My husband recently commented on what he described as ‘huge quantities of Corona spam’ arriving in his inbox and asked me if the companies were allowed to send him these. Some appeared to be motivated by a genuine need to communicate information relating to Coronavirus measures, others were perhaps at least to some extent using a marketing opportunity. This off the cuff comment prompted an unsolicited full explanation of the law from me.  After my husband had recovered, it occurred to me that this information would be very helpful to businesses (or those with an inquisitive mind).

An email of this kind needs to comply with both data protection law and the Privacy and Electronic Communications Regulations (PECR). It is easiest to start with the PECR. Basically, if an email contains marketing then it usually requires consent. Commercial companies may be able to contact existing customers using a ‘soft opt in’ rule but this only works if approached carefully and should not be attempted without careful study of the ICO guidance on the subject. Charities cannot use the ‘soft opt ‘in at all. Many organisations have correctly identified that if a message does not contain any marketing then it is not caught by the PECR. A message about Coronavirus measures alone is just a service message not marketing but companies must be careful not to stray into marketing in the same message, for example by straying from an update on the general availability of goods to advertising certain items.

Even a service message not caught by the PECR must comply with data protection law. Somebody’s name and email are being used to contact them and this is a personal data use. This means that the person must reasonably expect such use (consider your privacy notices) and a condition under article 6 of the GDPR must be met. Examples would be that the person has consent, that the company has a legitimate interest in contacting them or that the email contact is necessary for the performance of a contract with that person. Where legitimate interest is relied on, there must be a Legitimate Interest Assessment in place.

In short, desperate times but not an excuse for desperate measures – Approach such emails with care. The ICO’s draft Code on Direct Marketing is a helpful resource.