GDPR – Do I Need Consent from an Individual Before I Can Email Them?
There has been much confusion about the consequences of GDPR for organisations that need to send emails to individuals.
Some have suggested that the GDPR means that before you can hold an individual’s email address or email them, you need to obtain their consent. This is incorrect.
Where you are not sending direct marketing (i.e. promoting an organisation or product – different rules apply to that), emailing without consent may be permitted provided it complies with other lawful justifications for processing, such as performing a contract with that person or emailing a customer about fees or delivery dates.
The GDPR is absolutely not about requiring individuals’ consent before any data can be used, but it does contain additional measures around consent where organisations choose to rely on it or the law requires it.
Where an organisation chooses to rely on it, consent must be freely given, specific, informed and unambiguous. Consent must also be a positive indication of agreement to data processing – it cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be verifiable, for example by a record in the database where the email is held.
Consent is not the only means of lawfully processing individuals’ data. There may be other, safer justifications which your organisation can rely on such as where this fulfils a ‘legitimate interest’. It is often worth exploring these before jumping to the conclusion that consent is required.