Spam Laws: Electronic Communications Regulations
The new law governing unsolicited email marketing came into effect on December 11, 2003. What are the consequences for your business?
The new Privacy and Electronic Communications (EC Directive) Regulations 2003 came into effect on December 11 2003. The regulations are the UK implementation of a European Union directive designed to protect the privacy of individuals and outlaw unsolicited, commercial electronic communications - including phone calls, faxes, location data and email 'spam'.
At an NMK talk on 18 November 2003, Simon Stokes, of law firm Tarlo Lyons, explained how the new regulations will affect the way you communicate with your clients and customers, and outlined what the implications of the new law are likely to be for companies whose core business is marketing.
Nobody doubts that spam emails are a major irritation, and often a barrier to productivity, but not everybody agrees that legislation is the most effective way to tackle the problem. Many companies are concerned that the new regulations could restrict their legitimate business activities, while the real nuisance spammers will be unaffected, as they already operate outside the boundaries of the law.
Data ProtectionThe first thing to know about the new regulations is that they are designed to enhance existing data protection legislation, and not to replace it. Simon began his talk with a reminder of the rules which we are already legally bound to observe, notably the Data Protection Act 1998. Data protection laws apply to the processing of personal data, and are enforced by the Office of the Information Commissioner, which offers the following principles for good practice on its website:
Data should be
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- not kept for longer than is necessary;
- processed in line with your rights;
- secure; and,
- not transferred to countries without adequate protection.
The New Regulations
The Privacy and Electronic Communications (EC Directive) Regulations 2003 follow the 2002 Data Privacy Directive issued by the EU, which was in part an attempt to outlaw email spam. The new regulations will establish a legal framework for dealing with the issue in this country, and provide a degree of harmonisation with privacy laws enacted in other European states. Unfortunately the vast majority of the email spam we receive originates from outside the EU,and won't be stopped by the laws.
If you are involved in sending marketing material by email, sms or image messaging, you will now be required to comply with existing data protection laws and the new regulations. Taken together, the basic rules are that you must identify yourself, provide contact details and allow recipients to unsubscribe.
If you are processing personal data for direct marketing, you must be able to demonstrate that you're are doing so fairly and lawfully - i.e. that the recipient knows how and why their data was obtained, and was aware that they were likely to be contacted. You must also tell subjects of their rights with regard to your use of their data.
If you plan to use lists, the responsibility for compliance lies with you, and not with the company who sold you the list. The first time you use a list, it is good practice to inform recipients why you have their details and give them the chance to opt out of further communications.
Opt In or Opt Out?
Under the 1998 Data Protection Act, the onus is on giving subjects of direct marketing the opportunity to opt out. Under the new regulations this is taken a step further, so that if you are using email or sms, then in general it will now be necessary for the recipient to have opted in and given their prior consent. The same is true for faxes, although with phonecalls the principle is that it's OK to cold call unless the person you are calling has already opted out - i.e. they've informed you that they don't wish to receive calls, or are listed on a register.
In legal terms, for a recipient to have indicated consent, they must have reacted to a question, for example by ticking a check box on a website. However, the new regulations also allow for the concept of the "soft opt-in", which is a little less strictly defined.
Soft Opt In
If you have some kind of pre-existing commercial relationship with an individual, then it will be legal for you to contact them, subject to certain conditions. In Simon's opinion, this rule should extend to people who have merely enquired about the products and services you offer, and not just customers who have purchased from you in the past. The conditions are that:
- your marketing must be for similar products and services;
- recipients must have a simple, ongoing means of refusal.
Individuals and Corporate Identity
The good news for B2B marketers is that the new regulations make a distinction between individuals and companies. The law is primarily designed to protect individuals - private members of the public accessing their personal emails or answering their home phones. This gives marketers freedom to send unsolicited electronic commercial communications to companies and businesses, even if they are targeting named individuals within companies, on their corporate email accounts. As long as you abide by data protection rules (identify yourself, provide an opt-out etc.), this is perfectly acceptable.
