Email marketing and privacy law
How to comply with legal obligations when sending electronic mail, including observing the Privacy and Electronic Communications regulations and opt-ins
If you want to use email to carry out direct marketing, you need to comply with the rules in the Privacy and Electronic Communications Regulations (PECR). These rules include specific things you must say in your marketing messages - eg disclosing your identity and providing a valid email address to all recipients - as well as legal responsibilities you have as a marketer.
What is electronic mail and direct marketing?
Under the regulations, electronic mail is any electronic message that consists of text, voice, sound or images - ie email, text, picture, video, voicemail and answer phone messages. Direct marketing is defined as a message that is trying to sell goods or services, or is promoting the values or beliefs of a particular organisation.
You need to consider email marketing list opt-ins and opt-outs. You can only carry out marketing by email if the individual you are sending the message to has given you their consent and you follow electronic mail rules contained in PECR and data protection principles under the GDPR.
Sending email marketing to other businesses
Opt-in requirements don't apply to marketing sent to companies or limited-liability partnerships, where you are not targeting a named individual. However, it's not good business sense to continue to send marketing to businesses that don't want you to. You still need to give your identity and provide a valid opt-out address or unsubscribe option in your communications.
Complaints and breaches of privacy regulations
The Information Commissioner's Office (ICO) is responsible for dealing with any complaints and breaches of the regulations. If you breach these rules when you carry out electronic marketing, the ICO will contact you in an attempt to resolve the problem.
If you infringe any of the basic data protection principles you may be subject to administrative fines of up to €20,000,000 or 4 per cent of your businesses' total worldwide annual turnover.
The Data Protection Act
If you send direct marketing messages electronically to individuals whose personal details come from a bought database, you must also comply with the Data Protection Act 2018. In addition, there are also certain rules about buying email databases you need to consider.
The General Data Protection Regulation (GDPR) came into force in the UK from 25 May 2018. Alongside the Data Protection Act 2018, the GDPR introduced new rules on processing and safeguarding personal data.