What’s with all these OPT-IN Messages?

Like me, you are probably receiving OPT-IN messages every day, claiming that because of the General Data Protection Regulations (GDPR) coming into effect on 25 May 2018 they now need your “Consent” to continue sending you marketing emails. Well, here’s my problem with it… this is just wrong. GDPR is not about stopping businesses doing business, and it’s not about marketing; it is about making businesses maintain Personal Data properly or, as we say, treating Data with respect. Consent (OPT-IN) is just one of the six legal bases for processing personal data and, despite what many people think, it is not the “Golden Nugget”. In fact there is no hierarchy to the 6 Lawful reasons, and in many cases consent is not your best option.

Warning!

Consent has to be freely and unconditionally given, and as easily as consent can be given it can be taken away; therefore consent may not always be the best or right choice.

You should also be mindful that if consent to contact someone is removed, you can no longer contact them, not even about something else, so be very careful where consent is used.

Can I continue sending messages to my existing list?

Business to Business
Yes, of course you can, and you do not need to get people to re-consent. Additionally, if you are already email marketing and they have not objected or asked to be removed, then you may be able to say there is a mutual “Legitimate Interest” (Article 6.1.f), which is a lawful basis to process the information. However, if you are going to rely on Legitimate Interest you need to carry out a Legitimate Interest Assessment (LIA) and ensure that the recipient’s rights and freedoms are not affected and are prioritised above the interests of the company. If there is any doubt about the legitimate interest then the best advice is to not send the email. And remember, you always need to give the recipient an easy and clear way to unsubscribe.

Business to Consumer
Things do get a little more difficult here, but not really because of GDPR; it is more because of PECR, ePrivacy and the Direct Marketing Act (DMA). It is unlikely you will be able to rely on “Legitimate Interest” (but not impossible), and another lawful reason may be more appropriate. Just to make this more interesting… sole traders come under Business to Consumer. Ultimately, though, the worst that will happen is someone will ask to no longer receive your email; as long as you remove them without delay or distress it is unlikely it will go further, unless you continually spam people or abuse the data you maintain!

Article 4 (11)

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

What about new contacts?

From your website
You need to make it clear and optional to opt in to any marketing emails, and you are not allowed to force signups, so those annoying ‘signup to receive our White Papers’ forms are generally not compliant. If someone consents to you marketing to them then the consent must be given freely and unconditionally, and the details must only be used for the purpose they were consented to.

Networking Groups
It is highly likely that you will exchange business cards when networking and agree to contact each other, but neither of you has agreed to being added to a mailing list and receiving regular marketing emails. You would need to send an email asking them if they would like to opt in and clearly explaining the purpose; if they say no then you cannot direct market to them.

Purchasing data lists
This is interesting: the seller needs to confirm that the subjects are happy to be contacted by you. That consent needs to be explicitly for your company; consent for “any third party company” does not allow you to use the list. The only person allowed to contact the subject and ask is the seller. You will need to evidence that consent has been granted, so take extreme care here.

Existing Customers
You can contact your existing customers and let them know about changes to the products you have already sold them; you may also market other related services and products you provide.

Our Top Tip!

Carry out a Data Impact Assessment and a Legitimate Interest Assessment and know your data; minimise data you no longer need and be respectful of the data you maintain.

And if you’re still not clear on what to do, seek the advice of a GDPR Professional. Getting GDPR wrong will seriously damage your business reputation!
