Only six months since the new email marketing regulations arrived, the ICO issues the third edition of its guidance on how to comply. New help on viral marketing, email appending, third party lists and more.
Topic: Digital marketing
Who: The Information Commissioners’ Office (“ICO”)
Where: Wilmslow, Cheshire
When: May 2004
The ICO published a revised version of its “Guidance to the Privacy and Electronic Communications (EC Directive) Regulations 2003″ (“Regulations”).
This means that only just over 6 months after the Regulations came into force, we are already into the third version of the Guidance.
The changes have been driven mainly by the introduction of the Corporate Telephone Preference Service, reported separately on marketinglaw.co.uk. However, the ICO has taken the opportunity to make various other revisions.
Unfortunately, the ICO has not made available a marked-up version showing the changes in detail. All that is supplied is an “Appendix 1: Summary of Changes to Version 2.” This is fine so far as it goes in that it indicates the paragraphs where changes have been made and some of the affected wording. However, it is something of a task to identify the precise changes.
Let’s look at the updates in a bit more detail, so far as they apply to digital marketing.
The ICO finally takes official notice of the fact that the terms “subscribe” and “unsubscribe” are commonly used to indicate agreement or objection to receiving future marketing communications. This is of course of particular relevance in an e-mail marketing context.
Enforcement action by the ICO
The ICO spells out that enforcement action by the ICO is in four stages:
preliminary enforcement notice
prosecution for breach of notice.
The ICO pleads here for greater powers (it’s been doing this for a while). It wants to have the power to take swift, effective regulatory action where there is persistent and deliberate non-compliance. Currently, it is severely hamstrung.
For example, an enforcement notice can be appealed and whilst under appeal any requirement in the notice to stop the complained of conduct is suspended. This means that in practical terms a company can continue with non-compliant activities while the appeal is on-going, and in a recent case the enforcement action took almost a year to resolve.
All this means that there are practical constraints on the number of companies against which the ICO can take formal action at any one time.
The ICO also complains about its information gathering powers. It has for instance no powers to compel third parties to provide it with information to help track down non-compliant companies.
The ICO mentions this particular technology for the first time in the context of controls over e-mail marketing. It comments that marketing messages transmitted using Bluetooth, for example, messages sent to all Bluetooth enabled handsets within a given radius, will be considered electronic mail and caught by the new Regulations.
Valid addresses in a mobile phone context
The ICO accepts that short code numbers could be used as a valid address in text messages as long as they do not incur costs other than the cost of message transmission. As good practice, the Guidance goes on, a valid website address (where further valid contact details can be found) or a valid PO Box number should be included in any promotional text message. For a short code to qualify as a valid address, the sender of the message itself must ensure they clearly identify themselves in the message, the use of the short code must not incur a premium rate charge and it must of course be valid.
The ICO underlines that for the time being an e-mail mailing list compiled before 11 December 2003 (the date the Regulations came into force) can still be used provided it was compiled in accordance with privacy legislation in force before 11 December 2003 and has been used “recently.” This applies of course unless an intended recipient has already opted out of receiving such messages.
In this context the ICO reminds us that in its view, privacy legislation in force before 11 December 2003 did not permit the sending of unsolicited text/picture/video messages without prior consent. In other words, legacy lists of mobile telephone numbers cannot in the view of the ICO be used to send unsolicited marketing texts without express prior opt in.
Recently used legacy lists
If a legacy list has to have been used recently to be useable again, what does “recently” mean? At this stage, the ICO says it means a list that has been used in 2003.
For how much longer will pre-11/12/03 lists be useable?
The ICO indicates that around the first anniversary of the Regulations coming into force, in other words mid December 2004, it will begin to take a much stricter line on the use of lists compiled before December 2003. It accepts however, that where a list has been compiled and used before December 2003, but after that it continues to be used regularly, with opt out reminders, and is updated and weeded appropriately, such a list can continue to be used indefinitely.
Third party e-mail lists
The ICO expands its comments here on the knotty problem of whether the use of an e-mailing list supplied by a third party can be compliant. The challenge here is that the recipient of the e-mail has to have previously “notified” the sender or the person instigating the sending that they consent to the receipt of future unsolicited marketing e-mails.
To start with, the ICO says that “it is difficult to see how third party lists can be compiled and used legitimately after 11 December 2003 on any other basis than one where the individual subscriber expressly invites, i.e. solicits marketing by electronic mail.”
