Businesses operating websites and/or sending electronic communications to customers must comply with a new EU directive, or face falling foul of the law. Since October 2003, opting-in has been compulsory when sending marketing emails to consumers, and the use of website cookies will be more stringently regulated.
Critically, an EU-wide ‘opt-in’ approach has been adopted for SPAM, meaning that businesses are only permitted to send marketing emails and SMS messages to individuals/consumers who have previously consented to the use of their details in this way.
Existing customers may be targeted, provided certain conditions are met.
The directive represents a change of emphasis rather than a change in the substance of data protection obligations, but could have serious consequences for any business not getting up to speed on the new laws. Businesses need to address the changes now, both to ensure that their channels to market are compliant, and to ensure that previously valuable customer databases are still useable for future marketing campaigns.
As well as new email marketing laws affecting all who send emails for marketing purposes, website operators also need to tighten up on how they collect and use customer data. Web operators must provide users with “clear and comprehensive information” about devices such as cookies used to collect their data, including the purpose of any processing.
The opt-in approach in more detail:
The opt-in approach is slightly softened by a provision that allows companies to target customers who have bought products or services from them in the past, subject to the following provisos:
- The customer’s details must have been collected in the context of a ‘sale’. On a strict interpretation, this could rule out the use of contact details or potential customers who have merely registered an interest in a service or product.
- The customer must have been told about the possible use of his or her data for future marketing at the time it was collected, ie; at the time of the initial purchase, and have been given the chance to object.
- The opportunity to opt-out must be given with each subsequent marketing message.
- The customer’s details may only be used by the same entity to whom they were originally given. This has implications for transfers of customer lists between group companies and trading partners (although these restrictions already apply under the UK’s existing data protection laws).
- The marketing must be for a ‘similar product’ in relation to that which the customer’s details were originally gathered, but it is unclear just how similar the new product advertised needs to be to avoid breach of the legislation.
The strong interest and the exponential growth of inboxes in Europe support the potential of email marketing. However, the market is split on how to shield users from a potentially invasive marketing mechanism. National legislators in Europe are doing their best to confuse marketers and users: Several EU countries approved specific legislation to protect their citizens’ privacy online, while the European Parliament tried to regulate part of the field at the EU level. The result is a confusing legal position across Europe.
The majority favour opt-out. Ten EU member states, including France and the UK, and the European Parliament remain happy with a simple approach to email marketing, they only allow for users to opt-out if they do not want to receive marketing emails. This approach is similar to the one adopted in the US.
Five countries favour an opt-in approach. A handful of EU countries, Sweden, Denmark, Austria, Germany, and Italy, have adopted specific national legislation demanding the consent of users before email marketing. Privacy concerns together with steady lobbying from ISPs motivated this approach.
Faced with an uneven legislative landscape, marketers are not presenting a common front when it comes to email marketing practices. Some of them favour the more managed, opt-in approach, while other, more aggressive marketers consider opt-out enough of a protection for online consumers.
Communications Data Protection Directive is a DTI Directive to be aware of for Unsolicited Commercial Email (UCE). This exists in a draft form at the moment and is currently being discussed by Member States and the European Commission. The current draft contains a requirement for Member States to adopt an opt-in approach for UCE to natural persons ( this means private individuals and sole traders anywhere in the UK, and Partnerships in England, Wales and Northern Ireland). For legal persons (e.g. limited COs and plc’s), the Directive leaves it up to Member States to adopt whatever measures are felt necessary.