Care should taken when contacting small companies, however, as sole traders and partnerships will enjoy the same rights as private individuals under the eyes of the law. On the other hand, large non-commercial organisations such as hospitals, schools and public bodies qualify as companies, and can therefore be contacted. Compared to some other EU states, these conditions are relatively lenient, and it is possible that they'll become stricter in the future.
Penalties and Enforcement
What could happen to you if you break the new laws? As Simon explained, breaching the new regulations could leave you facing a bill for damages (civil liability), and a fine of up to ?5000 (or more if tried before a jury). By flouting data protection laws, you could find yourself convicted of a criminal offence, as well as fending off fines and damages claims. In fact, it is much easier to breach the Data Protection Act, as merely being in possesion of personal data without meeting your responsibilities under the act would make you liable immediately.
But is anybody ever likely to be prosecuted? The message that seems to be coming from the Information Commissioner's Office is that prosecution is unlikely for all but the worst offenders - although if you are given a warning for not observing the regulations and then continue to breach them, you could be in trouble.
The legislation has really been put in place to provide a framework to encourage lawful marketing, but it is recognised that trying to eradicate all spam through the legal system would be impossible at this stage.
Following his presentation, Simon Stokes answered questions from the audience. Some of his answers are summarised below.
Q: Is it still possible to buy lists?
A: Yes, although if a list is more than a year old at the present time, then the list seller won't have complied with data protection laws. Even if you have bought a list, if you are the sender of the communications, then you will be liable under the new regulations. For this reason, more reputable list owners will send your emails on your behalf.
Q: If a customer doesn't complain about receiving emails, does that constitute consent?
A: No, lack of response or silence does not qualify as consent.
Q: What is the status of a sponsored newsletter?
A: If there's a commercial dimension, it must be made clear.
Q: If your list seller sends your emails for you, but they link to rich media stored on your own servers, would you be liable?
A: It would depend upon whether you qualified as a data controller.
Q: Can B2B marketers continue as before as long as they remove sole traders and partnerships?
A: That seems to be the case, although there are as yet no precedents, so watch this space.
Q: Can you contact people if their email addresses are published on their websites?
A: If contact details are publicly available, then the correct procedure would be to contact them once asking if they'd like to receive more information.
Q: If sending emails from a server in the USA, are you liable?
A: If any storage or processing occurs in the UK, then you could be at risk.
Q: What about viral campaigns inviting respondents to submit a friend's contact details?
A: You would have to obtain the friend's consent. You might be okay if you contact the friend explaining who has provided their contact details, and inviting them to sign-up for further communications. But this is a grey area at present.
Information Commissioner website, including guidance on the data protection act.
Simon Stokes, Partner, Tarlo Lyons
Simon Stokes is a partner and head of the Commercial Intellectual Property, Electronic Commerce and Digital Media practices at London law firm, Tarlo Lyons. Mr Stokes specialises in data privacy, electronic commerce/IT and commercial intellectual property law. His clients include major suppliers and consultancies in the media, e-commerce, EDI, chemical, financial and broadcasting sectors. He is news editor of the Computer and Telecommunications Law Review and an editorial board member of Electronic Business Law. He is also a member of the Licensing Executives Society, a member of the City of London Law Society Commercial Law Subcommittee and a Fellow of the Royal Society of Arts. Mr Stokes is the author of two books: Art & Copyright (Hart Publishing) and Digital Copyright: Law & Practice (Butterworths). He is a graduate of MIT and serves as Secretary and Counsel to the MIT Club of Great Britain.
This evening event is presented in association with:
Tarlo Lyons is a modern London firm focused on delivering creative commercial solutions for technology driven business. With 23 partners and 58 fee-earners the firm is proud to be one of the few City firms with Investors In People and Lexcel accreditation. With an increasing number of partners skilled in project and risk management, the firm aims to deliver its services in a way which is efficient, leading edge and relevant to its clients. The firm's clients span global corporates, UK-listed and unlisted corporates, entrepreneurial businesses and individuals, all of whom value the firm's dedication to excellence in service delivery. www.tarlolyons.com.