The gory details of new rules coming up in the Autumn for email marketers have now appeared in draft regulations published by the DTI.
Topic: E-mail marketing
Who: The Department of Trade and Industry
When: March 2003
Where: London
What happened:
The Department of Trade and Industry published its consultation document on the implementation of the Directive on Privacy and Electronic Communications. The plan is to bring the new regulations (currently called "The Privacy and Electronic Communications (EC Directive) Regulations 2003" ("PECRs")) into force by 31 October 2003. The consultation period ends on 19 June 2003 and the government plans to publish the final regulations by August.
Here we focus on the provisions that deal with e-mail marketing, including marketing by text/SMS and MMS.
Current UK law provides no clear guidance on when a communication by e-mail or SMS can be regarded as "unsolicited" but it does make it clear that unsolicited commercial e-mail (excluding SMS/MMS) must identify itself as a marketing communication up front so as to allow easy deletion. On the question of whether or not the communication should be sent in the first place, there are at present no specific UK legal regulations. However, individuals do have the right under the Data Protection Act 1998 to object to use of their data for direct marketing purposes, on a case by case basis, by notifying individual marketers of this objection. Although there is no legal obligation on marketers to actually notify individuals of their right to object at the point of data capture, the median approach appears to be to notify individuals that their data may be used for e-mail marketing purposes, particularly if this is going to involve third party products or third parties sending the e-mail, and to give individuals an opportunity to opt-out of this occurring. There is no separate e-mail preference service, other than a voluntary system operated by the US Direct Marketing Association, but this has suffered from limited take-up and the disadvantage of having to send one's data out of the European Union to a country that does not have EU equivalent data protection laws in order to register with the service in the first place.
As regards corporate subscribers, for instance, where the e-mail address is that of an individual employee of that corporation, each such individual again has the opt-out right under the Data Protection Act where the e-mail address includes their surname and is therefore capable of identifying that individual. Such individuals may also register with the US DMA's e-mail preference service for what that is worth.
Moving away from legal regulation, self regulatory codes such as the DMA Code for Commercial Communications On line and the new British Code of Advertising, Sales Promotion and Direct Marketing ("CAP Code") have more to say about e-mail marketing. Broadly, the current DMA code operates on an opt-out basis, whilst the recent new eleventh edition of the CAP Code (in force, subject to a three month semi transitional period, on 4 March 2003) has tried to anticipate the PECRs by making changes to the Code's e-mail marketing provisions which attempt to mirror the Directive.
Marketinglaw.co.uk has commented in critical terms on this initiative on the part of the Committee of Advertising Practice (see elsewhere under the "E-mail Marketing" topic) and the CAP has responded to these criticisms in a separate piece also appearing on marketinglaw.co.uk.
The first points to bear in mind in relation to the proposed new email regime under the PECRs are as follows:
They apply to marketing email, SMS and MMS (we will follow the example of the draft PECRs from now on by referring to these collectively as "electronic mail");
the rules apply only to "unsolicited" communications. The PECRs contain no helpful definition of "unsolicited" but they do tell us of one particular case where a communication will be treated as solicited. This is where "the recipient has notified the sender that he does not object to communications being sent …. for direct marketing purposes". Is this the same as "consent"? Is it the same as opt-in?
Some say the "previous notification of non objection" test for what is solicited is intended to allow continued use of "legacy lists" after the PECRs come into force. We are not so sure. There certainly is a need for clarity in the PECRs as to what happens to existing non opt-in lists when the new rules come into force, but something more succinct than this is needed.
And if the draftsmen are looking for a more helpful definition of what is "solicited" maybe they should refer to s 5 (I) of the Financial Services and Markets Act 2000 (Promotion of Collective Investment Schemes) (Exemption) Order 2001. This defines "solicited" as "initiated by the recipient of the communication or made in response to an express request from the recipient".
the new rules only apply to electronic mail sent to "individual subscribers". The draft regulations define "subscriber" as "a person who is a party to a contract with a provider of public electronic communication services for the supply of such services." "Individual "is defined as "a living individual and includes an unincorporated body of such individuals "and a "corporate subscriber" is defined as a "subscriber who is not an individual, that is to say a limited company". What does all this mean?
