
If you're planning an email marketing campaign, there are a number of regulations to comply with. The EU has just created more regulations, but these don’t take effect until 2018.

The Current Situation

The basic principles are:

· This only covers businesses sending marketing emails to individuals, not to businesses (sole traders and partnerships count as individuals for this purpose).

· The sender must not conceal their identity and must also provide a valid means of opting out of further emails.

· Organisations must not send marketing emails without the permission of the recipients. However, it is allowed if the recipient is already a customer and is given the option of opting out of further emails.

‘Soft’ opt-in

There are circumstances in which you can treat an individual subscriber as having consented to receiving emails from you, even though they haven’t specifically done so. This is called ‘soft’ opt-in.

This only applies where you already have a business relationship with the customer and you are marketing only products similar to whatever the customer has previously bought or shown interest in. The customer must also be offered an opt-out.

There are a lot more details, but those are the basics.

The New Regulations

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union.

The commission’s intention is to give citizens back control of their personal data.

This regulation was adopted on 27 April 2016 and takes effect on 25 May 2018 after a two-year transition period. It does not require any enabling legislation to be passed by individual governments.

The key points are that opt-out is replaced by opt-in, that all recipients must have opted in to receive marketing email, and that there is no longer any difference between business and consumer marketing email. It is now all ‘personal’ information.


According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."

Responsibility and accountability

The notice requirements remain and are expanded. They must include the retention time for personal data, and contact information for the data controller and data protection officer has to be provided.

Citizens will have the right to question and fight any automated decision making.

Privacy settings must be set at a high level by default.


You must obtain explicit consent for any data that you will store and give explicit information on the uses for that data. Data controllers must be able to prove consent was granted and citizens must be allowed to withdraw their consent.

Right to erasure


Citizens must be allowed to query their data and to request its removal on a number of grounds, including inaccuracy and non-compliance.

These new regulations come into force in May 2018, but companies should start to apply them as soon as possible, as they are good practice and can potentially avoid customer issues. Following these new rules will also lead to more carefully planned campaigns that are likely to produce better results.

Anti-spam law is enforced by the Information Commissioner and breaches can lead to a fine of up to £5,000. There is also civil liability to anyone who suffers damage as a result of the breach. The rules are in the Privacy and Electronic Communications (EC Directive) Regulations.

Refer to for more details.

