GDPR: Do I really need consent to contact my customers?

by Evelyn Wolf, 30 May



GDPR didn’t make the sky fall on Friday, 25th of May but it certainly caused an influx of myths, scaremongering and emails looking for our consent. One popular myth: Under the GDPR you need consent to contact customers. The scaremongering: You won’t be able to contact customers after May 25th 2018. The result: Lots of emails looking for consent that were unnecessary and in some cases even illegal. So let’s bust this myth and take the fear out of contacting customers!

A “bad” example

Let’s start by illustrating with a “bad” example. A company emails all current customers and states that they need consent to contact you about the service in future and that without consent, the company won’t be able to fulfill their obligations.

There are three major things wrong here:

  1. The company is within its rights to contact customers about the service that the customers are paying for.
  2. You cannot make the delivery of a service dependent on consent (i.e. force people to consent).
  3. The company doesn’t understand that consent to process personal data (GDPR) is different from opt-in (ePrivacy Directive) and the rules that come with this (e.g. allowing people to opt out, etc.).

So if these are three big no-nos under the GDPR, how can we contact customers?

Confidence in your lawful basis for processing personal data

The key to understanding who you can contact about what and when lies in the lawful basis for processing personal data and understanding data processes. Once you understand these and gain confidence, you’ll understand how to communicate with customers.

There are six lawful bases in total:

  1. Consent
  2. Contractual Necessity
  3. Legal Obligation
  4. Vital Interest
  5. Public Interest
  6. Legitimate Interest

The GDPR is not here to ruin your business, so each of these lawful bases covers different cases and simply needs to be applied correctly. For customers, we are looking at three potential lanes: consent, contractual necessity and legal obligation.

The second thing to grasp is that a data process (so one action you take with data, like storing in your CRM system or storing for a tax audit) can only have one legal basis for processing. You cannot switch around as you please (more detail on this here). So let’s run through examples of data processes and legal bases to clarify how you can process customer data:

Legal Obligation

The simple one first. You may have to hold onto contracts, invoices, etc., for legal reasons. This would include audit or tax purposes. This means you can process customer data for this purpose (careful, this doesn’t mean you can contact customers with sales & marketing messages). This lawful basis only applies if it’s dictated by EU or member state law.

Contractual Necessity

In the run-up to closing a contract and while fulfilling a contract / ongoing sales relationship, you are within your rights to create a data process for handling customer data. You may contact your customers about the contract and any information they need around this. For this legal basis money has to have changed hands; it’s not an option for free services or products.

So if you were concerned that your account management team can no longer email customers to set up calls, see how they are getting on with their purchase etc., unless they have their explicit consent, you didn’t have to be. It’s okay. You can talk to your customers about this. Phew.

Here’s the but... you cannot send them marketing email. This is a different process and, to make things more complicated, the rules around sending marketing emails are defined in the ePrivacy Directive. The ePrivacy Directive means that every EU country has its own specific laws and even some convenient exceptions. This directive will be replaced with a European law soon as well; we’ve written about that topic here and here.


Before we dive into consent, let’s take a step back. Remember, a data process is one action. So a data subject (i.e. your customer) can be involved in multiple data processes; one for audit purposes, one for billing, one for delivering the service. Sales & Marketing are eager to upsell and cross-sell to customers and this is another data process - sending marketing email.

Under the existing ePrivacy Directive you require opt-in to send any direct marketing emails (watch out for local laws: in Germany you have the double opt-in, whereas in other countries you do not require opt-in for B2B marketing emails). Opt-in is not the same as consent. Consent under the GDPR means that a data subject allows you to process their data. Here’s the kicker: in order to send marketing emails you need both. This means your data subject has to agree to two tick boxes:

  1. Opt-in to receiving marketing email (ePrivacy)
  2. Consent to having their data processed (GDPR)

For your customers, this means that you can contact them about what they have bought, but you cannot send them additional marketing email unless they have consented (GDPR) and opted in (ePrivacy) to this.

A basic example to illustrate: A kitchen appliance company has sold a freezer to a customer. The company may contact the customer about the freezer, its maintenance, warranty etc. However, the company may not contact the customer about the dishwasher offer coming up in June (unless they have opted in and given consent to do so).

Some companies opt for legitimate interest as the lawful basis for processing instead of consent for marketing purposes. There are quite a few things to consider including a legitimate interest assessment, a potential Data Privacy Impact Assessment and informing data subjects about your intentions. Legitimate interest may seem like a silver bullet, however, you need to have all your legal Ts crossed and Is dotted otherwise you could get into real trouble (more on this from the ICO here).  

Don’t force consent - do good marketing

If you do good inbound marketing, you will likely have recorded consent and opt-in from your customers to contact them via marketing email while they were still a lead. They may have downloaded an ebook or other resource, and during this process consented and opted-in to receiving marketing email from you. So you are all set to send marketing emails as well as talk to customers about their purchase.

However, if your customer hasn’t given you consent and opt-in freely, you can’t force them into it or, worse, make your service dependent on consent. Our suggestion: focus on customer delight / customer marketing in the inbound methodology. Share great customer content like service or support articles, or create customer-exclusive events, webinars or downloads. If your content is good, your customers will want to receive it.

Remember, present consent in an intelligible and easily accessible form, using clear and plain language. Make sure it’s freely given (nothing pre-ticked or assumed) and that you provide information on how to revoke consent. You can learn more about opt-in and consent differences in this post and this one as well.

