iStock / JLGutierrez

By now, the emails will be incredibly familiar. They have the same chirpy tone, are being sent from brands and ask whether you'd like to get more emails from that company. (It's likely you completely forgot what the company was, let alone what you purchased from it in 2007).

"We're committed to managing and safeguarding the information you give us when looking for a job," reads a typical one from a recruitment website. "CLICK HERE TO STAY SIGNED UP," shouts another before continuing: "We don’t want to lose you, so please take action now". Some have even claimed user accounts will have to be deleted if a reply isn't recieved.


The majority of these emails cite the European General Data Protection Regulation (GDPR), which starts to be enforced on May 25. GDPR introduces changes to how businesses and organisations should handle personal information – and for companies faced with the prospect of huge fines for breaching the new rules, it's causing panic. And that's why you're getting all those emails.

"We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them," Steve Wood, the deputy information commissioner for the UK wrote in a blog post earlier this week. "Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily," Wood says.

Read next The NHS Test and Trace app has two flaws: QR codes and people The NHS Test and Trace app has two flaws: QR codes and people

But, it turns out, most of these emails are pointless. "In the UK it has been the law since 2003 that you can only send a marketing email to an individual recipient when they have consented to receive it or you have an existing customer relationship with them and have offered them the opportunity to opt out," explains Jon Baines, data protection advisor at law firm Mishcon de Reya.

So why are they sending these emails? It's largely around the fear of GDPR. The regulation says companies can be fined up to €20 million or four per cent of their annual global turnover. Many companies are keen to get their systems in order. Although in the UK the Information Commissioner has made it clear it won't be heavy-handed with fines.


Baines believes a big reason why these emails are being sent at the moment is because of an "increased awareness around the fact that sending marketing emails requires either the consent of the recipient or an existing customer relationship". That awareness has been amplified because of the hype around GDPR.

However, the Privacy and Electronic Communications (EC Directive) Regulations – known as PECR for short – govern marketing messages. These are based upon a European e-privacy Directive and cover messages used for marketing – everything from the pesky emails to text messages.

GDPR doesn't replace PECR but sits alongside it and European regulators are coming up with a new set of e-privacy rules to replace it. Confused? So are the companies emailing you. The result is a slightly messy mix of rules: both GDPR and PECR are dense, legally complex and have a plethora of caveats with exemptions for different scenarios.

Read next These Chrome extensions protect you against creepy web tracking These Chrome extensions protect you against creepy web tracking

What is GDPR? The summary guide to GDPR compliance in the UK Privacy What is GDPR? The summary guide to GDPR compliance in the UK


But the existence of PECR means that in a large amount of cases, companies may not have necessarily needed to send the emails re-asking for permission to keep in touch. "I think a lot of the emails people are receiving are unnecessary, because people have either already consented or are receiving them to business addresses," Baines says. Business email addresses – for instance, rowland@wired.co.uk – fall under GDPR as personal data, but for marketing messages consent to receive them may not be needed.

If people haven't already consented to receive marketing messages, the company sending them will have been in breach of PECR, potentially for many years.

But what is considered consent is a slightly murky affair. With the introduction of GDPR comes an updated definition of what consent is. It's complex but states consent has to be unambiguous and involve someone actively saying yes. For instance, a pre-ticked box saying you are willing to receive marketing emails doesn't count as unambiguous consent. But a box you have to actively tick does.

"If consent is the appropriate lawful basis then that energy and effort must be spent establishing informed, active, unambiguous consent," the ICO's Wood says. As well as consent, there are other ways for companies to obtain and process a person's data and still be inline with the requirements of GPDR.


Ultimately, the overlap between PECR and GDPR has meant some companies will lose subscribers to their mailing lists that have just ignored the deluge of messages being received. In an almost ironic twist, last year the ICO fined Honda and Flybe for sending emails asking people to agree to getting more emails. "Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law," the ICO said at the time.

But there also have been more malicious examples of email consent messages being sent. UK-based cybersecurity firm Redscan discovered phishing emails have been sent that were disguised as GDPR-related emails. The firm spotted a fake email that had been made to look like it was from Airbnb, stating its customers should click on a particular link to update their privacy settings.

When clicked, the link would take users to a spoofed Airbnb website that collected all the details entered and saved them to systems belonging to the hackers that created the website. “The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data,” Redscan's director of cybersecurity Mark Nicholls, said in a statement.