10 things you should know about ... email marketing

posted by Alasdair Taylor on Tue, 10/04/2012 - 13:53

This article highlights some of the key features of the law governing the use of email for marketing purposes.  It considers only the position under English law. Although much of the UK legislation relating to email marketing is EU-inspired, the laws across the EU are not properly harmonized. The position under US law is also quite different from the position under English law.

(1) What is a marketing email?

English law does not have a core conception of a marketing email. Different sets of rules regulate different kinds of email.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Privacy Regulations"), the most important piece of legislation in this field, regulate the transmission of "communications for the purposes of direct marketing by means of electronic mail". The courts can be expected to place a broad interpretation upon these words. However, the key provisions on email marketing apply only to "unsolicited" communications to "individual subscribers".

The Data Protection Act 1998 regulates emails which contain personal data (e.g. individuals' names - fred.bloggs@company.ltd.uk).

Voluntary codes (such as the Direct Marketing Association's Code of Practice) and the contractual terms of hosting companies tend to cover a wide range of communications. Some hosting terms, for example, cover all unsolicited commercial emails.

(2) Aren't all unsolicited marketing emails illegal?

No.

Emails sent to corporate subscribers which do not contain any personal information (e.g. admin@company.ltd.uk) are not specifically regulated under English law - save that the emails must contain certain information (see below).

"Corporate subscribers" in this context includes limited companies, PLCs and LLPs; it does not include sole traders or general partnerships.

In all other cases, unsolicited emails sent for direct marketing purposes will be unlawful unless the recipient has in some way consented to receive the email.

(3) Opt-outs, opt-ins and soft opt-ins

Opt-outs, opt-ins and soft opt-ins are three different ways of obtaining consent to send marketing emails.

  • An opt-out is where the email recipient has been given, at the point at which the contact information was submitted, the opportunity to opt-out from receiving the emails, and has not done so (e.g. by not ticking a box in an HTML form).
  • An opt-in is where the email recipient has specifically indicated a desire to receive the emails at the point at which the contact information was submitted (e.g. by ticking a box in an HTML form).
  • There is also a special form of consent under the Privacy Regulations called the "soft opt-in". This applies where (i) an email address was obtained in the course of the sale or negotiations for the sale of a product or service to that recipient, (ii) the direct marketing is in respect of similar products and services, and (iii) the recipient was given the opportunity to "opt out" when the details were collected and with subsequent communication.

(4) What sort of consent do I need?

There is a good deal of confusion about what kind of consent is required for sending marketing emails.

The position under the Data Protection Act 1998 is that opt-out (or similar) consent is generally thought to be sufficient in the case of marketing emails involving non-sensitive personal data. However, express or opt-in consent would be required for any direct marketing communications which involve the processing of sensitive personal data, such as data relating to ethnicity, politics or medical conditions.

Opt-in or equivalent consent is required under the Privacy Regulations for marketing emails sent to individual subscribers, unless the soft opt-in provisions apply (see above).  (NB the Privacy Regulations do not use the terms "opt-in" and "opt-out".)

You should also check the requirements of your email service provider's terms and conditions. These often required a more stringent standard of consent than the general law.

You must comply with each applicable rule set.

(5) Information to be provided before consent is given

If you are collecting contact information which includes or may include personal data, certain information must be notified to the data subject:

  • the identity of the data controller;
  • the purpose(s) for which the data are intended to be processed; and
  • any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

The information should in general be given to data subjects or made readily available to them at the point of collection.

The most common way to meet these requirements in the website context is through the use of fair processing notices and privacy policies.

(6) Information to be provided in all marketing emails

Regulation 23 of the Privacy Regulations says:

"A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail - (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; (b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided; (c) where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002(1); or (d) where that electronic mail encourages recipients to visit websites which contravene that regulation".

Regulation 7 of the Electronic Commerce Regulations says:

"A service provider shall ensure that any commercial communication provided by him and which constitutes or forms part of an information society service shall— (a) be clearly identifiable as a commercial communication; (b) clearly identify the person on whose behalf the commercial communication is made; (c) clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions which must be met to qualify for it are easily accessible, and presented clearly and unambiguously; and (d) clearly identify as such any promotional competition or game and ensure that any conditions for participation are easily accessible and presented clearly and unambiguously."

In addition, the Companies Act requires all business emails sent by a corporation to include the following information:

  • company name;
  • company registration number;
  • place of registration; and
  • registered office address.

(7) Right to object

Under the Data Protection Act 1998, individuals may object at any time to the processing of their personal data for the purposes of direct marketing. Similarly, the Privacy Regulations have the effect of prohibiting the sending of marketing emails to individual subscribers who have notified the sender that they do not wish to receive such emails.

(8) What is good practice?

