At last the DTI has published the final version of the UK regulations implementing the EU Directive on Privacy and Electronic Communications and set the date when they will be in force. For more on these key new rules affecting all UK digital marketers
Topic: Digital marketing
Who: The DTI
When: 18 September 2003
For half a year the DTI has been consulting stakeholders on proposed regulations to give the EU Privacy and Electronic Communications Directive the force of law in the UK.
As previously reported on marketinglaw.co.uk, this Directive is the biggest stride yet towards harmonising EU rules affecting digital and non-digital marketing. It contains measures impacting on an unprecedented array of marketing activities and techniques. These include the use for marketing purposes of cookies, data showing where a mobile phone is located, reverse search telephone directories, directories of mobile phone and fax numbers, e-mail, sms/text, fax, automated calling systems and telephone calls to businesses.
The Directive required EU member states to transpose the Directive into their local laws by 31 October 2003. The UK has been consulting on draft regulations since March 2003, and the original plan was to publish the final version of these in August 2003 and have them in force by Halloween.
Since March, however, there have been delays and it was only on 18 September that the final UK rules, The Privacy and Electronic Communications (EC Directive) Regulations 2003, were laid before Parliament and published, with an “in force” date of Thursday 11 December 2003. The regulations can be accessed at here.
So UK marketers now have just short of three months to get their houses in order and ensure that they are operating within the new rules. The Government is by all accounts likely to issue detailed Guidelines on the Regulations in November 2003, but responsible marketers will be wanting some clarity on the position before then. So what are the new rules, and how does the final version differ from the draft?
In this piece we will focus on the provisions of the Regulations dealing with commercial email and sms. In the next three monthly updates on www.marketinglaw.co.uk we will focus on other provisions of the Regulations, analyse their effect and assess their impact.
E-mail and SMS/text marketing
In its response to the March consultation, the DTI reports widespread support from those it consulted for the introduction of general opt-in for email and sms/text marketing. Many saw a move to permission-based marketing in these channels as inevitable given the growing global problem of spam.
On the “existing customer” exemption from opt-in (so-called “soft opt-in” although it’s actually qualified opt-out!) most supported the DTI’s broad interpretation of the exemption in the draft Regulations.
The Directive applied this exemption to messages to individuals whose email addresses had been obtained “in the context of the sale of a product or service.” In the draft Regulations published in March 2003, the DTI broadened this out to email addresses collected “in the course of the sale or negotiations for the sale of a product or service.”
The DTI also softened the Directive when it came to the type of messages that could be sent to these “existing customers”.
The Directive refers to the “direct marketing of its own similar products or services” [ie “similar” to the products or services being bought at the time of the email address first being captured]. The DTI’s draft Regulations referred to direct marketing of products or services which the sender has taken reasonable steps to ensure the recipient is aware of.
Soft opt-in data capture circumstances kept broad, but watch out for the CAP Code!
All seemed set fair then for a marketing-friendly UK spin on the Directive, but UK marketers’ hopes have now been half-dashed.
Final Regulation 22 (3) certainly retains the wider definition of the circumstances in which e-mail addresses can be captured for soft opt-in to apply. These are described as “in the course of the sale or negotiations for the sale of a product or service”. The DTI says in its March 2003 consultation document that it regards this as extending to a situation where “someone has registered an interest in a product and allowed their email address to be recorded for future marketing use”.
This augured well, although it should be remembered that as indicated below under “The CAP Code factor”, the DTI’s business-friendly approach here is currently rendered completely academic by the CAP Code. This is because, in the same context, the CAP Code says that, unless they have previously opted in, digital messages can only be sent to “existing customers” not “actual or prospective customers”. See below for more on this.
What can be promoted is narrower than in draft Regs
When it comes to the subject matter of future emails, however, the final Regulations now revert to the wording of the Directive. In other words for soft opt-in to apply, the future email/sms messages must relate to the products or services of the company which originally captured the email address, and these must be “similar” to what the recipient was buying or negotiating to buy when he or she first provided their email address.
Opting out “without charge”
Another change between the draft and final Regulations relates to the opt-out opportunity that must be provided, both when the email address is first supplied and also whenever future emails/sms are sent.
Previously this had to be a “simple means, without charge, of refusing” the use of the email address or mobile phone number for future direct marketing. Now more clarification is given on the “without charge” aspect.
The relevant wording in the final Regulations now reads “a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use ….”
So an opt out by email or text will be regarded as “without charge” even though actually sending the opt-out message will involve a telecoms cost.
Unsubscribe and sender identity rules apply more widely
Another change between the draft and final Regulations is in parts imposing general rules for direct marketing email/sms
The general rules are requirements that the identity of the person on whose behalf the communication has been sent must not be disguised or concealed, and senders must always provide a valid address to which the recipient can send an unsubscribe request.
