GDPR caused a lot of confusion when it first appeared, and it’s still causing confusion now, but one of the most complex and tricky subjects is about when businesses can and can’t email their customers.
For years companies have been sending out emails to anyone that appears on their mailing list without thinking if it is legal to do so; it’s a classic tactic to upsell.
There were rules about this in the privacy regulations (known as ‘PECR’) long before the GDPR came along.
GDPR and PECR make the rules extremely clear and gives the ICO teeth to act (and they do act) if people break the rules.
What emails can I send?
One of the problems with sending emails is differentiating between the two distinct types.
There are transactional emails and there are marketing emails.
If someone buys something off your site, then there’s likely to be a process they have to go through in order to receive their goods.
It’s usually fairly simple:
- Add a product to a cart
- Checkout from that cart
- Fill out some details
- Receive confirmation, order status, delivery emails
Those emails at the end of the process and then any updates about that order are transactional emails because they relate to that transaction.
If anything else is generated, such as a follow-up to ask if your product was received, and maybe a review, could also be seen as transactional.
However, if you then send an email trying to upsell, such as “We hope you loved your socks, would you like a pair of matching gloves?”, is marketing.
If you send emails to do with the customer’s account, such as updating passwords, changes to terms and conditions, things like that, then those are transactional also.
This is fairly self-explanatory.
If you try to sell something to your customer, or your email explains new website features or other things that are meant to entice your customers to click and go check out the site – that’s marketing.
Fairly clear, no?
Here’s the problem. Some people still break the law, others are going over the top.
I’ve seen websites that have a form where people can download an e-book. They need to put their details on it. The form also has a tick box that says “Please tick this box if you consent to us sending you this e-book.”
GDPR says the customer should give clear consent, in this case, the consent would be in the form of actually filling out the details to request the e-book and submitting it. .
Imagine it if someone requested the form but then didn’t allow you to send it to them?
Gaining clear consent
When someone is checking out of your store, you can offer them the option of opting in to receive updates from you.
This is usually in the form of a tickbox somewhere on the checkout page – importantly, it needs to be un-ticked initially.
There is also something called the soft opt-in. This is where someone buys from you and gives their email to you as part of the buying process. PECR allows you to take the view that your customers, having bought from you, would not mind knowing about similar products. So as long as you give them a chance to opt-out at the time they buy the product from you and give them a right to opt-out every time you email them then that’s OK.
And that’s really it.
The law is extremely clear on what can and cannot be sent to customers, and it leaves little to interpretation.
The simple fact is, if you want to market to customers then you need to have their permission or you act under the soft opt-in. There are no clever ways around it, and if you break the rules of GDPR and PECR, you’re in danger of being picked up by the ICO and fined.