The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week.

Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.

Why the GDPR email deluge, and can I ignore it? Read more

But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.

“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.

“Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”

In other words, if the business had consent to communicate with you before GDPR, that consent probably carries over, and even if it doesn’t carry over, there are five other reasons a company can cite for continuing to process data.

What’s more, Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

The lack of understanding around when and why consent is needed under GDPR has prompted the Information Commissioner’s Office to try to resolve some of the “myths” of GDPR.

“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner, wrote in guidance for businesses. “So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.

Lukasz Olejnik, a privacy researcher and consultant, said part of the problem was that many businesses were not in the habit of recording when and how they received the initial consent to contact customers, instead just storing vast databases of email addresses. “Some companies may simply be unable to demonstrate that they have consents, either because they don’t or they do not have a trace of it.

“This fact – that some companies simply never had consents or are unable to demonstrate having consents – is sometimes discussed among both policymakers and consultants. There are also discussions over companies not respecting even the existing data privacy regulations.”

Paul Jordan, the Europe managing director of the International Association of Privacy Professionals, offered one silver lining. “I think it’s quite clear that a number of companies won’t be ready [for GDPR], but if they can demonstrate they have been planning appropriately [then regulators will give them] a certain leeway.”

If not, those fines – of €20m or 4% of annual turnover – could be waiting.