Everything You Need to Know About Email Marketing Laws in the UK

Don’t fall out of legal and ethical compliance. To send email marketing campaigns in the UK, here’s everything you should know about the rules and regulations.


All email marketing campaigns sent to UK residents need to comply with certain rules and regulations for the campaign to be deemed legal. These laws are in place to protect UK residents’ privacy and ensure their safety when interacting with emails from marketers.

Email marketing laws in the UK are governed by the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). Here’s what these two laws have to say about email marketing:

What Are GDPR and PECR Laws in The UK?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how personal data is collected, processed, and stored in the European Union (EU).

The Privacy and Electronic Communications Regulations (PECR) is a set of regulations that govern electronic marketing activities, including email marketing, in the United Kingdom. The PECR is derived from the European Union’s e-Privacy Directive and is implemented in the UK by the Information Commissioner’s Office (ICO).

How to Comply with UK Email Marketing Laws

Both GDPR and PECR laws define what email marketers need to do to comply with their regulations. Here are key rules to follow if you’re sending marketing emails in the UK:

Consent

Organizations must obtain explicit and freely given consent from individuals before sending them marketing emails. The consent must be specific, informed, and unambiguous. Pre-ticked boxes or silence do not count as consent.

The GDPR requires explicit consent from individuals before sending them marketing emails, while the PECR requires either explicit consent or soft opt-in (where a customer has previously purchased a product or service from the organization, and the marketing emails are related to similar products or services).

Opt-Out

Individuals have the right to opt out of receiving marketing emails at any time, and organizations must provide an easy way for them to do so. The opt-out mechanism must be straightforward and free of charge. This is usually done by including “unsubscribe” links at the bottom of the email.

Both regulations require organizations to provide an easy way for individuals to opt out of receiving marketing emails. However, the PECR requires the opt-out mechanism to be provided in every marketing email, while the GDPR does not specify this requirement.

Identification

Marketing emails must clearly identify the sender and provide contact details, including a physical address and an email address for unsubscribing. Both regulations require this, but the PECR requires additional information, such as the company registration number.

Content

Marketing emails must not contain false or misleading information or deceptive subject lines. They must also be clearly marked as marketing emails. The emails don’t have to explicitly say that they are advertisements or even use the word “advertisement” anywhere in the content, but they must contain clear advertising language. For example, if the email is offering a discount, then you must use the word “discount” in the subject line or the body of the email.

Data Protection

Organizations must take appropriate measures to protect the personal data of individuals, including their email addresses and other personal information.

Companies do this by taking appropriate technical and organizational measures to ensure the security of personal data, including email addresses, in their possession. This includes encrypting data and limiting access to authorized personnel. Companies must also collect only the personal data they need to achieve specific purposes, and avoid collecting excessive or unnecessary data.

Transfers

Organizations cannot transfer or sell email addresses without explicit consent from the individuals.

What Happens If You Don’t Comply with GDPR and PECR Laws?

Non-compliance with email marketing regulations under the GDPR can result in reputational damage and significant fines of up to €20 million or 4% of annual global turnover, while non-compliance with the PECR can result in fines of up to £500,000.

Do GDPR and PECR Laws Apply When Sending Emails to Corporate Clients?

Yes, PECR and GDPR laws apply when sending emails to corporate clients, so long as the email addresses used to send the emails contain personal data. This means that if the email address includes a person’s name or other identifiable information, the GDPR and PECR apply.

In general, the GDPR and PECR apply to any processing of personal data, regardless of the context or purpose of the processing. This includes processing personal data for the purpose of sending marketing emails, even if the recipient is a corporate client.
