A merry spam-free Christmas
It is getting less and less fun to do business using mobile phones and email! First of all, on 1 December, the Government introduced a new regime for the users of mobile telephones. Anyone caught using a mobile whilst driving a vehicle, without a hands-free set, faces an on-the-spot fine of £30 and/or prosecution. A two-month period of grace in England and Wales has not been replicated in Scotland – so much for the Christmas spirit! But there is also a new regime for desk-bound types, since much tighter rules have been introduced for the regulation of direct marketing by way of email and SMS text messages.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force on 11 December 2003. These implement EC Directive 2002/58/EC which is concerned with processing of personal data and the protection of privacy. The regulations also concern the use of cookies (small files left on a web user’s computer so that the website knows who the user is and which pages they visited, when next they come calling).
There has been some business and a lot of political pressure to do something about spam emails. According to MessageLabs, spam email now accounts for over 50% of all email communications. To give some idea of the growth, spam accounted for 3% of email less than 18 months ago. Various calculations have been bandied about but one of the more reliable suggests that a company employing 500 people could be losing £3,300 per month in productivity due to the time taken to deal with spam alone.
This is all the more surprising when one takes into account the UK’s implementation of the E-commerce Directive by means of the Electronic Commerce (EC Directive) Regulations 2002. These regulations already require that “unsolicited commercial communications must be clearly and unambiguously identified as such”. They require that unsolicited email communications must be capable of being identified as such without opening the message.
Who, when and how
The new regulations being introduced in December 2003 will affect:
- Who you can email
- When you can email them
- How you can email them.
In short, from 11 December 2003 it is, as explained below, a criminal offence for a UK company to send an email or an SMS text message to an individual unless:
- There is an existing customer relationship with the individual; or
- The individual has given their permission to receive the material.
Privacy campaigners were disappointed, and business mightily relieved, by the final wording of the 2003 Regulations. Companies are therefore still free to send unsolicited commercial email to each other.
Spam, spam, customers and spam
The DTI line is that the recipient has to agree in advance to being sent marketing emails, except where there is an existing customer relationship, in which case companies may continue to email or text for the purposes of marketing their own similar products on an “opt out” basis.
What is meant by an “existing customer relationship”? First of all, the company must have obtained the customer’s email address in the course of “sale or negotiations for the sale of a product or service to the recipient”. On the face of it this would appear to exclude the provision of data during a website registration process. However, somewhat controversially, the prevailing view of the DTI is that “existing customer relationship” is wide enough to cover pre-contractual communications.
Further, it will be noted that the permission to continue spamming existing customers is restricted to “similar products and services only”. Accordingly, as the UK Online For Business website puts it: “if the existing relationship is in reference to widgets you can continue to communicate on that subject, but you shouldn’t if you now wish to market holidays or another product that is not similar. So for example, buying a washing machine from an online retailer would permit the retailer to send you spam in relation to other white goods, but not in relation to insurance services.
Finally, the customer must always be given a straightforward method of suppressing the use of his personal data for the purposes of direct marketing, at the time the information is originally collected.
The Information Commissioner has issued guidance in relation to all of the above matters which is to be found at www.dataprotection.gov.uk
Existing mailing lists
According to the letter of the new Regulations, any existing mailing list that is a combination of business and personal email addresses – or which has not been checked to establish which is which – may place directors of the company at considerable risk, if a spam message is sent to an individual who has not consented or with whom there is no customer relationship. Offenders face a fine of £5,000 for every breach. The DTI was lobbied heavily during the consultation process on these regulations but they had no choice than to implement the clear wording of the Directive. The Information Commissioner and DTI have indicated that discretion will be applied, and it is understood that so long as companies can demonstrate they adhered to the principles of the Data Protection Act 1998 when they collected data prior to the coming into force of these regulations liability is likely to be avoided.
Cookies crumbled
Regulation 6 requires greater transparency in relation to cookies, bugs, and other forms of spyware. Cookies are now banned unless web consumers are told unequivocally that they are going to be used and are given the chance to refuse their use. Unhelpfully the regulations do not bother to explain how this might be done. It is understood that the DTI will issue further guidance. There is a limited exception for cookies that are only used to enable transmission of content, but most businesses will want to review their procedure for cookies generally.
The bits that bite
Regulation 30 creates a new civil right to damages with the claim lying against a person who contravenes any requirement in the regulations. Bear in mind that only a few of the requirements have been mentioned in this article. Reasonable care will be a defence.
Regulation 31 effectively bolts on the enforcement regime of the Data Protection Act 1998 to the new Regulations. The Information Commissioner can also serve an enforcement notice. Failure to comply with the notice will result in conviction and a fine not exceeding £5,000 – and there is the possibility of an unlimited fine.
Finally – will any of the worst overseas spammers care about the above?
Humbug!
In this issue
- Staying awake, actually
- Keep sane, if not sober
- Obituary – Sheriff Frank Middleton
- Money matters
- Clear and present danger
- For love or money
- Setting off abroad
- Legacy giving
- Marking out the pitch
- A merry spam-free Christmas
- Opening up the bench
- Victims find a voice
- Round the houses
- Allowing sexual questioning
- Scottish Solicitors’ Discipline Tribunal
- Discrimination: widening the net
- New rights for farm tenants
- Protection sans frontieres
- Football’s financial red card
- Website reviews
- Book reviews
- Asbestos safety
- Housing Improvement Task Force
- SDLT: registration requirements
Additional
