Latest insights from our experts

Dan Griffin

Posted 13 October 2017
by Dan Griffin

Will the GDPR Require New Consent From Existing Customers?



We are often asked if businesses need to ask their existing contacts to opt-in to receive marketing communications again once the General Data Protection Regulation (GDPR) comes into force in May 2018. This an important decision, the consequences for getting it wrong can include reputational damage and significant fines by the Information Commissioner’s Office (ICO).

Email

For email marketing the answer is simple – do not send email marketing to individuals unless they are a previous customer or you know they opted in to receive it when they signed up to your mailing list, responded to an advert, or met you. That requirement will not change under the GDPR.

If you are unsure and want to obtain consent, emailing to ask for it is illegal. Emailing prospective customers who have not previously consented to receive electronic communications for the purpose of asking them to opt into emails is deemed spam for the purpose of the Privacy and Electronic Communications Regulations 2003 (PECR) and could result in fines. Honda, Morrisons and Flybe have all been fined for similar email campaigns which included individuals who had already opted out or had not opted into marketing communications.

Being able to show a legitimate interest does not change the requirement for a prospective customer to opt in to electronic marketing so direct marketing by email under the GDPR will still require explicit consent. It is not possible to rely on legitimate interest instead.

Writing to customers by post may be available as a last resort where an organisation requires an ‘opt in’ to email for example where they are handling sensitive personal data, making new uses of existing data or simply want to email the customer. There is nothing in the GDPR, PECR or ICO guidance to date which says a customer cannot be asked by post to opt in to email communications.

Post

For marketing by post the answer is not straightforward and will depend on:

  • How consent was originally obtained (if at all)
  • What the business intends to do with the customer data – is it going to be used for the same purposes?

For marketing by post, if you can demonstrate that customers have given consent under the old Data Protection Act 1998 then provided how the data is used will be consistent once the GDPR comes into force then it is probably unnecessary to obtain it again. Consent may have been provided by a pre-ticked box or implied consent under your existing terms of business or privacy policy.

Where it is not possible to show consent, businesses may be able to continue using data for non-electronic marketing communications even if they cannot show customers gave consent, provided the data is being used for a legitimate interest. There is little detail on what amounts to a legitimate interest in the GDPR save that it can include direct marketing. Further ICO and EU guidance is awaited.

We have been asked by some businesses if they can simply write a letter saying ‘unless you say otherwise we will assume you consent to us sending you marketing communications by post’. Our advice is generally that you can but there is little point provided you are continuing to use the data for the same purpose as before, simply continue to rely on the legitimate interest provisions.

If you require any advice regarding this matter, please do not hesitate to contact our experienced team of solicitors.

Want to know more?

Request a call back or ask us a question using our quick-contact form.
Alternatively you can call us on 01392 207020.

About the author

Dan Griffin

Dan Griffin

Associate

Associate within commercial litigation