Businesses operating websites and/or sending electronic communications to customers must comply with a new EU directive, or face falling foul of the law. Since October 2003, opting-in has been compulsory for marketing emails, and the use of website cookies will be more stringently regulated.
Critically, an EU-wide ‘opt-in’ approach has been adopted for SPAM, meaning that businesses are only permitted to send marketing emails and SMS messages to individuals who have previously consented to the use of their details in this way.
Existing customers may be targeted, provided certain conditions are met, although there is still some uncertainty about the precise scope of mailing existing database contacts.
The directive represents a change of emphasis rather than a change in the substance of data protection obligations, but could have serious consequences for any business not getting up to speed on the new laws. Businesses need to address the changes now, both to ensure that their channels to market are compliant, and to ensure that previously valuable customer databases are still useable for future marketing campaigns.
As well as new email marketing laws affecting all who send emails for marketing purposes, website operators also need to tighten up on how they collect and use customer data. Web operators must provide users with “clear and comprehensive information” about devices such as cookies used to collect their data, including the purpose of any processing.
The opt-in approach in more detail:
The opt-in approach is slightly softened by a provision that allows companies to target customers who have bought products or services from them in the past, subject to the following provisos:
- The customer’s details must have been collected in the context of a ‘sale’. On a strict interpretation, this could rule out the use of contact details or potential customers who have merely registered an interest in a service or product.
- The customer must have been told about the possible use of his or her data for future marketing at the time it was collected, ie; at the time of the initial purchase, and have been given the chance to object.
- The opportunity to opt-out must be given with each subsequent marketing message.
- The customer’s details may only be used by the same entity to whom they were originally given. This has implications for transfers of customer lists between group companies and trading partners (although these restrictions already apply under the UK’s existing data protection laws).
- The marketing must be for a ‘similar product’ in relation to that which the customer’s details were originally gathered, but it is unclear just how similar the new product advertised needs to be to avoid breach of the legislation.
The strong interest and the exponential growth of inboxes in Europe support the potential of email marketing. However, the market is split on how to shield users from a potentially invasive marketing mechanism. National legislators in Europe are doing their best to confuse marketers and users: Several EU countries approved specific legislation to protect their citizens’ privacy online, while the European Parliament tried to regulate part of the field at the EU level. The result is a confusing legal position across Europe.
The majority favour opt-out. Ten EU member states, including France and the UK, and the European Parliament remain happy with a simple approach to email marketing, they only allow for users to opt-out if they do not want to receive marketing emails. This approach is similar to the one adopted in the US.
Five countries favour an opt-in approach. A handful of EU countries, Sweden, Denmark, Austria, Germany, and Italy, have adopted specific national legislation demanding the consent of users before email marketing. Privacy concerns together with steady lobbying from ISPs like Wannadoo and online advertisers like 24/7Media motivated this approach.
Faced with an uneven legislative landscape, marketers are not presenting a common front when it comes to email marketing practices. Some of them, like 24/7 Media, Yoptin, and MessageMedia, favour the more managed, opt-in approach, while other, more aggressive marketers consider opt-out enough of a protection for online consumers.
Communications Data Protection Directive is a DTI Directive to be aware of for Unsolicited Commercial Email (UCE). This exists in a draft form at the moment and is currently being discussed by Member States and the European Commission. The proposed implementation date for this directive in the UK has been moved forward to January 2003. The current draft contains a requirement for Member States to adopt an opt-in approach for UCE to natural persons (my understanding is that in the UK this means private individuals and sole traders anywhere in the UK, and Partnerships in England, Wales and Northern Ireland). For legal persons (e.g. limited COs and plc’s), the Directive leaves it up to Member States to adopt whatever measures are felt necessary.
Google will launch an email agent service by 2005 delivering to users a flexible stream of newsletters and promotional emails according to a very specific query and finding email lists that users want to subscribe to. Surfers will have their global opt-in profile hosted by Google and will be able to update their preferences at any time.
Coupled with this, Dot-EU addresses will not be available for marketing activities. In 2002, the European Union, facing a surge of complaints from consumer advocates and ISPs on the exploding volumes of unsolicited promotional email, will forbid any form of promotional activity addressed to a name@company.eu email address.
