Who Can You Email?

There is, understandably, a lot of confusion over who we, as business owners and managers, can email.

Blake Consultants’ data protection expert Andrew Roberts hopes to provide clarity in this blog and answer the much asked, and much pondered, question: who can I email?

Here’s the short answer:

You’ll be pleased to know that there is in fact a short answer to this question. You can email:

·        Any employee of a corporate (generally larger) business,

·        Any customer or previous customer,

·        Anyone who has given you consent to email them.

There are caveats to each of the above, so here’s the longer answer….

Here’s the long answer:

Data protection in the UK is not just about the GDPR. If it was, you’d be able to email almost anyone under the GDPR’s ‘legitimate interests’ basis, because the GDPR (Recital 47) expressly says that direct marketing may be carried out on that basis.

Direct marketing is the communication, by any means, of advertising or marketing material directed at particular individuals; in practice, any approach to sell or market to someone. I often hear that one-to-one emails from sales people don’t count under data protection rules; this is incorrect. They do, and they are classified as direct marketing.

Lawful Reasons for Processing

There are 6 lawful reasons for processing, but in this blog we’re going to focus on 3: legitimate interests, consent and contract. Contact us if you’d like more information on the other reasons you can use to process personal data.

Legitimate interests

Using legitimate interests as a basis for processing data comes with a need to balance your interests (the legitimate interests) and the rights and freedoms of the individual.

In the UK, we have another set of rules that relate to emails: PECR (the Privacy and Electronic Communications Regulations 2003). PECR specifies that to send unsolicited marketing emails to consumers (‘individual subscribers’ in PECR’s terms), you need their consent.

It also allows you to email a corporate employee (a ‘corporate subscriber’) without their consent, relying on legitimate interests under the GDPR as your lawful basis, so long as every email identifies who you are and gives them a clear and easy way to opt out of marketing.


Definitions

A lot of the GDPR is about definitions, and with PECR thrown into the mix, we’re into a few more.

A consumer (PECR’s ‘individual subscriber’) is a private individual, a sole trader, or a partnership that is not a limited liability partnership (in England, Wales and Northern Ireland).

A corporate employee is an employee of any other type of (generally larger) business in the UK, such as a limited company or LLP.

How to identify a Consumer vs a Corporate Employee

One way of identifying a consumer is by the email domain: gmail, hotmail and similar ‘free’ email domains. In theory, because free email accounts belong to the individual rather than to a company, if you see a free email domain the data subject will be a consumer.

In practice there are businesses that use free email domains, and there are consumers who pay for their own domains, so applying this rule is never going to be 100% accurate. It is an approach that is used regularly, but if you rely on it you’ll have to make sure that you:

·        have robust processes to remove people who opt out or complain promptly; and

·        have a good grovelling (apology) process for when people get irate.

Legitimate Interests Assessment

If you do use legitimate interests as a basis for targeting corporate employees, conduct a Legitimate Interests Assessment (LIA). The GDPR does not prescribe the form this takes, but it does require you to balance your interests against the individual’s rights, and its accountability principle means you must be able to show that you did so; the ICO’s guidance is to record that balancing as an LIA.

The assessment records how you balanced your interests against the rights and freedoms of the people you are contacting, so that if someone (the ICO, or a complainant) asks, you can show you’ve done the required introspection.

Are Corporate Email Addresses Personal Data?

One quick aside; I still hear discussions about whether corporate email addresses are personal data.

They are.

The email addresses can be legally owned by the organisation that manages them, and also be classified as personal data because they identify the individual who works for the company. There is no conflict in GDPR/PECR in this classification.


Consent

If you use consent as your basis for emailing prospects or customers, you need to be aware of a few restrictions on how consent can be obtained and used.

These restrictions are quite tight and I’d recommend that you use a different basis for processing if you can – talk to us so that we can help you find another basis for processing, e.g. contract or legitimate interests, if appropriate.

The restrictions:

‘Consent’ (or an ‘opt in’, the same thing for clarity) needs to be freely given, a positive action, and specific and granular, and it is time constrained.

Let’s break that down:

·        ‘Freely given’ means that you can’t gate content so people have to give consent to receiving your newsletter (as an example) before being able to download a white paper.

