Arguments rage over the legality and morality of opting in or out of unsolicited commercial e-mail, but what is opt-in and what, for that matter, is unsolicited commercial e-mail?
Topic: E-mail marketing
Who: Network Advertising Initiative, Interactive Advertising Bureau, DMA
Where: UK/USA
When: May 2001
What happened:
As EU legislators ponder a Directive which could impose a blanket "opt-in" regime across all 15 EU member states for unsolicited commercial e-mail (thus extending opt-in beyond the five member states that currently criminalise unrequested commercial e-mail), the moral/commercial/legal "opt-in/opt-out" debate rages. The Direct Marketing Association pushes opt-out, the Interactive Advertising Bureau favours opt-in, while there are no current signs that the UK government is considering moving from the "opt-out" position it took up at the time of implementing the Distance Selling Directive. In the US, seven companies including Engage, DoubleClick and 24/7 have formed an industry group called Network Advertising Initiative and pledged to offer all US consumers the opportunity to opt out of receiving their advertising on-line.
But much of the argument and discussion is built on sand. Why? Because views differ as to the meaning of key terminology such as "unsolicited commercial e-mail", "opt-in," "opt-out" and probably the most abused phrase of all: "permission marketing." Not helpful either is the lack of any legally accepted definitions of these terms. This forces advisers and marketers to divine as best they can the meaning of the legal terminology that does apply and how to apply it to practical situations.
A good example is the need under the UK’s Data Protection Act 1998 (and in most other EU states) for "explicit consent" before "sensitive personal data" (data about a person’s sex life, religious or political beliefs, health etc) can be processed. We know this means the person must say "Could you please process my data and [for example] send me information about your products." In an on-line context, however, how does this work? The general wisdom is that the prudent data controller should ensure it has hard evidence of positive prior consent. Failure to tick an opt-out box will certainly not be enough. Acceptable will be the individual actively ticking an opt-in box, provided full information is readily available at that point as to the future uses the data controller will make of the information. But what about the data controller "pre-ticking" the opt-in box? Will giving the individual the opportunity to un-tick the box meet the explicit consent requirement? The writer’s feeling is "no", as this is passive, inactive, not 'explicit' consent.
How about lumping the "opt-in" process with other aspects of the transaction? For instance, "Tick this box if you would like to order this product and agree to our standard terms". This links through to the standard terms, which include at paragraph 9 "By ordering any of our products you agree to your data being used for all the purposes set out in our Privacy Policy". The writer’s answer here is that again this would probably not qualify as 'explicit' consent.
Separately, can e-mail be "unsolicited" if the recipient is on my customer database? "Possibly" is the answer. The critical point is the time of data capture and what the customer was told or would have reasonably assumed at that time about how his/her data might be used.
Why this matters:
No sensible debate can happen on these fundamental issues until there is wider agreement on what crucial terms mean. As reported elsewhere in the June Updates, the Wireless Advertising Association has made a first stab at some definitions and for this they should be applauded.