Is the unsolicited dissemination of email legal under GDPR?

Have you been inundated with emails requesting consent for companies to continue contacting you? Surprisingly, a lot of these emails were not actually required and, in some instances, may even have been sent illegally.

The General Data Protection Regulation (GDPR) introduces a higher standard of consent for companies processing your personal data and ensures that they have a legal basis for doing so. This is in everyone’s interests because GDPR ensures that we have the right to protect our personal data and are aware of how to do so.

Personal data under GDPR includes ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. Email addresses are considered personal data if they can be used to identify you. For example, 34567@gmail.com would not be classified as personal data as it does not directly identify an individual.

GDPR has caused confusion in terms of who should be emailed to gain consent. This has been particularly apparent where corporate email addresses are concerned. Aside from generic email addresses such as privacy@cyjax.com, corporate ones predominantly include an individual’s full name and the organisation they work for, which of course carries multiple identifiers and is considered personal data under GDPR.

There are two things to consider here, and what has not been made clear enough is that the Privacy and Electronic Communications Regulations (PECR) sits alongside GDPR. Firstly, GDPR stipulates that each company must have a legal basis for processing personal data and provides the requirements for how personal data must be processed. Secondly, PECR stipulates the guidance for how personal data can be used for marketing purposes and what consent must be obtained for particular identifiers. Both of these points require further clarification as there are numerous factors affecting the actions that companies should have taken to be GDPR-compliant.

For companies to process personal data, they have to rely on one of six legal bases, outlined by the Information Commissioner’s Office (ICO) here. This is to ensure that all personal data is being processed ‘fairly and in a transparent manner’. Companies must also inform individuals - either directly or through the company’s privacy notice - how they are processing their personal data.

For the type of marketing and promotional emails being discussed here, the majority of companies will have chosen to rely on either ‘legitimate interest’ or ‘consent’ as their legal bases. Direct marketing is recognised as a legitimate business interest under GDPR. However, the ICO states it can only be relied upon if it can be demonstrated that a person’s data is being used in a proportionate manner, that it has minimal privacy impact, and individuals can reasonably expect to receive the communication. To ensure that companies are compliant with this, a Legitimate Interest Assessment (LIA) must have been completed. There is more risk associated with relying on legitimate interest as there is less legal certainty than that associated with the evidence of consent. If companies have chosen to rely on consent, then PECR also needs to be considered.

Importantly, GDPR does not replace PECR; however, it has changed the definition of consent. Some of the companies that have emailed you have probably already obtained your agreement at some point, but the part that has confused them is whether this reaches the higher standard of consent that GDPR requires.

Under GDPR, you must be able to demonstrate how you got legal consent, when, where (i.e. website, conference etc.), and for what type of marketing (email, text or phone call). This must be reviewed regularly. Consent must also be obtained separately to any other agreement, such as terms and conditions, and, importantly, with a positive affirmative action known as opt-in. Having to obtain consent from individuals to send a marketing email is not new; it has been a legal requirement in the UK since 2003 when PECR came into force. There has been confusion as to whether explicit consent applies to corporate email addresses as it does to private individuals; it does not. Direct marketing to corporate email addresses is considered business to business marketing. Thus, companies can demonstrate that they have a legitimate business interest to process your data and that individuals can reasonably expect to receive the communication.

PECR also states that if an individual is an existing customer who bought (or negotiated to buy) a similar product or service from you in the past and you have given them an option to opt out, both when you first collected their details and in every message you have sent, then you may continue to communicate with them if consent meets the GDPR standard.

To add to the confusion, if the company did not already have permission to email you, they should not have sent you that email asking for your consent. Last year, the ICO fined Honda for emailing 350,000 individuals asking: “Would you like to hear from Honda?” One person complained to the ICO and they found that Honda was in breach of PECR as they did not have adequate consent to send the emails. The ICO fined the company £13,000 and stated: "Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law."

In short, yes, you will still receive marketing communication to your corporate and private email accounts if companies have decided to rely on having a legitimate business interest to process your personal data. You can, however, email any company and submit a Subject Access Request (SAR) to see what information they hold on you and ask them to remove your data at any point.

At Cyjax, we have spent a considerable amount of time ensuring we are compliant in how we are processing information on our staff, suppliers, customers and potential customers. All this is outlined in our Privacy Notice.