does

The question is: if you send newsletters with more informative content, articles etc., is this counted as marketing?

You obviously have an intention to create a relationship with readers, but you are also trying to be genuinely helpful. Here you are not overtly trying to sell your product or service, but rather providing useful information, insight and opinion, hoping this will rub off in a positive way.

If in doubt, you could:

  • take Wetherspoons' approach and delete everything and start again, or
  • start an email campaign inviting individuals to consent to be in your marketing database before May the 25th (whilst you are still allowed to email them), or
  • explore legitimate use and how you can use this to allow you to continue communicating with contacts, or
  • take a cavalier approach presuming no one will complain and continue emailing everyone (but look out for some potential legal issues)

Ultimately you need to review both the nature of communications with clients, and how you built your database. It is also worth remembering that a large non-engaged audience does not help your marketing, and a smaller database which is actually engaged is going to be more worthwhile.
