The information on this page was current at the time it was published. Regulations, trends, statistics, and other information are constantly changing. While we strive to update our Knowledge Base, we strongly suggest you use these pages as a general guide and be sure to verify any regulations, statistics, guidelines, or other information that are important to your efforts.

Brexit Update:
Since the UK officially left the European Union on January 31, 2020, the relationship between the two has evolved and continues to be shaped by the ongoing implementation of the withdrawal agreement.

Key Dates:

• January 31, 2020: UK officially left the EU and entered a transition period that ended on December 31, 2020.

• December 31, 2020: The transition period ended, and the UK fully exited the EU single market and customs union.

• January 1, 2021: The UK-EU Trade and Cooperation Agreement came into effect, outlining the post-Brexit relationship between the two entities.

• 2023/2024 Current: The UK and EU are still navigating the ongoing implementation and potential revisions of their post-Brexit relationship.

It's crucial for businesses operating in either the UK or the EU to stay informed about the latest developments and adjust their operations accordingly.

Email Marketing In The UK

What laws and regulations apply?

The UK GDPR governs how organizations collect, use, and protect personal data. It draws heavily from the EU's General Data Protection Regulation (GDPR) but with some minor UK-specific changes. Key principles of the UK GDPR are transparency, accountability, lawfulness, fairness, and individual rights to access, rectify, erase, and restrict processing define the UK GDPR. Ensuring compliance is crucial for avoiding penalties and building trust with data subjects.
 

The Privacy and Electronic Communications Regulations (PECR) derived from European law focuses on electronic communications. PECR complements the UK GDPR by specifically addressing privacy rights in electronic communications like email, text messages, and online calls. PECR received updates in 2004 (marketing calls) and 2011 (cookies, security breaches, ICO enforcement). Key areas of the PECR include unsolicited marketing, cookie consent, privacy of communications, network security, and data breach reporting.

To Whom and what do the Privacy and Electronic Communications Regulations apply?

The PECR are broader than the Data Protection Act (DPA), in that they apply even if your organisation does not process personal data for marketing purposes, i.e., you do not know the name of the person you are contacting. PECR applies if you:

• market by phone, text, email, or fax;

• use cookies or a similar technology on your website; or compile a telephone (or similar public) directory.

PECR and the Data Protection Act are meant to complement each other in policy and practice. There is some overlap among the two, but when there are differences, you must comply with both. If you are processing personal data, you must comply with the Data Protection Act. PECR simply sets out some extra rules for electronic communications.

What are the important terms to understand?

Electronic Communications - Although it is not defined in the PECR, electronic communications generally means any information sent between particular parties through a phone line or internet connection. This includes:

• phone calls

• text messages

• video messages

• faxes

• emails

• internet messages

Electronic communications does not include generally available information, such as the content of websites or broadcast programming.

Consent - In the context of the PECR, consent must be knowingly given, clear, and specific. It must be given to your particular company and to the manner in which you intend to market, i.e., email, phone call (live or automated), text, or fax.

The clearest way to obtain consent is to allow the receiver to click an “opt-in” box. You must always provide the receiver with the opportunity to withdraw consent, or “opt out.” An unticked “opt-in” box is more clear than a pre-ticked “opt-in” box or an “opt-out” box.

How do I comply with the PECR?

PECR restricts unsolicited marketing by phone, text, email, fax, or other electronic message. In general, the rules are stricter for marketing to individuals than to other businesses or companies.

Regulation 22 prohibits you from sending or instigating the sending of unsolicited email marketing messages without the receiver’s specific consent. Under Regulation 23, you are prohibited from disguising or concealing your identity and must provide a valid contact address for recipients to ‘opt--out’ of or unsubscribe from future marketing. The term “soft opt-in” is often used to describe the exception to this general rule, and applies to existing customers. “Soft opt-in” means organisations can send marketing emails if:

• they obtained contact details during the course of a sale (or negotiation of a sale) of a product or service to that person;

• they are only marketing their own similar product or service; and

• they gave the person the opportunity to opt-out of the marketing, both initially when contact details were collected and in every subsequent marketing message.

