Is consent required for email marketing using third-party data under UK data protection laws?

Key findings

• Explicit consent: For email marketing, particularly when using data acquired from third parties, explicit, informed consent is the primary legal basis required under PECR and UK GDPR standards.
• Third-party transparency: If you intend to share data with third parties for marketing purposes, or receive data from them, the consent obtained must specifically mention these third parties and their intended use of the data.
• Lawful basis: While 'legitimate interests' can be a lawful basis for processing personal data under UK GDPR, it is generally not applicable for sending marketing emails without consent, especially when third-party data is involved. The Information Commissioner's Office (ICO) provides detailed guidance on this, emphasizing that consent must meet UK GDPR standards. You can find more details on their site: ICO's guide to PECR.
• Non-transferable consent: Consent obtained by a third party may not be sufficient for your organization to use the data, unless the original consent specifically included your organization or type of organization. This directly impacts how GDPR affects email deliverability and sender reputation.
• Right to be informed: Individuals have a fundamental right to be informed about how their data is collected and used, especially if it was obtained from a third party. Failing to provide this information can lead to compliance issues and potential blacklisting, impacting your email deliverability.

Key considerations

• Audit data sources: Regularly review and audit all third-party data sources to ensure they meet UK GDPR and PECR consent requirements. Verify the consent mechanism used by the third party.
• Specific consent language: Ensure that the consent language used by your data providers clearly states that data will be shared with your organization (or a category of organizations) for email marketing purposes.
• Transparency in communications: In your first communication with a new subscriber acquired through a third party, clearly state how their data was obtained and provide easy access to your privacy policy.
• Record keeping: Maintain robust records of consent, including when and how it was given, and by whom. This is crucial for demonstrating compliance if challenged.
• Risk assessment: Assess the risks associated with using third-party data, particularly regarding the quality of consent. Non-compliance can lead to significant fines and reputational damage, as well as impacting your email deliverability.

Key opinions

• Legal interpretation variability: Many marketers find the legal guidelines around 'legitimate interests' versus 'consent' confusing, especially for email marketing, often leading to a conservative approach of seeking explicit consent.
• Transparency challenges: It is challenging to be fully transparent about data sourcing when working with third-party providers, as it requires clear communication from the initial data collection point.
• Risk of non-compliance: There is a perceived high risk of non-compliance fines and negative impacts on sender reputation when relying on poorly obtained third-party data. This could lead to emails being sent to the spam folder, necessitating tools like an email deliverability tester.
• Focus on data quality: Marketers recognize that acquiring good quality, consented data, even if from a third party, is paramount for effective email campaigns and avoiding blocklists (or blacklists).
• GDPR's lasting impact: Despite initial concerns about GDPR's specific application to the UK post-Brexit, marketers generally understand that the principles of consent and data protection remain largely enshrined in the Data Protection Act 2018. More information on email marketing compliance can be found through resources like Usercentrics.

Key considerations

• Vendor due diligence: Thoroughly vet third-party data providers to ensure their consent collection practices align with UK data protection laws and your organization's ethical standards.
• Clear user journey: If using a third-party lead generation, ensure the user journey clearly explains how their email will be used for marketing by other organizations. Email domains are considered PII, increasing the need for transparency.
• Opt-out options: Always provide clear and easily accessible unsubscribe mechanisms in every marketing email, regardless of how the data was acquired.
• Internal training: Educate marketing teams on the nuances of UK data protection laws concerning third-party data, especially the distinction between consent and legitimate interest for email.

Key opinions

• Consent is key for email: Experts agree that for email marketing, explicit consent is almost always the required legal basis, differing from other marketing channels like postal mail.
• Legitimate interest caution: While 'legitimate interest' exists as a lawful basis, it is broadly discouraged for email marketing, especially concerning new contacts or third-party sourced data, due to high interpretative risks.
• Data Protection Act 2018: The UK's post-Brexit data protection framework, rooted in the Data Protection Act 2018, maintains high standards similar to GDPR, particularly regarding consent for electronic communications.
• Impact on deliverability: Non-compliant consent practices, particularly with third-party data, significantly risk email deliverability, leading to increased spam complaints and domain or IP blocklisting.
• User rights paramount: The individual's right to be informed about how their data is used and shared is a core principle that cannot be circumvented when acquiring data via third parties. This also impacts how email deliverability is affected by scraped lists.

Key considerations

• Verify consent chains: Ensure that any third party providing data can demonstrate a clear and compliant consent chain back to the original data subject, specifically for email marketing.
• Privacy by design: Integrate data protection principles, including consent mechanisms, into all stages of your email marketing strategy from the outset.
• Regular audits: Conduct periodic audits of your email lists and consent records to ensure ongoing compliance, particularly with any changes in data protection legislation. You can get a good overview from Data Protection Report.
• Contractual obligations: Establish clear contractual agreements with third-party data providers that stipulate their responsibilities for consent collection and data handling according to UK law.
• Monitoring deliverability: Actively monitor email deliverability metrics for signs of poor list hygiene or consent issues, such as high complaint rates or blocklist appearances.

Key findings

• PECR compliance: The Privacy and Electronic Communications Regulations (PECR) specifically require consent for unsolicited electronic marketing communications (emails and texts), with limited exceptions.
• UK GDPR standard: Consent for email marketing must meet the higher standards of the UK GDPR: it must be freely given, specific, informed, and unambiguous. This means a clear affirmative action is required.
• No automatic transfer: The ICO explicitly states that consent is not automatically transferable. If data is sourced from a third party, the original consent must specifically cover the subsequent use by your organization for marketing via email.
• Right to be informed: Data subjects have a right to be informed about how their data is used, especially if obtained indirectly. This includes details of the source of their data. This aligns with overall GDPR's impact on email deliverability.
• Legitimate interest exception: A narrow 'soft opt-in' exception under PECR allows marketing to existing customers if they initially provided their details in the context of a sale or negotiations for a sale, were given an opportunity to opt out, and the marketing relates to similar products or services. This is generally the only instance where deliverability and compliance objectives can be met without fresh consent. More details can be found on Privacy Compliance Hub.

Key considerations

• Document consent: Maintain clear, auditable records of consent, including the date, method, and specific scope of consent provided by the individual, especially for third-party acquired data.
• Specificity of purpose: Ensure that the consent obtained specifically covers the purpose of email marketing and the identity of the sender, if it is a third party.
• Regular data cleansing: Regularly clean email lists to remove inactive or unconsented contacts, minimizing the risk of complaints or blocklistings.
• Privacy notices: Provide comprehensive and easily accessible privacy notices that clearly explain your data processing activities, including sourcing from third parties and the legal basis for processing.