By Graham Smith, MarketingGraham.com
Even the most experienced marketing execs and big brands trip up occasionally when sending marketing emails. Just ask Koypo Laboratories Ltd. They were fined £100,000 for sending emails without consent.
But the impact goes beyond receiving a fine, there is damage to your reputation and sales may fall as customers rush to unsubscribe. Too often execs concentrate on the creative side of marketing (art) and ignore the ‘dull’ email marketing laws (science).
So here is a quick round-up of what you need to do on your next email campaign to ensure you stay legal and don’t blemish your name.
GDPR and email marketing (plus PECR?)
I Googled “GDPR UK Law” recently and got 28,800,000 results. Did the same for “PECR UK Law” and got just 99,200 results. I guess not many people write about PECR, which is a big mistake.
Data for email campaigns in the UK is governed by two laws; GDPR and PECR. Their full titles are the ‘General Data Protection Regulation‘ and the ‘Privacy & Electronic Communication Regulation’.
GDPR governs how you store a person’s data, PECR governs how you contact them electronically (that includes email, text and telephone).
GDPR does not distinguish between individual data (e.g. email@example.com) and corporate data (e.g. name@yourCompany.com). To store any personal data you will either need consent or be able to prove you have a legitimate interest.
So, which is best, ‘Legitimate Interest’ or ‘Consent‘? This is complicated and the answer will vary from organisation to organisation. It really depends on how successful you believe you’ll be in getting consent. Sexy companies like Apple or Nike probably have no problem getting people to sign-up for email marketing, but a small firm of local Accountants may struggle.
If you have to rely on legitimate interest (which does not require consent) then you must complete a legitimate interest assessment. This will document the reasons why you believe you have the right to store a person’s data and why it does not damage their rights.
Individual vs Corporate emails
After legally storing a person’s full name and email address, the next thing is to prove you have the right to send them an email. That’s governed by PECR.
If you contact them as an individual (e.g. firstname.lastname@example.org or name@privateEmail.com) you will need their permission (opt-in) before you send the email.
However, if you email them as a corporate (e.g. name@yourCompany.com) you do not need their permission and can continue emailing them until they tell you to stop (unsubscribe).
Either way (individual or corporate), you must ensure your marketing emails have an unsubscribe link.
Regardless of whether they are an individual or corporate, if they unsubscribe you must do it without delay and ensure you have the mechanisms in place to avoid them being emailed by you in the future.
Beware! Sole traders and partnerships will be regarded as individuals. Therefore, you will need permission before you email them. As an example, many Accountancy firms and Solicitors are partnerships.
Do not assume that because they have a .com or .co.uk email address that they are an Ltd or Plc company. Also note that Schools, Hospitals and Government Departments would be regarded as corporate.
UK law vs International law
Does UK or International law apply to your email marketing? Answer? It depends on which law your email marketing platform is using and where your customers/prospects live.
For example, MailChimp applies the USA CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) law to any email campaign using its platform.
But if you are using a list on MailChimp that contains the names of UK or EU citizens then the GDPR law also applies.
Note, PECR states that if you are emailing name@yourCompany.com, and it is a Ltd or Plc organisation, you do not need prior permission – by contrast, the USA CAN-SPAM law states you do need permission before sending marketing emails to any address, including corporates.
What happens if you break email marketing law?
You’ll damage your organisation’s brand and see a spike in unsubscribes if you send unlawful emails, you may also be fined. Fines in the UK are issued by the Information Commissioner’s Office (ICO).
GDPR states fines can be as high as €20 million or 4% of global turnover (British Airways was fined an eye-watering £20m by the ICO for a GDPR failure). PECR has a maximum figure of £500,000 (Decision Technologies Ltd was fined £90,000 for sending emails without consent).
You may be thinking that you will never get caught. While it’s true that many consider the CAN-SPAM law is a toothless dog (there haven’t been that many prosecutions by the FTC since 2003), the ICO in the UK has been more active, issuing over £50m worth of fines in the first 6 months of 2020.
It’s not just the ICO you need to worry about. Spam emails get dumped in the Junk folder and you may find your email domain gets blacklisted or your email platform closes your account.
And don’t think that outsourcing your email campaigns to an agency lets you off the hook. As the ‘instigator’ of the email, the ICO will come after you first.
Do any other laws apply?
The UK Companies Act 2006 states you must include the following information on your letterheads, order forms, company website and, you guessed it, business emails:
Your company registration number;
Place of registration (e.g. Scotland or England & Wales); and
Registered office address
Getting email marketing opt-in (consent)
I use ‘legitimate interest’ under GDPR to store personal data in CRMs, and I abide by the rules of PECR so I don’t need prior opt-in most of the time.
However, all experienced marketers know that ‘permission marketing’ is the most effective. That’s why I include the following text on all my website forms with a tick box – it gives me both GDPR and PECR opt-in.
Yes, please send me the Marketing Graham Bulletin no more than 8 times per year. I understand that I can unsubscribe at any time by clicking the link in the footer of your emails, and you will store my data but never sell it to third-parties.
The tick box is important as GDPR states that if you are asking for consent it needs to be ‘unambiguous’ by using ‘affirmative’ action (note, you cannot pre-tick the box).
The new ePrivacy law
Beware, there’s a new law on the horizon that will replace PECR. It’s called the ePrivacy Regulation and was supposed to be introduced alongside GDPR. That didn’t happen.
The likelihood is that although it’s an EU law, the UK Parliament will introduce a carbon copy (much like they did with GDPR). The final wording is yet to be agreed, but it seems you may need to get opt-in before emailing both individual and corporate email addresses.
When will it happen? My guess is the text will be finalised during 2021 and it might be enforced at some point in 2023.