The ‘soft opt-in’ rule applies to the negotiation of a sale, therefore an actual sale is not required.

Example

A customer logging into a company’s website to browse its range of products or services does not constitute the negotiation of a sale. However, if a customer completes an online enquiry form asking for more details about a product or service, this could be enough to constitute negotiations.

Example

A customer sending an enquiry to ask a company if it can order a specific product could be considered negotiations. But an enquiry to ask if the company is going to open more branches in a particular location is not.

The ‘soft opt-in’ rule does not apply to prospective customers or new contacts (e.g., from buy-in lists). It also does not apply to non-commercial promotions, e.g., charities, fundraising, or political campaigns. These require specific consent.

Sole traders and some partnerships are treated as individuals, and thus, the above rules that apply to individuals would also apply to these sole traders and partnerships. The Regulation 22 consent requirements do not apply to email marketing sent to any corporate body.

Regulation 22 prohibits a person or organisation from sending or instigating the sending of unsolicited email marketing messages. Thus, you cannot get around the rule by asking people to forward marketing messages to friends or to provide you with their friends’ contact details.

Can I use marketing lists?

You are allowed to use bought-in marketing lists and you can create your own marketing lists; however, you are still required to comply with all marketing regulations, which can be particularly tricky when using bought-in lists.

Bought-in marketing lists

Bought-in marketing lists are impractical for recorded call, text, and email marketing, which all require the individual to have given specific consent to receive the particular type of marketing from you. You must also satisfy yourself that any list you use is accurate and the data was collected fairly and that the consent is specific and recent enough to rely on.

Compiling your own marketing lists

Using the details of people who previously bought goods or services from you or who have registered through your website or made an enquiry is a great way to compile a marketing list. However, you cannot assume that because someone provided his contact details, he is happy to receiving marketing from you. You should make it clear upfront that you intend to use his details for marketing purposes. The easiest way to get clear consent is to use opt-in boxes for each type of marketing message you intend to send, e.g., text, email, phone. To ensure you are compiling an accurate and up-to-date list, record when, how, and what type of marketing consent you received. It is also important to note whether it is an individual or a company, as different rules apply to each. If you do not know whether it is an individual or a company, assume it is an individual and comply with the more strict rules.

Sharing marketing lists

If you intend to share your marketing lists with another company or group within your parent company, you must have each individual’s specific consent to do so. You cannot show consent by simply providing the notice in a hard to find, difficult to understand, and rarely read privacy policy.

Responding to objections or opt-outs

As soon as someone objects to or opts-out of your marketing messages, you should add him to your “do not contact” list. You can send an immediate reply confirming his unsubscribed status, but you may not contact him in the future even to ask if he would like to opt-in again. When someone objects or opts-out, you should not delete his information altogether, instead you should add him to your “do not contact” list, to ensure he will not be contacted in the future by mistake. This is particularly important if you buy new leads or marketing lists, as his details may be on a new list.

What are the risks of non-compliance?

The Information Commissioner’s Office is tasked with the enforcement of the PECR. Enforcement measures include: audits, criminal prosecution, and monetary penalties up to £20,000,000. The ICO publishes quarterly updates on enforcement measures taken.

Fortunately, you can mitigate these risks by taking proactive steps to ensure your business is PECR compliant. Here are some key actions:

• Review your electronic communications practices: Identify areas where you might be in breach of PECR, such as unsolicited marketing emails or cookie consent procedures.

• Develop and implement a compliance plan: Create a roadmap to achieve and maintain PECR compliance. This should include data governance policies, employee training, and regular audits.

• Seek expert advice: If you're unsure about any aspect of PECR compliance, consult with a legal or data privacy professional.

By prioritizing compliance and protecting user privacy, you can avoid the risks associated with PECR non-compliance and build trust with your customers and stakeholders. Remember, data privacy is not just a legal requirement, it's also good business practice in today's digital world.
 

Privacy and Electronic Communications (EC Directive) Regulations

Information Commissioner's Office: Guide to the Privacy and Electronic Communications Regulations

Information Commissioner’s Office: Direct Marketing Guide

Information Commissioner's Office: Direct Marketing Checklist

Information Commissioner’s Office: Enforcement Updates