website of the day honarable mention

GDPR 2018: Marketing to a prospective client

Question: If a user purchases or enquires through your website, can you still market to them after May 25th 2018? Or would the customer have to specifically opt in for this in order to do so?

This is a big one as I know quite a few of our e-commerce clients, and many sites out there currently do this.

Direct Marketing

Recital 47 of the GDPR says direct marketing is a legitimate use of personal information. Legitimate use is the lawful basis for processing personal data lawfully (one of the 6 that can be used lawfully to process personal data, consent being another key one for marketers). So the answer is yes, providing you can cover all the requirements in the appropriate sections of the Direct Marketing Checklist.

ICO states the most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you're targeting has given you their permission.

However, there is an exception to this rule. Known as the 'soft opt-in' it applies if the following conditions are met;

  • where you've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
  • where the messages are only marketing similar products or services; and
  • where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.

When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address.

Postal Marketing

Yes, if they’ve covered all the requirements in the appropriate section in the Direct Marketing Checklist.

Record everything!

To make sure you are GDPR compliant, there is a strong focus on auditable records. Recording interactions such as ‘soft opt-ins’ with prospective client's helps provide you with evidence to show the UK Authority your lawful basis for processing personal data, or in other words, sending them direct or postal marketing. Always think to yourself, if a person filed a case against you with the ICO regarding a data breach or misuse of personal data, can you provide the ICO with evidence that is legally sound.

For more crucial insights into GDPR and preparing for 25th May 2018, read another from SOZO’s GDPR Blog:

GDPR 2018: GDPR is a great opportunity for Marketers!

GDPR 2018: Consent and SOZO's advice

GDPR 2018: What to do now/Where do I start?!



Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO -


tell us about your project

If you’re looking for a digital agency to become your long-term partner to help your business succeed online then we'd love to hear from you. Whether it's branding, websites, ecommerce or SEO, we have the experience to get it right.

get in contact