Email marketing

Email marketing and privacy law

Guide

If you want to use email to carry out direct marketing, you need to comply with the rules in the Privacy and Electronic Communications Regulations (PECR). These rules include specific things you must say in your marketing messages - eg disclosing your identity and providing a valid email address to all recipients - as well as legal responsibilities you have as a marketer.

What is electronic mail and direct marketing?

Under the regulations, electronic mail is any electronic message that consists of text, voice, sound or images - ie email, text, picture, video, voicemail and answer phone messages. Direct marketing is defined as a message that is trying to sell goods or services, or is promoting the values or beliefs of a particular organisation.

You need to consider email marketing list opt-ins and opt-outs. You can only carry out marketing by email if the individual you are sending the message to has given you their consent and you follow electronic mail rules contained in PECR and data protection principles under the GDPR.

Sending email marketing to other businesses

Opt-in requirements don't apply to marketing sent to companies or limited-liability partnerships, where you are not targeting a named individual. However, it's not good business sense to continue to send marketing to businesses that don't want you to. You still need to give your identity and provide a valid opt-out address or unsubscribe option in your communications.

Complaints and breaches of privacy regulations

The Information Commissioner's Office (ICO) is responsible for dealing with any complaints and breaches of the regulations. If you breach these rules when you carry out electronic marketing, the ICO will contact you to resolve the problem. 

If you infringe any of the basic data protection principles you may be subject to administrative fines of up to €20,000,000 or 4% of your business' total worldwide annual turnover.

The Data Protection Act

If you send direct marketing messages electronically to individuals whose personal details come from a bought database, you must also comply with the Data Protection Act 2018. In addition, there are also certain rules about buying email databases you need to consider.

The UK General Data Protection Regulation (UK GDPR) came into force in the UK on 25 May 2018. Alongside the Data Protection Act 2018, the GDPR introduced new rules on processing and safeguarding personal data.