New Rules for Inboxes

April 30, 1998

My Inbox receives an almost daily temptation to share in the spoils of some unfortunate venture in Nigeria, involving $20 million or more. The e-mail informs me that I have been well recommended to the sender. The treasure is somehow frozen. All I need to do to release it is to fax my bank account details. For this, my share will be 20 per cent. I will also have the pleasure of being able to assist my new and happy client to invest the balance in the UK. In the course of that endeavour I will, no doubt, earn further handsome fees. There is a temptation to respond with the message “do you think I’m stupid?” or similar; but this would be folly. It would simply confirm that the sender had a valid e-mail address and perhaps provide an opportunity for fraudulent use of a genuine reply. The sender is invariably a subscriber to a free Web e-mail service such as Yahoo! or Hotmail. A complaint to the service provider that its service is being used for fraudulent purposes may lead to the account being closed, but my time would be wasted as the customer no doubt cannot be traced and other accounts can be set up in minutes.

My Inbox yields other temptations as the day progresses. I could earn $50,000 or more in the next 90 days just by sending a few e-mails. I could buy Viagra or human growth hormones, or I could view some “free sites”.

Many people are concerned about the rapid growth of unsolicited commercial e-mail on the Internet. For the sender, spam is relatively easy and cheap to send. However, for the recipient it can be a nuisance and even give rise to additional costs of download or storage. The sheer volume of spam can give rise to network problems as it uses up Internet bandwidth. Some view spam as an unwelcome invasion of privacy.

I have not yet seen any e-mail contain a statement that it is a “commercial e-mail” or “unsolicited commercial e-mail” as required by The Electronic Commerce (EC Directive) Regulations 2002 which came into force on 21st August 2002 (SI 2002 No 2013). Under those Regulations, a “service provider” must ensure that any commercial communication provided by him and which constitutes or forms part of an “information society service” must be clearly identifiable as a commercial communication and must clearly identify the person on whose behalf the commercial communication is made. An e-mail promoting the goods, services or image of any business would, save for a couple of exceptions, fall within the definition of a “commercial communication” under the Regulations.

The Regulations do not prescribe how to meet the requirement for information about commercial communications to be “clearly identifiable”. The DTI Guidance says that this could be either through a header, before the communication is opened, or in the body of the communication itself. However, the fact that a commercial communication comes from a business may not of itself be enough. The e-mail will need to contain language such as “This is a commercial communication from Xyz.com Limited”.

Furthermore, a service provider must ensure that any unsolicited commercial communication sent by him by electronic mail (spam) is clearly and unambiguously identifiable as such as soon as it is received. This is, presumably, intended to allow the recipient the opportunity to delete the e-mail without opening it or before downloading it, perhaps by using some filtering software. Again, the Regulations do not prescribe how the requirement for unsolicited commercial communications sent by e-mail to be “clearly and unambiguously identifiable” should be met.

An e-mail address is “personal data” for the purposes of the Data Protection Act 1998 where it identifies a particular individual, for example, by including any part of the name of the individual or of his or her company. However, even anonymous e-mail addresses may be personal data where, together with information “likely to come into the possession” of the data controller, they allow an individual to be identified (even if not by name). As such, e-mail addresses must be processed in accordance with the data protection principles. For example, personal data (such as an e-mail address) will not be processed “fairly and lawfully” if the consent of the data subject has not been obtained for that processing (unless one of the other conditions in Schedule 2 of the Act is met). Simply because someone has put his or her e-mail address in the public domain, perhaps on a corporate web site, does not mean that it can be used for marketing or other purposes.

Unsolicited commercial communications by e-mail will soon be subject to new rules under the Communications Data Protection Directive 2002/58/EC (the Directive on Privacy and Electronic Communications). This was adopted on 12 July 2002 and requires implementation by 31 October 2003. It will give rise to Regulations supplementing or replacing the Telecommunications (Data Protection and Privacy) Regulations 1999 (SI 1999 No 2093).

One of the main changes in relation to e-mail is the shift to an opt-in regime. Under Article 13 of the Directive, the use of e-mail and SMS (text messages to mobile phones) for direct marketing will only be allowed in respect of subscribers who have given their prior explicit consent. This will put e-mail marketing on the same footing as unsolicited faxing and automated telephone systems.

The Directive makes an exception for an existing customer relationship in which the supplier has obtained the customer details in the context of a sale of goods or services. In this case, the supplier may use the customer details for the purpose of direct marketing in relation to its own similar goods or services. The customer must be clearly and distinctively given the opportunity to object, free of charge and in an easy manner, to the use of the e-mail address when collected and on the occasion of each message in case the customer has not initially refused such use. This exception leaves open to interpretation whether goods or services advertised are “similar” to those previously purchased. Moreover, it would seem from the wording that the exception only applies where there has been an actual sale, rather than, for example, an enquiry. It also seems that only the party that obtained the details can use them; so, for example, a manufacturer could not e-mail its “customers” where the e-mail address had been obtained by a retailer.

The Directive also prohibits the practice of sending direct marketing e-mail disguising or concealing the identity of the sender or without a valid address to which the recipient may send a request that such communications cease.

This new legislation demands changes in the systems and practices of e-commerce businesses and marketeers. For reputable businesses, it is unlikely to be a problem as there is growing acceptance that opt-in permission marketing is in any event more effective than spam. However, it is unlikely to prevent my Nigerian e-mails or many of the others that regularly intrude on my Inbox. The senders are likely to be out of the reach of European legislation. If they consult opt-out registers, it will be for the purpose of gathering valid e-mail addresses to spam. The problem is likely to be with us for some time.

Nigel Miller is a Commerce and Technology partner at City law firm Fox Williams. He is also Joint-Chair of the Society for Computers & Law. Nigel can be contacted at nmiller@foxwilliams.com.

© Fox Williams 2002