You may have heard about the latest NHS mess-up that led to 780 patients having their names and HIV status revealed in an email. This was caused by a very simple mistake that had disastrous consequences for these patients. Read more: http://www.theguardian.com/technology/2015/sep/02/london-clinic-accidentally-reveals-hiv-status-of-780-patients

Whoever sent the email put the recipients’ names into the To: field instead of the Bcc: field, so every recipient could see all the other names and addresses. It is an easy mistake to make, but one that would never have happened if the sender had used an email campaign provider such as Mail Chimp. Read our previous blog to get tips on using Mail Chimp: http://www.onlinetoolbox.co.uk/mail-chimp-top-tips/

In addition to my role running my Internet marketing company, I am also a part-time lecturer in Website Design, in which I cover the Data Protection Act as an important part of the module. The Data Protection Act 1998 regulates emails which contain personal data (e.g. individuals’ names and e-mails).

 

The Data Protection principles

Source: http://www.out-law.com/page-435

Schedule 1 of the Act sets out eight Data Protection Principles which require personal data to be:

  1. Processed fairly and lawfully, and to be processed only under certain specified conditions;
  2. Processed only for specified lawful purposes and not processed in any way incompatible with those purposes;
  3. Adequate, relevant and not excessive in relation to the purpose (or purposes) for which personal data are processed;
  4. Accurate and where necessary kept up-to-date;
  5. Processed no longer than is necessary for the purpose or purposes;
  6. Processed in accordance with the rights of the data subject, e.g. so that a copy can be made available to the individual concerned;
  7. Protected by appropriate technical and organisational measures; and
  8. Not transferred to any country outside the European Economic Area unless that country ensures in relation to processing of personal data an “adequate level of protection” for rights and freedoms of data subjects acceptable to the EU.

If you are using email for marketing purposes then you must ensure that you comply with the Data Protection Act 1998 to avoid breaching the law.

Opt-outs, opt-ins and soft opt-ins

Opt-outs, opt-ins and soft opt-ins are three different ways of obtaining consent to send marketing emails.

Opt-outs are when the recipient has been given the opportunity to opt out of receiving emails, but has not done so.

Opt-ins are when the recipient has specifically expressed that they wish to receive your emails.

Soft opt-ins are when you contact your existing customers about products similar to the ones they have bought, even if they haven’t specifically consented. However, they must have been given the option to opt out at the point of purchase and in every email you send.

Buying lists

Nothing in the law prohibits you from buying lists of email addresses but if you’re considering it, use a reputable company and you should ask for a warranty that the list has been lawfully collected. Even then, we wouldn’t recommend it.

Some practices may be legal, but not necessarily good for your business or morally right. To keep within the law and maintain your reputation, follow these basic guidelines:

Who can you contact by email?

  • Anyone who has completed an online newsletter form or signed up to your company and checked a box giving you permission to email them
  • Anyone who has given you their business card and given you permission to email them
  • Any customer who has bought similar products from you before within the last 2 years
  • Anyone who has completed a paper form allowing you to contact them via email

Who can’t you contact by email?

  • Email addresses copied from websites or business cards without the recipient’s permission
  • Anyone who has not given their permission
  • Anyone from a third party list that has been purchased
  • You cannot contact anyone when your sender identity is falsified or hidden
  • You cannot email recipients without providing them with means to opt-out

Online Toolbox Ltd does not provide legal advice on the Data Protection Act or other government policies; this is only guidance and a good practice guide. If you want to know more, please seek professional legal advice.