GDPR and marketing e-mail: let's get things straight
The point of view of Benoît De Nayer
"Like me, you are currently probably drowning under mails from companies you may never have even heard of, inviting you to “reaffirm” your consent to receive marketing and advertising e-mail.
Most of these e-mails appear to have been drafted rather quickly and the wording at times seems rather clumsy. None of the mails I have read to date seem to have been reviewed by a legal counsellor. In fact, some are even downright illegal. All, and I mean all, the “confirmation” emails I have read to date are completely off the mark.
By mixing up GDPR and e-mail consent, they seem to have missed the point. The GDPR does not require you to obtain the specific opt-in of all the contacts in your existing databases (on the contrary even, Recital (171) of the GDPR says that where databases were developed based on consent pursuant to Directive 95/46/EC, the controller can continue to use these databases).
Given the scale of the disaster it occurred to me (a little late I admit) that some education was needed. So let’s start from the beginning.
1. GDPR and e-mail are two different things
Firstly, the GDPR does not mention e-mail anywhere. It isn’t particularly concerned with the channels you use, because it only refers to the processing of personal information.
The provisions about e-mail are set out in a European Directive from 2002 (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, called the “Directive on privacy and electronic communications”), which has been transposed into the legislation of the Member States in various ways. This will be significantly reworked in the next few months, in a future e-Privacy regulation, but more on this later.
In essence, the Directive says this:
- All e-mail communication to natural persons (you and me) requires the subject’s prior consent (OPT-IN), except if the e-mail was collected in the margin of a commercial transaction and is used to send promotional messages about similar products. In that case, the OPT-OUT rule kicks in.
- All e-mail communication to legal entities (businesses) does not require prior consent but entitles them to object to this (OPT-OUT).
2. You need data to send e-mails
And that is where the GDPR becomes relevant again. You can’t develop an e-mail campaign without processing personal data (a quick reminder that an firstname.lastname@example.org address is not considered personal data and that its processing is therefore not subject to the GDPR).
And you will say that you need consent to process personal data.
Yes and no: most of the senders I referred to above are wrong in thinking that consent must always be sought for data processing. Nothing could be further from the truth.
Consent is just one of the circumstances under which data processing is lawful (in a sense, it is the “mother of all justifications for the processing of personal data”). When a company bases itself on the person’s consent to process their personal data, it must demonstrate the exact scope of this consent (when was the consent given, through which channel, and so on).
Other circumstances include the law that may require you to process certain data, the performance of a contract and legitimate interests.
Legitimate interests are the exact reason why the GDPR was drafted in the first place. And sometimes they used to justify all kinds of things.
Recital (47) of the GDPR (which can be used for its interpretation) however unambiguously states that commercial prospection can be a legitimate interest.
If we combine this recital with what I said under point 1, you can draw some interesting conclusions:
No prior consent is needed for data processing or for sending prospection e-mails to companies. As companies, which are legal entities, are represented by natural persons, you can send prospection e-mails to an address of the email@example.com type.
The French data protection authority CNIL has corroborated this (https://www.cnil.fr/fr/la-prospection-commerciale-par-courrier-electronique), stipulating that e-mail prospection is still possible without consent under the GDPR.
However, note that the situation differs slightly among countries of the EU. For example, in Belgium, the “Arrêté Royal” of April 4, 2003 (which regulates the sending of e-communications) states that consent is required in order to send prospection e-mails to such addresses.
You must make reasonable use of this consent however. For example, your prospection efforts must solely relate to products and services that may be relevant to the company. You cannot, for example, try to sell a game console to the holder of an firstname.lastname@example.org address without prior consent.
What’s more, the recipient must be able to object to the processing of their data for marketing purposes at all times.
So there is no need for a re-opt in for a B2B prospection database. That said, it may be worth reminding the data subjects whose personal data is contained in this database of the extent of their rights (more specifically of the right to object to the processing of personal data for marketing purposes), inviting them to unsubscribe if the messages do not seem relevant to them. This is simply a case of common sense.
This is a more complex matter. Even if commercial prospection aimed at consumers falls under the scope of Recital (47), it should still be noted that the Directive of 2002 prohibits the use of their e-mail address without prior consent.
The only case where you may use e-mail to send a marketing message to a consumer without specific prior consent is if that consumer has purchased goods or a service, if their e-mail was collected in the margin of this transaction and if you use it to promote similar goods and services (i.e., promote MP3 music to someone who already bought a song).
In that case, this is considered an example of legitimate interests. The data processing is obviously lawful because it is authorised by the law (which transposes the directive).
Here too however, you must give consumers the right to object to this data processing and therefore to all subsequent communication.
In short, for B2C communication, you only have two options for e-mail based marketing communication:
• Either you obtain specific consent from the consumer, entitling you to send marketing communication by e-mail and nothing in the GDPR prohibits you from continuing to rely on this consent.
• Or you have a business relationship with the consumer and rely on this to continue to send the consumer e-mails about products and services that are similar to those he already bought from you. Here again, nothing in the GDPR prevents you from continuing to send the consumer messages based on this relationship.
However, you may not send an e-mail to the consumer asking him to register (or re-register) for your e-mail marketing programme if any of the above situations do not apply to you. And that is exactly what the majority of the e-mails we are all getting lately are asking us to do. In our opinion, they are therefore illegal.
That said, it could be interesting for marketing professionals who can base themselves either on e-mail consent or on the opt-out in the framework of an existing commercial relationship to send consumers an e-mail reminding them about their rights and inviting them to modify their preferences, where applicable.
I hope I was clear. If not, please share your reservations, questions and opinions on LinkedIn or send me an e-mail at email@example.com
Good luck with your compliance..."
Benoît de Nayer
Director and co-founder