List brokers and profiling
The GDPR requires organisations to have a lawful basis for processing personal data. Junk mailers rely on either "consent" or "legitimate interest" as the lawful basis. The former is quite specific; advertisers can only use consent as the lawful basis if you have actively opted in to receiving adverts. The consent must be given freely and knowingly — the usual dirty tricks, such as hiding opt-out boxes or pre-ticking opt-in boxes, do not constitute consent.
The legitimate interest basis is a bit of a catch-all basis. Article 6(f) of the GDPR states that your personal data can be processed as long as you can reasonably expect the processing to take place and provided the processing doesn't breach your fundamental rights and freedoms. For the most part, legitimate interest is about common sense. If you contact a company via email you can reasonably expect they will use your personal data to reply to your email, and it is extremely unlikely this processing interferes with your fundamental rights. Similarly, it is perfectly reasonable for your bank to process your personal data as part of fraud prevention efforts.
However, it is not all about common sense. Here is a list with examples of cases in which the legitimate interest basis is commonly used, taken from the ICO website. Can you spot the odd one out?
- Fraud prevention
- Ensuring network and information security
- Indicating possible criminal acts or threats to public security
- Processing employee or client data
- Administrative transfers within a group of companies
- Direct marketing
If you guessed anything other than "direct marketing" then I honestly don't know what to say. Even die-hard marketers can see that sending unsolicited adverts isn't on a par with a bank processing personal data to prevent fraud or an employer processing the personal data of its employees. Yet, it is what the industry lobbied for, and it is what they got.
Legitimate interest and junk mail
Clearly, the legitimate interest basis opens the door for unsolicited junk mail. That said, the legitimate interest basis isn't a get-out-of-jail card for junk marketers. They still need to make you aware your personal data will be processed for "marketing purposes" and they need to give you the option to opt out. That is a slight improvement on how junk mail marketing used to be regulated. Prior to the introduction of the GDPR, many junk mailers would go out of their way to trick you into not opting out whenever you bought something online or donated money to a charity. They now need to be transparent about how your personal data will be used.
Similarly, marketers can no longer share your personal data with the infamous "carefully selected third parties" without telling you exactly who those mysterious entities are. That is another improvement, but there is a catch: they don't have to mention who the third parties are in the text accompanying the opt-out box. They are allowed to bury the names of the third parties in an extremely long and boring privacy policy.
In short, the GDPR has definitely made things a little easier for junk mail haters, in the sense that marketers are no longer allowed to trick you into not opting out. But, if you don't actively opt out you might still find that your personal data is not only used to send you junk mail but also sold to other junk mailers, who can then use the same legitimate interest basis to target you with junk adverts.
Legitimate interest and profiling
So far, I have only looked at the practice of sending junk mail. The rules are a lot more lax when it comes to profiling. If you are not familiar with the term, "profiling" is the practice of "enriching" marketing databases so that ads can be better targeted. It is a huge side hustle for companies like Experian. The credit reference agency uses the open electoral register and data from many other sources to build detailed profiles of people in the UK and then sells that data to junk marketers.
This processing of personal data is mainly done using legitimate interest as the lawful basis. Yet, chances are that, until now, you had no idea this type of intrusive marketing is happening — and you will almost certainly never have been asked for permission. The reason is that organisations that want to sell your data to the likes of Experian don't have to present you with an opt-out box. They are only required to provide information about profiling in their privacy policy.
When the first drafts of the GDPR appeared (around 2012) it looked likely list brokers wouldn't be able to rely on the legitimate interest basis. This prompted a fierce lobby by the industry. I don't know exactly what arguments they put forward (as lobbying mostly happens behind closed doors) but my guess is they stressed the proposals would kill off a huge industry and that profiling is beneficial for "consumers". Experian, for instance, argues that its "marketing services" help marketers to better understand people, communicate more effectively and at the right time and offer people more relevant products and services. The company's page about how sharing your data can benefit you sums it up as follows:
Allowing your data to be used means you're more likely to receive marketing and advertising for the stuff you're interested in. It doesn't mean you receive more advertising, just more relevant advertising.
