Can the spam

Technology lawyer John Halton looks at staying within the law while marketing by email.

 'Have you got anything without SPAM?'

'Well, there’s SPAM egg sausage and SPAM, that’s not got much SPAM in it.'  Monty Python’s SPAM sketch. 

At times there seems little escape from the ever-increasing levels of what the marketing industry likes to call 'unsolicited marketing emails', but which most of the rest of us know simply as spam.  

Not even Bill Gates can escape - the Microsoft boss is reported to receive an average of 4 million emails a day, the vast majority of which are spam.

An office of 12 people deals with these emails, weeding out the spam, hate mail and begging letters to select those privileged messages that will finally make it into Gates' personal inbox - around 12 of the original 4 million. 

A number of weapons have been developed to combat spam, including filtering systems and blacklists. Lawmakers have also contributed to the fight, with legislation such as the US's CAN-SPAM Act in 2003, and the European Union's Directive on Privacy and Electronic Communications in 2002. 

The UK implemented the Privacy Directive in 2003, with the Privacy and Electronic Communications Regulations (the 'Regulations').

The Regulations cover a number of issues, including the use of cookies, and direct marketing by telephone and fax, but this article focuses on the provisions relating to unsolicited marketing emails. 

What does the law say? 

The Regulations prohibit the 'the transmission of unsolicited communications by means of electronic mail to individual subscribers', unless the recipient is an existing customer of the sender (see below).

Note that the definition of 'electronic mail' is broad and includes mobile phone text messages as well as conventional email. 

1. 'Individual subscriber' 

Rather than distinguishing between different types of marketing (for example, allowing business to business marketing but prohibiting business to consumer marketing, as is the position for marketing by fax), the Regulations focus on the subscriber to the account.

An individual's personal email address will clearly be covered by this definition. However, for business email addresses the situation is more complex: a sole trader will constitute an 'individual subscriber', as will a (conventional) partnership.

However, a limited company or limited liability partnership will not be 'individual subscribers', as each is a corporate entity. 

This leads to some apparent contradictions. If Jane works for AN Company Limited then a marketing email sent to jane@ancompany.co.uk2 will not be covered by the regulations, even if it relates to personal consumer goods or services rather than being business to business.

On the other hand, the same email sent to Sarah, an employee of the partnership Wilkes Booth, will be covered by the regulations, even if it is sent for business rather than consumer purposes. 

2. Existing customers 

An important exception to the general prohibition on sending unsolicited marketing emails is the exception for existing customers.

This applies in relation to individuals who have previously purchased goods or services from a seller, or who have at least been in negotiations with the seller for goods or services. (Negotiations here include asking for a quote or making a specific enquiry for goods or services, but not merely general queries such as 'What are your shipping charges?') 

Where an individual gives their contact details to a seller in the course of buying (or negotiating to buy) goods or services, then the seller can send that individual marketing emails that relate exclusively to similar goods or services to those that the individual bought (or negotiated for) previously.

However, the seller must provide a simple means of opting out of receiving future marketing emails, such as an 'unsubscribe' link or reply option. 

3. Content of marketing emails 

The Regulations prohibit the sending of marketing emails where the sender's identity has been concealed, or which lack a return address to which recipients can send opt-out requests.  

Other regulations impose additional requirements where marketing emails are sent to consumers.

The email must be immediately recognizable as an unsolicited commercial communication (i.e. from the subject heading, so that it can be deleted without having to be opened).

It must also clearly identify the sender, and the terms of any promotional offers contained in the message. 

4. Enforcement 

One of the most controversial aspects of the Regulations is their alleged toothlessness. Despite media coverage announcing £5,000 fines for spammers, there is no immediate penalty for breaching the Regulations.

A sender of unsolicited marketing emails will only be subjected to a fine if they continue to do so after receiving an enforcement notice from the Information Commissioner requiring them to cease sending such emails. And in any event, the vast majority of spam continues to be sent from jurisdictions outside Europe, where these regulations do not apply.

Privacy commissioners from across the world, including the UK's information commissioner, called for a UN-backed international privacy system in the September 2005 Montreux Declaration, but it remains to be seen whether an international privacy treaty will become a reality in the foreseeable future. 

What does this mean in practice? 

So where does this leave a UK business that wishes to send marketing emails? 

First, the easiest way to comply with the Regulations is to send marketing emails only to those who have consented to receive them, for example by ticking an 'opt-in' box as part of the registration or ordering process on your website. 

Second, for existing customers (or those who have negotiated with you in the past, for example by asking for a quotation) you can send marketing emails relating to goods or services of a similar nature to those earlier goods or services.

However, you must provide a simple means for people to opt out (which is good practice in any event, even where people have previously consented). 

Finally, if you wish to send marketing emails to those who have neither consented nor fall within the existing customer exemption, care will need to be taken if you wish to stay within the terms of the Regulations - in particular, to ensure that you send emails only to addresses that belong to corporate subscribers rather than individuals or partnerships. And even if you are within the letter of the Regulations, mass-mailing of unsolicited emails may still result in sanctions from your ISP or from an anti-spam blacklist such as Spamhaus. 

Conclusion 

As we have seen, the Regulations have attracted their fair share of criticism. Arguably they make life harder for reputable businesses to send legitimate marketing messages to their customers, while doing little or nothing to penalize those who genuinely abuse the email system by the mass-mailing of unwanted, unloved spam. 

But on the other hand, the Regulations are not as restrictive as they may at first appear. The existing customer provisions mean they fall some way short of the 100 per cent opt-in for which many EU member states were pushing.

It is likely that in most cases you will be able to send appropriate emails to the people you most want to keep in contact with, such as existing customers and serious prospects. 

John Halton is a technology lawyer with Cripps Harries Hall LLP. 

in a nutshell 

  • The Regulations prohibit the 'the transmission of unsolicited communications by means of electronic mail to individual subscribers', unless the recipient is an existing customer of the sender. 
  • The Regulations focus on the subscriber to the email account. 
  • An important exception to the general prohibition on sending unsolicited marketing emails is for existing customers. 
  • The Regulations prohibit the sending of marketing emails where the sender's identity has been concealed.
  • There is no immediate penalty for breaching the Regulations.

January 2006

Blueprint for Cyber Security

Our vision is a world properly protected from cyber threat. This blueprint sets out how we can deliver that solution, starting in health and care.