Do you need explicit consent to send direct mail under GDPR? The short answer is no. While you may not need explicit consent, you do need to meet the legitimate interest test.
This article contains everything you need to know about GDPR if you’re planning to send a direct mail campaign and are concerned about exactly what you can and can’t do, and what steps you must take to ensure compliance.
There is a lot of conflicting information on this topic, so we reference all official sources and clear up some of the misinformation and fears. This article is also maintained and kept up to date.
How is Direct Mail affected by GDPR?
GDPR (General Data Protection Regulation) has affected all aspects of marketing for any business that serves customers in Europe (even if you don’t operate in Europe).
As GDPR primarily relates to people’s personal information, let’s look at what personal information is involved in a direct mail campaign:
- Personal Address
- Work Address
- First and Last Name
- Dynamic Personalised Information (such as if sending a birthday card, or including unique personal information in the mailing itself)
Do you need explicit consent to send direct mail under GDPR?
If you are sending direct mail to your customers, you are likely not to require consent, as you will be able to presume what is called “legitimate interest”, as explained below.
If you are not mailing existing customers, you can also use legitimate interest, provided your mailing list is targeted to people who you can justify would benefit from your direct mailing, or the mailing would not generally be considered an unreasonable use of the data. For example, if you sell services to independent accountants and your mailing is targeted at individual accountants, then you could send under legitimate interest. There is no explicit definition under GDPR, so you must make a judgement yourself.
What is legitimate interest?
Legitimate interest is one of the six lawful bases for processing personal data under GDPR, and one which “does NOT require explicit consent”.
You must have a lawful basis in order to process personal data, and legitimate interest is the most common and wide-ranging lawful basis. What constitutes legitimate interest is not explicitly defined, so some judgement has to be made.
In summary, legitimate interest applies whenever you use people’s personal information in a way which they would reasonably expect and which has a minimal privacy impact.
For example, if you sell shoes and you send direct mail to past customers, they have already shown interest in your business and in buying shoes, so you would be able to send them a direct mail offer for these products. This may also apply if they are not your existing customers, but you should make sure the mailing is targeted to people who you can justify are more likely to benefit from your promotion.
The steps you should take to ensure legitimate interest
If in doubt about whether you can send direct mail under legitimate interest, use this simple checklist to see what your score is. This should give you an idea of where you stand.
It’s your job to show that you have considered the balance between data privacy and the interests of your contacts. Make sure that you can explain the benefit of the mailing and that you aren’t doing any unnecessary processing of data (such as referencing race, religion, or sexuality) when it is not needed.
It is also advisable to make it easy for contacts to be removed from a mailing list and contact.
- ICO – GDPR Direct Marketing Guidance
- EUGDPR – GDPR Regulation
- European Commission – GDPR center
- EU GDPR – FAQ
Postary and GDPR
Postary is a platform for sending direct mail online. It is fully GDPR compliant, but there will always be a responsibility on you as a data controller to ensure you have consent where it is needed and to determine if you have legitimate interest.