Most companies now use some form of direct marketing to find new customers, and to keep in touch with existing customers. The advent of email revolutionised the direct marketing industry, making the process cheaper, more wide-reaching and in some circumstances more effective. Unfortunately all of the advantages of email marketing are also exploited by spammers.
As a result we have witnessed an increasing volume of spam, which frustrates recipients and devalues the power of email marketing. To help control the increased use of email for direct marketing, and in part to deal with the risk of spam the EU issued in 2002 a directive on privacy and electronic communications.
The directive was brought into force in the UK by the Privacy and Electronic Communications ( EC Directive) Regulations 2003. The regulations apply to all organisations that send out marketing by telephone, fax, automated calling system, email, SMS , MMS or using any other form of electronic communication.
Despite the regulations having been in force since December 2003, there is still a great deal of confusion over what organisations must do to comply, relating in particular to the use of opt-in and opt-out when collecting marketing details. This part of the paper sets out some basic rules which companies should follow to help comply with their legal obligations.
Individual and corporate subscribers
The regulations make a distinction between individual subscribers (e.g. firstname.lastname@example.org) and corporate subscribers (e.g. email@example.com). This paper will concentrate on individual subscribers, as it is here that the Regulations have the most significant impact.
Save for some notable exceptions relating to existing customers, the Regulations provide that organisations cannot send unsolicited marketing communications by email to individual subscribers unless the recipient has given his prior consent.
Understanding the meaning of "prior consent" is the key to understanding what procedures are necessary when collecting personal data in order to be able to send email marketing.
Consent by definition requires some sort of positive action on behalf of the recipient. However, it is a widely held misconception in data protection terms that consent requires that the user "opts-in" to their data being used. Prior consent does not mean the same thing as "opt-in".
An "opt-in" generally refers to a tick box which, if filled in by the user, indicates positively that they would like to be contacted by a particular form of communication. Unless the user ticks the box then the organisation cannot use their details for the form of marketing listed. This is in contrast with an "opt-out", where the default position is that the user will be contacted by that form of marketing, unless they tick the box to indicate that they would prefer not to be. The benefits of opt-out over opt-in are clear – where the default position presumes the right to market, and requires no further action by the recipient, average collection rates are considerably higher, meaning more emails can be sent to more people.
"Prior consent", however, does not specify any particular means of assessing the user's intention. The main thing to consider is whether the user fully appreciates that they are consenting and what they are consenting to. Therefore, while opt-in is one way of demonstrating a user's consent, it is not the only way.
Another equally acceptable practice would be to collect the customer's details, at the same time presenting them with a data protection notice which is drafted to state that by providing their details the user consents to the receipt of unsolicited marketing emails. Key to this is the way in which the consent statement is drafted. It must be a positive statement, the effect of which is to be considered as positive consent by the user.
At the same time the user must be provided with an opportunity to opt-out of their details being used for this method. The best way of achieving this is to include an opt-out tick box as a part of the data protection notice. Failing to opt-out alone is unlikely to constitute valid consent, however, in context, it can indicate that consent has been given if a clear prominent message is provided, in the data protection notice or otherwise, such as, 'By submitting your details, you are indicating your consent to receiving marketing emails from us, unless you have ticked the box below to indicate your objection to receiving these messages'.
Points to remember
Confusion still reigns about the use of opt-in and opt-out for email marketing purposes. The confusion centres around a misunderstanding of what is required to fulfil the obligation to obtain a user's "prior consent".
Prior consent is not the same as opt-in, and it is possible to use a properly drafted consent statement in the data protection notice along with an opt-out box, and still comply with the Privacy and Electronic Communications Regulations.
Include a short statement at the point at which the user submits their email or telephone address to the effect that these may be used for marketing communications unless the user expressly requests that they are not.
Make sure that the data protection notice is properly drafted, and includes a statement to the effect that by providing email and telephone numbers the user consents to their being marketed to by these methods. The drafting of this is very important, as it must be written in such a way as to be considered active consent of the user. It should be provided before the point at which the user clicks to proceed with the registration/transaction (for example before the "submit" button).
Following this, include an opt-out box, which allows the user to select to opt-out of email marketing communications.
Ensure that all marketing emails provide an easy and free means by which the user can opt-out of future marketing, and make sure that if they use this opt-out their request is adhered to in all future marketing.