New inbox rules should cut spam

Nigel Miller: Nigerian scams will ignore the EU rules, but legitimate businesses should take note and consider their use of email promotions.

My inbox receives an almost daily temptation to share in the spoils of some unfortunate venture in Nigeria, involving $20m or more. The email informs me that I have been well recommended to the sender. The treasure is somehow frozen. All I need to do to release it is to fax my bank account details. For this, my share will be 20 percent. I will also have the pleasure of being able to assist my new and happy client to invest the balance in the UK. In the course of that endeavour I will, no doubt, earn further handsome fees.

There is a temptation to respond with the message "do you think I'm stupid?" or similar, but this would be folly. It would simply confirm that the sender had a valid email address and perhaps provide an opportunity for fraudulent use of a genuine reply. The sender is invariably a subscriber to a free Web email service such as Yahoo! or Hotmail. A complaint to the service provider that its service is being used for fraudulent purposes may lead to the account being closed, but my time would be wasted as the customer no doubt cannot be traced and other accounts can be set up in minutes.

My inbox yields other temptations as the day progresses. I could earn $50,000 or more in the next 90 days just by sending a few emails. I could buy Viagra or human growth hormones, or I could view some "free sites".

Many people are concerned about the rapid growth of unsolicited commercial email on the Internet. For the sender, spam is relatively easy and cheap to send. However, for the recipient it can be a nuisance and even give rise to additional costs of download or storage. The sheer volume of spam can give rise to network problems as it uses up Internet bandwidth. Some view spam as an unwelcome invasion of privacy.

I have not yet seen any email contain a statement that it is a "commercial email" or "unsolicited commercial email" as required by The Electronic Commerce (EC Directive) Regulations 2002 which came into force on 21 August, 2002 (SI 2002 No 2013). Under those Regulations, a "service provider" must ensure that any commercial communication provided by him and which constitutes or forms part of an "information society service" must be clearly identifiable as a commercial communication and must clearly identify the person on whose behalf the commercial communication is made. An email promoting the goods, services or image of any business would, save for a couple of exceptions, fall within the definition of a "commercial communication" under the regulations.

The regulations do not prescribe how to meet the requirement for information about commercial communications to be "clearly identifiable". The DTI guidance says that this could be either through a header, before the communication is opened, or in the body of the communication itself. The fact that a commercial communication clearly comes from a business may not of itself be enough. The email will need to contain language such as: "This is a commercial communication from Xyz.com Limited".

Furthermore, a service provider must ensure that any unsolicited commercial communication sent by him by electronic mail (spam) is clearly and unambiguously identifiable as such as soon as it is received. This is, presumably, intended to allow the recipient the opportunity to delete the email without opening it or before downloading it perhaps by using some filtering software. Again, the regulations do not prescribe how the requirement for unsolicited commercial communications sent by email to be "clearly and unambiguously identifiable" should be met.

An email address is "personal data" for the purposes of the Data Protection Act 1998 where it identifies a particular individual, for example, by including any part of the name of the individual or of his or her company. However, even anonymous email addresses may be personal data where, together with information "likely to come into the possession" of the data controller, it allows for an individual to be identified (even if not by name). As such, email addresses must be processed in accordance with the data protection principles. For example, personal data (such as an email address) will not be processed "fairly and lawfully" if the consent of the data subject has not been obtained for that processing (unless one of the other conditions in Schedule 2 of the Act is met). Simply because someone has put his or her email address in the public domain, perhaps on a corporate Web site, does not mean that it can be used for marketing or other purposes.

Unsolicited commercial communications by email will soon be subject to new rules under the Communications Data Protection Directive 2002/58/EC (the Directive on Privacy and Electronic Communications). This was adopted on 12 July, 2002, and requires implementation by 31 October, 2003. It will give rise to regulations supplementing or replacing the Telecommunications (Data Protection and Privacy) Regulations 1999 (SI 1999 No 2093).

One of the main changes in relation to email is the shift to an opt-in regime. Under Article 13 of the Directive, the use of email and SMS (text messages to mobile phones) for direct marketing will only be allowed in respect of subscribers who have given their prior explicit consent. This will put email marketing on the same footing as unsolicited faxing and automated telephone systems.

The Directive makes an exception where there is an existing customer relationship where the supplier has obtained the customer details in the context of a sale of goods or services. In this case, the supplier may use the customer details for the purpose of direct marketing in relation to its own similar goods or services. The customer must be clearly and distinctively given the opportunity to object, free of charge and in an easy manner, to the use of the email address when collected and on the occasion of each message in case the customer has not initially refused such use. This exception leaves open to interpretation whether goods or services advertised are "similar" to those previously purchased. Moreover, it would seem from the wording that the exception only applies where there has been an actual sale, rather than for example an enquiry. It also seems that only the party that obtained the details can use them; so, for example, a manufacturer could not email its "customers" where the email address had been obtained by a retailer.

The Directive also prohibits the practice of sending direct marketing email disguising or concealing the identity of the sender or without a valid address to which the recipient may send a request that such communications cease.

This new legislation demands changes in the systems and practices of e-commerce businesses and marketeers. For reputable businesses, it is unlikely to be a problem as there is growing acceptance that opt-in permission marketing is in any event more effective than spam. However, it is unlikely to prevent my Nigerian emails or many of the others that regularly intrude on my iInbox. The senders are likely to be out of the reach of European legislation. If they consult opt-out registers, it will be for the purpose of gathering valid email addresses to spam. The problem is likely to be with us for some time.

Nigel Miller is a Commerce and Technology partner at City law firm Fox Williams. He is also joint-chair of the Society for Computers & Law. Nigel can be contacted at nmiller@foxwilliams.com.

To have your say online click on TalkBack and go to the ZDNet UK forums.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All