Viral marketing and the law

This guide is based on UK law. It was last updated in June 2010.

Topics

This guide covers two kinds of viral marketing by email:

'Tell a friend' services, in which a website invites a visitor to enter a friend's email address and the website sends an email to that person; and
Emails sent by marketers that encourage recipients to forward the message to a friend.

There are risks with each approach. This guide explains how to minimise them.

'Tell a friend' viral marketing

A website may invite a visitor to recommend a particular page or product to a friend. Usually the visitor's email address is requested as well as the friend's email address. The friend then receives an email that, on arrival, looks like it was sent by the person making the recommendation – in order that it appears to come from a trusted person. This, in theory, distinguishes the email from unsolicited marketing which is more likely to cause offence or at least more likely to be deleted without being read.

There is an argument that website operators should not do this because arguably they are faking the identity of the actual sender, a practice known as 'email spoofing'. There is also an argument that the operator is sending unsolicited commercial email without prior consent. Strictly speaking, these are unlawful practices.

The general rule, found in the Privacy and Electronic Communications (EC Directive) Regulations 2003, is:

"…a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender."

In practice, 'tell a friend' services are popular and unlikely to cause problems if you follow the Information Commissioner's guidance on viral marketing (32-page / 256KB PDF). Viral marketing is addressed at pages 23-24. This guidance can be summarised as follows:

It is safer not to give visitors any incentive to "tell a friend" because that creates a strong argument that you are the "instigator" of the message – i.e. they wouldn't do it without the promise of a reward from you.
Check that the recipient hasn't already asked you to suppress his details. In practice, this means your website would need to communicate with the database holding your suppression list before sending the email. If it's practical to do this, it must be considered best practice. A counter-argument could be made against the Commissioner's guidance on this point: you are getting the consent of the site visitor, who is saying that, right now, he has the consent of his friend – which surely supersedes any previous suppression request. Legally, this is probably a weak counter-argument.
Someone could use your system and others like it as a puerile trick to annoy one individual with emails from lots of companies. The Commissioner points out that the victim may forever associate your company with that unpleasant experience. In any event, says the Commissioner, "you should ensure rapid suppression of the recipient's contact details to avoid further distress."
Tell your visitor that you will let his friend know how you got his details. There is nothing in the law to prevent you doing this and it is particularly important if you propose to offer an incentive (though see the warning in the first bullet).
You are sending a message to someone who you assume has consented via a third party (i.e. your visitor, who passed on his friend's details to you). So include a statement on your Tell a Friend page – somewhere obvious and above the "Send" button – that says something like: "By hitting the button you confirm that you have the consent of the individual whose details you are supplying."

The last of these points has also been raised by the UK's advertising watchdog, the Advertising Standards Authority (ASA), which administers a rulebook called the CAP Code. Breaking the CAP Code usually results in nothing more than a rebuke and possibly some bad publicity, though sometimes the ASA applies sanctions.

In a ruling in 2009 it criticised a movie promotion website that invited visitors to provide friends' addresses to whom the promoter sent hoax emails. The website did not ask the person who initiated a hoax to confirm that he or she had the friend's consent. This was found to breach rule 43.4c of the CAP Code. The rule requires 'explicit consent' of consumers when sending emails except in limited circumstances. See: ASA bans 'tell a friend' service that lacked friends' consent, OUT-LAW News, 07/05/2009.

We would add the following tips to the Commissioner's guidance:

Make your identity clear in the email that you send. Purporting to be a consumer could result in a prosecution under the Consumer Protection (Unfair Trading) Regulations 2008. Usual requirements of business emails will also apply, so include:
- Your company registration number;
- Your place of registration (e.g. Scotland or England & Wales); and
- Your registered office address.
Avoid using the email addresses provided on the "tell a friend" page for any purpose other than to fulfil the request and do not save the addresses. If you are going to do this, make this clear and provide a means of opt-out. Bear in mind the risk of complaints.
Limit the number of emails that can be sent by one user to avoid misuse or at least be able to recognise and deal with any excessive use.
Send the email to the friend without any marketing information other than what was being recommended – be it a link to a page on your website or the text of an article (i.e. resist the opportunity to promote your services beyond what is being recommended).
Consider writing the subject line in the third person – e.g. "John Smith thought you'd like this…" – and don't imply in the subject line that John Smith is actually sending the email (i.e. avoid saying "I thought you should see this.") Alternatively, allow visitors to choose the subject line.
Offer a simple means of making a complaint in the event that the recipient does not know the sender, e.g. a contact email address.
Do not allow users to leave their own name and email address blank (albeit there is little you can do about fictional details being provided).

Our final point comes from an ASA ruling against a viral promotion that allowed emails to be sent anonymously which was found to breach Rule 3.1 of the CAP Code, which says that before distributing a marketing communication for publication, "marketers must hold documentary evidence to prove all claims, whether direct or implied, that are capable of objective substantiation." See: ASA slams anonymous 'tell a friend' email, OUT-LAW News, 01/02/2006.

Risk management

We cannot guarantee that these steps will eliminate the potential legal risk, but they are better than ignoring the issue. Fortunately, the commercial risk is fairly low: in the event of a complaint or new guidance from the courts, the ASA or the Information Commissioner, a website can change or even abandon its 'tell a friend' services without collateral damage. In contrast, a high risk exists with data collection practices: get these wrong and you build a database that it may be unlawful to use – making it potentially worthless.

Please forward this email

The second type of viral marketing is where a marketer asks a person to forward an email to one or more friends. Generally these emails are harmless, provided the identity of the sender is clear.

Organisations must not seed a viral marketing campaign by asking staff to send emails that purport to come from them as independent consumers. To do so risks prosecution, a fine and a maximum prison sentence of two years under the Consumer Protection (Unfair Trading) Regulations 2008.

These Regulations identify the following commercial practice as unfair, and therefore illegal:

"Falsely claiming or creating the impression that the trader is not acting for purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer."

Consequently, as with any business-related email, the identity of the organisation behind the campaign should be clear.

As mentioned above, the usual requirements of business emails will apply, so the email should include:

Your company registration number;
Your place of registration (e.g. Scotland or England & Wales); and
Your registered office address.

See also the OUT-LAW Guide on the Consumer Protection from Unfair Trading Regulations.

Forwarded emails can also fall foul of the CAP Code. In 2006 the ASA published a Help Note on Advertising Virals (2-page / 36KB PDF). It notes that viral messages that are offensive, misleading, unfair or irresponsible or might otherwise bring advertising into disrepute, will break the CAP Code. It also states: "advertising virals are not excepted from the Code merely by having originated on a website or by being forwarded-on by consumers."

Contacts

Advertising and marketing Guides

Latest Advertising and marketing News

£20,000 fine levied for marketing 'likely to result in harm to children' 03 Feb 2012
Ad watchdog investigating celebrities' Twitter chocolate promotions 27 Jan 2012
Revised UK interception of communications laws address EU privacy concerns 26 Jan 2012
Ad campaign launched to educate consumers about online behavioural advertising 23 Jan 2012
CAP to consider prohibiting child brand sponsorship in advertising rules 20 Jan 2012

Find out more