Europe’s information commissioners have produced an “Opinion” on the interpretation of new digital marketing regulations. Enlightenment or more confusion?
Topic: Digital marketing
Who: The “Article 29 Data Protection Working Party”
Where: Brussels
When: February 2004
What happened:
The national Data Protection Commissioners of the member states of the EU, meeting as a super group called the “Article 29 Working Party,” have published an “Opinion” on the proper interpretation and application of a particular part of the recent EU Directive on privacy and electronic communications.
The specific provision on which the opinion focuses is the one dealing with direct marketing by e-mail or SMS, Article 13.
The “Article 29 Data Protection Working Party” is a standing advisory body on data protection and privacy issues in Europe. Given that the UK has only just recently implemented the relevant directive (by way of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which came into force on the 11 December 2003), and the marketing industry is still wrestling with understanding and implementing the new regulations, it was to be hoped that this new “Opinion” would shed further light.
In various respects, the Opinion does do exactly that. It also attempts to strike a blow for further harmony across the EU, noting that up until now, various parts of Article 13 have been subject to “differences of interpretation.”
Messages left on answering machines
The Opinion reminds us that in view of the wide definition of “electronic mail” in the Directive, any messages by electronic communications, where simultaneous participation of the sender and the recipient is not required, are covered. This therefore includes newsletters sent by e-mail as well as messages left on answering machines.
Consent
On the question of consent, for instance where prior consent is required before unsolicited direct marketing e-mails can be sent to “individual subscribers” who are not existing customers, the Opinion offers further clarification.
Such prior consent (or “opt-in”) must be “legitimate, explicit, and specific”, it offers.
Accordingly, such consent could not be obtained by way of the “general acceptance” of terms and conditions governing registration on a website for example. In other words, according to the Opinion, whatever else the punter is being asked to agree to, there must be a separate box which they have the option of ticking, which relates solely to the issue of whether they would like to receive future unsolicited direct marketing e-mails.
Otherwise, the consent would be only “implied” and such a species of consent is not compatible with the Directive’s requirements. Similarly, pre-ticked boxes are not acceptable in this context.
Third Parties
In the vexed area of the passing of e-mail addresses to third parties, the Opinion confirms the position currently taken in this area by the UK’s own “Office of the Information Commissioner” (“OIC”). The disclosures provided to the data subject at the point when the e-mail address is captured must indicate the goods and services or categories of goods and services for which those third parties will be sending marketing e-mails.
Code fix recommended
To help further understanding of how the appropriate consent can be obtained, the Working Party announces that it will be inviting industry, via bodies such as Fedma, to incorporate into their codes of conduct and promote specific methods to collect consent in accordance with the relevant legal requirements.
The codes should also deal with “practical elements” such as specific indications in headers so that e-mails can be identified easily by users and filters. Here it should be noted that so far as the UK is concerned, the only specific legal requirement in this area is contained within the E-Commerce Regulations 2002. These require that if an e-mail is solicited, then its marketing nature must be identified in the body of the message and if the message is unsolicited, its marketing nature must be apparent immediately the message is received, without having to open it.
Lists of e-mail addresses
The Opinion deals also with legacy lists. There is no saving or transitional provision in the Directive for existing e-mail lists and accordingly the opinion underlines that strictly, until a list has been adapted to the new opt-in requirements it cannot be used under the new regime. This means that selling such incompatible lists to third parties is also not legal and that companies wishing to buy lists of e-mail addresses should be cautious that they are in accordance with the relevant requirements.
Here the Opinion goes rather beyond the current position of the UK’s own OIC. This has said that despite the strict position under the UK regulations, the OIC is prepared to take a relaxed view of the continuing use of legacy lists by those who have compiled them, so long as opt-out requests are honoured and the list was compiled in a manner compliant with the law that applied at the time of its compilation. The list must also have been used relatively recently in the view of the OIC, which means within the last year.
Opt-out opportunity
Here the Opinion underlines that it should be possible to opt-out of receiving further direct marketing e-mail or SMS using the same communication services e.g. by sending an SMS to opt-out of an SMS-based marketing list.
E-mail harvesting
The automatic collection of personal data on public internet places, for example the web, chat rooms etc is unlawful under the general Data Protection Directive (95/46/EC). This is because it constitutes unfair processing of personal data, the Opinion says, and this is also the case when automatic collection is performed by software.
E-mails to legal persons
The Opinion also looks at unsolicited direct marketing e-mail or SMS sent to legal persons (for example companies) as opposed to individuals.
Here, the Directive allows member states to choose either opt-in or opt-out.
As of late 2003, more than half of EU member states had chosen “opt-in” (the UK has gone for opt-out) but the Opinion comments that it is sometimes not easy to distinguish between e-mails sent to natural and to legal persons.
It recommends that “practical rules should be developed” to aid that distinguishing process. In the meantime the Opinion raises three issues:-
1. the practical rules should take account of the cross border effects. In other words what rules should be applied to a direct marketing e-mail sent from the UK (opt-out) to a corporate subscriber in Italy (opt-in);
2. how can a sender determine whether a recipient is a natural or a legal person from looking at the e-mail address. Natural persons for example may use e-mail addresses with pseudonyms or generic terms and purely because they do this, they should not be deprived of the legal protection that they are entitled to under the Directive;
3. Another issue relates to persons who have not directly subscribed to electronic communications services at all. This can be the case for the members of a family or for employees working for a given company, whose e-mail address consists of their personal name followed by the @ sign and then the name of the company and for instance “.com” or “.co.uk”.
Here the Opinion reminds us that even though the recipients may not be “subscribers” and therefore may not be caught by the Privacy and Electronic Communications Directive at all, existing data protection laws in the basic EU Directive 95/46/EC (contained in the UK equivalent which is the 1998 Data Protection Act) still apply to such communications, meaning for instance that those individuals have the right to opt-out of receiving further such messages.
Soft opt-in and “similar” products and services
Another section focuses on the “soft opt-in” route to legality for direct marketing e-mails. This is where the e-mail is unsolicited, but the e-mail address was obtained in the context of the sale or negotiations for the sale of a product or service and an indication given at that time that future unsolicited direct marketing e-mails would be sent.
Here the Opinion reminds us that any subsequent e-mail has to be sent by the same natural or legal person that collected the e-mail address in the first place and was selling or negotiating to sell its products at that time. This means that subsidiaries or mother companies of the original selling company cannot send such messages.
So far as the concept of “similar products and services” is concerned, the Opinion accepts that “this is not easy to apply in practice”. But the Working Party offers some help here (which is consistent with the position currently taken by the UK’s own OIC). This is that similarity may best be judged from the objective perspective, in other words the “reasonable expectations” of the recipient, and this is preferable to judging it from the perspective of the sender.
Why this matters:
This Opinion has been interpreted by some, including the UK’s Direct Marketing Association, as putting forward a position which is much stricter than the current UK regulations implementing the Directive on a number of points.
It is suggested for example that the Opinion requires opt-in consent to be obtained before direct marketing e-mails are sent to employees and their company e-mail addresses. This is not the way we understand the Opinion, but whatever the correct interpretation of the document, it nevertheless provides some useful additional insights into the interpretation of the Directive and of our own UK Regulations, in addition to those already offered by way of guidance from the OIC.
