Following its increasingly controversial fortunes in the US, “email appending” has started to pop up on this side of the Atlantic.
E-mail marketing-a legal analysis
In e-mail appending, the owner of an e-mail address database often offers a service to marketers who may have a database of individuals which includes their postal address, but not their e-mail address. The concept is simple. The marketer's database is simply matched against the separate e-mail address database. Any matching e-mail address is supplied to the marketer so that they can then communicate with that individual on-line. What are the legal and code pitfalls of this practice in the UK?
For a legal analysis it helps to split this into stages. First there is the appender ("A") providing the marketer ("M") with the email address ("personal data") of an individual ("X") ("Stage 1").
Secondly there is M sending X an unsolicited marketing email.("Stage 2").
Here a lot depends on what happened at the point when the email address was first captured.
Say for example, we have a scenario ("Scenario") where disclosures were given at the point of capture that the email address of X might be shared with third parties with a view to X receiving information about unlimited other products/services.
Suppose also that at the point of capture, an opportunity to opt out of this use were given and X failed to tick the box.
In this Scenario it seems likely that if X's email address ended up in the hands of M by way of the appending process, there would be no non compliance with either the new CAP Code or current UK relevant law. This is providing of course that the Information Commission notifications of A and M covered the process and that all previous disclosures made by M to X were consistent with this happening.
What about the new law coming courtesy of the EU Privacy and Electronic Communications Directive?
This does not have any direct impact on Stage 1, so we can move to….
This is the sending of an unsolicited marketing email by M to X.
Under current UK law, provided the sending of the email is within previous disclosures made to X by M (for instance the email is promoting a third party's products and M had previously informed X that this might happen and X failed to take the opportunity provided to opt out) then there should be no fundamental compliance problem under UK law.
Under new CAP Code, sending an unsolicited email looks compliant provided X is an existing customer of M (as we understand it this will often be the case in an email appends scenario) and M is marketing M's "similar products" and giving X an opportunity to object to further such marketing.
But the position will be different under the new law coming courtesy of the EU Directive. Here, the "soft opt-in" option will only apply where the email address is collected by M itself in the "context of the sale of a product or service" (or as the current draft UK Regulations put it, "during the course of a sale or negotiations for the sale of a product or service") by M to X.
This is clearly not the case with use of an email address after acquisition by way of email appends, so we can forget "soft opt in" here.
Under the Directive there's still the "opt in " route of course, except that this would not apply to the Scenario above even if X has opted in instead of failing to opt out when originally supplying his email address.
This is because X's desire to opt in has to be communicated direct to M and to relate only to direct marketing emails sent by M to X. So again Stage 2 of email appends cannot fly here.
So are there any scenarios in which, under the new law due under the Directive, Stage 2 of email appends might be compliant?
Of course there should be no fundamental problem if M's email is solicited by X, but this is not what we are focusing on.
There is one scenario for Stage 2 under the EU Directive that looks compliant with the new law and the CAP Code. This is where X is not an individual subscriber but the message is marketing products of M similar to products previously sold by M to X.
This is the "non-individual subscriber" carve-out from opt-in confirmed by Mary Tait of the DTI at a recent DMA Data Protection conference. In Mary's view, this was likely to apply principally to unsolicited marketing emails sent to individuals at their office email address (where the subscriber to the relevant electronic communications service is a limited company).
So here, provided there is no opting out by X, there should be no problems under either the new CAP Code or the coming new law.
So what's the conclusion?
Stage 1 can occur compliantly in the "opt out" Scenario described above.
Stage 2 can occur compliantly only if the email is sent to an individual's office email address, X is an existing customer and the email is marketing similar products or services of M to those it previously sold to X.
So email appends isn't 100% non compliant, but there are only limited scenarios in which it can operate within the law/CAP Code.