Under GDPR, any business must have a lawful basis for processing PII for marketing purposes. There are six lawful bases for processing PII, with legitimate interests and consent being the ones most used for marketing emails (the ICO discusses all six here).
The Legal Requirements For GDPR-Compliant Marketing Emails
Legitimate interest is often the go-to option for processing PII because it is the most flexible basis and covers cases where you use data in ways the people you collected it from would reasonably expect.
But to send marketing emails, you must also ensure your direct marketing activities comply with e-privacy laws and other related industry standards, which require much more than having a legitimate interest.
Marketing emails are part of direct marketing activities and are governed by GDPR, but also by the Privacy and Electronic Communications Regulations (PECR).
PECR determines the privacy rights people have in relation to electronic communications, and requires that businesses get consent from individuals before they proceed with direct marketing activities.
Therefore, consent would be a better basis for processing information under the GDPR.
Test Yourself To Find Out If You’re Compliant
There are a lot of other legalities to look at, but we’ve tried to make it easy by giving you some questions. These are all the things you need to check to figure out if your marketing activities and emails are compliant or not!
So, ask yourself:
- Are we using opt-in boxes?
- Are we making sure we’re avoiding automatic opt-in (pre-ticked boxes)?
- Does the opt-in specify the type of communication we will be using?
- Is the consent separate from terms of service for other products?
- Do we have separate opt-ins for different types of processing and purposes (e.g., processing yourself only, or sharing with third parties too)?
- Are we passing details to third parties and informing individuals about it?
- Are we giving them a choice to opt-out from passing their details to third parties?
- Did the recipient consent to receiving promotional materials via email?
- Was the consent knowingly and freely given via a clear and positive action (like ticking a box)?
- Do we have a record of what people consented to, when, and how we got the consent?
- Did we obtain consent directly? (Third party consent that doesn’t identify you is not valid.)
- Are we screening names and email addresses against specific email preferences?
- Do individuals have a clear and easily accessible opt-out option?
- Are we making sure individuals who opt-out are not penalised (restricted access)?
- Are we screening names and email addresses against opt-out lists?
To put it simply: people need to ask you directly for promotional emails before you can proceed. They must opt in willingly and have the power to opt out whenever they like, in a simple and straightforward manner. Otherwise, failing to comply with GDPR could become a source of cyber security issues for your business.