'Tell a friend' promotions are a staple of viral marketing and
involve one user providing email addresses to a company so that a
friend of theirs can receive a message from that company.
Holland's data protection authority and its telecoms regulator
have issued a ruling clarifying what companies have to do to make
sure that viral marketing does not break data protection and
telecoms laws.
The authorities have said that the website cannot offer an
incentive to users to pass on friends' details. "The controller of
the website [cannot] hold out the prospect of any chance of reward
or other advantage, neither to the sender nor to the recipient,"
the ruling says.
The authorities also say that it must be clear from any message
who the friend behind the message is, and that the person who
instigates the sending of the communication must have a chance to
read the whole message.
"The Internet user must have the opportunity to read the entire
message that is sent in his or her name before he or she decides to
send it, in such a way that he or she can take responsibility for
the personal contents of the message," says the ruling.
The authorities also said that the email address passed on by
the original user must not be processed or stored or used more than
is necessary for the original usage. This means that reminders and
follow up messages cannot be sent to the recommended user.
The ruling echoes guidance issued by the UK's data protection
regulator, the Information Commissioner's Office (ICO).
"Where you incentivise [a person to pass on their friend's
details], there is a strong argument that you are the ‘instigator’
of the message," said ICO guidance. "They wouldn’t do it without
the promise of a reward from you. You are reminded that it is the
instigator of the message who is liable for the sending of that
message."
The ICO said that companies must make sure that consent for the
sending of a message has been received, though not directly by
them, if they are to use someone's friend's details.
"You will be sending a message to someone who you assume has
consented through a third party (the third party being the friend
who passed their details on to you) to receiving messages from you.
It is quite clear that under the legislation you are liable for any
messages sent to email addresses or mobile numbers obtained," it
said.
"As with all third party electronic mailing lists, you cannot
use this list unless you are satisfied that the recipient has
notified you that they consent to receiving such messages from you.
You should therefore ask your customer to confirm that they have
the consent of the individuals whose details they are passing on,"
said the ICO's guidance.
The Dutch advice is similar to that given by the ICO, except
that it adds the requirement that the person handing over a
friend's details must be given the chance to see the whole message
that is to be sent.
Data protection law expert Louise Townsend of Pinsent Masons,
the law firm behind OUT-LAW.COM, said that where the Dutch
situation differed from that in the UK was the strength of the
regulators' opinion.
"It is the enforcement side of this that would be a concern if
it were followed across Europe," she said. "The ICO's opinion is
just guidance, you can take a risk and stretch it and consider that
as a business risk, which is what a lot of people have been
doing."
"But the Dutch opinion is a ruling, it says that it interprets
the law and is not appealable and is a statement of the law. If the
Information Commissioner here issues new guidance, or if the new
incoming Commissioner in June wants to be stricter on that
particular issue, then there could be a change," she said.
The Dutch ruling could also have influence on the ICO if it is
adopted by the Article 29 Working Party, the committee of national
data protection regulators. "That would still just be an opinion
but it is seen by national regulators as persuasive," said
Townsend.
The ruling could also have an effect if the Europe-wide
association of direct marketers FEDMA took it on board, meaning
that members of the UK's Direct Marketing Association would be
bound by the more restrictive practice.
Editor's note,
24/04/2009: The ICO told us today: "In short we won’t be
updating our guidance. We feel the existing guidance will
ensure that those companies engaging in this type of marketing will
be able to do so in compliance with PECR [the Privacy and
Electronic Communications Regulations] and although there is a
difference in approach/tone, the substance of both our guidance and
the [Dutch] ruling are the same. I should also add that this
is not an area which causes a great deal of concern since it has
been used for some time without generating lots of complaints from
the recipients."
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
