Post – GDPR B2B email marketing was supposed to be a nightmare: oblivious of ePrivacy Directive exceptions, a few advisers suggested that all mailing lists should be deleted unless consent was obtained before the 25th May ‘GDPR deadline’. Three months later, Dr Bostjan Makarovic, the founder of Aphaia, outsourced Data Protection Officers, gives hints on how to make your B2B marketing fully lawful – even in the GDPR era.
GDPR allows for B2B direct marketing
GDPR expressly notes that it is the data controller’s legitimate interest to engage in direct marketing activities. However, to understand under what conditions one can actually send out B2B marketing emails, one needs to check out the rules of the ePrivacy Directive. These rules continue to run in parallel with those of the GDPR. ePrivacy Directive will soon to be replaced by ePrivacy Regulation but no major changes are anticipated in relation to these rules.
When can I send out B2B marketing emails?
If you have your office and staff in the UK, B2B email marketing rules applicable to you are particularly generous. Privacy and Electronic Communications (EC Directive) Regulations 2003 limit the general prohibition of unsolicited emails to B2C emailing. This means that you are generally allowed to send out B2B marketing emails, including to email addresses such as john.smith@company.co.uk.
However, other EU Member States might be less generous than the UK when it comes to such exceptions, and some establish the same regime for B2B and B2C. If you have your office and staff in such a Member State, you would need to obtain the corporate email ‘in the context of the sale of a product or a service’ or seek express consent. You would further need to enable an easy opt-out at the time of the original transaction and in each subsequent email communication, say in the footer of the email.
Things to remember
- The right to object to direct marketing (or opt-out, as it is regularly called in this context) is absolute under GDPR. So even if your marketing is B2B, where a corporate email address includes an individual’s name, they may at any time demand that you cease your communication. Again, an opt-out button in the footer of each message might be desirable in this context, and you need to maintain an opt-out register;
- Always include at least the full name of your business to avoid any claims of false or concealed identity, plus always enable replying to the same email address or another clearly visible contact email address to enable effective exercise of the addressee’s privacy rights;
- Publish a GDPR-compliant privacy policy that is clearly accessible from the emails sent or at least from your website;
- Be mindful of legislation applicable in the Member State of the addressee: EU ‘passporting rights’ might protect you from that Member State’ stricter regime but your addressee might still be unhappy;
- If you decide to seek consent to prevent any ambiguities, keep in mind that such consent may be withdrawn at any time and that you need to inform the data subject thereof at the time you ask for their consent.
