This article highlights some of the key features of the law governing the use of email for marketing purposes. It considers only the position under English law. Although much of the UK legislation relating to email marketing is EU-inspired, the laws across the EU are not properly harmonized. The position under US law is also quite different from the position under English law.
(1) What is a marketing email?
English law does not have a core conception of a marketing email. Different sets of rules regulate different kinds of email.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Privacy Regulations"), the most important piece of legislation in this field, regulate the transmission of "communications for the purposes of direct marketing by means of electronic mail". The courts can be expected to place a broad interpretation upon these words. However, the key provisions on email marketing apply only to "unsolicited" communications to "individual subscribers".
The Data Protection Act 1998 regulates emails which contain personal data (e.g. individuals' names - email@example.com).
Voluntary codes (such as the Direct Marketing Association's Code of Practice) and the contractual terms of hosting companies tend to cover a wide range of communications. Some hosting terms, for example, cover all unsolicited commercial emails.
(2) Aren't all unsolicited marketing emails illegal?
Emails sent to corporate subscribers which do not contain any personal information (e.g. firstname.lastname@example.org) are not specifically regulated under English law - save that the emails must contain certain information (see below).
"Corporate subscribers" in this context includes limited companies, PLCs and LLPs; it does not include sole traders or general partnerships.
In all other cases, unsolicited emails sent for direct marketing purposes will be unlawful unless the recipient has in some way consented to receive the email.
(3) Opt-outs, opt-ins and soft opt-ins
Opt-outs, opt-ins and soft opt-ins are three different ways of obtaining consent to send marketing emails.
- An opt-out is where the email recipient has been given, at the point at which the contact information was submitted, the opportunity to opt-out from receiving the emails, and has not done so (e.g. by not ticking a box in an HTML form).
- An opt-in is where the email recipient has specifically indicated a desire to receive the emails at the point at which the contact information was submitted (e.g. by ticking a box in an HTML form).
- There is also a special form of consent under the Privacy Regulations called the "soft opt-in". This applies where (i) an email address was obtained in the course of the sale or negotiations for the sale of a product or service to that recipient, (ii) the direct marketing is in respect of similar products and services, and (iii) the recipient was given the opportunity to "opt out" when the details were collected and with subsequent communication.
(4) What sort of consent do I need?
There is a good deal of confusion about what kind of consent is required for sending marketing emails.
The position under the Data Protection Act 1998 is that opt-out (or similar) consent is generally thought to be sufficient in the case of marketing emails involving non-sensitive personal data. However, express or opt-in consent would be required for any direct marketing communications which involve the processing of sensitive personal data, such as data relating to ethnicity, politics or medical conditions.
Opt-in or equivalent consent is required under the Privacy Regulations for marketing emails sent to individual subscribers, unless the soft opt-in provisions apply (see above). (NB the Privacy Regulations do not use the terms "opt-in" and "opt-out".)
You should also check the requirements of your email service provider's terms and conditions. These often required a more stringent standard of consent than the general law.
You must comply with each applicable rule set.
(5) Information to be provided before consent is given
If you are collecting contact information which includes or may include personal data, certain information must be notified to the data subject:
- the identity of the data controller;
- the purpose(s) for which the data are intended to be processed; and
- any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
The information should in general be given to data subjects or made readily available to them at the point of collection.
The most common way to meet these requirements in the website context is through the use of fair processing notices and privacy policies.
(6) Information to be provided in all marketing emails
Regulation 23 of the Privacy Regulations says:
"A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail - (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; (b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided; (c) where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002(1); or (d) where that electronic mail encourages recipients to visit websites which contravene that regulation".
Regulation 7 of the Electronic Commerce Regulations says:
"A service provider shall ensure that any commercial communication provided by him and which constitutes or forms part of an information society service shall— (a) be clearly identifiable as a commercial communication; (b) clearly identify the person on whose behalf the commercial communication is made; (c) clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions which must be met to qualify for it are easily accessible, and presented clearly and unambiguously; and (d) clearly identify as such any promotional competition or game and ensure that any conditions for participation are easily accessible and presented clearly and unambiguously."
In addition, the Companies Act requires all business emails sent by a corporation to include the following information:
- company name;
- company registration number;
- place of registration; and
- registered office address.
(7) Right to object
Under the Data Protection Act 1998, individuals may object at any time to the processing of their personal data for the purposes of direct marketing. Similarly, the Privacy Regulations have the effect of prohibiting the sending of marketing emails to individual subscribers who have notified the sender that they do not wish to receive such emails.
(8) What is good practice?
The Information Commissioner has stated that, notwithstanding the legal requirements, good practice requires that marketers follow the guidelines set out below.
- Try to go for opt-in-based marketing as much as possible.
- Provide a statement of use when you collect details.
- Make sure you clearly explain what individuals' details will be used for.
- Do not have consent boxes already ticked.
- Provide a simple and quick method for customers to opt out of marketing messages at no cost other than that of sending the message.
- Promptly comply with opt-out requests from everyone, not just those from individuals.
- Have a system in place to deal with complaints about unwanted marketing.
- When you receive an opt-out request, suppress the individual or company details rather than deleting them. (This way you will have a record of who not to contact.)
(9) Is buying lists allowed?
There is nothing in the legislation which expressly prohibits the purchasing of email lists. However, if you are thinking of using such a list, you should only purchase it from a reputable company and you should ask for a warranty that the list has been lawfully collected and may be used as intended. Even then, you should think twice.
(10) Other risks
The terms of service of most ISPs and email marketing service providers prohibit spamming. However, different sets of terms will define spam in different ways. If you are considering sending unsolicited commercial emails, you should ensure that you do not breach the terms of your contract with your ISP or email marketing service provider.
This is an adapted version of an article originally published on www.website-law.co.uk in March 2007.