
Marketing corporate employees by e-mail

Many of us will be aware that business to business (B2B) marketing by electronic mail is not subject to the Privacy and Electronic Communications Regulations 2003 (PECR). This means that an organisation is not required to obtain consent, or satisfy the soft opt-in rules, before targeting the e-mail addresses of another organisation with direct marketing. However, this doesn't necessarily mean that a business can target any corporate e-mail address with unsolicited electronic marketing.

Organisations can target e-mail addresses such as enquiries@corporatedomain, or sales@corporatedomain with marketing by electronic mail as these constitute generic corporate e-mail addresses. But if a corporate e-mail address identifies an employee, for example, firstname.lastname@corporatedomain, then the e-mail address is likely to constitute personal information. In that case, by processing that e-mail address you'll be processing that individual's personal information and you'll need to carry out that data processing in accordance with the DPA.

So, although the PECR will not prevent you from marketing to a corporate e-mail address, you still have to consider your obligations under the DPA if you're specifically targeting the e-mail address of a corporate employee, particularly where you have no prior relationship with that employee. You'll likely be acting as a data controller and the employee will be your data subject. That individual has rights under law, including the right to seek compensation for the abuse of their data protection rights in the small claims court under Section 13 of the DPA. It has nothing to do with the individual's employer.

According to the ICO:

Personal data means data which relate to a living individual who can be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller.

The ICO further defines what they mean by identified in their Determining what is personal data guidance:

An individual is 'identified' if you have distinguished that individual from other members of a group. In most cases an individual’s name together with some other information will be sufficient to identify them.

You can see how a firstname.lastname@corporatedomain e-mail address is deemed to constitute personal information by the ICO because it identifies someone that works for a specific organisation.

In light of this, you should assume that all corporate e-mail addresses that include a name will constitute personal information. In some cases, if the organisation is small enough, a first name only on the corporate e-mail address will suffice. When I worked for a multimedia company for example, I was the only Dave working there.

Thus, if you scrape profiles from social media and create a likely e-mail address for the individual at their place of work (based on the information obtained from social media), then you'll be processing that individual's personal information at the point you create the e-mail address and you'll need to comply with the DPA before you do anything else with that information. To obtain is to process.

The DPA requires data controllers to process personal data fairly and lawfully; as set out in the first data protection principle. There are eight principles in total, and the main purpose of these principles is to protect the interests of the individuals whose personal data is being processed. They apply to everything you do with personal data, except where you are entitled to an exemption.

Before processing a corporate e-mail address that contains a name, you'll need to consider the following:

1. Does the e-mail address constitute personal information?

Can an individual be identified from the e-mail address? If you created a likely e-mail address for an employee by visiting a social media website such as LinkedIn, then you're going to struggle to convince the ICO or a judge that you didn't have other information about the individual in your possession at the time you created the e-mail address. Furthermore, if you scrape profiles from LinkedIn, you'll also be in breach of LinkedIn's terms and conditions.

It doesn't give a good impression, does it? You want the employee to consider your products or services yet by scraping their information from LinkedIn and contacting the said employee, you've demonstrated that you have nothing but contempt for the terms of your contract with LinkedIn. Why would anyone trust such an organisation? Why would any corporate employee recommend such an organisation? WTF!

2. If the e-mail address constitutes personal information, have you satisfied a condition for processing?

If the e-mail address constitutes personal information then you'll need to satisfy a condition for processing the information. You will not satisfy a condition for processing if you've obtained personal information from the public domain. Nor will you satisfy a condition for processing by obtaining the information from a third party unless that third party can demonstrate that they obtained consent from someone that registered with them directly, and that the individual consented for their information to be shared with third parties. You'll be relying on that indirect consent to satisfy a condition for processing so you need to ensure that it was obtained fairly. Consent has to be freely given, specific and informed, and according to the ICO, consent only has one iteration so it cannot be traded.

3. If the e-mail address constitutes personal information, have you provided a fair processing notice?

The first principle requires data controllers to provide, or make readily available, a fair processing notice. Don't think that you don't have to provide a privacy notice just because you didn't obtain the personal information directly from the individual. In other words, you need to contact the individual to make them aware that you're a data controller for their information, explain why you've obtained their information, how you've obtained their information and provide them with a privacy notice or a link to your privacy notice.

You should do this before you target the individual with direct marketing and give them some time to respond. This is because all individuals have the right under Section 11 of the DPA to ask a data controller to cease or not to begin processing their information for the purpose of direct marketing. I can't ask a data controller for my information not to begin processing my information for direct marketing until I know who the data controller is. A failure to comply with Section 11 of the DPA is a contravention of the sixth principle.

To summarise

If you process a corporate e-mail address that contains a name then you should assume that it constitutes personal information. Unless you're operating under a contract with another data controller, you'll be the data controller for the information and the employee will be your data subject. It has nothing to do with the individual's employer. Although you're not prevented from targeting the individual with marketing by electronic mail, you MUST process their information fairly. And if you've made up the e-mail address for them or found it in the public domain then assume that you have no right to process it.

I'd be wary too about threatening to contact the employee's employer in an attempt to leverage your position. I would consider such an action malicious and I'd make sure that the judge was well aware that the data controller sought to get me into trouble with my employer rather than admit that they've unfairly processed my information.

In my view, organisations that scrape our profile information from LinkedIn are worse than spammers. Spammers don't give a toss who they're contacting yet these creepy bastards are searching us out on LinkedIn, making up a likely e-mail address for us and then promoting their products or services to us. You sad, desperate bastards!

I've started claiming compensation against companies that abuse my data protection rights. Since the Court of Appeal disapplied Section 13(2) of the DPA, we no longer have to incur financial damages before a judge can consider distress.

So far this year I've donated £1,500 to charity by settling out of court and that makes me feel good. I'm probably saving these companies a fortune too because if they carry on this way once the GDPR is in force, they face massive fines from the ICO.