But there are other ways organisations use data that can benefit you.
It helps ensure organisations’ databases are accurate and up to date so you don't receive mail for people who have lived in your property before you, or your name isn't misspelled on letters you receive.
It makes organisations more efficient as they can better target their services, reducing their costs which allows them to be more competitive. And more competitive businesses tend to offer better products and fairer pricing to you, helping you save money.
This is essentially the same set of arguments the Postal Preference Service used. The logic itself is true; the more personal information you give to marketers, the better they will be able to target ads. The problem with the argument, though, is that the logical conclusion is that there is no limit to the amount of data marketers should have. Clearly, the discussion should be about where to draw the line between profiling and privacy. There is a balance to be struck, and you should be in charge of where that line should be drawn.
To make an informed decision about where you want to draw the line you need to decide how much data you want them to have. List brokers like Experian are a lot less talkative when it comes to helping you make that decision. They don't really want to reveal what data your profile contains. That is why their privacy pages go on and on about how sharing your personal data can benefit you — it is a much more comfortable discussion for them. You would need to send them a subject access request to find out what personal data they hold.
If you care about your privacy then it is much easier to simply stop list brokers such as Experian processing your personal data for "direct marketing" purposes. You won't get targeted ads from companies that buy profiling data from these list brokers but that might actually be a good thing. When you are next in the market for a product or service you could perhaps do the old-fashioned thing and shop around yourself, without marketers holding your hand.
Your right to object
I almost skipped over the fact that Experian's propaganda suggests that you have a choice between poorly targeted ads and well targeted ads. There is of course a third option: not receiving ads at all. This is entirely doable; unsolicited addressed advertising mail is relatively easy to eradicate (unsolicited leaflets are a much harder nut to crack). As long as you are organised and determined you can get rid of the stuff.
To do so, you need to tell list brokers and individual junk mailers to stop processing your personal data for "direct marketing" purposes. The right to object is defined in Article 21 of the GDPR. The article supersedes Section 11 of the Data Protection Act 1998 and is more liberal. Previously, your request had to be in writing and you had to refer to the relevant act of parliament. That is no longer the case. If, for instance, you get a marketing call and you tell the caller to stop bothering you then you have made a legally binding objection. Of course, that doesn't work for aggressive marketers and scammers but, in theory, it should work for legitimate marketing calls.
I strongly recommend making your objection in writing. If you send an email you automatically have a copy of your objection, which will come in handy should the list broker or junk mailer be unresponsive; you can then report them to the ICO (the body enforcing compliance with the UK GDPR). Also, you need to keep a copy of your email and any response you get. You need to be organised. And, it will take some time before you start seeing results. Organisations have up to a month to comply with your request and you will have to contact individual junk marketers as and when they target you. Depending on how much addressed junk mail you receive it might at times feel like a game of whack-a-mole. Stick with it though. You will win the battle.
Example objection email
Exactly how you write your request is up to you. The ICO has an example letter that is a little apologetic; it suggests you should give details about what use of your personal data you are objecting to. The website datarequests.org has a much more formal example letter. Personally, I would use something along these lines:
Right to object
Dear Sir, Madam,
I wish to enforce my right under Article 21(2) of the UK GDPR to object to the processing of my personal data for direct marketing purposes, including "profiling" to the extent that it is related to direct marketing.
I am including the following information necessary to identify me:
{Your name}
{Your address}
Please confirm when you have actioned this request.
Yours faithfully,
{Your name}
Eradicating list brokers
As said, Experian is the main list broker in the UK. They make it relatively easy to object to the processing of personal data for marketing purposes: you can opt out via its website. You won't get a confirmation email, so a better option is to send an email to customerservices@uk.experian.com.
