GDPR email

[Peter Jennings]

I have been receiving many emails from various companies concerning GDPR. They seem to fall int 2 types. Those that require me to actively reaffirm that I want to be on their mailing list and those that just state that they have updated their privacy statement and invite me to read it if I want to.

I thought that the first email was the only legal way of being compliant with GDPR. The second way is less likely to lose you about 70% of your subscribers, but wasn't good enough as they had to actively agree to be on the list.

Does anyone have a definitive answer to this?

 

[Kat Haylock]

Hey Peter,

I think (any expert feel free to correct me!) the difference is just how you were added to each mailing list, or the initial amount of 'opt in' on your part. I can only talk from the perspective of UKBF, but we were only required to send the Privacy Policy email, because everyone on our mailing list had already explicitly opted in to receive our emails - meaning we were already compliant.

If we were to pull everyone's email addresses from their profiles and add them to our mailing list, I think we'd then be required to send the opt out email.

 

[Peter Jennings]

Hey Peter,

I think (any expert feel free to correct me!) the difference is just how you were added to each mailing list, or the initial amount of 'opt in' on your part. I can only talk from the perspective of UKBF, but we were only required to send the Privacy Policy email, because everyone on our mailing list had already explicitly opted in to receive our emails - meaning we were already compliant.

If we were to pull everyone's email addresses from their profiles and add them to our mailing list, I think we'd then be required to send the opt out email.

I've been doing a little more reading, and whilst it's not at all clear. Another way of looking at it is that you only need to get a positive action opt-in from your subscribers if you intend to send them marketing emails. If you are just sending them information, say a newsletter with no sales spiel, then the "please read our new privacy page" is probably OK. I think it must be so as I've received so many of the latter type of email recently they can't all be wrong. In contrast I've only had a few positive action emails.

Does anyone have a different interpretation?

 

[Phil Richardson]

It can come down to a number of factors.

If it is B2B marketing, with a balance test, you could choose to use Legitimate Interest as your basis for holding data and the PECR is still in law so you need to provide an opt-out.

If B2C and they already have proof on a GDPR approved opt-in there is no requirement to get you to re-opt-in. There is no legal requirements to send you an updated Privacy Policy email but many have.

The content of the email is pretty much irrelevant unless it is needed to fulfill a contract or service agreement.

GDPR isn't just about email marketing, PECR has been in place for many years which covers that, it is about processing data, “process” means collect, store, transfer, use or otherwise act on information.