
The data protection rules businesses must follow for cookies, email marketing, and social media advertising
When collecting, using, and sharing personal data for digital marketing, businesses must follow the UK’s data protection regulations
In this article, we talk to expert James Bore to look at how these laws impact businesses’ use of cookies, email marketing, and social media advertising.
Key data protection rules covering digital marketing in the UK are UK GDPR, the UK’s version of the EU’s General Data Protection Regulation, and the Privacy and Electronic Communications Regulations (PECR).
These two laws work together. UK GDPR is the overarching framework that governs user consent and the processing of personal data. PECR provides specific rules for digital marketing and communications.
Fail to follow the rules and you could face significant financial penalties from the Information Commissioner’s Office.
So, what does this mean for your marketing activity?
Cookies
Cookies are files that are downloaded onto a user’s device when they visit a website. They are used to enable website functionality, as well as tracking a visitor’s behaviour which the website owner can use for marketing purposes.
The key to legally compliant cookies is consent. Essential cookies that exist purely for website functionality, such as remembering login details or items put in a shopping basket, don’t require user consent, but non-essential cookies used for analytics, tracking, or advertising purposes do need consent.
‘Consent must be real and informed consent’, advises James Bore from IT and cyber security consultancy Bores. ‘No pre-ticked boxes and no “by using this website you agree to accept cookies” messages. Users must make an active and informed choice. The moment anything other than essential functionality comes in it must be a genuine option.’
This means that a user must be provided with clear information about what the cookies do and why they are being used, and they must be able to take what is described as an affirmative action, such as clicking an ‘accept’ button.
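The consent rule above (nothing non-essential before an affirmative choice, no pre-ticked boxes, and no treating continued browsing as agreement) can be enforced in code rather than left to a banner’s wording. The following is an added example, not code from the article or from Bores: a small fail-closed consent gate written as pure functions so it can be tested outside a browser. The cookie manifest, category names and action names are constructed for illustration; a site would call `permittedCookies()` before setting any cookie or loading any tag.

```javascript
// Added example (not from the article): a fail-closed cookie consent gate.
// Pure functions so they can be unit-tested outside a browser; in a page you
// would consult permittedCookies() before setting a cookie or loading a tag.

// Constructed cookie manifest for a hypothetical site. Only "essential"
// entries may be set without a user choice; everything else needs opt-in.
const COOKIE_MANIFEST = [
  { name: "session_id", category: "essential" },
  { name: "basket", category: "essential" },
  { name: "_ga", category: "analytics" },
  { name: "_fbp", category: "advertising" },
  { name: "mystery_cookie" }, // category missing: treated as non-essential
];

// Non-essential categories the banner offers. Assumed names, not from the page.
const NON_ESSENTIAL = ["analytics", "advertising"];

// State before the user has acted: no non-essential category is on, and
// nothing is pre-ticked, so a banner rendered from this state shows no
// category checked by default.
function initialConsent() {
  return { decided: false, categories: { analytics: false, advertising: false } };
}

// Record a choice. Only an explicit action (accept all, reject all, or save
// chosen preferences) may change state. Anything else, such as scrolling,
// closing the banner or "continuing to browse", is not a consent signal and
// is rejected so calling code cannot treat it as one.
function recordChoice(state, action, selection = {}) {
  const explicit = ["accept_all", "reject_all", "save_preferences"];
  if (!explicit.includes(action)) {
    throw new Error(`"${action}" is not an affirmative consent action`);
  }
  const categories = {};
  for (const cat of NON_ESSENTIAL) {
    if (action === "accept_all") categories[cat] = true;
    else if (action === "reject_all") categories[cat] = false;
    else categories[cat] = selection[cat] === true; // unspecified => off, never on
  }
  return { decided: true, categories };
}

// Names of the cookies that may be set under the given state. Essential
// cookies are always allowed; a cookie whose category is unknown or missing
// is never allowed (fail closed), even after "accept all".
function permittedCookies(manifest, state) {
  return manifest
    .filter(
      (c) =>
        c.category === "essential" ||
        (state.decided && state.categories[c.category] === true)
    )
    .map((c) => c.name);
}
```

The design choice worth noting is that the default state and any unrecognised category both resolve to "not allowed": a misconfigured manifest entry cannot silently become a tracking cookie that is set before consent.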
Email marketing
The general rule for sending marketing emails to both B2B and B2C recipients is that you need prior consent. This consent must relate specifically to receiving marketing emails from your business, so you can’t simply bury it in general terms and conditions.
For existing customers, you might be covered by the ‘soft opt in’ rule. This means you can send email marketing messages without specific prior consent if:
- you got the individual’s contact details because they bought something from you;
- the marketing is for similar products or services;
- and you gave them the clear opportunity to opt out when you first got their details and in every message you send.
You cannot send them emails about an unrelated product that your company sells. For example, a customer signs up to receive updates about your leadership training programme. Because their consent was specifically for leadership-related content, you cannot then add them to the mailing list for your new HR software.
For B2B email marketing, sole traders are treated as individuals, so consent is required. However, for corporate bodies (a limited company, Scottish partnership, limited liability partnership, or government body), consent is not needed. They must still be given the option to unsubscribe in every message, and the Information Commissioner’s Office recommends keeping a ‘do not email or text’ list of any businesses that object or opt out, and screening any new marketing lists against it.
As James Bore advises, legally compliant marketing emails must include the following:
- The sender’s identity (business name), clearly stated.
- A valid physical postal address for the sender, not just an email address.
- A simple, one-click or one-action way to unsubscribe.
- A working contact method so the recipient can reply.
- A clearly visible subject line and sender identity.
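The consent, soft opt-in and B2B rules set out above, together with the ‘do not email’ suppression list, amount to a decision procedure that can be run over a send list before a campaign goes out. The following is an added example, not code from the article or from Bores: a screening function that returns the basis relied on for each contact, or blocks the contact when none applies. The contact records, the field names, the sample addresses and the suppression list are all constructed for illustration, and ‘similar products’ is simplified to ‘same product category’.

```javascript
// Added example (not from the article): screening a marketing send list
// against the consent, soft opt-in and B2B rules described in the text.
// All field names, addresses and sample data below are constructed.

// Constructed ‘do not email’ suppression list of objectors / opt-outs.
const DO_NOT_EMAIL = new Set(["objector@bigco.example"]);

// Constructed contacts. `kind` is "individual", "sole_trader" or "corporate".
// `consentedTo` and `purchased` hold product categories.
const CONTACTS = [
  { email: "alice@example.com", kind: "individual", consentedTo: ["leadership"],
    purchased: [], optOutOffered: true, optedOut: false },
  { email: "bob@example.com", kind: "individual", consentedTo: [],
    purchased: ["leadership"], optOutOffered: true, optedOut: false },
  { email: "carol@example.com", kind: "individual", consentedTo: [],
    purchased: ["leadership"], optOutOffered: false, optedOut: false },
  { email: "dave@example.com", kind: "sole_trader", consentedTo: [],
    purchased: [], optOutOffered: true, optedOut: false },
  { email: "info@bigco.example", kind: "corporate", consentedTo: [],
    purchased: [], optOutOffered: true, optedOut: false },
  { email: "objector@bigco.example", kind: "corporate", consentedTo: [],
    purchased: [], optOutOffered: true, optedOut: false },
];

// Decide whether one contact may receive one campaign. Returns the basis
// relied on, or null when no lawful basis applies. Checks run in order of
// strength: suppression and opt-outs first, then specific consent, then the
// corporate-recipient rule, then soft opt-in.
function marketingBasis(contact, campaign, doNotEmail) {
  if (doNotEmail.has(contact.email) || contact.optedOut) return null;
  if (contact.consentedTo.includes(campaign.category)) return "consent";
  // Corporate bodies do not need prior consent (sole traders are individuals
  // and fall through). Every message must still carry an unsubscribe option.
  if (contact.kind === "corporate") return "corporate_recipient";
  // Soft opt-in: details obtained through a sale, similar product (simplified
  // here to the same category), and an opt-out offered when details were taken.
  if (contact.purchased.includes(campaign.category) && contact.optOutOffered) {
    return "soft_opt_in";
  }
  return null;
}

// Screen a whole list, returning who may be sent to (with the basis) and who
// must be dropped before the campaign is handed to the sending tool.
function screenList(contacts, campaign, doNotEmail = DO_NOT_EMAIL) {
  const allowed = [];
  const blocked = [];
  for (const c of contacts) {
    const basis = marketingBasis(c, campaign, doNotEmail);
    if (basis) allowed.push({ email: c.email, basis });
    else blocked.push(c.email);
  }
  return { allowed, blocked };
}
```

Run against a ‘leadership’ campaign, Alice passes on consent, Bob on soft opt-in, the corporate address passes as a corporate recipient, and Carol (no opt-out offered at collection), Dave (a sole trader with no consent) and the suppressed address are all dropped. For the article’s HR software scenario, Alice is dropped too: her consent covered leadership content only.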
Social media advertising
Techniques for advertising on social media platforms include retargeting, which is displaying an advert for a product or service people have previously viewed on your website, and custom audiences, which is advertising targeted to specific groups of people who have already shown interest in your brand.
For retargeting, a tracking pixel is used: a small piece of code embedded in your web pages that the user’s browser loads, allowing the platform to track their behaviour. As this is non-essential tracking, prior and affirmative consent is required.
Custom audience advertising involves uploading lists of customer data to social media platforms so that your advertising can be targeted at those people. This requires prior consent, although you may be able to rely on the soft opt in rule for existing customers if:
- the person is an existing customer;
- you collected their data during a sale or negotiation for a sale;
- you gave them a clear chance to opt out at the time of data collection and in every subsequent communication;
- your marketing is for similar products/services to what they originally bought.
The importance of a privacy policy
A privacy policy is a document that tells users how their personal data is collected, used, shared and protected, including through cookies, email marketing, and social media advertising. It is required under UK GDPR.
James Bore advises that the key factors in a legally compliant privacy policy are:
- Write in plain language that is clear and understandable.
- Be specific about the data you collect and exactly why.
- Be transparent about any sharing with third parties and why.
- Be clear on your legal bases for processing data. The six are consent, contract, legal obligation, vital interests, public task, and legitimate interest. Find full details on the Information Commissioner’s Office website.
- Explain how long you will keep data, and why you need to keep it for that time.
- Explain the rights of data subjects.
- Explain how to contact you about data privacy.
Much of the onus falls on the business when it comes to data protection rules that can often feel confusing and burdensome. But the consequences for businesses found to be in breach of data protection rules can be crippling, with the maximum penalty being £17.5m or 4% of total turnover in the preceding financial year.
It is for this reason that company policies and training should be put in place so that all employees understand what is required of them when using digital marketing.