In the draft, these applied only to unsolicited email/sms sent for direct marketing purposes to individual subscribers (defined as living individuals or unincorporated bodies of individuals (eg partnerships) which are parties to contracts with providers of public, electronic telecommunications services for the supply of such services) .
In the final version these general rules apply to all direct marketing email/sms, whether or not it is unsolicited, and whether or not it is sent to individual subscribers. In other words, from 11 December 2003, a valid unsubscribe address and absolute clarity about on whose behalf the message is sent will be essential for all direct marketing by email or sms in the UK, whether it is B2C or B2B.
Corporate subscriber carve-out
In the draft Regulations, the opt-in and soft opt-in rule does not apply to emails sent to corporate subscribers.
In its response to the consultation, the DTI reports unease that the distinction between corporate and individual subscribers might not always be clear-cut. However, “given the limited scope for manoeuvre allowed by the Directive” and strong concerns that universal opt-in would be harmful for B2B selling, the Government decided to stick with the relevant provisions.
So applying the definitions in the final Regulations, come 11 December 2003, unsolicited direct marketing email/sms can continue to be legally sent on an opt-out basis to “corporate subscribers.”
Four corporate carve-out caveats
But that’s not the end of the story here, and we can’t leave this section without focusing on four key aspects.
B2B digital marketing on probation
First, the Government says ominously that it is prepared to review the decision it has taken here “in the light of working experience of the new rules.” So the message is that digital unsolicited B2B marketing is on probation and the exception in its current form could disappear if it is abused.
On our reading of the definitions, it is who pays the relevant telecoms service bill (ie the subscriber who pays the bill for the telecoms service at the receiving end) that is key, not whether the email address is that of an individual. Otherwise the opt-in rule would have been stated to apply to messages sent to “individuals” as opposed to “individual subscribers.”
So marketinglaw’s view is that whether the address is info@ or john.smith @ does not matter. If it is @bloggsltd.com at the end of the address, then the legal exception to opt in applies.
Companies and partnerships
Our third key parting shot here relates to the definitions of individual and corporate subscribers. The effect of this is that the “B2B” direct marketing exception to opt-in will not apply to unsolicited email or sms sent to screens where a partnership or sole trader is the subscriber. So as, for example, Osborne Clarke is a partnership, not a limited company, to be legal, unsolicited direct marketing emails to Stephen.email@example.com can only be sent on an opt-in or soft opt-in basis.
The CAP Code factor
Lastly, eagle-eyed readers may have spotted that above we have stressed that under the new Regulations, unsolicited direct marketing email can be sent legally to “corporate subscribers” on an opt-out basis.
Why have we emphasised that this is the legal position?
This is because the situation is different under the CAP Code of Advertising, Sales Promotion and Direct Marketing, the self regulatory Code that all UK marketers must comply with or face the wrath of the Advertising Standards Authority.
It’s been this way since the new edition of the Code was published in March 2003. The crucial new provision is at para 43.4. This states that
“the explicit consent of consumers is required before….. marketing by email or sms text transmission, save that marketers may market their similar products to their existing customers without explicit consent so long as an opportunity to object to further such marketing is given on each occasion.”
Readers might think that this leaves the corporate subscriber exception alive by referring to “consumers”. Sorry, nothing doing. The Code defines “consumer” as “anyone who is likely to see a given marketing communication, whether in the course of a business or not.” [our italics]
So what this means is that unsolicited direct marketing by email or sms may be legal if it is sent to individuals at their corporate email address, but it will still not be permitted in the UK, thanks to the CAP Code.
Satisfactory state of affairs? Hardly, and marketinglaw believes that now the Regulations are in final form and we have nearly three months before they have the force of law, the Committee of Advertising Practice should take this opportunity to make suitable changes to the Code.
Throughout the above analysis we have made it clear that the new Regulations apply to “direct marketing” email or sms.
So if a message sent by email is not for direct marketing purposes at all, then all this aggravation can be avoided? Quite so, and since this is so crucial, is there a helpful definition of “direct marketing” in the Regulations? Er…no.
Is there any other legally recognised definition of “direct marketing” that might help?
Well there is the Data Protection Act 1998. This defines direct marketing for the purposes of conferring the right on individuals to require businesses not to use their data for direct marketing. The definition is “any advertising or marketing material which is directed to individuals.” Hmm. This is not terribly enlightening, although the UK data privacy watchdog, the Information Commission, has commented
“The Commission regards the term “direct marketing” as covering a wide range of activities which will apply not just to the offer for sale of goods or services, but also the promotion of an organisation’s aims and ideals. This would include a charity or political party making an appeal for funds or support and, for example, an organisation whose campaign is designed to encourage individuals to write to their MP on a particular matter or to attend a public meeting or rally.”
