What are the requirements to be compliant with PECR and GDPR?
Email marketing communications must comply with the GDPR and the strict rules within the UK’s Privacy and Electronic Communications Regulations (PECR). The GDPR does not replace PECR. Existing PECR rules continue to apply, but using the new GDPR standard of consent. The rules on electronic mail marketing are in regulation 22 of the PECR. In short, an organization sending marketing materials must receive consent from the individual, or the individual must be an existing customer who bought a similar product or service in the past. The process for existing customers is known as the soft opt-in. If the individual is an existing customer, the organization must give the individual a simple way to opt out both when it first collects the individual’s details and in every message the organization sends to the individual thereafter.
What is consent? What are the methods to obtain consent?
The current prevailing practice for collecting email addresses for marketing mailing lists is to bury a pre-ticked “subscribe” checkbox somewhere on an order or registration form, but that practice does not comply with the GDPR. As stated in Recital 32:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her . . . Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should be obvious and require a positive action to opt-in. As written in Article 7:
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
As such, consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
Once the individual has given their consent freely, the organization must continue stay compliant. To maintain compliance, first the organization must keep clear records to demonstrate consent. Second, the organization must give the user the right to withdraw consent and offer them a way to withdraw at any time.
What must be included in marketing emails?
The following is a checklist to assist in compliance with PECR and GDPR:
☐ Check that consent is the most appropriate lawful basis for processing.
☐ Make the request for consent prominent and separate from your terms and conditions.
☐ Ask people to opt-in a direct and positive way.
☐ Do not use pre-ticked boxes, opt-out boxes or other default settings.
☐ Use clear, plain language that is easy to understand.
☐ Specify why you want the data and what you are going to do with it.
☐ Give separate distinct options to consent separately to different purposes and types of processing.
☐ Name your organization and any third parties who will be relying on the consent.
☐ Tell individuals they can withdraw their consent.
☐ Ensure that individuals can refuse to consent without detriment.
☐ Avoid making consent a precondition of a service.
☐ When presenting online offers directed to children, ensure that you have age-verification measures (and parental-consent measures for younger children) in place.