The Information Commissioner has stated that, notwithstanding the legal requirements, good practice requires that marketers follow the guidelines set out below.

  • Try to go for opt-in-based marketing as much as possible.
  • Provide a statement of use when you collect details.
  • Make sure you clearly explain what individuals' details will be used for.
  • Do not have consent boxes already ticked.
  • Provide a simple and quick method for customers to opt out of marketing messages at no cost other than that of sending the message.
  • Promptly comply with opt-out requests from everyone, not just those from individuals.
  • Have a system in place to deal with complaints about unwanted marketing.
  • When you receive an opt-out request, suppress the individual or company details rather than deleting them. (This way you will have a record of who not to contact.)

(9) Is buying lists allowed?

There is nothing in the legislation which expressly prohibits the purchasing of email lists. However, if you are thinking of using such a list, you should only purchase it from a reputable company and you should ask for a warranty that the list has been lawfully collected and may be used as intended.  Even then, you should think twice.

(10) Other risks

The terms of service of most ISPs and email marketing service providers prohibit spamming. However, different sets of terms will define spam in different ways. If you are considering sending unsolicited commercial emails, you should ensure that you do not breach the terms of your contract with your ISP or email marketing service provider.

This is an adapted version of an article originally published on www.website-law.co.uk in March 2007.

Legal area: 
marketing law
internet law
data protection law

Comments

posted by Ginger on Fri, 05/10/2012 - 14:07.

If you opt out and they to not stop, who do you report them to ?

posted by Alasdair Taylor on Sat, 06/10/2012 - 06:06.

The UK Information Commissioner's Office is responsible for enforcement of the relevant legislation.

posted by Phil on Sat, 09/02/2013 - 14:57.

First time buyers from the site can't opt out of email marketing when their address is collected. After they have registered by supplying an email address and password they must to go to the My Account section and  select a checkbox to change from " Send me notifications from the following categories" where all categories are already checked. I thought that under the soft opt-in rule a customer had to be given the ability to opt out of email marketing at the point at which the information was collected. The Amazon.co.uk system appears to be after collection. Thanks.

posted by Alasdair Taylor on Mon, 11/02/2013 - 05:05.

Regulation 22(3) of the Privacy and Electronic Communications (EC Diretive) Regulations 2003, which sets out the UK implementation of the soft top-in, says:

A person may send or instigate the sending of electronic mail for the purposes of direct marketing where — (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person’s similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

Assuming the Amazon.co.uk login process is as you describe, Amazon may argue that going to the "My Account" section to manage email marketing options isn't especially onerous, and constitutes a "simple means of refusing" that is given "at the time that the details were initially collected". However, I think that would be stretching the meaning of the words "at the time" - and I would be surprised if a court agreed with that sort of argument. TBH, it's not that obvious where to find the relevant page either.

Also, if all the categories are pre-checked, it's hard to see how the requirements of 22(3)(b) would met: looking at my Amazon account, the categories listed cover a very wide range of different goods and services, everything from "baby" to "Kindle books" to "groceries".

The Amazon privacy policy doesn't help much here either. It simply says:
If you do not want to receive e-mail or other mail from us, please adjust your Customer Communication Preferences.
A question to raise with Amazon, perhaps?

posted by Anonymous on Tue, 26/02/2013 - 16:53.

Can I ask why someone opted out from my email with standard questions such as:

- I am not the right contact, and

- I am not interested in the content?

posted by Alasdair Taylor on Tue, 26/02/2013 - 17:07.

You can ask these questions, but you shouldn't make unsubscribes conditional upon the provision of an answer. If you did, the data would likely be devalued anyway.

posted by sonia on Tue, 02/04/2013 - 15:08.

So, just to clarify, if I have an email list from an unknown source which is not opt-in and I then email this list, is that still illiegal even if the email includes an unsubscribe option, a sender reply email and a physical address? Thanks.

posted by Alasdair Taylor on Tue, 02/04/2013 - 16:00.

In practical terms, this mailing would almost certainly be prohibited by the Data Protection Act and/or the Privacy and Electronic Communications Regs.

posted by Guen Innes on Mon, 15/04/2013 - 15:31.

Is there a specified timeframe within which a site operator must action an unsubscribe request? I have submitted the same request several times over the last 3 weeks - received an initial acknowledgement which said to bear with them for a few days.  I keep getting the marketing messages though and it's getting very irritating.  Surely a few days shouldn't extend to weeks?!  Thanks

posted by Alasdair Taylor on Tue, 16/04/2013 - 08:24.

There are no specified time limits, either in the original Directive of the implementing Regulations. However, for the legislation - specifically Regs 22(3)(c) and 23(b) - to make sense you must imply a some kind of time limitation.

