The G-word isn’t history yet, and there still seems to be confusion about whether you can send marketing emails to people. In fact it is not GDPR that covers this, but the Privacy and Electronic Communications Regulations (PECR) which has been around since 2003 – last updated in 2018. The ICO have a helpful checklist on what can and can’t be done here: , and plenty of helpful guidance on PECR if you just put PECR in the ICO site search box.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
The EU is in the process of replacing the e-privacy Directive with a new e-privacy Regulation to sit alongside the GDPR. However, the new Regulation is not yet agreed. For now, PECR continues to apply alongside the GDPR.
What are the rules on electronic mail marketing?
The rules on electronic mail marketing are in regulation 22. In summary, you must not send electronic mail marketing to individuals, unless:
- they have specifically consented to electronic mail from you; or
- they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.
For further information, see the ICO guidance on direct marketing.