As 25 May approaches, one of the questions we’re commonly being asked is: “Do we need to get consent from our entire membership and marketing database before the GDPR comes in?” The answer is not a straightforward one but, in many cases, it is likely to be “no”.
For charities with a membership base, the good news is that you do not need to seek consent from your members to continue sending them information relating to their membership package (e.g. information on fees and renewals, membership rights, how you are using their membership fees and so on).
The use of membership data for these purposes falls within a charity’s “legitimate interests”, which is a non-consent-based ground for processing. Even if you have sought consent from your members in the past, you don’t need to obtain refreshed GDPR-compliant consents to use their data for membership purposes. You can just let your members know that your legal basis for processing their data is to provide membership services to them in reliance on your legitimate interests. It’s best to provide those members with your updated GDPR privacy policy at this point.
With all that said, you do still need to be careful with the marketing information that you’re sending.
Under PECR, you generally need specific consent to send marketing texts and emails to individuals. The exception to this is the “soft opt in”, which allows you to send marketing texts and emails to previous customers about related products and services (for example, a nature charity sending bird-related promotions to a customer who has previously purchased bird seed or other bird paraphernalia).
Remember, though, that the “soft opt in” under PECR does not cover non-commercial promotions (for example, sending fundraising and campaign emails to an existing supporter). So when sending membership information to members, you need to be careful when straying into the realms of marketing that is not covered by the “soft opt in” under PECR (such as newsletters that extend beyond membership-related information to fundraising campaigns, for example).
For marketing not covered by the “soft opt in”, the ICO’s expectation is that you obtain refreshed consents if your existing consents do not meet the requirements of the GDPR.
Whether relying on consent or “soft opt in”, remember to give recipients an easy way to opt out / unsubscribe from marketing emails and texts.
It’s worth taking a look at the ICO’s website for further information on the GDPR and PECR. For help with updating your privacy policy so that it complies with the requirements of the GDPR, see the ICO’s checklist here.