GDPR - do I need to get fresh consent for my email marketing


Here is what you need to know about re-consent and email marketing if you are thinking about obtaining fresh consent from your list.

1. Decide the lawful ground for all of your processing of personal data including for sending marketing emails.

2. The ICO guidance is that legitimate interests for email marketing MAY be a lawful ground of processing where you do not need to obtain consent for the purposes of PECR.

3. You need to obtain consent under PECR where:

a. The email marketing is ‘unsolicited’; andb. The email marketing is to an individual (which includes sole traders and partnerships); andc. The soft opt in doesn’t apply

4. The soft opt in applies where:

a. you have obtained the contact details of the recipient of that email in the course of the sale or negotiations for the sale of a product or service to that recipientb. the email is in respect of similar products and services only; andc. the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

5. In order to rely on legitimate interests, you have to carry out a balancing test and record your decision making (you can use the assessment form in my GDPR pack).

6. You may decide that you do NOT have to obtain fresh (or any) consent from:

a. Limited companies or LLCsb. Existing customersc. Prospects with whom you have had negotiations about similar goods or services.

7. If you decide that you can send marketing emails on the grounds of legitimate interests, then you need to send an email with your updated privacy policy and informing those relevant email subscribers of their right to object to the processing (or opt out). There is an email in my GDPR Pack for this.

8. If you decide that consent is your lawful ground of processing to send marketing emails to certain of your email subscribers, then you need to look at whether you already have a GDPR standard of consent for those subscribers (check the ICO's website here for a checklist to work this out). If you do, then great, you don't need to do anything apart from send out your new privacy policy and remind them of their right to opt out.

9. If you decide that consent is your lawful ground to email certain email subscribers and you don't have the GDPR standard of consent (see the above ICO checklist), then you need to get a fresh consent that is to a GDPR standard. This needs to be done before 25 May 2018 or you will no longer have a lawful ground of processing. There is an email template you can use in my GDPR Pack for this.

You must then opt out of marketing emails all those people who did not re-consent to the marketing emails before 25 May 2018.

10. If you decide you need consent to send marketing emails to certain subscribers and you don’t actually have any consent for that email marketing, then you can’t email those subscribers to request that consent.

11. Flybe were fined because they emailed to people who had previously unsubscribed and Honda did not have any records of consent, but this was NOT because they didn't have a GDPR standard of consent and were obtaining the new higher standard of consent.

12. If you have previously obtained consent for email marketing from people who you may not need to do so, then the Working Party have stated that you have a one off chance to change your lawful ground of processing before GDPR comes into force.

For those of you established outside of the EU, PECR does not yet apply to you but is likely to from 2019.

Read more:


If you're interested to know more and to ask your own questions to top business lawyer Suzanne Dibble and learn from the experience of lots of other small business owners, then click here to join our thriving membership!

GDPR Facebook Group Page

Suzanne DibbleSuzanne Dibble is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR. The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin where she managed a group wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award and subsequently Suzanne was runner up in this prestigious award. Suzanne has had second to none training and experience at a top City law firm, leading billion pound deals and being on the board of £100m+ business (resulting in her being listed in the Who’s Who of Britain’s Business Elite two years in a row). Suzanne is one of the few lawyers that really understands the online world and the small business world and puts law and regulation in the context of your business. There has been a lot of scaremongering and hype about GDPR (with the headline fines of 20m) and Suzanne brings a practical, balanced approach.

DISCLAIMER: as I do not know your individual circumstances, none of my blogs, my videos, my guidance in the Facebook group or any other materials available to you where I have not taken you on as a one to one client shall be construed as legal advice and I shall have no liability to you in any circumstances should you choose to rely on any of the materials I publish.

Insert Image

Data Breaches Happen. How Prepared is your Organization?

Avoid administrative fines by being fully compliant with GDPR!

Download Suzanne Dibble's Customizable GDPR Compliance Pack to Protect Your Business!