A simple and straight forward question, still no real answer

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Andrew Phillips, May 16, 2018.

  1. Andrew Phillips

    Andrew Phillips UKBF Newcomer Free Member

    2 0
    So, I am struggling with really understanding what I can and can not do. I sell components, they tend to have applications in specific markets. Generally my way to launch into a new market is to spend several hours / days investigating it, finding companies, names and email addresses then sending a one of email with a bit of product information. If people are interested, they get back to me, if not then I don't hold onto the information, general it has no value to me so why keep hundreds of little spread sheets.

    My question is this, am I allowed to still do this? or is it against the rules now? I can find no where where it appears to address a simple case like this, all the information is aimed at big business.

    Thanks to anyone who knows the answer
    Posted: May 16, 2018 By: Andrew Phillips Member since: May 16, 2018
  2. OMGVape

    OMGVape UKBF Regular Free Member

    177 15
    I would think that if you are finding the company info from published sources then yes, you can do it. But you must include a method for the recipient to “aprove” any further contact.
    Posted: May 17, 2018 By: OMGVape Member since: Jan 21, 2018
  3. twaen

    twaen UKBF Contributor Free Member

    35 1
    GDPR applies to consumers, not business contact details. If you use public business contact details you should be fine. B2B is not in the scope of GDPR.

    Nitty-gritty: Unless you begin using them in non-compliant mode for emails like [email protected] . Give you an example below.

    Say you manufacture car parts, and John works at a car company and has his email on the company website. You can definitely as email John and tell him about your car parts (business context). But if you try to sell him shoes, then you're targeting him as a consumer and not in the business scope above and that would be infringing the GDPR.
    Posted: May 20, 2018 By: twaen Member since: Apr 27, 2018
  4. Andrew Phillips

    Andrew Phillips UKBF Newcomer Free Member

    2 0
    Thank you both for this, it helps a lot and certainly the first post was what I thought, the second post clears up a question I hadn't even thought to ask!
    Posted: May 21, 2018 By: Andrew Phillips Member since: May 16, 2018
  5. Newchodge

    Newchodge UKBF Big Shot Free Member

    11,052 2,825
    You cannot use personal data without permission. Someone's work email address, if it is personal to them, is personal data. So you cannot send an unsolicited marketing email to [email protected], wherever you found the email address. You can cend it to [email protected] as you are not using personal data.
    Posted: May 21, 2018 By: Newchodge Member since: Nov 8, 2012
  6. alexsmith2709

    alexsmith2709 UKBF Newcomer Free Member

    15 3
    I have a similar situation and would like some clarification. I understand I cannot send a "cold email" to an address if it has a personal name like [email protected], but can I send one to an address like [email protected] and address it to a persons name or would I have to use a generic introduction like "To whom it may concern"? The names and email addresses I was planning to use are all on the company websites.
    As I would like to target some other small business in my local area, what are the rules on email addresses like [email protected] and address that have the business owners name in there like [email protected]?

    Posted: Jun 12, 2018 By: alexsmith2709 Member since: Sep 26, 2017
  7. Mark Laurie

    Mark Laurie UKBF Contributor Free Member

    90 15
    I can't post links yet but you might find this helpful just take out the extra spaces and put . where dot is.

    https: // blogdotconvertdotcom/gdpr-cold-emails-means-outbound-strategy.html
    Posted: Jun 12, 2018 By: Mark Laurie Member since: Apr 10, 2018
  8. Paul Carmen

    Paul Carmen UKBF Regular Full Member - Verified Business

    246 57
    Technically you can send an email to anyone under GDPR, it does not expressly forbid it.

    The tricky bit is if someone doesn't like what you do and complains. Most processes for cold emailing will fall over at this point, as they wont have followed any sort of GDPR due diligence.

    The argument for this type of cold email would have to be covered by "legitimate interest", this is the point another poster made about relevance; e.g. you have to show that you've followed a proper process in order to decide and run a cold email programme.

    Essentially, if you have researched the customer first, have a justified legitimate business reason for selling to them (a service that's relevant and would be of interest), plus you are transparent about what you're doing and give them an option to tell you to get lost, you should be OK.

    You have to be confident that your cold email doesn't seriously impact on their privacy, the balancing test. Finding a personal business contact on a website or directory probably doesn't. Buying an email list of private individuals probably does. If you don't follow this process, or you bombard them with emails, you could be in trouble.

