Many people don’t realize that when Brexit happened the United Kingdom (“UK”) adopted its own version of GDPR, often referred to as the UK GDPR. When it comes to email marketing in the UK, the UK Information Commissioner’s Office (ICO) has made it fairly explicit that under the UK GDPR there are only two situations in which you can send someone email marketing: you must either have their prior consent, or they must be an existing customer (this is the so-called “soft opt-in”).
The full name of the UK regulation is “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation)”, and now you know why we refer to it as just the UK GDPR.
Email Marketing Consent Requirements in the UK
On the ICO’s advisory page on electronic mail marketing, they say “In brief, you must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.”
That’s pretty straightforward and clear. They go on to say:
The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:
they have specifically consented to electronic mail from you; or
they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.
Further down on that same page the UK ICO explains exactly what is meant (and only meant) by ‘soft opt-in’:
What is a ‘soft opt-in’?
The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.
The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (eg from bought-in lists). It also does not apply to non-commercial promotions (eg charity fundraising or political campaigning).
The UK ICO explains that “‘Opt in’ means a person has to take a specific positive step (eg tick a box, send an email, or click a button) to say they want marketing. ‘Opt out’ means a person must take a positive step to refuse or unsubscribe from marketing. Some organisations provide opt-in boxes that are automatically pre-ticked. However, the UK GDPR is clear that pre-ticked boxes do not give valid consent. You must use an ‘affirmative’ method of getting consent. We recommend you use unticked opt-in boxes wherever possible.”
Again, pretty clear. So to recap, any email that does not comply with the above can be considered to be, at the very least, spam, and in violation of Regulation 22 of the UK GDPR.
Here’s the interesting thing: Regulation 22 is the UK GDPR section on Automated Individual Decision-making, and what it says is this:
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is required or authorised by domestic law which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) is based on the data subject’s explicit consent.
In other words, the decision to send someone email marketing cannot be based on automated processing or profiling; it must be based on the fact that you have explicit consent from the email marketing target. If they haven’t given you express consent, and if they aren’t an existing customer, then it’s against the law to send them email marketing.
How to Report Spam in the United Kingdom
In August of 2023 the UK ICO confirmed to us that spam originating from a UK-based entity, as well as email that in any other way violates the UK GDPR, should be reported at https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-emails/.