Version Last Updated: April 2020
2
matters, and that a data subject is entitled to withdraw their consent at any time, and
should be able to do so as easily as they gave it.
Recital 32 GDPR makes clear that silence, pre-ticked boxes, or inactivity on the part
of a data subject will not constitute consent under the GDPR, and therefore will not
be sufficient to demonstrate consent for the purposes of electronic direct marketing,
where required under the ePrivacy Regulations.
Is consent explicitly required for all cases of electronic direct
marketing?
The general rule for electronic direct marketing is that it requires the clear,
affirmative consent of the recipient (such as by specifically opting-in) under Regulation
13 of the ePrivacy Regulations.
Nevertheless, consent is not specifically required in respect of every instance of
electronic direct marketing, and there is an exception to the general requirement for
consent, but only in cases involving existing customers, where certain other conditions
are also met.
Under Regulation 13(11) of the ePrivacy Regulations, where an organisation lawfully
obtains electronic mail contact details ‘from a customer … in the context of the sale of a
product or service’ (i.e. this only applies to existing customers), consent to electronic
direct marketing is not required as long as the following further conditions are met in
relation to the electronic direct marketing communication:
a) the product or service being marketed is the organisation’s own product or
service,
b) the product or service being marketed is of a kind similar to that supplied to
the customer in the context of the original sale,
c) the customer must be clearly and distinctly given the opportunity to object
to the use of their details at the time those details are collected, as well as each
time the organisation sends an electronic marketing message to the customer,
and
d) the initial direct marketing communication must be sent within 12 months of
the date of the original sale to the customer.
This means that an organisation must not send direct electronic marketing to a
prospective customer who does not complete a purchase, for example where they
browse online for products but do not complete the checkout process.