·        You can’t pre-tick opt in boxes on web forms (the positive action part) – almost everyone knows this, but I still see pre-ticked checkboxes on web forms where consent is being captured.

·        You can’t opt people in to ‘general marketing’ if you’re using consent: you have to specify what they will receive and be granular about the content and how often you’ll send it. Don’t go overboard and don’t over-commit, but something along the lines of “a monthly email newsletter” is adequate.

·        And, something that is missed by a lot of people, you need to refresh your consent as it is time constrained. The GDPR doesn’t specify when, but the commonly cited UK best practice is every 2 years.

Note: it’s not entirely clear what is meant by ‘refreshed’ and I’ve seen different interpretations. Does the refresh need to be specific where people must tick another box on a web form, and re-set the clock of the time constraint? Or is it enough that people have interacted with you in some way (a click on an email), and during that interaction, have not opted out (technically, withdrawn their consent)? I haven’t found anything definitive on this.

Whatever you decide (and a lot of data protection is about asking you to think about and make these kind of decisions), document how and why you came to the conclusions, and put in place a specific process so that you can age people out of your communications after the refresh period is finished, if you haven’t managed to re-obtain their consent. Have systems in place to help you with this – I still receive ‘opted in’ emails many years after the supposed best practice limit.

Your CRM will be a valuable tool to manage this data. Talk to us if you don’t have a CRM or if the one you have isn’t giving you this visibility.

Soft opt in – what is it, can I use it?

You might have heard of a soft opt in, which is a good mechanism to use to keep in touch with customers and ex-customers.

If someone has bought a product or service from you (or negotiated with you to buy one), then PECR lets you email them about your own similar products or services, such as upgrades or refreshes, without getting their explicit consent. This is the soft opt in. Note that it is an exemption from the consent rule, not consent itself, so it only works if you stick to its constraints.

Soft opt in constraints

There are a few constraints to using a soft opt in:

·        You have to have gathered the contact details yourself, in the course of the sale or negotiations for the sale (you can’t use bought-in lists),

·        You must give individuals a clear chance to opt out, both when you collect their details and in every email you send,

·        The emails must only be about your own products and services, and they should be similar (in some way) to what the customer bought or enquired about,

·        As with a true consent, the soft opt in is time constrained.


Contract

If someone does become a customer, then you can, of course, communicate with them so that you can deliver your product or service.

In this situation, you’re using the basis of ‘contract‘ to process the data.

You can also use ‘contract’ when communicating with a prospect if they have engaged in the sales process. The GDPR wording is that the processing must be necessary “in order to take steps at the request of the data subject prior to entering into a contract” – and you can’t take the mickey out of this definition: they need to have asked for something, and shown they are serious about buying from you in some way. You can also use contract with the customer when you’re processing their data in relation to the product or service that they have bought.

Don’t confuse using the basis of contract with the consent, legitimate interests or soft opt in that you might use to market to the individual about other products and services. Separate the two into different processing ‘chunks’.

Unsubscribes and Privacy Policies

When you do email someone, always make sure there is a link to your privacy policy and an unsubscribe link, and make it clear who the email is from, with a valid address they can use to contact you: PECR does not allow marketing emails that disguise or conceal the sender’s identity. The individual you are emailing has the ‘right to be informed’, and you should facilitate this right by giving the individual the ability to see how you’re processing their data through a link to your privacy policy. And you need to make sure your privacy policy covers the different ways you process data in clear and succinct terms.

If you are unsure if your privacy policy is as it should be then you’ll be interested in next week’s article ……

One final thought

As I’ve touched on, the way you implement data protection is a lot about definitions; definitions which may not line up with how terms are commonly used. Even in law, consent means different things in different contexts.

Data protection is also about balancing risk for you and for the individuals you are targeting.

Overall, data protection comes down to spending time working out what you need to do as a business, what the rules still allow you to do, and how you can reduce – or mitigate – the impact that your activities might have on the individuals whose data you are processing.


If you need any help with data protection’s how, what, when, why, who or where, Blake Consultants is here and can help. Contact us on hello@blakeconsultants.co.uk or call us on 01635 592020

At Blake Consultants, we’re experts in helping businesses just like yours to grow. An extra pair of eyes, some knowledge and experience or a canny question here and there can yield amazing things. Give us a call or email us to find out more.