Suped

Is consent required for email marketing using third-party data under UK data protection laws?

Summary

Under UK data protection laws, specifically the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), obtaining explicit consent for email marketing using third-party data is generally required. While there are narrow exceptions, such as 'soft opt-in' for existing customers, the default stance emphasizes consumer control and transparency regarding personal data. The legal framework aims to prevent unsolicited communications and ensure individuals are fully aware of how their data is processed and by whom.

What email marketers say

Email marketers often grapple with the complexities of consent, especially when considering third-party data. While the ideal is always direct, explicit consent, the reality of marketing efforts sometimes involves data partnerships. Marketers express concerns about the practicalities of proving consent obtained by another entity and the potential for violating an individual's right to information, which can have significant consequences for email performance and compliance. There's a strong emphasis on transparency and avoiding practices that could lead to being identified as spam.

Marketer view

Marketer from Email Geeks believes that if an email address is purchased from a third party, it constitutes an abuse of the individual's right to be informed. This marketer stresses that claiming 'legitimate interest' in such scenarios would be inappropriate and could lead to compliance issues under UK data protection laws.

08 Mar 2019 - Email Geeks

Marketer view

Marketer from RD Marketing points out that the GDPR mandates complete transparency regarding the use and sharing of personal data. They caution that failing to inform subscribers about any sharing of their data with third parties is a prevalent mistake that can result in non-compliance.

26 Nov 2024 - RD Marketing

What the experts say

Experts in email deliverability and data privacy consistently highlight the stringent requirements for consent under UK law, especially for third-party data. They emphasize that while GDPR has largely transitioned into the Data Protection Act 2018 in the UK, the core principles of explicit, informed consent for direct electronic marketing remain paramount. Relying on 'legitimate interest' for email is generally advised against unless specific, narrow conditions are met, and even then, transparency and user rights must be at the forefront. Proper data hygiene and consent management are crucial not just for compliance, but also for maintaining a strong sender reputation and avoiding blacklisting (or blocklisting).

Expert view

Expert from Email Geeks emphasizes that processing any personal data necessitates consent or another valid legal ground. This principle extends to using data for email marketing, meaning simply having an email address, especially one obtained from a third party, does not automatically grant permission to send promotional messages.

08 Mar 2019 - Email Geeks

Expert view

Expert from Spam Resource highlights that email deliverability success hinges on respecting subscriber consent. They note that even if data is technically 'clean,' if the consent chain is unclear or insufficient, it will inevitably lead to spam complaints and damage sender reputation, resulting in emails landing in spam folders.

20 May 2024 - Spam Resource

What the documentation says

Official documentation from the Information Commissioner's Office (ICO) and other legal bodies clarifies the strict requirements for consent in email marketing, particularly when third-party data is involved. It distinguishes between various forms of marketing and outlines when explicit opt-in consent is mandatory under PECR and the UK GDPR. The documentation consistently emphasizes that consent must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes. Crucially, it clarifies that consent obtained by one entity does not automatically transfer to another unless explicitly stated and agreed upon by the individual.

Technical article

Official documentation from the ICO's GDPR FAQs for charities states that consent is not always needed, for instance, for postal marketing. However, it explicitly clarifies that consent is required for certain calls, texts, and emails under PECR. This distinction is crucial for understanding specific electronic marketing obligations.

08 Mar 2019 - ico.org.uk

Technical article

Documentation from Securiti.ai's UK Guide on Direct Marketing via Email outlines that consent obtained for sending direct marketing messages must meet specific criteria. It must be freely given, specific, informed, and an unambiguous indication of the individual's wishes, emphasizing the high bar for valid consent.

01 Dec 2022 - Securiti.ai

15 resources

Start improving your email deliverability today

Get started