If I get one more email telling me that “GDPR means we have to ask you to opt-in” I think I’m going to go postal. Let’s do this slowly, and this time with feeling.
Marketing (and fundraising) emails are covered by the Privacy and Electronic Communications Regulation 2003. That’s right, a 15-year-old piece of legislation. It says that if you’re going to send commercial email or texts to a natural person, they must opt-in first. You have to offer them the chance to opt-out every time you send them something. If they have bought something from you, and you only want to send them marketing about similar things from you, then you can pre-tick the opt-in box at the time of purchase. Otherwise it has to be unticked by default.
If you’re going to send commercial email for business-to-business purposes, you do not require prior consent, but you still have to offer the opt-out option on every communication, and you do need to be sure that the recipient is a business, not a natural person.
None of this has anything to do with GDPR. What GDPR says is that you have to justify your data processing. Consent is one way to do it, but often neither the only nor the right way. Most processing of data for the purposes of sending out marketing emails would be justified under Article 6.1f – it’s in your legitimate interest to do it, and you believe that that interest outweighs the consumer’s right to privacy. Which, if we’re just talking about a name, an email address and their prior browsing and purchasing history from you, is probably true. You need to write that justification down, and show it to the natural person if they ask for it – or to the ICO, if they ask for it.
If you fancied sending them a letter in the post, or phoning them – provided you dial the number by hand – you would not need their consent. The only reason consent is relevant for email and SMS is because of PECR 2003.
So if you’re writing to me now to ask for my consent to write to me in future, you’re telling me two things:
- You don’t understand the GDPR.
- You aren’t sure whether you already had my consent under PECR 2003.
The first thing is embarrassing. The second one is bad. Because if you aren’t sure that you had my consent, why have you been writing to me all this time? That’s breaking the law, that is. And a whole lot of people have been fined for doing it. Want to join them?
Finally, someone talking sense instead of the ICO wrath warnings being peddled by the GDPR brigade