Put simply, ‘yes, you can’ – GDPR standardises data protection and provides greater control over how personal information is stored and processed by both processors and controllers. However, it does not change the rules on sending electronic direct marketing to other businesses in the UK.
But we’re sure you’d like to know more, so here’s what our lawyers have to say on it:
The rules on sending direct marketing communications by electronic means (i.e. email and text message) are contained in the ePrivacy Directive. The ePrivacy Directive is an EU directive that has been transposed into local law by the EU Member States. In the UK, it was transposed by the Privacy and Electronic Communications Regulations (“PECR”).
Under the ePrivacy Directive, a recipient’s prior opt-in consent is required in order to send them electronic direct marketing communications. There is a limited exception to this where the recipient’s contact details are obtained in the context of a sale and the marketing is for similar products or services (known as the “soft-opt in” exception). The soft-opt is effectively an opt-out mechanism; recipients must be given, at collection and on each communication, an opportunity to opt-out.
In the UK however, while the rules on consent (including the soft-opt in exception) are the same, the requirement for consent does not apply to electronic marketing communications sent to corporate recipients (e.g. corporate email accounts such as firstname.lastname@example.org) – the only requirement in this situation is that the sender identifies itself and provides contact details. Other EU countries, for example, Germany, require consent for all electronic marketing communications, regardless of the status of the recipient.
It is likely that the ePrivacy Directive will be replaced in the next few years by a new ePrivacy Regulation, which is currently in draft form making its way through the EU institutions. The ePrivacy Regulation will apply automatically to all EU Member States (in other words it will not need to be transposed into local law like the ePrivacy Directive). It is not yet clear whether the consent rules under the ePrivacy Regulation will apply to corporate as well as individual recipients.
Finally, the GDPR, when it takes effect, will not affect these rules on electronic direct marketing. As is the case under the current Data Protection Act, the GDPR gives individuals a general right, at any time, to object to processing of their personal data (e.g. an email address which includes their name) which is being used for direct marketing purposes.