Other major list brokers in the UK include Acxiom, CACI, TransUnion, Sagacity and Omnis Data. You can find more information about these and other list brokers (including email addresses) in a Codeberg repository.
Eradicating individual junk mailers
For individual junk mailers you can do the same. You can send an objection email every time you receive junk advertising addressed to you. However, there is a little bit of nuance here. In the last couple of years I have received two pieces of "direct mail", both from companies I regularly buy stuff from. Rather than sending them a formal objection email I instead sent an email to explain that I suffer from a severe junk mail allergy and that I really want them to take me off their mailing list. That is still a legally binding request — remember that there's no particular form of words you need to use — and it did the trick, without sounding hostile.
In other words, you don't have to whack each and every junk mail mole with a sledgehammer. For companies you have dealings with, a friendly nudge is just as effective. You can reserve the more formal approach for aggressive junk mailers — that is, the ones adopting the junk mail equivalent of cold calling.
Combining subject access requests and objection notices
Playing whack-a-mole with junk mailers is much more effective if you know where the moles are hiding. So, rather than instantly sending an objection email, you can first send a subject access request to find out what personal data the junk mailer has about you. Most likely, they got your information from a third party, and chances are that third party is selling your data to other junk mailers as well. In other words, you want to stop both the junk mailer and the list broker that is selling your personal information.
It is worth noting that under the GDPR organisations are no longer allowed to charge a fee for dealing with straightforward subject access requests like these. Under the Data Protection Act 1998 they could charge up to a tenner, which made simple requests for information prohibitively expensive. Now that the fee has been scrapped you can have your revenge. The GDPR scares the hell out of junk mail companies, so they will almost certainly deal with your subject access request very carefully. That junk mail letter they sent on the cheap suddenly becomes an expensive nightmare!
As with marketing objection notices, there are no strict rules for writing subject access requests. You do need to mention that your email is a subject access request, and you of course need to clearly specify what information you are requesting. Something along these lines should be fine:
Subject Access Request
Dear Sir, Madam,
I have received an advertisement from your company addressed to me in the post. I was unaware that you hold personal data relating to me and would like to request the following information:
- The date you added my name and address to your marketing mailing list.
- A copy of any personal information you hold about me, including profiling data.
- Confirmation of how you obtained the above data. For instance, if you obtained the data from one or more list brokers or marketing profiling companies then I would like to know the names of these companies.
- The legal basis used to send me "direct marketing".
- Confirmation of whether or not you have shared any personal data relating to me with any third party. If you have shared any of my personal data then I would like to know exactly what data you have shared with whom.
I am including the following information necessary to identify me:
{Your name}
{Your address}
Yours faithfully,
{Your name}
Organisations have one calendar month to respond to subject access requests. You can again contact the ICO if they fail to do so.
When you receive a response
If the sender/offender confirms who they bought your personal data from then you can next go after the third party. However, chances are they will claim someone or something (like a spambot) completed an online form somewhere. You could continue the conversation and ask whether or not the date, time and IP address of the form submission were recorded and you could raise this as a concern with the ICO. The onus of making sure that you consented to receiving unsolicited marketing is on the marketer — if they can't weed out form submissions by spambots then they shouldn't be collecting data via online forms. The ICO is unlikely to take any action but reporting such junk marketers might make a difference long term. If they start noticing that junk mailers routinely use the "online form excuse" then they might tighten up the rules (though I honestly wouldn't hold my breath).
Either way, don't forget to send them an objection email after you have received a response. They will probably already have marked your name and address with the label "junk mail hater — do not contact" but it is better to be safe than sorry!
To the occupier junk mail
Finally, objection notices and subject access requests only apply to personal data. By itself, your address isn't classified as personal information. So, if you get junk mail addressed to a generic addressee, such as "The Occupier", at your address then all the above doesn't apply. Unfortunately, there is no alternative solution for adverts addressed "To the Occupier". The Mailing Preference Service, for instance, makes an exception for such items. Your best option is to send the items back to the sender, so that they can recycle the item for you.