CDMS, a data and marketing firm, examined compliance with the EU Directive on Privacy and Electronic Communications by the top 200 companies across 13 sectors, including banking, general insurance, retail and mobile telecoms.
The companies were tested to see whether they consistently offered non-customers the opportunity to actively opt-in or otherwise consent to further marketing emails when their details were recorded as the result of a promotion or enquiry. These promotions appeared either on the company's own website, through a partner company's website, in a third party e-newsletter, or as part of an advertising or direct mail campaign.
According to CDMS, 69% of companies studied are compliant with the legislation, a modest improvement of three percentage points since its last survey in 2005.
Ian Hubbard of CDMS said: "Companies who have not complied are putting their carefully built brands at risk, by putting out the message to consumers that they apparently don't care about legislation designed to protect their prospective customers' privacy."
He added: "This effectively puts them in the category of junk emailers, and associating them with a rising tide of spam, and growing consumer concerns over the security of their personal records."
The Regulations that implemented the EU Directive have been in force since December 2003. To date, there have been only two court rulings on their anti-spam provisions. The first was in 2005, when chartered engineer Nigel Roberts won £300 in damages in an undefended action against a Scottish marketing firm. The second was last December, when Microsoft won a summary judgment to stop an individual selling lists of email addresses to spammers.
CDMS noted that non-compliant companies urgently need to put processes in place to limit their current risk. "In addition, there is a major forensic and clean-up job to be done on these companies' marketing databases," said Hubbard.
Struan Robertson, editor of OUT-LAW.COM and a technology lawyer with Pinsent Masons, said: "A lot of confusion continues to surround the rules on email marketing. Compliance is very important, but the rules are not as restrictive as many people think. There is a misconception that they demand opt-in marketing, which most people visualise as ticking a box. That's not what they say."
Robertson continued, "The rules talk about the need for prior consent. One way of getting that is to have a tick box – but that is just one way. Others exist. And if you're emailing existing customers to promote similar products to those they bought before, and these are people whose contact details you obtained when selling or negotiating a sale, prior consent is not needed – provided you identify your company, give an opt-out on collection of the email address and include an unsubscribe option with each email sent."