GDPR means you need consent to send me emails

No it doesn’t. Don’t be “one of those people”.

Photo by Gerd Altmann from Pexels

Note: I’m writing this from a UK legislative perspective. Though the GDPR applies across the EU, other legislation may be in play in certain jurisdictions that causes things to differ slightly.

In my work as a data protection consultant and outsourced DPO, I’m often faced with inaccurate interpretations of the law by my clients, who I have to gently encourage to look at things a different way. But that’s why they hire me, and it’s my job to help them identify what they must do to comply with regulations and how they can do it without disrupting their business. It’s important for me to be an advocate for both data subjects and the controllers and processors who hold their personal data, and not to see the GDPR as a weapon to wage war with.

But recently I’ve been dismayed at the prevalent misunderstanding that because a slew of companies sent sometimes unnecessary GDPR consent emails, the GDPR “means” that companies may no longer email anyone who has not given their prior consent, or “opted in” to receiving that company’s communications. I’ve even had someone try to make a data subject access request on behalf of an entire company. If you don’t know why that’s absurd, read on.

The GDPR doesn’t regulate marketing emails

The only place “email” is used in the entire document is Recital 23, which isn’t about email marketing. The GDPR isn’t designed to deal with marketing by electronic means because there’s already a law in place to deal with that, Directive 2002/58/EC and in the UK, its enabling legislation, The Privacy and Electronic Communications (EC Directive) Regulations 2003, commonly known as “PECR”. While EU legislators have begun discussing a new instrument known as the ePrivacy Regulation to replace it, that hasn’t happened yet, and if and when it does, it won’t be for a while.

The GDPR applies to personal data

Personal data is so explicitly defined in the GDPR, in such detail, but with rather a wide scope, that it’s hard to get it wrong — if you actually read the law. It only applies to data that identifies or could be used to identify, directly or indirectly, a living human being. Those living human beings are called data subjects, and they have rights. Those rights include the pre-existing right of access to data held about them, along with some new ones under the GDPR, and the famous one, the Right To Be Forgotten (which is really called “erasure”). But I can’t exercise my neighbour’s data subject rights, nor can I insist they be applied to data that isn’t personal data. That’s why asking for data held about a company has no basis in law, and why data controllers have to take steps to verify that it really is the data subject who has made a request.

Consent is one of SIX lawful bases of processing

Handily presented in Article 6, consent is the first of six in a list of acceptable reasons for a government, company or other organisation to process personal data. “Processing” is also rather explicitly defined, and very wide in scope. Even storing data is a form of processing. The other five are often neglected because consumers don’t get asked about them. That’s the point with not being consent — you won’t be asked — but you still have rights and the GDPR overall still applies.

Business email addresses ARE different, even the “personal” ones

Some of the most heated disagreements have come from people asserting their rightness while ignoring the fact that PECR Regulation 22, which makes consent mandatory for marketing emails to “individual subscribers”, simply does not apply to business email addresses. The rules are a little more nuanced, but they are the rules. As the definitions in Regulation 2 aren’t crystal clear, the ICO has published guidance to clarify that sole traders and unincorporated partnerships are considered “individual subscribers”, while government bodies, public and private limited companies and limited liability partnerships are “corporate subscribers”. Recipient email addresses operated by corporate subscribers are not subject to the consent requirement or its exemptions in Regulation 22.

Email marketing is processing, but processing isn’t email marketing

Not needing consent to send marketing emails to an address identified as operated by a “corporate subscriber” within the meaning of PECR and the ICO’s clarifications, doesn’t mean that now “the GDPR doesn’t apply”. If the email address constitutes or is associated with an individual, then it is something that directly or indirectly identifies a living human being, and that personal data needs to be protected. Just not necessarily with consent. There are 5 other valid ways to store and use that data, remember. So the processing of personal data and the delivery of marketing emails are different things, that in the case of individuals, require the same remedy: consent. But in the case of business addresses, they don’t. That’s how business-to-business prospective email marketing works. Otherwise people wouldn’t do it, and the ICO would be coming down like a ton of bricks on everyone who is trying to stimulate the economy by marketing their products and services to companies they don’t yet have a relationship with. Which would obviously be absurd.

It’s hard to prove what isn’t

When something is written, if someone doesn’t believe you, you just have them look and read it. But when something isn’t, and someone insists that it is, what are you supposed to do? Write this article.

If you’re confused by data protection law, maybe you need help from someone who isn’t. Visit and get in touch.