GDPR, PECR and Legitimate Interest: you already have consent

Posted on April 30, 2018 at 12:48 pm Written by

do I need consent to carry on emailing after the GDPR?

Every hour on the hour I’m asked the same question (sometimes twice an hour on busy days)

“With this GDPR thing, do I need consent to carry on emailing my data?”

My answer remains the same. “Yes”.

“Oh”, followed by a nervous pause, is often the reply.

But here’s the scoop, under current law you have needed consent to email your database since 2003.

The Privacy and Electronic Communications Regulations (PECR) we all currently abide by (and will continue to abide by after May 25th) requires consent for email marketing.

I guess PECR back in the day didn’t have a good PR agent like the GDPR has…

(Amazing what the threat of a WHOPPING FINE will do to an attention span)

an existing customer who bought a similar product or service from you in the past

So do you have consent as the law stands? In a nutshell:

The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:

  • they have specifically consented to electronic mail from you; or
  • they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.

Tick those boxes? Congratulations – looks like you have consent.

But do I need to get my database to re-confirm consent under the GDPR.

No, you do not.

I understand the confusion

I understand the confusion, it’s only been in the last 2 -3 months that published media on the subject has stopped saying consent is what you need under the GDPR and started talking about the other 5 (YES 5!) lawful basis that allows you as a business to process data under the GDPR.

The biggest one being Legitimate Interest. And here it is, in another nutshell:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

So you as a business (you’re the controller mentioned above) have a legitimate interest in emailing your database. In the bluntest of terms, they have money and you have product, you need that money to survive.

Of course it is not that simple, but it’s not hard to implement either. I recommend reading the guide on Legitimate Interest produced by the DPN.

the marriage of PECR and legitimate interest is a viable option

So the marriage of PECR and legitimate interest is a viable option. Using both of these correctly means you do not need your entire database to re-confirm / confirm consent.

Have you noticed more and more big brands sending “please read our new privacy policy” emails instead of consent? This is PECR and Legitimate Interest in action

Ironically, this is the mere tip of the iceberg. Even with consent you could still face a fine from the ICO if the rest of your ship isn’t in order.

Get your data protection and marketing strategy in order

The GDPR is all about Protection not communication. (That’s why it’s the GDPR not the GDCR)


Ask yourself, “if the ICO came knocking with a complaint do I have”:

  • An up-to-date GDPR ready privacy policy on my website
  • A documented breach policy
  • An appointed Data Proctection Officer (DPO)
  • A documented access request policy
  • A documented data retention policy
  • A documented clear roadmap of how and where data is collected and stored
  • A list of my data processors.

They will look for these as well as consent, without them you could be facing one of those WHOPPING FINES…

Follow Darren Hepburn on Twitter

Darren Hepburn

Operations Director at NewZapp


Get the latest Email Marketing updates & insights