In light of the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) legislation, you may have some doubts about what you can and can’t do regarding marketing emails. One legislation does not replace the other, but complying with one can get you closer to fulfilling the other one’s regulations. It’s necessary to comply with both.
They place specific rules on many things such as marketing calls, emails, texts, faxes, web browser cookies, and customer privacy information. These apply to both business-to-consumer and business-to-business sales and marketing. Regardless, the purpose of this article is to clarify the rules that apply to business-to-business marketing emails.
In short, yes, you can send marketing emails to companies, but you must keep a list of businesses that object or opt out. This applies to the company as a whole and the individuals working in them. However, there are more detailed business-to-business email marketing rules that you must follow, so keep reading the article to know what they are.
Whenever you process personal data, the UK GDPR provisions and requirements apply. This means that if you are able to identify an individual directly or indirectly, the regulations have effect.. To give an example, when you have a business contact’s name and number on file or an email address that can identify them, such as “firstname.lastname@company.com”, you must comply with the regulations.
Does the PECR or the GDPR State That We Require Consent for Marketing?
No, it isn’t always necessary. While consenting is a lawful way of processing information, some alternatives to it exist. For example, you can justify your business-to-business email marketing by relying on legitimate interests.
Regardless, there are situations where consent is required to comply with PECR. Still, the rules of marketing to companies are different than those of marketing to individuals. Rules on consent don’t apply to any email sent to companies or other corporate bodies (limited liability partnerships, government bodies, and Scottish partnerships). There is one requirement: the sender of the marketing email has to identify itself while providing contact details.
However, even if that’s the case, if the company goes through the trouble of stating that they don’t wish to receive further marketing emails, the best practice is to stop sending them.
What Are the Marketing Email Rules?
You can email any company, limited liability partnership, Scottish partnership, or government body. You can’t email sole traders and some particular partnerships, as the Privacy and Electronic Communications Regulations recognise them as individuals.
That means that you can only send marketing emails towards these small businesses when they expressly consent or buy a product or service from you and fail to opt-out from the marketing emails when given the opportunity to do so. This case only applies if the message includes a unsubscribe, refuse, or opt-out option.
For corporate bodies, proper business sense and regulations recommend the practice of keeping a “don’t email” list for businesses who opt-out. Any new marketing list you obtain should be screened against that list to ensure that you don’t send emails to companies that object to them.
Some GDPR provisions apply whenever you email company workers with an email address with the corporation’s domain. Individual employees have a right to ask you to stop sending them marketing emails on these types of addresses.
What Counts as Consent?
The General Data Protection Regulation’s standard for consent is relatively high. It must leave nothing to doubt, involving a clear and concise affirmative action in the form of an opt-in option. You can’t use a pre-ticked opt-in box. It’s also necessary to include different consent options whenever the data is processed in various manners.
It would be best if you didn’t tie the consent’s processing as a precondition to a service, as it isn’t an adequate lawful basis. A consent request requires the inclusion of the following information:
- Your business’ name
- Third parties that make use of the processed information gained on consent
- The reason you want their data
- What you want to do with their data
- They can opt-out their consent whenever they want
Keeping evidence of it is essential: who consents, when the person did so, how they did so, and what you told them. Try and make it easy for them to withdraw their consent whenever they wish to do it.
However, as previously stated, it isn’t always necessary. Whenever acquiring approval proves difficult, you can look for an alternative lawful basis.
When Can I Use Legitimate Interests in Practice?
Legitimate interests are a considerably flexible lawful base. As it doesn’t focus on a single purpose, it allows you to rely on it in different situations. However, that doesn’t mean that it’s always adequate to use. There is an appropriate foundation where you can use it, which is during these scenarios:
- The impact on the individual’s privacy is minimum
- Your processing has a convincing justification
- It’s reasonable for the individual to expect their data to be used in that way
There are more situations where you can use legitimate interests, but these three are the most useful.
What Are the Rules for International Marketing Emails?
Whenever you send emails to companies outside the UK, you need to comply with their countries’ laws. For the moment, countries in Europe possess similar data protection regulations to the United Kingdom. However, some of their rules are more stringent than the UK ones, even more so for business-to-business marketing.
You need to seek legal advice if you want to send marketing emails to companies in other countries.
Can I Hire Another Company or Individual to Send Marketing Emails?
The hired party and yourself must still comply with the GDPR and PECR. You are responsible because you are technically prompting the other party to send the emails. Should your contractor fail to comply with some provisions and requirements, any legal action could be taken directly against you.
The authorities can also consider interceding with the contractor if they continue to ignore the rules, whether deliberate or not. For that reason, having a written contract stipulating the responsibilities your contractor has is ideal. It may be wise to ask your contractor to indemnify you in case they commit a PECR violation.
Should they break the law, causing your organisation some reputational damage and making you subject to legal action, you can seek legal advice and take measures for the contract violation.
What More Should I Consider?
As stated throughout the article, you must remember that whenever you process the personal data of an individual with the purpose of sending business-to-business emails, they have the right to object.
This right applies whenever you process their data for direct marketing. Whenever an individual objects to marketing emails, complying with their wishes is mandatory. You must adhere to their demands even if the processing basis is that of legitimate interests.
You must provide information on what you’re using the personal data for, your processing basis, the length of time you plan to store their information, and the parties with access to it.
If you rely on consent, there isn’t a right to object. However, any individual can withdraw it at any point, and you must cease the processing of their data when they do so.