Summary
- Businesses conducting email marketing in Australia must comply with both data protection and electronic communications laws, which carry serious penalties for breach.
- The rules differ depending on whether you are emailing individuals or corporate recipients, with stricter consent requirements applying to individuals.
- Individuals can object to receiving marketing emails at any time, and businesses must honour those requests promptly.
- This article is a plain-English guide to email marketing law for business owners operating in Australia, prepared by LegalVision, a commercial law firm.
- LegalVision specialises in advising clients on data protection and electronic communications compliance.
Tips for Businesses
Obtain clear consent before emailing individuals. Maintain a suppression list to record opt-outs. Check whether recipients are corporate or individual subscribers, as different rules apply. Review your signup forms regularly to ensure they meet legal requirements. Keep records of how and when consent was obtained.
Email marketing is a powerful growth tool, but businesses must navigate strict legal obligations before hitting send. Two key laws govern this area: the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). Getting these rules wrong can result in heavy fines and even criminal proceedings. This article will set out some of the key legal considerations for businesses engaging in email marketing.
Email Marketing Rules
There is nothing to stop you from sending out email marketing, such as promotional emails and marketing emails. Businesses often do this to help with brand awareness and to reach potential customers. However, complex legal rules apply, and this is a topic businesses tend to struggle with. In particular, there is a misunderstanding about whom you can send email marketing to and whether you need signup forms for email marketing.
Let us explore the difference between these two below.
GDPR
The UK GDPR governs the processing of personal data. This applies to email marketing and email marketing campaigns when the personal data of people is used. Indeed, when utilising email marketing, businesses often use personal data.
PECR
PECR governs the rules on using electronic communications for direct marketing. PECR contains very strict rules around using emails, texts and phone calls for direct marketing. Direct marketing is defined as communication (by whatever means) of advertising or marketing material directed to particular individuals. PECR applies various rules that you need to follow for email marketing and email campaigns.
In practice, you need to consider both sets of laws when carrying out email marketing.
UK GDPR and Email Marketing
If you use personal data for email marketing purposes, the UK GDPR rules apply.
For example, suppose you plan to send a marketing email promoting a new product to Joe.Bloggs@LegalVision.com.
Since you are using the name of an individual called ‘Joe’, and Joe can be identified from the email address, this constitutes personal data under the UK GDPR rules.
You will, therefore, need to consider and document your ‘lawful basis’ (i.e. legal reason) for processing Joe’s data to send him a marketing email.
Usually, for marketing purposes, the most common grounds businesses rely on to send marketing emails are legitimate interests and consent. Let us explore these in further detail below.
Legitimate Interests
This is where you carry out a balancing test to see what impact your email marketing would have on the rights and freedoms of the people you are marketing to. For example, you should consider whether an individual would expect you to use their personal data for marketing purposes.
Consent
This is where the individual has given consent to receive marketing. Consent must be freely given, specific and informed. If relying on this ground, you must have obtained valid consent before sending marketing emails.
You should also note that individuals can object to their data being processed under the UK GDPR. So, if at any time they ask you to stop using their data to send them marketing emails, you must do so. In practice, a marketing suppression list can help track who has objected to email marketing. It can also be a good idea for your business to check how its marketing campaign performs. For example, seeing unsubscribe rates may help you understand what email content is working and what is not.
PECR and Email Marketing
PECR’s purpose is to safeguard the privacy rights of both individuals and businesses who receive electronic communications. As well as complying with the UK GDPR rules above, you must comply with PECR for email marketing purposes.
PECR applies different rules for email marketing, which depend on who you are emailing.
Let us explore each set of rules in further detail.
1. Emailing Individual Recipients (Consumers, Sole Traders, Non-LLP Partnerships)
Usually, you must have recipient consent when sending email marketing to individuals. Individuals refer to consumers, sole traders and simple non-incorporated partnerships. Consent needs to be freely given, specific, informed and unambiguous. The consent must be an obvious form of positive action. For example, individuals can demonstrate consent by ticking a box or emailing you a confirmation to show they agree to receive marketing emails. You cannot rely on a pre-ticked box.
There is a very limited exception that allows you to send email marketing to individual recipients who have not given consent. This is known as the ‘soft opt-in’. The soft opt-in itself has several conditions. In short, it allows you to send email marketing to customers who have purchased from you before and did not opt out of receiving your marketing emails.
2. Emailing Corporate Recipients (Limited Companies, Limited Liability Partnerships, Public Bodies)
The rules are more relaxed when sending email marketing to companies. You can send marketing emails to ‘corporate subscribers’, that is, companies and LLPs, without consent. However, this does not apply to sole traders and non-LLP partnerships. For those organisations, you will still need to obtain consent.
Despite the relaxed rules, note that individuals receiving marketing emails should always have the right to unsubscribe.
In practice, businesses often need help understanding which rules apply to which customers. The use of ‘consent forms’ and ‘opt-ins’ can also cause a lot of confusion. Businesses often make mistakes in their marketing signup forms. However, the data protection regulator can impose heavy fines for breaching the rules. Fines for breaching the UK GDPR can be up to £17.5 million or 4% of your annual turnover, whichever is higher. Penalties for breaching PECR are also severe, with fines of up to £500,000. In addition to financial penalties, the regulator may also begin criminal proceedings against you. If you are unsure about email marketing and the rules applicable to your business, you should take legal advice on this complex topic.
Key Takeaways
Most businesses engage in email marketing. However, the legal rules around this are complex and mandatory. When engaging in email marketing, you must consider the rules under both the UK GDPR and PECR. The implications of breaching these rules are serious, including heavy fines. Therefore, you must ensure that your email marketing campaigns comply with these laws.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced e-commerce lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Your business must comply with both the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). UK GDPR governs the processing of personal data, while PECR sets rules for electronic communications used in direct marketing. Non-compliance can lead to significant fines and damage to your business’s reputation.
PECR specifically regulates the use of electronic communications, such as emails, for direct marketing purposes. It requires businesses to obtain proper consent before sending marketing emails to individuals. Understanding and adhering to PECR is crucial to avoid legal penalties and maintain customer trust.
It lets you email previous customers without consent, provided they didn’t opt out of marketing at the time of purchase.
UK GDPR breaches carry fines up to £17.5 million or 4% of annual turnover. PECR breaches carry fines up to £500,000.