Most of us will have received emails over the recent weeks from businesses asking us to confirm that we want to continue to hear from them.
They will use phrases like “we take your privacy very seriously” and “if you don’t tick the box below, we will no longer be able to hold your data or communicate with you”. So, what's the reason for all these emails, and are they necessary?
On 25 May, the General Data Protection Regulation (GDPR) comes into force. Businesses, it seems, are rather confused, and lawyers and other advisers have given mixed views. In many ways, the GDPR simply updates existing European law, which has been in force in the UK since 1998 as the Data Protection Act. Its big thing is to give individuals various rights in respect of personal data relating to them – and it’s always worth remembering that each of us, as well as being involved in some form of business or other, is also an individual, with those same rights. I like to think of myself as the “weekend me”, when I have my individual’s hat on and data is being held about me, and the “weekday me” when I’m a businessman, gathering personal data. The GDPR is all about rights for individuals (the weekend me), and obligations on those who hold their data known as “controllers” (the weekday me).
Sitting alongside data protection law is a related piece of law that goes under the acronym of PECR – the Privacy and Electronic Communications Regulations, 2003. One short section in the PECR addresses the issue of direct electronic marketing, and it has been in force for about 15 years.
It requires that organisations that want to send unsolicited electronic marketing to individual subscribers need to get consent (or they can rely on the other gateway, namely that they collect an email address in the course of a sale of goods or services, and give the person the right to opt out of marketing emails).
There are various key words there: “unsolicited” is important – if I ask to be sent mailings by an organisation, they are solicited; if I am not an “individual subscriber”, I am also outside the scope of this restriction. An individual subscriber is someone who signs up directly to an email provider – or as I think of it, firstname.lastname@example.org, rather than email@example.com. On top of this, the information commissioner has made it clear that sending an email asking someone to opt-in to receive emails is itself a marketing email – so sending one of those breaches the restriction in the PECR.
The bottom line is this: those emails you’re getting are all unnecessary or themselves in breach of the very law they are seeking to comply with. No wonder we might be getting fed up with them.