Toothless against spam?

Despite the legislative efforts of the likes of the European Union and the United States, spam (or unsolicited commercial email) is very much part of our electronic everyday life.

Prior to the introduction of the UK Privacy and Electronic Communications (EC Directive) Regulations in December 2003, many surveys in the UK showed that marketing companies were either blissfully unaware of the new regulations or were undeterred from continuing in their use of email for marketing. With headline-grabbing statements such as “95% of email is junk” (BBC news online, 27 July 2006), we are now in a situation some four years later where little has improved, with the exception of the ever necessary anti-spam software and firewalls. Indeed this electronic calamity is mirrored worldwide: the situation in the USA is no better, with most email marketing failing to be compliant with the federal CAN-SPAM Act 2003 (as reported on www. marketingtoday.com/emarketing).

Hence the reason why, against this backdrop of apparent hopelessness, the recent case of Gordon Dick raises interest amongst (some) lawyers and those in the marketing and advertising world. In what is thought to be only the second case of its kind in the UK (and the first time a court has awarded damages), a British company was ordered to pay a total of £1,386.66 in damages and costs plus interest, after sending two junk email, or spam, messages to one man’s private email account.

Biting back

Transcom Internet Services (“Transcom”) sent the offending emails to Gordon Dick’s personal account in February 2006. Mr Dick decided to write to Transcom and made enquiries on a number of counts including asking Transcom, by sending him the emails, on what basis they had not breached the Data Protection Act 1998 (“DPA”) and the Privacy and Electronic Communications Regulations, and asked them to remove any personal data they held about him. It would appear that Transcom’s responses to such enquiries were not satisfactory, and Mr Dick proceeded to raise a small claim action in the sheriff court against Transcom for the sending of unsolicited commercial email in breach of the DPA and the Privacy and Electronic Communications Regulations. Whilst Transcom deny sending spam, decree was granted in Mr Dick’s favour after Transcom did not turn up at the January hearing.

Following the success of his action, Mr Dick has now set up his own website, www.scotchspam.org.uk, to provide advice to others in their pursuit of the senders of unsolicited email, and to “make the spammers pay for their actions”, as it is put on his home page. His site contains a full and detailed account of his own case with Transcom and provides the reader with useful information about data protection and the regulations generally. Along with this the site provides template letters to get the reader on their way should they want to pursue the matter further. I suspect that Mr Dick expects more traffic on his website as others take on board his comments.

The limits of legislation

But we have to ask why it has taken four years for the rules governing the sending of commercial junk email to individuals finally to bear fruit in the UK courts? At the time the regulations were introduced, they were viewed as lacking sufficient bite; worse still the UK Information Commissioner, the regulations’ enforcer, said that the permitted fine was not big enough to deter dedicated spammers.

The biggest issue facing the application of the regulations (and therefore their effectiveness) is the fact that they fall considerably short of what is required. They have no worldwide scope (and of course never could). If marketers wish to send emails to different EU member states, they must comply with each country’s legislation, but with the majority of spam today coming from the USA, China and Russia (the UK is only the tenth biggest source of junk emails worldwide), the regulations are powerless to assist.

The astonishing growth in the number of junk emails has stimulated calls for harsher penalties for offenders, and perhaps we are starting to see a trickle of movement abroad on this front. Heavy fines have had a massive deterrent effect in Australia, resulting in the practical eradication of Australian junk emails (BBC news online, 21 April 2005). In 2006 an Australian firm and its director were fined a total of £2.2 million for sending over 230 million spam emails over a two year period in contravention of Australia’s Spam Act 2003. With fines of up to $200,000 (AUS) a day for the sending of junk emails, this certainly makes the UK’s maximum fine of £5,000 seem like a drop in the ocean.

Unwelcome publicity?

Whilst the Transcom case clearly demonstrates the Scottish courts’ willingness to find against spammers, one has to wonder if the level of the award serves as any real deterrent or whether, as with breaches of data protection legislation, it is the adverse publicity which is more feared than anything else. The Gordon Dick case has certainly served as a gentle reminder of this, given that the level of discussion about the case well outstrips the award by the Scottish courts. 

Perhaps only when we see hefty worldwide financial and criminal penalties enshrined in law will we see any improvement in this area. Until then we will all have to continue to rely on ever more sophisticated technological fixes such as anti-spam software and firewalls, and take the risk of genuine emails being accidentally filtered out. The greatest deterrent however is probably the adverse publicity of findings against UK companies.

So how can your clients avoid any adverse publicity – what are the essential dos and don’ts?

Opt-in or opt-out

Provide the recipient with a (free) way of refusing future communications (i.e. tell the recipient where they can write so they can opt out), and never conceal your identity.

When sending unsolicited emails to individuals the recipient should previously have consented to receiving such communications – this is known as the “opt-in”

This “opt-in” rule can be overcome where:

• the sender has obtained an individual’s contact details through the course of a sale or negotiation of a product or service;
• the unsolicited marketing emails relate to the promotion of a similar product or service; and
• the individual has been given the opportunity to refuse the use of their email address for marketing purposes. If the individual did not refuse initially, each subsequent email must also give the recipient the opportunity to refuse future marketing emails (at no extra charge).

The crucial aspect of the regulations, for email marketers, is that where the “opt-in” rule exception does not apply, the recipient must have given his or her prior consent to receiving the email.

Prior consent can take many forms and may include a subscription, or ticking a box. The regulations do not state that the only method of consent is by ticking a box: this is merely an “appropriate method”.

So-called “opt-out” boxes are something of a grey area and are a very confusing element of the regulations. According to the Information Commissioner, opt-out boxes are not likely to indicate consent unless their context requires otherwise – a position that is not helpful to those seeking to use email marketing as one of their tools. However, provided you include a consent statement within your data protection notice or “fair processing” statement accompanying your opt-out box, this is likely to be regulations-compliant. So, for example, where the “opt-out” box is accompanied by a clear explanation, this may be taken as an indication of an individual’s consent.

The Information Commissioner’s Office “Guidance for marketers on the Privacy and Electronic Communications (EC Directive) Regulations 2003” suggests: “By submitting this registration form, you will be indicating your consent to receiving email marketing messages from us unless you have indicated an objection to receiving such messages by ticking the above box.” This may, of course, reduce its effectiveness for the marketer – but equally an opt-out box tucked away in small print at the foot of a page in French will probably mean the recipient has not consented to receiving future marketing emails!

Happy e-marketing.

Valerie Surgenor is an associate with MacRoberts, Glasgow