Can I Send Marketing Emails to Companies?

Can I Send Marketing Emails to Companies?

In light of the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) legislation, you may have some doubts about what you can and can’t do regarding marketing emails. One legislation does not replace the other, but complying with one can get you closer to fulfilling the other one’s regulations. It’s necessary to comply with both.

They place specific rules on many things such as marketing calls, emails, texts, faxes, web browser cookies, and customer privacy information. These apply to both business-to-consumer and business-to-business sales and marketing. Regardless, the purpose of this article is to clarify the rules that apply to business-to-business marketing emails.

In short, yes, you can send marketing emails to companies, but you must keep a list of businesses that object or opt out. This applies to the company as a whole and the individuals working in them. However, there are more detailed business-to-business email marketing rules that you must follow, so keep reading the article to know what they are.

Whenever you process personal data, the UK GDPR provisions and requirements apply. This means that if you are able to identify an individual directly or indirectly, the regulations have effect.. To give an example, when you have a business contact’s name and number on file or an email address that can identify them, such as “”, you must comply with the regulations.

Does the PECR or the GDPR State That We Require Consent for Marketing?

No, it isn’t always necessary. While consenting is a lawful way of processing information, some alternatives to it exist. For example, you can justify your business-to-business email marketing by relying on legitimate interests.

Regardless, there are situations where consent is required to comply with PECR. Still, the rules of marketing to companies are different than those of marketing to individuals. Rules on consent don’t apply to any email sent to companies or other corporate bodies (limited liability partnerships, government bodies, and Scottish partnerships). There is one requirement: the sender of the marketing email has to identify itself while providing contact details.

However, even if that’s the case, if the company goes through the trouble of stating that they don’t wish to receive further marketing emails, the best practice is to stop sending them.

What Are the Marketing Email Rules?

You can email any company, limited liability partnership, Scottish partnership, or government body. You can’t email sole traders and some particular partnerships, as the Privacy and Electronic Communications Regulations recognise them as individuals.

That means that you can only send marketing emails towards these small businesses when they expressly consent or buy a product or service from you and fail to opt-out from the marketing emails when given the opportunity to do so. This case only applies if the message includes a unsubscribe, refuse, or opt-out option.

For corporate bodies, proper business sense and regulations recommend the practice of keeping a “don’t email” list for businesses who opt-out. Any new marketing list you obtain should be screened against that list to ensure that you don’t send emails to companies that object to them.

Some GDPR provisions apply whenever you email company workers with an email address with the corporation’s domain. Individual employees have a right to ask you to stop sending them marketing emails on these types of addresses.

What Counts as Consent?

The General Data Protection Regulation’s standard for consent is relatively high. It must leave nothing to doubt, involving a clear and concise affirmative action in the form of an opt-in option. You can’t use a pre-ticked opt-in box. It’s also necessary to include different consent options whenever the data is processed in various manners.

It would be best if you didn’t tie the consent’s processing as a precondition to a service, as it isn’t an adequate lawful basis. A consent request requires the inclusion of the following information:

  • Your business’ name
  • Third parties that make use of the processed information gained on consent
  • The reason you want their data
  • What you want to do with their data
  • They can opt-out their consent whenever they want

Keeping evidence of it is essential: who consents, when the person did so, how they did so, and what you told them. Try and make it easy for them to withdraw their consent whenever they wish to do it.

However, as previously stated, it isn’t always necessary. Whenever acquiring approval proves difficult, you can look for an alternative lawful basis.

When Can I Use Legitimate Interests in Practice?

Legitimate interests are a considerably flexible lawful base. As it doesn’t focus on a single purpose, it allows you to rely on it in different situations. However, that doesn’t mean that it’s always adequate to use. There is an appropriate foundation where you can use it, which is during these scenarios:

  • The impact on the individual’s privacy is minimum
  • Your processing has a convincing justification
  • It’s reasonable for the individual to expect their data to be used in that way

There are more situations where you can use legitimate interests, but these three are the most useful.

What Are the Rules for International Marketing Emails?

Whenever you send emails to companies outside the UK, you need to comply with their countries’ laws. For the moment, countries in Europe possess similar data protection regulations to the United Kingdom. However, some of their rules are more stringent than the UK ones, even more so for business-to-business marketing.

You need to seek legal advice if you want to send marketing emails to companies in other countries.

Can I Hire Another Company or Individual to Send Marketing Emails?

The hired party and yourself must still comply with the GDPR and PECR. You are responsible because you are technically prompting the other party to send the emails. Should your contractor fail to comply with some provisions and requirements, any legal action could be taken directly against you.

The authorities can also consider interceding with the contractor if they continue to ignore the rules, whether deliberate or not. For that reason, having a written contract stipulating the responsibilities your contractor has is ideal. It may be wise to ask your contractor to indemnify you in case they commit a PECR violation.

Should they break the law, causing your organisation some reputational damage and making you subject to legal action, you can seek legal advice and take measures for the contract violation.

What More Should I Consider?

As stated throughout the article, you must remember that whenever you process the personal data of an individual with the purpose of sending business-to-business emails, they have the right to object.

