GDPR compliance continues to pose challenges across a wide swath of businesses and business functions that rely on the processing of personal data of EU residents. Sales and marketing departments in particular have faced confusion and uncertainty regarding the lawful distribution of electronic newsletters and other online direct marketing. As a result, many business professionals are continuing to operate – even months after GDPR has gone into effect – under the belief that consent is the sole acceptable legal basis for electronic marketing communications. In fact, alternative legal bases can and should be leveraged in order to continue with successful email and online marketing initiatives that meet GDPR obligations.
Email Marketing to Consumer Contacts
Under GDPR, processing of personal data is generally only allowed with a legal basis listed in Article 6, which includes common bases such as consent, contractual necessity and legitimate interest. While consent is generally an excellent option as the legal basis for email marketing, it may be difficult to obtain and can be challenging to manage. For example, consider how your marketing teams can practically gain consent to send email communications to an individual with whom they have no prior contact or relationship. Fortunately, other legal bases can be applied that meet not only GDPR requirements, but also the expectations of recipients and regulators alike. GDPR Recital 47, for example, expressly mentions that the processing of personal data for direct marketing may be based on legitimate interest. This is further reinforced by Article 21 which sets out the right to object to direct marketing based on legitimate interest.
The ePrivacy Directive
However, GDPR does not operate independently of other applicable laws and the EU ePrivacy Directive must be considered when planning electronic marketing initiatives. Article 13(a) of the ePrivacy Directive permits email marketing only with the prior consent of the recipients, unless the email addresses were received in the context of the sale of a product or a service and the contact details are used for direct marketing of the company’s own similar products or services. In all instances, the recipient must be provided with the opportunity to opt out of the use of their email address for direct marketing purposes at the time their email address was collected and in each subsequent electronic marketing communication.
The new EU ePrivacy Regulation, which will soon replace the Directive, will not likely loosen these requirements. In fact, the most recent draft of the Regulation requires prior consent and adds that EU Member States may further restrict the use of contact details for direct marketing purposes to instances in which the sale of the product or service occurred not more than twelve months prior to the sending of an electronic direct marketing message.
Country Specific Consent Exceptions
There are additional alternatives to consent for efficient and lawful distribution of electronic marketing messages to consumers without prior consent. The British legislature, for example, extends the application of the “same service or product exception” and applies it to email contact information which was obtained during the negotiation of a contract. Furthermore, according to guidance from the UK Information Commissioner’s Office (and consistent with German case law), email marketers do not need to obtain a separate consent from individuals included in a purchased email list, if valid consent was obtained by the list owner. In order to obtain a valid consent, the email list owner must, when collecting individuals’ consent, specify that their contact information will be passed on to third parties for marketing purposes. The list owner should also specify the name or a clear description of the third parties to whom email addresses may be sold. Such valid consent should always be verified by the party obtaining the list for marketing purposes.
Other exceptions apply as well. For example, in France, companies may send emails for charitable or non-profit purposes to consumers without their prior consent if the consumer was informed of the use for such purposes at the time of collection of the email address and was able to easily and freely object to such use.
Email Marketing to Business Contacts
The rules set forth by the GDPR and ePrivacy Directive do not distinguish between business-to-business (B2B) communications and those communications that target individual consumers. However, national laws are widely varied regarding consent requirements for B2B marketing communications. Many national advertising and competition laws provide marketers with opportunities to efficiently distribute unsolicited email communications to business customers. Marketers must gain an awareness not only of GDPR requirements, but also of different country-specific B2B consent requirements prior to distributing marketing emails to contacts obtained from general product information requests or even business cards collected during trade shows or other professional meetings.
Countries with Strict Consent Laws
Generally, there are few restrictions with regard to the distribution of electronic marketing materials that a person has specifically requested, as that request will generally be deemed to comprise consent. When exchanging business cards at a trade show or requesting a whitepaper, for example, the recipient of the card must consider whether the exchange constitutes consent to use the personal data contained on the card for purposes of one-to-one communications, or whether the exchange comprises consent to be added to a marketing database which will result in the receipt of future email marketing communications. In most instances, it would be reasonable to assume that such consent does not extend to inclusion in a marketing database, unless this is expressly communicated to the individual.
