With six months to go until the General Data Protection Regulation (GDPR) comes into force, many organisations would be forgiven for focusing solely on preparing for compliance. However, for those engaged in electronic marketing, GDPR is just one part of privacy law reform.

What does the law say at the moment?

Marketing by electronic means, such as email or SMS, is also governed by the Privacy and Electronic Communications Regulations (PECR), which sits alongside the Data Protection Act 1998. As with the 1998 Act, PECR is derived from an EU Directive.

PECR supplements the 1998 Act with additional rules that govern when an organisation can send unsolicited marketing by electronic means. In short, unsolicited electronic marketing can only be sent where the recipient has given consent.

However, the law is not that straightforward. Where contact details are collected while selling goods or services to an individual, the organisation can send unsolicited marketing to that person about similar goods or services, provided that the communication gives the individual an opportunity to opt out of future marketing (the “soft opt-in”).

PECR also sets out rules on using cookies and other online tracking technologies for websites, mobile apps and emails.

The interaction between the rules on electronic marketing and data protection can be complex. For example, PECR does not generally regulate business-to-business electronic marketing, but sending such messages to a sole trader or English partnership is regulated by PECR. However, regardless of whether PECR applies, all electronic marketing sent to an individual (whether in a personal or professional context) is subject to underlying data protection law, including the right to object to direct marketing.

Will the rules on electronic marketing change?

In January 2017, the European Commission published proposals for the ePrivacy Regulation, which would replace the existing Directive and national implementing legislation such as PECR. While the ePrivacy Regulation is not expected to change the basic rules on electronic marketing (in particular, the soft opt-in is expected to remain), whether or not consent is valid will be based on the rules in GDPR.

Under GDPR, consent must be “freely given, specific, informed and unambiguous,” and given by a statement or “clear affirmative action.” In particular, pre-ticked boxes, silence, and bundling consent up for multiple purposes (for example, “tick here to agree to our privacy policy”) will not be acceptable. GDPR does not provide for any “grandfathering” of existing consents.

The Commission originally planned for the ePrivacy Regulation to come into force on the same day as GDPR. However, with the text yet to be finalised, it is unlikely to come into force until late 2018 at the earliest. Potential amendments include the possible extension of the ePrivacy Regulation to all business-to-business communications.

What should I be doing to prepare?

While we do not have a finalised text for the ePrivacy Regulation, it is sensible to build the ePrivacy Regulation into any preparations for GDPR. It is important for organisations to understand:

  • What electronic marketing they carry out – in particular, whether a message is a genuine service message or marketing;
  • Whether this is based upon consent or the soft opt-in; and
  • Where they are relying upon consent, whether it complies with the requirements under GDPR.

Organisations should also be reviewing their data capture forms and privacy.

In many cases, organisations may be able to rely upon soft opt-in for electronic marketing, but that will not be the case where an individual has previously indicated that they do not wish to receive electronic marketing, or where contact details have been obtained other than at the point of sale or by another legal entity.

Where consents do need to be “repapered”, organisations will need to plan their strategy carefully.

It is tempting to encourage everyone on your CRM system to sign up to electronic marketing, using GDPR compliant consent. However, sending such a message to someone that has not previously agreed to receive electronic marketing will breach PECR, as that email itself is marketing. The ICO has fined a number of organisations this year for sending such individuals what purports to be a service email asking them to update their contact details, but is actually marketing.

While those organisations were trying to ensure that they had GDPR compliant consent in place for the new rules coming into force, they fell at the first hurdle. The need to understand what marketing individuals have agreed to previously underscores the importance of good record keeping – something that becomes even more important under GDPR.

Martin Sloan @lawyer_martin is a partner in the Commercial Services Division at Brodies LLP.