Decision Marketing Data Clinic: Third-party emails

DM ClinicIn the latest in a series of articles, designed to provide advice on data-driven marketing strategies in these turbulent times and beyond, we look at the often thorny issue of third-party email marketing.

The Decision Marketing Data Clinic, in association with REaD Group, is open to all companies and organisations big and small. If you have a burning issue which you would like advice on please email us on

Despite four years of the GDPR and 19 years of the Privacy & Electronic Communications Regulations (PECR) – albeit with several amends during that time – there remain many different interpretations on what and what isn’t possible when it comes to third party email marketing, and there are many potential pitfalls around compliance.

Brands may agree to third party email campaigns because they think compliance is correct – but several organisations have received enforcement notices from the ICO because they’re not doing things correctly. So what should brands be thinking about when considering third party email?

Where are businesses going wrong?
Some organisations have run into difficulties when using third parties to facilitate their direct marketing by electronic means on their behalf. While they are not prevented from doing this, they must ensure they comply with the direct marketing regulation, because even when they are not physically sending the marketing themselves, this does not mean that they stop being responsible for compliance.

PECR applies to the ‘sender’, ‘caller’, ‘instigator’ or advertiser of the direct marketing message. This means that PECR will still apply even if a brand doesn’t send the electronic message themselves or they do not hold the individuals’ contact details that their direct marketing messages are sent to.

It’s also worth noting that the term ‘advertiser’ is not defined in PECR; however, an organisation is seen as the ‘advertiser, ‘caller’, ‘sender’ or ‘instigator’ if they encourage, incite, or ask someone else to send their direct marketing message.

So, when sending emails, for consent to be explicit, the instigator, e.g., the brand or advertiser, should be named in the data collection notice at the time consent was collected and a clearly written, intelligible (not overly legalistic) privacy link should also be available for individuals to understand how their data will be processed. It is the naming in the data collection notice that is the key element as this sets out a reasonable expectation of what the individual has agreed to receive by electronic means, ensuring the processing is lawful, transparent and fair.

As long as the brand or advertiser is listed as the instigator for all data captured, there are no issues with sending emails compliantly. Where a number of organisations have run into issues – including enforcement notices and fines – is due to not being listed at the point of capture, so the recipient of the email had no knowledge that they were going to be communicated to by that company: rather their data had been legitimately collected by a third party (who was listed at the point of capture) but who then contacted them on behalf of the instigator (without their being listed at the point of capture). In the last 18 months, there have been as many as four or five organisations who have garnered approximately £700,000 in enforcement fines for getting this wrong.

One exception to this is where the soft opt-in rule come in to play. For example, if an advertiser has obtained the contact details of an individual during negotiations and/or they bought similar products or services from that organisation, there would be a reasonable expectation and explanation of why an individual has received electronic communication without explicit consent. If advertisers are using the soft opt-in rule, then they should be aware it is best practice to document and be able to evidence this decision.

If companies know about being listed at the point of capture as the instigator but they’re not, why is it okay for them to send emails?
The simple answer is it isn’t okay. And nor should it be. Not only are their penalty implications for doing this, but there is also a moral obligation: data should be processed lawfully and in a transparent and fair manner. Data companies who are aware of this should not be selling data on to other brands or organisations if they are not listed as the instigator at the point of capture.

DMA director of policy and compliance John Mitchison had this to say: “Our expectation is that all members of the DMA abide by direct marketing regulations and the DMA code, which sets the standard of conduct for the industry and ensures each customer is treated with fairness and respect.  Members must not send or instigate the sending of direct marketing by electronic means, unless they have consent as required by UK GDPR the Data Protection Act 2018 and all other associated legislation, such as the PECR.

“It is the obligation of DMA members to always abide by the DMA Code. The Code promotes responsible marketing and provides marketers with an ethical framework for companies that want to do the right thing for their customer and their business. The overarching principle of the Code is to always put your customer first.”

If I want to find new customers and use email to do that, how do I go about it?
The solution to this issue is ensuring that the instigator is named in the data collection notice at the time consent was collected and a clearly written, intelligible (not overly legalistic) privacy link should also be available for individuals to understand how their data will be processed. It should also be noted that, once an instigator is listed in a privacy policy, they can only use the data that is captured from that point on: all historical data is useless.

Provenance is key: the provenance of the data being collected and the ‘what, where and when’ should always be available. Any provider of third-party email data should be able to clearly evidence and demonstrate this. If they can’t, then organisations run the risk of severe fines and reputational loss.

Andy Bridges is data quality and governance manager at REaD Group

Print Friendly