When sending marketing emails businesses should consider the following to remain compliant with direct marketing laws and regulations.
1. You can contact any existing customers
As a general rule, you should not contact any consumers directly by email, phone, text or post unless they have given permission (ie they have ‘opted-in’). However, the rules for existing customers are slightly different.
Under what is known as a ‘soft opt-in’, a consumer who recently purchased something from you and did not opt-out of receiving marketing messages is considered to be happy to receive marketing emails. This is the case even if they haven't specifically consented to receive marketing emails from you. As a result, you can send marketing emails to your existing customers if:
you obtained their contact details by selling them your products and/or services (or by negotiating such a sale, even if the sale is not yet complete)
your marketing email relates to products and/or services similar to those previously bought by (or negotiated with) the customer
you comply with your data protection obligations when processing (eg handling) their personal data (eg name and address)
you obtained consent from a parent (or legal guardian) if the customer is under the age of 13 (children under 13 are considered unable to provide consent and, therefore, an adult needs to provide such consent on their behalf), and
you include an unsubscribe link (see point 3 for more information)
2. You need consent for new customers
If point 1 doesn’t apply, you will need to gain consent from those who have not specifically consented to receive marketing emails from you. You will need consent from a parent (or legal guardian) if the intended recipient of the email is under 13.
The UK General Data Protection Regulation (GDPR) and DPA set out how individuals can consent to personal data processing. For consent to marketing emails to be valid, it must be:
freely given - this means that the customer must be given a genuine choice when providing consent and their decision to consent should generally be disconnected from other terms and conditions (eg access to a service should not be conditional upon consent being given)
specific and informed - this means that it must be very clear to customers what they are consenting to (eg email marketing from your business)
through ‘affirmative action’ - this means that the customer must actively take a step to give you their consent (eg ticking a box which confirms they are giving consent - having pre-ticked opt-in boxes does not count as affirmative action), and
withdrawable - this means that the customer can withdraw their consent at any time and they know how to do this (for more information, see point 3)
You can only use a customer’s personal data for the purposes they consented to. For example, if they consented to email marketing only, you can only contact them through email and cannot call them for marketing purposes.
For more information, read Consent for GDPR.
3. Always provide a way to unsubscribe
Regardless of who you send your marketing emails to, you must always provide recipients with a method of withdrawing their consent at any time. You should make withdrawing consent as easy as possible. For example, by including an unsubscribe link or button, a contact number (also known as an ‘opt-out’ phone number), or a contact email address. For more information, see the ICO’s guidance.
4. Consider your business customers
Points 1 to 3 above only apply to sending marketing emails to private individuals. If you’re marketing your products and/or services to businesses (eg companies and limited liability partnerships (LLPs)), the rules are less stringent.
When marketing to businesses you must identify your business and provide a valid address for businesses to use to opt-out (or otherwise unsubscribe). You should also maintain a ‘do not email’ (or ‘do not contact’) list of any businesses that have opted-out, unsubscribed or objected to your email marketing.
Bear in mind that if you are sending marketing emails to a business’ employee’s personal corporate email address (eg email@example.com) you will need to consider and comply with data protection rules.
Note that certain businesses (eg sole traders and some partnerships) are treated as individuals for direct marketing purposes and you can only email them if they have consented.
For more information, see the ICO’s guidance.