The ICO guidance (which of course is not itself legally enforceable) say that: "... you must comply with any opt-out requests promptly."

http://www.ico.org.uk/for_organisations/guidance_index/~/media/documents...

That seems sensible.

Give that we are talking about updating a database entry - not a major investment of effort - a few weeks is not, in my view, quick enough. 

posted by Beth on Thu, 02/05/2013 - 10:07.

Hi

We are a European-funded, University-run project in Wales offering free 'consulting-type' services.  I'm looking to send our first E-Newsletter, but have really limited data to send it to.  Can I legally send it to publicly available email addresses, such as MP's, Council Chief Execs & Business Clubs, who would 'probably' be interested in our work, but from whom I have not received/collected 'opt-in' consent??  I would obviously give them an option to 'unsubscribe'.  We are not 'selling' anything, as no money changes hands, so the informatoin would largely be generic news, updates, case studies etc. etc.  

Thanks very much.  I'm finding this all very confusing and really want to do the right thing!!

Cheers! 

posted by Alasdair Taylor on Thu, 02/05/2013 - 11:01.

On the basis of the information you have provided, I would advise against sending unsolicited emails to publicly available email addresses. There are three main issues.

  • If an email address (or email content) includes personal data (e.g. joebloggsmp[at]parliament.gov.uk), then you need consent to use that personal data under the DPA.
  • Even if you are not processing personal data, there is a risk that your activities could constitute "marketing" for the purposes of the PECRs - which according to the ICO extends beyond the selling of goods to matters such as charity fundraising. This will create a liabiliy under the PECRs if you are "marketing" to "individual subscribers".
  • Even if a given email is strictly lawful, you are liable to run into practical problems: reputable mass mailing service providers usually require opt-ins; recipients may well become annoyed; the practice could damage the reputation of your organisation; and the email servers you use could end up blacklisted.

If you would like detailed advice on this, please do get in touch. 

posted by Lee Johnson on Fri, 17/05/2013 - 10:45.

So if I am reading this correctly I can send unsolicited emails, offering my services, to addresses such as sales @ mycompany.uk, as long as that company is not a sole trader; without getting the company's consent first. I cannot send the same emails to addresses such as janet @ mycompany.uk as that constitutes an individual.

Basically I am starting my own business and want to advertise my services by email to SMEs in order to get clients but, as I am only just starting out, I do not have any solicited email addresses. There will be no third-party advertisement included.

posted by Alasdair Taylor on Fri, 17/05/2013 - 13:40.

Whilst the legal rules allow this kind of unsolicited emailing, you also need to take account of:

  • you ISP's T&Cs;
  • the possibility of getting yourself blacklisted; and
  • the certainty of irritating potential customers.

posted by Suzanne on Wed, 05/06/2013 - 12:08.

Where you say "Emails sent to corporate subscribers which do not contain any personal information (e.g. admin[@]company.ltd.uk) are not specifically regulated under English law - save that the emails must contain certain information (see below)." - presumably an email to an address such as info[@]cupcakeheaven would not be regulated even if the business was a sole trader business as no personal data is being identified in that email address? So you could in theory send unsolicited marketing emails to that sole trader?

posted by Alasdair Taylor on Wed, 05/06/2013 - 14:13.

The rules on email marketing in the Privacy and Electronic Communications Regs apply irrespective of whether personal data is being processed. Accordingly, you need consent in the case of emails to subscribers who are sole traders, even where there is no personal data involved.

posted by Matthew on Thu, 06/06/2013 - 15:10.

Is it allowable for a firm that I am purchasing from online to give me the option to opt out of electronic marketing material; but insists that I have to write to them to do so?

posted by Alasdair Taylor on Fri, 07/06/2013 - 09:16.

Assuming the electronic marketing would be regulated by the DPA 1998 (i.e. it involves the processing of personal data) or the PECRs (i.e you constitute an "individual subscriber") then this kind of opt-out is unlikely to satisfy the rules.

posted by Anna on Mon, 17/06/2013 - 19:20.

Sorry this is all getting a little confusing, please can you confirm if this is legal or not:?

I mainly cold call companies and introduce myself and ask if it is ok to send them an email with a link to the site,  if they give me their email address I then add them to my campaign list, is this ok?

 

Am I right that you are NOT allowed to add companies email addresses to your campaign list if you have never had contact with them before?

 

Many Thanks

Add new comment

Filtered HTML

Plain text

Contact details

SEQ Legal LLP
Howbery Park, Wallingford
Oxfordshire OX10 8BA, UK
Tel: +44(0)1491 821123

English law

Unless otherwise stated, the information and resources on this website relate to English law.

Web cookies

By using our website, you agree to our use of web cookies. See our privacy policy for details.

Our ecommerce sites

www.template-contracts.co.uk

www.website-contracts.co.uk

Copyright © 2007-2013 SEQ Legal LLP.