We see criticism of companies on social media and elsewhere, often accusing those companies of not complying with the General Data Protection Regulation (GDPR) and rules on direct marketing and consent (often the comments claim that companies shouldn’t ask people to opt out of future electronic direct marketing, when communicating with existing or new customers).
But the criticism is sometimes misguided.
GDPR does not itself deal directly with direct marketing (other than to provide for an unqualified right to opt out of it (at Article 21(3)) and a statement in recital 47 to the effect that the processing of personal data for the purposes of direct marketing may be regarded as carried out for a legitimate interest).
The operative law in the UK regarding electronic direct marketing is, and remains, The Privacy and Electronic Communications (EC Directive) Regulations 2003 (which implement a 2002 European Directive).
These provide that one cannot send direct marketing to an “individual subscriber” (the person who is a party to a contract with a provider of public electronic communications services for the supply of such services) by unsolicited “electronic mail” (which these days largely boils down to email and SMS) unless the recipient has consented or unless the sender
“has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient…the direct marketing is in respect of that person’s similar products and services only…and the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.”
In plain language, this means that when you buy, or enter into negotiations to buy, a product or service from someone, the seller only has to offer an “opt out” option for subsequent similar electronic marketing.
Nothing in GDPR changes this. (And, given the messages from the government, and the ICO, neither will Brexit).
(A version of this article originally appeared on Jon Baines’s personal blog).