GDPR: Can we directly market to business email addresses without express consent?

Whilst advising clients on the latest General Data Protection Regulations (“GDPR”), many have raised the question as to whether a business email address is personal data for direct marketing purposes. As with many new laws that are brought into force, the answer is not straightforward, is not ‘one size fits all’ and requires each business to consider the question for its own purposes.

At its most basic level, personal data is defined as any information that can identify an individual. Where business email addresses take the form of ‘name@business.com’, the individual is identifiable and would therefore fall under the definition of personal data.

However, does this mean your business must get consent from each business contact in order to directly market, say events or information, to them? Maybe.

If the business you wish to market to is a sole trader or a partnership, these are businesses that trade through the identity of individuals. The Information Commissioner’s Office (the independent body governing information rights) has clearly stated that it treats sole traders and partnerships as individuals in respect of personal data. Under the Privacy and Electronic Communications Regulations 2003 (which may be replaced by a new e-Privacy Directive in the future) and the GDPR, it is implied that consent must be sought in order to directly market to such business email addresses whether it is the format set out above or even something more generic such as ‘info@partnership.com’ based on the probability that this is the only business email address available for that business contact.

If the business you wish to market to is an incorporated body such as a limited company or a limited liability partnership, then you may not necessarily have to seek prior consent. Although the email address is identifiable as personal data, you may be able to send direct marketing emails to such a business provided the email is considered to be in your legitimate interest as a data controller but as long as the business contacts ‘rights and freedoms’ are not overridden. This is generally ascertained via the particular relationship between you and the relevant business contact, as well as their expectation of how you will use their contact details. For example, you may have a legitimate interest where the business contact is a client or have taken or received services or goods from you. Therefore, as long as you have an overriding legitimate interest, express consent for direct marketing is not necessarily likely to be required.

The above information still contains many caveats largely based on the fact that we don’t know how the courts will interpret the GDPR until cases come to court after 25th May 2018. What we do suggest in all cases though, is that your business should give each of your direct marketing contacts the right to opt out. Best practice would suggest that you ensure the opt-out process is adequately policed and honoured to help prevent a breach of the GDPR.