This right applies whenever you process their data for direct marketing. Whenever an individual objects to marketing emails, complying with their wishes is mandatory. You must adhere to their demands even if the processing basis is that of legitimate interests.

You must provide information on what you’re using the personal data for, your processing basis, the length of time you plan to store their information, and the parties with access to it.

If you rely on consent, there isn’t a right to object. However, any individual can withdraw it at any point, and you must cease the processing of their data when they do so.

The Children’s Code – are you ready?

The Children’s Code – are you ready?

A long time ago in a galaxy far away …….. (22 January 2020) the Information Commissioner’s Office [‘ICO’] introduced the Children’s Code.

If you are a provider of ‘Information Society Services’ likely to be accessed by children -defined as under 18 and you are not aware of it then you need to get up to speed.

The Code applies to apps, social media platforms, online messaging, online marketplaces, content streaming services and any websites offering goods or services to children over the internet.

The Code recognises that the digital economy can provide benefits to children but is often not a “safe space” for them. The Code looks to change that – not by seeking to protect children from the digital world, but by protecting them within it.

The Code is already in force but, like the GDPR, it has a 12-month transition period for providers to make the necessary changes.

Affected providers need to be ‘Code Ready’ by 2 September 2021.

Before there was a Code there was a law…

Providers are already obliged to comply with the GDPR and Data Protection Act 2018 and PECR 2003 when processing [collecting, storing, using, sharing, erasing etc.] the personal data of children -any information that relates to them.

It is not enough to comply with the GDPR – an organisation has to be able to demonstrate that it is compliant.   It’s called ‘accountability’. The Information Commissioner’s Office [‘ICO’] has made it clear that if a provider does not follow the code then they may find it difficult to prove that they comply (are ‘accountable’) with the GDPR.

Failure to comply may lead to complaints from children or their parents, potential ICO investigations, claims for compensation, bad publicity, time dealing with issues and, worst-case scenario, fines.

Providers can avoid all of that by being proactive and taking steps to be Code Ready now.

The starting point for any Provider processing personal data is that they must comply with the data protection principles. Simplified these are:

(a)   they must process children’s personal data lawfully, fairly and in a transparent manner.

(b)   a child’s data should only be collected for specified, explicit and legitimate purposes…

(c)    any processing of personal data should be adequate, relevant, and limited to what is necessary

(d)   personal data should be accurate and, where necessary, kept up to date

(e)   it should be kept in a form that identifies the child for no longer than is necessary and,

(f)     it should be processed in a manner that ensures appropriate security of the child’s data….

As stated above a Provider must be able to demonstrate that they comply with the 6 principles above.

Not sure about the principles or how to prove you comply? Contact us -but following the Code will help.


Don’t forget children may have the following rights:

1)     to be informed about how their data is used

2)     to access a copy of it

3)     to rectify inaccurate information

4)     to erase it

5)     to restrict what is done with it

6)     to have others who have received their data notified about any rectification, erasure, or restriction of it

7)     to have it ported to another provider

8)     to object to how it is used and to direct marketing

9)     to object to automated decision making and,

10)  to be notified of certain types of personal data breaches.

What does a Provider need to do?

The code puts forward 15 standards.

Not all will apply to every provider.  They are summarised below:

  1. What is best for the child should be a primary consideration when providers design and develop online services.
  2. Providers should do a Data Protection Impact Assessment (‘DPIA’) to inform them as to what they should do to do away/ reduce risks of harm to children who are likely to access the services.

If you do not know how to do one of these contact us.

  1. Providers should take a risk-based approach to recognising the age of child users and ensure they effectively apply the standards in the code to those users.
  2. Privacy information and other published terms, policies, and community standards, must be concise, prominent, and in clear language suited to the age of the child. Providers should provide additional specific ‘bite-sized’ explanations about how they use personal data at the point data is collected.

For help with this contact us.

  1. Provider’s must not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
  2. Providers must uphold their own published terms, policies, and community standards.

Need terms, policies, notices? Contact us.

  1. Settings must be ‘high privacy’ by default.
  2. Providers must collect and retain only the minimum amount of personal data needed to provide the parts of the service in which a child is actively and knowingly engaged. Children should be given separate choices over which parts they wish to activate.
  3. Providers must not disclose children’s data unless they can demonstrate a compelling reason to do so.
  4. Providers must switch geolocation options off by default (unless they can demonstrate a compelling reason it to be on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session.
  5.  If a provider provides parental controls then they should give the child age-appropriate information about this. If a parent or carer can monitor their child’s online activity or track their location, then there should be an obvious sign to the child that they are being monitored.
  6. Providers should switch options which use profiling ‘off’ by default (unless they can demonstrate a compelling reason for it to be on by default, taking account of the best interests of the child). Providers should only allow profiling if they have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  7. Providers should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections.
  8. Where providers supply a connected toy or device, they should ensure they include effective tools to enable conformance to the code.
  9. Providers should provide prominent and accessible tools to help children exercise their data protection rights [see above] and report concerns.


Providers need to review their offerings now to ensure they do the right thing and are ‘Code Ready’ by 2 September 2021.  Failure to do will make it more difficult to prove that a provider is compliant with the GDPR. DPA/OK can advise Providers on what their legal obligations are.