“Dear Jon
You know us. We’re that firm you placed an order with a few months ago. You may remember that at the time we took your order we explained we were going to send occasional marketing emails to you about similar products and services, but you could opt out then, and at any subsequent point.
We know that since 2003 (with the Privacy and Electronic Communications Regulations) (PECR) it’s been unlawful to send unsolicited marketing emails except in circumstances like those above.
We’re contacting you now because we’ve noticed a lot of competitors (and other firms) who are either utterly confused or utterly misrepresenting a new law (separate to PECR) called the General Data Protection Regulation (GDPR). They’re claiming it means they have to contact you to reconfirm your consent to receive marketing emails.
GDPR actually says nothing of the sort. It does explain what “consent” means in data protection terms in a slightly more strict way, but for companies like us, who’ve respected our customers and prospective customers all along, it makes no difference.
In fact, the emails you’re getting from those companies, asking you to “reconsent”, are probably actually direct marketing emails themselves. And if the companies don’t already have your consent to send them they may well be breaking the law in sending them. If you think we’re exaggerating, look at the fine the Information Commissioner’s Office (ICO) levied on Honda last year.
In fact, you’d do well to look at the ICO’s website – it’s got some good stuff on this, both for customers like you, and for companies who are confused by this.
It all really boils down to treating customers well, and not assuming you can send direct electronic marketing without actually looking at what the law says.
So yes, this is a marketing email, and yes, it is lawful, and yes, it is more than a little pompous.”
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 
You forgot to include an Unsubscribe button in your model email…
Haha – fair cop!
Pingback: Start Up: TurboTax’s dark patterns, fiduciary Facebook, Rome’s (real) collapse, Xiaomi and GoPro?, and more | The Overspill: when there's more that I want to say
How does the below demonstrate “explicit consent”?
You may remember that at the time we took your order we explained we were going to send occasional marketing emails to you about similar products and services, but you could opt out then, and at any subsequent point.
It doesn’t need to. They would be relying on regulation 22(3) of PECR (“soft opt-in”). That’s one of the main points.
Gotcha. But doesn’t that change under GDPR? You have have to demonstrate explicit consent regardless of the PECR in the past?
No. PECR is unamended.
I am wondering how by sending these emails companies are not attracting attention on their past practice. I have recently been asked by a school alumni to consent to get further communications. The privacy policy states they do wealth profiling of students and parents, including social media and news tracking. They use email tracking to see who opened their emails, and best part is they share data with US office. I can guess they have been doing this for some time.
I was no way aware of this kind of profiling tgey’ve Been doing.
Is this not opening a door to remedies?
How can they send personal data to the US?
Does soft opt in apply here? The email doesn’t actually attempt to sell any product or service. The ICO website says “[Soft opt in] also does not apply to non-commercial promotions (eg charity fundraising or political campaigning).”
If it’s a marketing email sent to an individual subscriber, then soft opt-in applies. If it’s not a marketing email (and remember, whatever it is, it’s also entirely fictitious) then PECR doesn’t apply in any case.
Pingback: GDPR – an unqualified right to rectification? | informationrightsandwrongs
Thank you for a great post, you helped me a lot.