GDPR: Quit Getting Scammed

Dear hoteliers,

Sorry about the grouchy title! But I am so sick of hearing negative comments about the GDPR that certain so-called “professionals” pass off as the truth. I just got back from the WTM, where dozens of hoteliers told me they’ve ended their loyalty campaigns because they’re no longer allowed to email their own clients. Misinformation is keeping them from using this effective strategy. What a pointless loss of profit!

The GDPR was passed nearly two years ago, and we’re still hearing the same tired old refrains: “My lawyer told me BLABLABLA,” or “An expert says BLABLABLA,” or even “On this one blog, I read BLABLABLA.” In 95% of all cases, that BLABLABLA is absolute nonsense, spread by someone who either knows nothing about the subject or has a hidden agenda.

I’m not going to go into the details of the GDPR. Instead, I want to answer a simple yes or no question: “Can you send email campaigns to your own clients?”

The answer is YES, a definitive YES, despite what you may have heard.

The source of this information

The first factor to be determined is the source of your information. Where does it come from? Is it drawn from the law itself, or a subjective interpretation of the law?

A Google search for “GDPR email marketing” brings up a long list of blogs, professionals and other people whose main intention is to make money by providing misinformation on the subject. Their goal: to scare you so that you’ll think they’ve saved you from some terrible danger. What a joke!

Every one of these people is putting out the same message:


As a result, you’ve stopped sending out email campaigns, and may even have given up on the concept entirely.

Whether you’re an independent countryside hotel with 20 rooms or a national chain with several hundred establishments (a real example of someone I met recently), you have fallen victim to this massive deception.

So let’s take a look at some reliable sources of information instead: the actual written law, and the organizations responsible for its implementation at the national and/or European level.

What does the law REALLY say?

I’ll spare you the details of the study carried out by Experience on the subject. Instead, here are three excerpts drawn from three truly legitimate sources.


The part of the GDPR that the “professionals” mention:

Among the other data protection principles in Article 5 are “lawfulness, fairness, and transparency.” This means you can only use people’s data if it’s allowed under one of six legal justifications, it must be fair to the data subject, and it must be based on transparent and unambiguous communication with the data subject. (The “data subject,” by the way, is the identifiable person the data is about.)

There are six “lawful bases” for you to “process” (collect, store, use, etc.) people’s data. These are listed in Article 6. The first is consent, which must be obtained unambiguously and after a full explanation of what you plan to do with the data. Specifically:

  • Consent must be “freely given, specific, informed and unambiguous.”
  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
  • Children under 13 can only give consent with permission from their parent.
  • You need to keep documentary evidence of consent.

The sixth legal basis is to have a “legitimate interest” to process the person’s data. Although the term is vague and could apply to a broad range of situations, you may have a hard time relying on this basis because the “fundamental rights and freedoms of the data subject” can often override your legitimate interest. Moreover, it remains to be seen how regulators and the courts will interpret this basis. You probably don’t want to be a test case.

The other four lawful bases are less common, but it’s a good idea to review Article 6 to make sure they don’t apply to you. The bottom line is that you should be very careful about using someone’s data unless you’re sure the person wants it used that way.

The part of the GDPR that the “professionals” don’t mention:

However, the ePrivacy Directive, specifically Article 13, presents organizations with another way to use a person’s data for marketing purposes that stems from the contractual basis of the GDPR. In the context of a sale of a good or service, an organization “may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner,” according to Article 13, part 2. Essentially this means that an organization can lawfully send you marketing emails about the service they provide you as long as they inform you that you can opt out at any time and there is the option to unsubscribe in every communication.

United Kingdom:

The part of the GDPR that the “professionals” mention:

The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:

  • they have specifically consented to electronic mail from you;

You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.

For further information, see our guidance on direct marketing

The part of the GDPR that the “professionals” don’t mention:

You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.

The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (eg from bought-in lists). It also does not apply to non-commercial promotions (eg charity fundraising or political campaigning).

For further information, see our guidance on direct marketing

France:

The part of the GDPR that the “professionals” mention:

The main idea: No commercial messages without prior authorization from the recipient.

Advertising by email is allowed as long as people specifically gave you permission to send them marketing messages when they originally gave you their email address.

The part of the GDPR that the “professionals” don’t mention:

There are two exceptions to the rule:

  1. If the prospect is already your client, and the message concerns products or services similar to those already provided by your business.
  2. If the message isn’t of a commercial nature (charity, for example).


As a hotelier contacting your past or current clients, you have absolutely NOTHING to worry about where the GDPR is concerned. Just make sure your clients can easily unsubscribe and request not to receive, or to stop receiving, your newsletter(s). They also need to be informed and understand that their email addresses will be used for internal marketing campaigns about the hotel where they’ve stayed, but never about any other establishment.

Email marketing is currently one of the most cost-effective hotel marketing techniques. Don’t miss out because of ignorant would-be professionals who are trying to build a business model based on misinformation and fear.

Send email campaigns! Build customer loyalty! Lower your commissions!

Thanks 🙂