GDPR - Customer Email Database

Those GDPR emails you got… all for nothing!

Or the GDPR emails you sent to get re-consent – which maybe you regret?

Is there any good news?

Yes! You don’t have to worry about not ploughing through the 50+ emails you got in late May asking if you want to “stay in touch”. How annoying and so non-GDPR all that malarkey was… Those companies can mail you, and probably still are. I know I’m getting tonnes of email and I didn’t re-consent to ANY of the re-consent emails I received.

So what’s the bad news?

You shouldn’t have received most of those emails in the first place.

It’s not new for me to say this but I’ll remind you again… at the time, and still now, experts and legal beavers said European consumers didn’t need to be on the receiving end of the avalanche of emails which landed in their inboxes.

A large number of businesses who were clearly uncertain (or misled?) about the implications of the new rules asked their whole customer databases to re-confirm consent that had already been given. The first trouble with this is that those people had already given their consent by being a customer. ICO guidance suggests the customer relationship can be used as one of the forms of consent if the purchase was within a 2-year period.

If you gave your consent to receive marketing emails from a company in the past then that consent is still valid.

But perhaps most importantly… Companies don’t need consent to send marketing emails to existing customers.

“There is a lot of fuss about this … In a lot of cases they don’t need this consent,” said Willem Debeuckelaere, Belgian data protection chief and deputy chair of the newly created European Data Protection Board that coordinates privacy enforcement across Europe.

Businesses do not need additional consent to send marketing emails to existing customers.

Are you regretting falling for the myths and following the mass exodus? 

The only situation in which a company needs to ask for additional consent, or look to apply one of the other forms of consent, is when it sends marketing emails to contacts that are NOT existing customers.

The exceptions to this rule are organisations holding large troves of email addresses but never asked recipients if they wanted to be included on email lists. Such “spammers” could face fines and enforcement action — but would have already been in breach of EU law (and specifically the e-Privacy Directive) before GDPR and the new data protection rules kicked in. So that’s really a moot point.

The companies who did send emails asking for renewed consent might be in a difficult situation now. In most cases, the email was unnecessary at best and a poor business decision at worst. The net result was they found their marketing database was decimated and one of their largest assets unavailable.

Many of the companies who sent out emails asking for consent lost a sizeable portion of their mailing list. While some people did willingly respond and provide the sought-after re-consent, there were plenty of customers who said no, with the sizeable majority not responding at all. The latter is hardly surprising as it’s estimated the average user had 50 of these (I got a lot lot more I can tell you!).

GDPR: mailing lists – the myths

GDPR and the rules surrounding existing mailing lists have become a regularly raised question.

So, let’s look at the key questions…

Did you have to delete your existing mailing lists and start from scratch? – NO

Did you need to contact everyone on your mailing list before 25th May and ask for their consent to be contacted? – NO, not everyone.

Can you continue to write to businesses, as they don’t have to have given consent for you to email them? – YES, you can write to B2B customers, limited companies and limited liability partnerships as long as you give them the opportunity to opt out of contact every time you send them an email. Sole traders are considered individuals.

Having addressed the myths, let’s look at the options available to secure the consent required.

Firstly, it should be noted that any form of consent must be auditable. Should you be required, on a case-by-case basis, to show evidence of the form of consent for a given database record, you must be able to do this. For customers this is often easier as you will have some form of account or order history.

The key to understanding who you can contact is to appreciate the lawful basis for processing personal data.

There are six lawful bases in total:

Consent
Contractual Necessity
Legal Obligation
Vital Interest
Public Interest
Legitimate Interest

GDPR was never designed to ruin your business, so each of these lawful bases covers different cases and simply needs to be applied correctly.

For paying customer data, we are looking at FOUR of these: Consent, Contractual Necessity, Legal Obligation and Legitimate Interest

Here are the legal bases to process customer data:

Legal Obligation

You may have to hold onto contracts, invoices, etc., for legal reasons. This would include audit or tax purposes. This means you can use customer data for this purpose. This lawful basis only applies if it’s dictated by EU or member state law.

Contractual Necessity

When closing a contract or sale, and while fulfilling the contract / ongoing sales relationship, you are within your rights to create a data process for handling customer data. For this legal basis the customer must have paid for their goods or services.


Consent

Under the existing ePrivacy Directive you require opt-in to send any direct marketing emails (watch out for local laws: in Germany you have the double opt-in, whereas in other countries you do not require opt-in for B2B marketing emails).

Legitimate Interest

Some companies opt for legitimate interest as the lawful basis instead of consent for marketing purposes.

There are quite a few things to consider including a legitimate interest assessment, a potential Data Privacy Impact Assessment and informing data subjects about your intentions. Legitimate interest can be used as a form of consent for existing and regular customers.

Let’s finish with 10 more myths about GDPR…

Myth 1

GDPR only applies to EU citizens so you just need to segment your list.

>> No! The regulation applies to anyone who finds themselves in the EU, including travellers.

Myth 2

You’ll be fined €20M or 4% of your worldwide turnover.

>> No! It’s unlikely you’ll be fined at all. If somebody complains about you then it doesn’t mean that the data privacy authorities will immediately start an investigation.

Myth 3

You have to ask everybody on your list to opt in again.

>> No! You do not need to ask previous and current clients or customers to opt in again as you can use the lawful basis of a contract and legitimate interest to keep your clients up to date and send marketing emails until they decide to opt out.

Myth 4

You cannot offer freebies any longer to build your email list.

>> No! The regulation states you cannot bundle offers, but that doesn’t mean you cannot offer free gifts or downloads anymore.

Myth 5

You have to use a double opt in.

>> No! The regulation does not mention double opt in and there is no need to start to use a double opt in if you weren’t using it before.

Myth 6

You need to use tick boxes.

>> No! The regulation does not mention tick boxes or insist on their use. A clear and unambiguous statement of consent at the point of registration or purchase is sufficient.

Myth 7

You need a cookie bar.

>> No! There is no mention of a cookie bar in the regulation because the whole discussion around cookies is covered by another law, PECR, due in 2019.

Myth 8

You cannot use Facebook retargeting ads.

>> No! Using Facebook ads is based on legitimate interest. This means your subscriber has shown interest in a product or a service and you are now reminding them with your retargeting ads. The same is true for Google and LinkedIn retargeting.

Myth 9

You cannot use Google Analytics any more or other anonymous tracking.

>> No! Google Analytics, like most tracking tools, anonymises IP addresses of website visitors.

Myth 10

If a client asks you to delete their data, you need to comply.

>> No! Not necessarily. Some company law supersedes data privacy laws in the sense that you need to keep records for a certain number of years.





November 7, 2018