In some countries with strict email marketing laws, it is clear marketers will not be able to lawfully distribute electronic marketing messages to B2B contacts without a prior explicit opt-in. For example, current German, Danish, Italian, Spanish, Norwegian and Swiss laws require prior consent or the purchase of a product or service in order to lawfully distribute ongoing B2B marketing emails to generally interested audiences. Furthermore, the UK laws require prior consent or a contract (or negotiation of a contract) for the sale of a product or service to lawfully distribute marketing messages to individual business email addresses (e.g., firstname.lastname@example.org).
Country Specific Consent Exceptions
In many EU Member States, companies may send electronic marketing messages to B2B contacts without prior consent or without a prior sale/purchase of a product or service. For example, under Belgian, Dutch, Finnish, French, Irish, Swedish and UK laws, prior consent is not required for email marketing communications to corporate email addresses that do not include individual names, such as email@example.com. Such emails could be used as leads to obtain the personal data of the right individual to receive the messages along with their consent to receive such messages.
There are other country-specific targeted exceptions to consent as well. In Finland, France and Ireland, unsolicited marketing messages can be sent to individual business customers or professionals when the message relates to the recipient’s professional activity and the individual was informed of the use for marketing communications. In these countries it may be acceptable, for example, to send unsolicited email communications to a healthcare professional about new medicines that might help them provide the best available treatment for their patients, or to send unsolicited marketing emails concerning business software to a company’s head of Information Technology.
In the Netherlands prior consent is not required if the individual business email address was made publicly available for advertising purposes (e.g., a company provides marketing or procurement contact information on their website). The Netherlands also permits electronic marketing without consent to business email addresses if the marketer is located outside of the EU and complies with the applicable foreign (i.e., non-Dutch) laws. This will include GDPR, so marketers will still need to establish a legal basis (e.g., legitimate interest) in order to lawfully send electronic marketing messages to business contacts. Bulk emails to business contacts which might be permissible under the US CAN-SPAM Act would therefore not likely be feasible in the Netherlands.
Due Diligence, Transparency and Choice
When distributing email marketing communications, it is clear that marketers must take care to execute their campaigns in line with applicable legal requirements, including GDPR and ePrivacy obligations. Those responsible for privacy and data protection compliance must be sure that the marketing teams understand applicable requirements and exercise appropriate due diligence prior to sending electronic marketing communications to individuals, particularly those individuals that are residents of the EU. This should include steps to ensure that they provide (1) opt-out information, made available at the time that the personal data is collected, (2) an easy and obvious opt-out mechanism within each marketing communication, (3) the identity of the sender of the email in the “from” line and information that the message includes advertisements in the “subject” line, and (4) a valid and current physical address of the responsible marketer. The marketing team must also be able to efficiently and effectively remove the personal data of all individuals who opt out.
Furthermore, email marketers who are acting as data controllers must provide a GDPR-compliant privacy notice (Articles 13 and 14) to anyone whose personal data they process during a marketing campaign. This can be fulfilled by attaching an adequate privacy notice to the marketing email or by providing an obvious and easily accessible link to a privacy notice within the email (e.g., many marketers have provided links to appropriate privacy statements in their signature lines).
Contrary to many guidance documents published on direct marketing under GDPR, consent is clearly not the sole legal basis for compliant email marketing. GDPR has, in fact, opened the possibility of relying on legitimate interest as an alternative legal basis for data processing activities supporting direct marketing, including email marketing. When viewed along with ePrivacy requirements, this approach may be particularly useful when the contact information was obtained during the sale of a product or service.
Marketers targeting EU residents must also keep in mind that local European laws may provide further opportunities for effective email marketing campaigns without prior consent. So, while GDPR and the ePrivacy Directive contain requirements that impact direct marketing to EU residents, it is increasingly important that marketers consult local European laws that apply to their targeted audience before relying on consent or other GDPR/ePrivacy requirements for direct marketing messages.
Marketers should continue to consider the expectations of the recipients of their marketing communications. While they should be taking all appropriate steps to execute marketing campaigns in a compliant manner, they should also remain aware that if their communications are in line with the expectations of the recipients, their messages are likely to be welcomed and not result in complaints from the recipients.