{php}echo $_SESSION['the_Crumb'];{/php}

short lines

You've got (unsolicited) mail? Direct Email Marketing: New regulation in the United Kingdom

June 2003

The ability to reach a huge and ever-growing pool of consumers at low cost makes email the ideal marketing option for many businesses. This tool, however, is not without its abusers. AOL recently won almost $7 million in damages in the US courts against a company found to have sent over one billion unsolicited emails or ‘spam’ to AOL customers. European email markets may still lag behind their American counterparts in terms of development, but the volume of spam being generated in Europe is increasing rapidly. At present, estimates suggest that one in eight UK emails is unsolicited, and the cost of spam in Europe each year is believed to be in the region of $2.5 billion. As the problem of spam mounts, regulation is inevitable.

Existing Laws

Until recently the legality of marketing emails in English law has been unclear. The Telecoms (Data Protection and Privacy) (Direct Marketing) Regulations 1998 [1] prevent the sending of unsolicited fax and telephone communications to individuals for marketing purposes, but do not explicitly cover spam.

Marketing communications with consumers were left for self-regulation when English law implemented the Distance Selling Directive 97/7/EC in the Consumer Protection (Distance Selling) Regulations 2000 and so again spam is not directly addressed.

The Data Protection Act 1998 covers the collection and use of personal data. If individuals can show that their email addresses constitute personal data under the 1998 Act they may object to the use of their data for the purposes of direct marketing[2]. Again, however, reference to unsolicited email is not made.

Express regulation appears in the Electronic Commerce (EC Directive) Regulations 2002[3] under which businesses using email marketing must:

ensure that unsolicited commercial emails are clearly identifiable as such on receipt; and
check opt out lists maintained in Member States to avoid sending unsolicited emails to intended recipients who have declined such contact.

In or Out?

Current laws recognise two basic methods of obtaining individual consent to email communications - “opt out” and “opt in” systems. ‘Opt out’ systems require the recipients of unsolicited email messages to take the positive step of requesting that they are no longer sent to them. Without this step, consent to receiving such messages is implied. For ‘Opt in’ systems, the intended recipient of marketing messages must consent to receiving the messages before they are sent or the sender should not contact that individual.

The Directive on Privacy and Electronic Communications (“Directive”)[4]

Legal ambiguity surrounding the status of spam is clarified under the Directive. The Directive is part of a group of measures[5] designed to harmonise EU regulation of electronic communications services. Broadly, the Directive:

redefines “electronic communications”, “telecommunications services” and “networks”;
clarifies the position of email and use of the internet; and
replaces the existing Telecoms Data Protection Directive[6]

Formally adopted in July 2002, EU Member States have until 31 October 2003 to implement the Directive into national law. Draft regulations have been issued in the UK [7] (“Regulations”) and are currently under consultation with expected availability in August 2003.

Effect of the Directive and the Regulations.

The Directive has the effect of extending the controls over unsolicited direct marketing to all forms of electronic communication, bringing spam (and SMS messaging) within these controls.

The main implication of the Directive is the requirement that EU Member States establish an opt-in system [8]. The opt-in system will oblige email marketers to ensure that any commercial email messages they send are addressed solely to persons who have given their prior explicit consent. The need for ‘explicit’ consent means that implying consent from a lack of an individual’s objection will no longer be permitted.

An exception [9] to the general opt-in regime applies to a selling party who has obtained electronic contact details in the context of making a sale to a customer. [10] There, the selling party may use that existing customer’s details to market its own “similar products and services”. In doing so, however, the customer must have the opportunity to object to this marketing free of charge and in an easy manner at the point of sale. This opportunity must also be presented on subsequent marketing communications if the customer does not initially object. Email marketers are not entitled to pass on customer details to another selling party [11]. It is uncertain whether a company within a group of companies would be permitted to promote its products or services to the customers of another company within the same group, but a strict interpretation of the selling party suggests not.

The protection afforded by these opt-in rules only covers “individuals”. Although the Directive requires Member States to ensure the legitimate interests of corporate recipients are adequately protected[12] , it allows Member States discretion over the level of protection they afford corporate subscribers. The UK draft Regulations as currently drafted do not afford corporate subscribers protection against unsolicited email communications. [13] Under consultation of the Regulations, affording stronger rights to corporate subscribers remains open to consideration.

The Regulations also prohibit the sending of direct marketing emails which disguise or conceal the identity of the sender[14] .

Conclusion

With the protection of customers very much at the forefront of their objectives, the Regulations will fill holes in the existing control of unsolicited emails. However, given that much of the spam received in the UK originates from outside its jurisdiction, and even the EU, it is questionable what influence the Regulations will have in bringing an end to the spam problem.

Instead, the new rules mean that businesses will have to reconsider their own email marketing practices. Implying consent because a customer has not objected to unsolicited mails is not enough: opting-out is no longer an option. The Regulations mean email marketing operations must only target those who have solicited the marketing email.

Nooreen Ajmal & Calum Murray

Useful URLs:-

Directive 2002/58/EC:
http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg
=en&numdoc=32002L0058&model=guichett

Draft Privacy and Electronic Communications (EC Directive) Regulations 2003 and DTI Consultation on Implementation of the Directive on Privacy and Electronic Communications:
http://www.dti.gov.uk/industries/ecommunications/directive_on_privacy_electronic_
communications_200258ec.html

Oftel website
http://www.oftel.gov.uk/ind_info/eu_directives/

DTI website
http://www.dti.gov.uk/industries/ecommunications/index.html

[1] S.I. 1998/3170 as amended, implementing Directive 97/66/EC - Telecoms Data Protection Directive.

[2] Section 11.

[3] Implementing the E-Commerce Directive [Directive 2000/31/EC] in the UK ./p>

[4] Directive 2002/58/EC (“Directive”). For URL see “Useful URLs

[5] The other Directives in this group of measures are directive 2002/21/EC (“Framework Directive”); Directive 2002/20/EC (“Authorisation Directive”); Directive 2002/22/EC (“Universal Service Directive”) and Directive 2002/19/EC (“Access and Interconnection Directive”). For further details on these directives please see the Oftel website and the DTI website at “Useful URLs”.

[6] Directive 97/66/EC.

[7] The Draft Privacy and Electronic Communications (EC Directive) Regulations 2003; see “Useful URLs”

[8] Regulation 21 (2) (a) of the Draft Regulations. See also Article 13(1)of the Directive.

[9] Regulation 21 (2) (3) of the Draft Regulations and also Article 13(2) and recital 41 of the Directive.

[10] The DTI Consultation on the Draft Regulations goes further to suggest that email addresses obtained through other means such as through customer enquiries or competitions will also be covered by the exception – see chapter 6 page 37. For URL see “Useful URLs”.

[11] Under the Draft Regulations there needs to be a direct relationship between the selling party and the customer. See the requirement under Regulation 21 (3) (b) of “that person’s products or services only”.

[12] Article 13(5)

[13] Although corporate subscribers may register on the e-mps opt out register and can also exercise individual opt-out rights under the Data Protection Act where their business address incorporates personal data.

[14] Regulation 21(4) (a)