The GDPR and junk mail

Lawmakers and journalists have made bold claims about the EU General Data Protection Regulation (GDPR) over the past few years. ‘It will mitigate the threat of cyber attacks’. ‘It will give individuals more control over their personal data’. ‘It will lead to strict punishment for poor data protection practices’.

These are all true, or at least there’s ample evidence to suggest as much. But some people have claimed that the GDPR also signals an end to the piles of junk mail that accumulate in letterboxes and doormats day after day.

That, we’re afraid to say, isn’t quite true. Although you might expect to get less junk mail, because organisations are no longer allowed to sell your personal data to other marketers without your consent, the other requirements of the GDPR may lead to an increase in postal marketing.


Legitimate interests

Many organisations are under the impression that they always need consent to contact individuals. You will have seen this in the swathes of GDPR privacy policy emails you no doubt received over the past few weeks that asked your permission to continue receiving messages. However, consent is just one of six lawful grounds for processing personal data under the GDPR, and is generally the least suitable option. This is because the GDPR toughens the requirements for getting and keeping consent.

Legitimate interests will be more appropriate in most scenarios, whether you’re planning to send emails or postal messages. It allows private-sector organisations to contact individuals provided they have a genuine and legitimate reason (including commercial benefit) to process personal data without consent, and it is not outweighed by negative effects to the individual’s rights and freedoms.

But that doesn’t explain why you might see a surge in postal marketing in particular. After all, legitimate interest applies just as much to email correspondence as any other method.



The problem is with the Privacy and Electronic Communications Regulations (PECR), a law that sits alongside the GDPR. The PECR govern certain electronic and telephone communications, but not postal marketing, and usually requires organisations to obtain consent. This raises issues in the way organisations contact individuals.

If organisations need consent to comply with the PECR, they must also use consent for the GDPR – otherwise they’re using two lawful grounds for the same processing activity, which is illegal.

Legitimate interest therefore has limited use for electronic communications, but there are no such restrictions for postal marketing. However, it’s not a completely fool-proof technique; marketers always need to balance their own rights against consumers’, and the GDPR makes it clear that individuals should be protected as much as possible.


GDPR compliance guide

You can find out more about the GDPR’s lawful grounds and its other requirements by reading EU General Data Protection Regulation – A Compliance Guide.

This free green paper provides an overview of the key changes introduced by the GDPR, the scope and impact of the Regulation, and the areas that organisations need to focus on.

A version of this blog was originally published on 19 April 2018.

Subscribe to our weekly newsletter

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.