There is also the CAP Code, which contains helpful lists of what it does and does not regard as a marketing communication. But will this be regarded as definitive by the Information Commission or by a court applying the new Regulations? Only time will tell, and in the meantime senders of commercial emails or sms looking at this exception will need to take advice in each case.
Another crucial aspect of the new Regulations is that if the communication is solicited, neither opt in nor soft opt in apply, and legally, marketers can carry on sending marketing emails/sms until the recipient opts out.
So do we have a helpful definition of “unsolicited” or “solicited” in the Regulations? Funnily enough, in the draft, some help was offered. Proposed Regulation 21 (6) stated:-
“For the purposes of this Regulation, a communication shall not be treated as an unsolicited communication if the recipient has notified the sender that he does not object to communications being sent, or at the instigation of, the sender for direct marketing purposes.”
This looked encouraging. It certainly seemed much more industry-friendly than the only other relevant UK statutory definition marketinglaw has been able to find. This is in regulations introduced under the Financial Services and Markets Act 2000 defining a “solicited” communication. These narrowly define such communications as either “initiated by the recipient” or “made in response to an express request from the recipient.”
Legacy database angle
Other industry pundits also saw 21(6) as a get-out for legacy databases. This was in the absence of anything else in the draft Regulations that suggested existing databases could carry on being used for digital marketing after the new law came into force.
Unfortunately, all this optimism was blown away by the final Regulations. Regulation 21 (6) had gone and there was nothing remotely similar in its place.
And pouring salt on the wound for legacy list users, the Response to the Consultation confirmed that the draft Regulations contained no transitional saving for existing lists. It also stated, in terms, that the idea of having any special saving for legacy databases had been considered and rejected. This was partly because of fears that such a transitional exemption could be abused by marketers.
So far as the meaning of “unsolicited” is concerned, we are back to square one, and marketers looking to ensure their messages are “solicited” and escape opt-in will need to take advice.
The “instigation” angle
The opt in and soft opt in rules apply to transmitting or sending (confusingly both expressions are used) emails or sms in the relevant circumstances or “instigating” that transmitting or sending.
This seems to cater for situations where list owners arrange for any third party to send the communications on their behalf. But at what point does the transmitting cease to be “instigated” by the list owner and become sent by the third party entirely as a venture of its own, so that the list owner can have no liability? Unfortunately the final Regulations contain no definition of “instigation,” so again marketers will have to take advice if they believe this issue could be crucial to contemplated activity. This may also have an impact on contractual provisions dealing with processing of data for marketing purposes.
How are the new rules to be enforced?
The draft Regulations continued to give the Information Commission the right to take action against transgressors either in response to a complaint or on its own initiative.
The Response to the Consultation reports many expressing concern (with considerable justification) that current enforcement sanctions and processes were slow and laborious and were therefore being exploited by repeat offenders. Others suggested a power to force service providers such as ISPs and telephone operators to disclose the source of emails or calls suspected of breaking the rules on unsolicited direct marketing. On the other hand there was a concern as to how this could be done in a way that did not expose the discloser to liability under the Data Protection Act 1998.
At the end of the day, the Government’s response to all this has been to make no decision on any possible changes without further consultations with stakeholders. In the meantime the enforcement provisions of the final Regulations stay the same as they were at the time of the draft. In other words, the Information Commission will be the enforcement body of first resort, using the powers and mechanisms under the 1998 Data Protection Act.
Right to sue for damages
In addition, individuals who suffer damage by reason of any contravention of the rules will be able to bring proceedings for compensation, and defendants to such proceedings will be able to avoid liability on the basis that they had taken such care as in all the circumstances was reasonably required to comply with the relevant requirement.
Also there are the powers Oftel already has under the Communications Act 2003. Under these, Oftel (and after December 2003 Ofcom in its place) can take action and levy fines of up to £5000 for persistent misuse of telecommunications networks.
Finally, as already mentioned, given the stricter regime for commercial email and sms under the CAP Code, the Advertising Standards Authority may find that its digital marketing caseload increases substantially as public awareness of the tighter regulatory landscape grows.
Why this matters
Inevitably, as the source of so much spam is outside the EU, these new rules are not going to make the problem go away overnight. In addition, given the Government’s refusal to contemplate any immediate step change in the enforcement landscape, even those who transgress the new rules that are within its jurisdiction are unlikely to face instant and punitive policing action.
On the other hand, responsible digital marketers will want to take this chance to stave off even more draconian legislation and/or the imposition of “sledgehammer” technological solutions that don’t discriminate.
They will want to ensure that their activities are compliant come 11 December and the next few weeks give them an excellent opportunity to get their houses in order. At the same time, a thorough compliance audit to ensure conformity with other legislation impacting on email and sms marketers, such as E commerce and Distance Selling Regulations and data protection legislation generally, would be a sure-fire way, going forward, of maximising the value of contact and customer databases, and of the businesses that use them.