Then the ICO retreats from this position a little. It says that arguably consent for unsolicited emails could be given via a third party. A great deal would depend, however, on the clarity and transparency of the information given to the intended recipient when their contact details were collected by that third party.
Tick-box wording examples
The new Guidance provides some helpful examples of tick-box wording for various scenarios.
These underline the fact that getting opt-in consent or getting individuals to “solicit” emails is not as difficult as you might think.
How does an individual “solicit” contact from third parties on a particular subject?
The ICO gives an example of a tick being placed in a box next to wording such as:
“I want to hear from other companies that offer gardening products. Please pass my details on to them so that they can contact me.”
So that’s not too difficult is it?
How can individuals “solicit” e-mails from third parties on unspecified subjects?
Wording suggested here by the ICO, against a tick box, is:
“I want to hear from other companies about their on-line offers. Please pass my details on to them so that they can contact me.”
Getting an individual’s consent to receiving unsolicited third party e-mails on specified subjects
The wording suggested by the ICO here, again against a tick box, is:
“If you’d like us to pass your details on to other organisations working to protect the environment, tick here.”
How to consent to receive unsolicited third party e-mails on unspecified subjects
The ICO suggested wording against the tick box here is:
“We’d like to pass your details on to other companies so that they can send you on-line offers. If you agree to this, tick here.”
In this context, however, the ICO counsels particular caution. Again, the test is whether it can be said that by actively ticking a box close to particular wording, the individual has notified a third party of his or her consent to receiving messages.
In a brand new section the ICO goes into some detail about the regulatory position on viral marketing.
The ICO gives two examples, either:
(a) a marketer (“A”) asks a person (“B”) to forward A’s original marketing message to a friend or friends (“C”); or
(b) A asks B to hand C’s contact details over to A.
The ICO says that it has come to its attention that some companies mistakenly see these options as a way of getting round the “prior consent” rule.
The ICO says that in example (a), it could be said that A is encouraging B to break the law by sending unsolicited messages to C without C’s prior consent. The ICO strongly advises A to encourage B only to forward e-mails to those that B is certain are happy to receive them. It goes on to say that where A incentivises B to do so, there is strong argument that A is the “instigator” of the sending of the message and therefore legally responsible for it.
In case (b) A is clearly liable for any messages sent to C. The ICO emphasises that details collected in this way cannot be used unless A is satisfied that C has notified B that C consents to receiving such messages. The ICO advises therefore that A should ask B to confirm that B has the consent of C. A should also check that C’s details have not already been suppressed following an opt out request.
The ICO also recommends that A warns B, when first asking B for C’s email address, that when A sends C an email A will tell C it got C’s email address from B.
The ICO goes on to say that it is particularly important to follow this procedure where B has been incentivised by A to provide A with C’s e-mail address.
Appending e-mail addresses
This is another new section to the Guidance.
Appending happens where a marketer has a list of established customers, but it excludes mobile numbers or e-mail addresses. The marketer then gets those contact details from a separate, bought-in list. Can the marketer then proceed to contact its customers by e-mail or mobile phone without breaking the rules?
The ICO comments that if the list that has been bought in is an opt-in list, depending on the precise terms of the opt in notification, it may be possible to say that the customer has notified the marketer, via a third party that they are happy to hear from them by e-mail or text message.
However, the ICO warns that one of the most frequent comments made in complaints it receives is “Where did they get my e-mail/mobile number from? I certainly did not give it to them.” In this context the ICO says “you may wish to send a “low-key” message explaining where you have got their details from and double-checking whether they are, in fact, happy to hear from you via this medium. You could not assume consent from their failure to respond.”
In other words, an opt in response should be the only basis upon which further use is made of an e-mail address obtained by appending.
In another new section to the Guidance, the ICO deals with the situation where clear gifs are put into marketing e-mails in order to work out how successful e-mail campaigns have been. Are these caught by the new Regulations?
The ICO answers emphatically that they are indeed caught and that as with cookies, the recipient of the e-mail using this device must be told about it in the message itself. It must also be explained how to switch the clear gifs (or web beacons) off.
Why this matters:
Lurking in this third version of the Guidance are some very helpful further pointers to digital marketing compliance. We have yet to see reports of any specific ICO action being taken to enforce the Regulations, but the indications as to the ICO’s thinking contained in this amended Guidance should help digital marketers follow a compliant path.