On May 25th, 2018, EU lawmakers unleashed the GDPR—a new privacy law capable of delivering a financial blow to businesses across the globe, not just in Europe. The data which drives email marketing programs must be processed and stored in accordance with the GDPR. Recital 47 of the GDPR states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Businesses may rely on its “legitimate interests” to send postal marketing about a new product to its customers. This means that companies may send postal marketing without their customers’ consent. However, direct marketing by electronic means such as by emailing complicates the issue.
Although the GDPR governs the data used for email marketing, the Privacy and Electronic Communication Regulation (“PECR”) defines the required permission to send marketing by electronic means, such as by email. Additionally, the PECR does not include “legitimate interests” as a lawful basis for electronic marketing by email. To further muddy the water, the PECR will soon be repealed in favor of the new ePrivacy Regulation (“ePR”) that is reportedly going to be delayed until 2020. As a result, sending marketing emails remains subject to the PECR.
As for now, the general rule under the PECR is that businesses may send marketing emails to individuals that have consented to receive them. But, there is an exception for existing customers—known as the “soft opt-in.” This means that consent is not required if an individual’s contact details were obtained during a sale, and the individual had the opportunity to opt-out at that time.
As the EU works to introduce the ePR, businesses face the challenge of complying with the GDPR and the PECR. Moreover, given the imminent arrival of the ePR, companies must prepare for complying with the new upcoming regulation too.
Let us help you with this hurdle to GDPR compliance.