    It is imperative, if you intend to be compliant, that you follow this type of legitimate interest process and keep a documented record of it. You can read more here (we refer to the ICO interpretation, as we mainly have UK clients): https://ico.org.uk/for-organisation...ul-basis-for-processing/legitimate-interests/
    Posted: Jun 12, 2018 By: Paul Carmen Member since: Jan 27, 2018
  9. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,406 3,057
    ^^^ This is the correct answer.

    Increasingly 'legitimate interest' is being seen as the best reaction to GDPR.

    It's a good thing, it forces companies to target, not just spray their spams everywhere. Emails must be relevant to the receiver and the user must be given an easy and obvious way not to receive more of them. You must have thought this process through before doing it and documented your reasons.

    Seems fair enough to me and will result in much higher sell rates.
    Posted: Jun 12, 2018 By: cjd Member since: Nov 23, 2005
  10. ffox

    ffox UKBF Regular Free Member

    1,166 206
    GDPR doesn't expressly forbid it, but PECR does -

    "When can we email or text businesses?
    Sole traders and some partnerships are treated as individuals – so you can only email or text them if they have specifically consented, or if they bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance.

    You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.

    You may also need to consider data protection implications if you are emailing employees at a corporate body who have personal corporate email addresses (eg [email protected]). For further information, see our guidance on direct marketing."

    The last paragraph is the key.
    Posted: Jun 12, 2018 By: ffox Member since: Mar 11, 2004
  11. Paul Carmen

    Paul Carmen UKBF Regular Full Member - Verified Business

    246 57
    @ffox PECR only forbids it for personal email, not business related emails (sole traders is where many get it wrong). The last paragraph you refer to is now the GDPR detail that we've covered already in the post, that is what we are talking about!

    The old data privacy rules are gone, they have been replaced by the Data Protection Act 2018, which is the UK writing EU GDPR into UK law...
    Posted: Jun 13, 2018 By: Paul Carmen Member since: Jan 27, 2018
  12. ffox

    ffox UKBF Regular Free Member

    1,166 206
    Can you post an ICO link to this revision?
    Posted: Jun 13, 2018 By: ffox Member since: Mar 11, 2004
  13. Paul Carmen

    Paul Carmen UKBF Regular Full Member - Verified Business

    246 57
    There is no revision, the old ICO data protection policy is gone, it has been superseded by the details I posted earlier.

    If you go to it you get referred to the 2018 GDPR UK legislation, the link is here: https://ico.org.uk/for-organisations/guide-to-data-protection-404/
    Posted: Jun 13, 2018 By: Paul Carmen Member since: Jan 27, 2018
  14. ffox

    ffox UKBF Regular Free Member

    1,166 206
    1. Sorry, but. Data protection Act 2018 states -
    '3 Terms relating to the processing of personal data
    (1) This section defines some terms used in this Act.
    (2) “Personal data” means any information relating to an identified or identifiable
    living individual (subject to subsection (14)(c)).' - none of the exceptions identify business related mail as exempt.

    2. Data Protection Act 2018 also states -
    '58 (1) The repeal of a provision of the 1998 Act does not affect its operation for the
    purposes of the Privacy and Electronic Communications (EC Directive)
    Regulations 2003 (“the PECR 2003”) (see regulations 2, 31 and 31B of, and
    Schedule 1 to, those Regulations).' - PECR is still very much alive and kicking.

    3. Legitimate Interest is fine for many things, but the PECR states -
    'Whilst any purpose could potentially be relevant, that purpose must be ‘legitimate’. Anything illegitimate, unethical or unlawful is not a legitimate interest. For example, although marketing may in general be a legitimate purpose, sending spam emails in breach of electronic marketing rules is not legitimate.' - https://ico.org.uk/for-organisation...rests/what-is-the-legitimate-interests-basis/
    Posted: Jun 13, 2018 By: ffox Member since: Mar 11, 2004
  15. Paul Carmen

    Paul Carmen UKBF Regular Full Member - Verified Business

    246 57
    You are contradicting yourself though, as "legitimate interest" covers the GDPR angle, as you balance any personal data captured against the legitimate interest. Nothing in it says you can't send emails, you have to carry out an LI analysis and consider the balancing test before you do so, documenting the process.

