“Breaking one law to get ready for another” – Take care when obtaining consent to send marketing emails

11 August, 2017

Puzzled by the forthcoming GDPR and unsure how to comply? You’re not alone – a number of businesses have recently tried to prepare for the GDPR coming into force and have made some pretty big errors in the process, sometimes with disastrous consequences.

You may have seen that Moneysupermarket.com was recently fined £80k for sending unsolicited emails to around 7 million individuals who had opted out of its marketing material. The emails acknowledged that the individual had asked not to receive these in the past, and gave individuals the option to reconsider their choice.

This was a breach of the current marketing regulations, the Privacy and Electronic Communications Regulations 2003 (PECR). Under the PECR, you mustn’t send any unsolicited marketing emails to individuals unless you have their explicit consent, with a few limited exceptions. Where an individual explicitly opts out of receiving your marketing material, you must stop contacting them from that point onwards, and must not ask them questions about why they opted out or whether they might like to change their mind.

While emails sent solely for routine customer service purposes will not fall under the Act, you will need consent to send unsolicited emails “for the purposes of direct marketing” which includes asking customers to consent to receiving marketing.

The confusion is understandable. Honda and Flybe also received 5-figure fines for sending similar emails. The upcoming GDPR, which tightens up the rules about what level of consent you need from individuals for certain uses of their data, and a potential update to the PECR, have made data protection a hot topic for businesses recently.


The key lesson here is to carefully consider your GDPR compliance process and always keep in mind what the current law is. Businesses “can’t break one law to get ready for another” as the ICO succinctly put it. At the opposite end of the spectrum, while Wetherspoons’ deletion of its entire customer email database eliminates a lot of potential risk, it won’t be necessary (or sensible) for every business. We’ll be providing plenty of tips for handling GDPR preparation on our website in the coming months, but in the meantime if you have questions about anything GDPR or marketing-related, don’t hesitate to get in touch with Elliot Fry.


For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw