GDPR’s Most Frequently Asked Questions: Can a company send an email to their database seeking consent to send direct marketing?

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR, and concerning related data privacy laws in the European Union.

Question: Are companies allowed to send an email to individuals asking for opt-in consent to conduct direct marketing? 

Answer: The GDPR expressly states that companies may have a legitimate interest in the processing of personal data for direct marketing purposes.¹ If this legitimate interest is not overridden by the individual’s interests or fundamental rights and freedoms, it can serve as a legal basis for the data processing even if the company has not obtained consent. This should not be interpreted as a carte blanche for sending direct marketing to individuals without their prior consent, however.

Directive 2002/58/EC (ePrivacy Directive) provides specific obligations related to direct marketing that is sent using phone, fax, e-mail and other electronic means.  Among other things it generally prohibits the use of “automated . . . communication systems without human intervention” – including automated systems that send electronic mail – unless an individual has provided their “prior consent” to receive such communications.²

In order to obtain the consent needed under the ePrivacy Directive many companies consider sending an email to contacts asking if they would like to receive marketing communications.  While sending an email to business contacts asking for their consent to send future direct marketing is not expressly prohibited (or even addressed) by the ePrivacy Directive (or GDPR), it may conflict with the laws of individual member states.

For example, at least one supervisory authority has stated that “organisations cannot e-mail or text an individual to ask for consent to future marketing messages.  That e-mail or text is itself sent for the purpose of direct marketing and will be subject to the same rules as other marketing texts and e-mail.”³  Based upon that position, the supervisory authority issued a fine against a company that sent a mass e-mail to individuals asking if they would “like to hear” from the company.⁴  The quantity of fines issued by that particular supervisory authority in similar situations have ranged from $0.01 and $0.04 per email (converted to USD) sent.⁵

1. GDPR, Recital 47.

2. ePrivacy Directive Article 13(1).

3. United Kingdom, Information Commissioner’s Office, Monetary Penalty Notice to Honda Motor Europe Limited t/a Honda (U.K.) dated 27 March 2017 at para. 40.

4. Id. at para. 12.

5. United Kingdom, Information Commissioner’s Office, Monetary Penalty Notice to Honda Motor Europe Limited t/a Honda (U.K.) dated 27 March 2017 at para. 60; United Kingdom, Information Commissioner’s Office, Monetary Penalty Notice to Flybe Limited dated 27 March 2017 at para. 59.

[View source.]