    The PECR legislation (which also changes later this year) allows you to email businesses, not individuals, I agree with you on this and it is covered in black and white in your own initial quote above.

    We have taken advice on this and it's where our position comes from, we don't offer legal advice. You are free to take your own interpretation, but we believe it to be wrong.
    Posted: Jun 13, 2018 By: Paul Carmen Member since: Jan 27, 2018
  16. ffox

    ffox UKBF Regular Free Member

    1,166 206
    Nothing I've posted on this thread is an 'opinion', legal or otherwise, nor do I proffer 'interpretations' of the legislation. I merely quote, in each case, the relevant section of the regulation, be it GDPR, PECR or Data Protection 2018.

    The OP asked if he could use harvested email addresses for marketing -
    The answer, quite plainly is no.

    You offer 'legitimate interest' as a means of regularising cold email marketing, yet current regulations do not allow this (see my post above).

    'Legitimate Interest' is a valid legal basis for processing where a marketing or sales relationship already exists, but not in the case of unsolicited email.

    PECR is indeed up for revision, but we won't know what changes have been made until it is ready to be passed onto the statute books.
    Posted: Jun 13, 2018 By: ffox Member since: Mar 11, 2004
  17. Paul Carmen

    Paul Carmen UKBF Regular Full Member - Verified Business

    246 57
    Except you've confused two pieces of legislation to try make a point and failed to do so.

    Where does it say you can't send email in GDPR, none of the passages you've quoted say that, the whole ICO GDPR text doesn't say that?

    Your spam quote would apply to personal individuals under PECR, not business individuals.

    Your own quote on PECR says you can send business related email "You can email or text any corporate body"!
    It referred to the old data protection legislation for individual business emails, but that's irrelevant, as when you view the current UK legislation, GDPR permits it under "legitimate interest" if you've gone through the analysis and balancing process. PECR always allowed it if its to a business email, just not a personal one!

    My original post said all this!
    Posted: Jun 13, 2018 By: Paul Carmen Member since: Jan 27, 2018
  18. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,406 3,057
    That's equally plainly wrong.

    Of course you can't 'harvest' email addresses from random websites and send spammy emails to them. That's the point of the regulation. Equally, the point of the regulation is not to stop companies using direct marketing methods. Just to make them think hard about how they do it.

    You *can* send relevant, targeted emails to people who would not be surprised to receive them so long as you follow the ICO's guidlines on legitimate interest.

    You *can* send an email about a new battery component you've developed to the address of the head of battery development at BetterBatteriies Ltd that you've ripped from his website. You *can't* send the same email to a small greengrocer.

    You also have to record your decision and the justification for doing it beforehand and provide an unsubscribe link.

    All perfectly reasonable really.
    Posted: Jun 13, 2018 By: cjd Member since: Nov 23, 2005
  19. ffox

    ffox UKBF Regular Free Member

    1,166 206
    I suggest you read it all again -
    'The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.'

    This is still the current legislation.

    See my post for 7.45Pm yesterday.

    There is no 'old legislation' it is all still on the statute books and still active.

    No it doesn't -


    This is from the PECR guide which must be read side-by-side with GDPR and Data Protection 2018 and was in my post yesterday at 07.45 PM.

    @cjd - please note this last. When the PECR rules are changed later this year this MAY change, but for now it stands as written.

    But, you may do as you wish. It is unlikely that there will be any significant action as it is not planned that the ICO will become a large enforcement body. Small business will continue much as it has in the past and only gross beaches of the regulations will be pursued.

    Personally, I will still relegate all unsolicited email to the bin, unread. Hopefully businesses which display email addresses on their websites will change these to generic addresses like [email protected] or [email protected] Such addresses are much easier to filter.
    Posted: Jun 13, 2018 By: ffox Member since: Mar 11, 2004
  20. Alan

    Alan UKBF Legend Full Member - Verified Business

    6,131 1,696
    It is all a bit mute anyway, as the emails will general drop into the spam folder and even if they don't if you have auto categorisation they will be put under promotions and ignored.

    And even if they do hit the inbox, then there is generally a 2 step process 1) click the unsub link 2) delete or mark as spam

    Posted: Jun 13, 2018 By: Alan Member since: Aug 16, 2011