Marketinglaw's view on this, and it is a view that was echoed by Mary Tait of the DTI at the recent DMA Data Protection Conference, is that marketers will not need to worry about either opt in or soft opt in if they are sending an unsolicited marketing e-mail to an individual at their office e-mail address and they are confident that the individual in question is an employee of a limited company who will be paying the relevant electronic communications services bill. In other words, with the exception of partnerships, there is a clear carve-out from opt in and soft opt in for B2B e-mail marketing, to which opt out will continue to apply;
for all unsolicited electronic mail to individual subscribers, whether sent in an opt in or "soft opt in" scenario, the identity of the sender, or the person on whose behalf the communication is made, must not be disguised or concealed (a rule dove-tailing with existing regulations requiring the identity of the sender to be clearly stated) and the recipient must be provided with a valid address to which the recipient may send a request for such communications to cease.
So what is the basic position under the new rules? Assuming we are dealing with electronic mail to individual subscribers which is unsolicited, then unless so called "soft opt in" applies, the regime will be that all such communications will be illegal unless the recipient "has previously notified the sender that he consents for the time being to such communications being sent by or at the instigation of, the sender for direct marketing purposes".
The DTI itself shorthands this situation as "prior consent or opt-in" and clearly the two principal requirements here are that the "previous notification of consent" involves some active step taken by the individual and secondly that the entity that sends the unsolicited electronic mail has to be either the recipient of the consent notification from the individual in the first place or acting "at the instigation" of the entity that receives that notification.
If this "prior consent/opt in" requirement cannot be met, then there is one other way in which an unsolicited electronic mail can be legal. This is the so-called "soft opt in".
Aside from the general "non-concealment/disguising" of the sender's identity and valid address requirements set out above, there are three basic rules for soft opt in.
The person sending the electronic mail or instigating its sending ("Sender") must have obtained the contact details of the recipient "in the course of the sale or negotiations for the sale of a product or service to that recipient". This is a helpful expansion of the words of the Directive, which refer to the email address being provided "in the context of a sale or purchase". In its commentary, the DTI expands on this still further and talks about a situation where someone has registered an interest in a product and allowed their e-mail address to be recorded for future marketing use with a right to opt out at any time. The DTI's view at present is that "the most important safe-guards here are that contact details are fairly collected and subscribers are clearly informed of, and given a chance to object to, use of their data for direct marketing by that same business. As long as these conditions are met and there is a direct relationship of some kind between the two parties, it does not seem necessary to insist that there must have been an actual purchase for this exemption to apply".
The direct marketing is in respect of the Sender's products or services only and the Sender has taken reasonable steps to ensure that the recipient is aware of the nature of those products and services.
This is something of a departure from the Directive, which talks about the Sender only being able to market products and services of the Sender which are "similar" to those being sold at the time the email address was first captured. The DTI's concern with this is that its meaning is not clear. It cites an example of a supermarket only being able to e-mail its on-line customers about special offers on baked beans if that is what they have bought before, instead of being able to direct market its whole range of food and other products or services.
The DTI's suggestion is that the "similar products and services" approach be ditched in favour of something closer to the existing regime under the 1998 Data Protection Act. This would restrict a business to direct marketing the kind of products the addressee would have reasonably expected it to market at the time they gave or agreed to use of their contact details. For instance a business could market the products available at the time that the consumer made the purchase or provided their contact details, but not necessarily those of a business that it took over, or a substantively new product range. "The key safeguard" here, the DTI commentary goes on, "is that addressees' contact details are fairly obtained in the first place – given that if in doubt, they have the right to opt out in any case (and businesses will have an incentive to monitor their own marketing practices in order to avoid this happening) it seems sensible to give a broader rather than a narrower interpretation to the "similar products" restriction". This is backed up by the requirement in the draft regulation that the Sender takes reasonable steps to inform the individual of the kind of products it deals in at the time that it captures the recipient's e-mail details in the first place.
The recipient has been given a simple, free means of refusing the use of the contact details for the purposes of such direct marketing at the time that the details were initially collected, and where he did not initially refuse the use of the details, at the time of each subsequent communication.
Why this matters:
Although it is still not clear how the new rules will apply to use of existing lists, an understanding now, rather than later, of the likely approach to be taken in the PECRs is clearly essential for marketers. This will ensure that the databases they are building now will give them the best possible launch pad for compliant marketing by electronic mail after Autumn 2003. Separately, is encouraging that rather than simply trotting out the wording of the EU directive, the DTI has in the draft regulations gone for an approach that is clearer and more consistent with the existing position under Data Protection Act 1998. We remain concerned, however, about the "clarification" that is offered as to what is not an unsolicited communication and we hope for greater clarity on this aspect in the final regulations as published.