Granted, today’s modern e-mail services do an excellent job of filtering the unwanted messages and leaving only the relevant ones in your mailbox. Even so, many of us still feel that niggling worry and anger.
The situation is murkier than you might think. Barring the obvious ‘Nigerian Prince’ scams and similar confidence tricks, which are obviously illegal on many levels, simple marketing e-mails are treated much differently in the privacy world. Many privacy experts would use the word ‘iffy’ to describe the regulations. Well, perhaps not really, but this term captures the gist of the situation.
The Situation Across the Pond
Compared with the state of affairs in Europe, the US and Canada have it quite easy, at least if you are an Internet marketer.
The American CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act), adopted in 2003, is a form of the ‘American GDPR’, in that it aimed to streamline and harmonise the privacy regulations across the US.
The law in the US curiously does not prohibit “cold” e-mailing, but the e-mails have to be clear and unambiguous. Deceptive e-mails are not allowed. Consent is not required, but the contact information of the sender must be provided, and with it a chance to unsubscribe instantly from future correspondence.
The Canadian laws are a bit stricter, in that some form of consent is required. However, the law recognises implied consent. Any form of business relationship is enough to prove a tentative link and allow the business to send commercial e-mails. Actively unsubscribing from e-mails is still required.
Commercial E-Mails in the EU
The situation in the European Union is set to be rather strict for marketers. The GDPR and the lesser-known update to the ePrivacy Regulation will severely limit the leeway companies have in contacting their potential customers. These two pieces of legislation are set to be bundled together and enter into force on 25 May 2018.
The GDPR (General Data Protection Regulation) considers e-mail addresses as personal data. And just like with any personal data, consent is generally the safest basis to use if you want to process or use it in any way (though there are other legal grounds for processing).
Just like postal spam will not be allowed, neither will such e-mails. For example, you will not be able to send someone commercial letters (that are addressed to them) without obtaining their consent first. How come stores can fill up your mailbox with promotional flyers then? The answer is simple: they do not contain any personal information.
If you are familiar with the GDPR, you could try to argue legitimate interest as a basis for commercial e-mails. After all, these e-mails could be of great benefit to a company (new customers) while being an insignificant annoyance to some individuals.
This could work to an extent, but it is a slippery slope, pending further guidance from the regulatory bodies and the Article 29 Working Party. It is possible, though unlikely, that with careful and occasional e-mail campaigns coupled with exemplary transparency, one would have no issues (but see below). Recital 47 of the GDPR provides further evidence for this view: direct marketing has been explicitly mentioned as an example of a legitimate interest.
Note that the above does not apply to corporate e-mail addresses: unsolicited marketing e-mails (as long as they are reputable) can be sent to work e-mail inboxes.
The ePrivacy Regulation
The ePrivacy Regulation further complicates the situation. This is a new set of rules aiming to replace the current ePrivacy Directive. As opposed to a Directive, the Regulation should be immediately applied to all EU Member States instead of having to be adopted by each individual parliament.
The European Commission obviously likes this and has pushed for a quick change this year; if all goes to plan, it should see the light of day at the same time as the GDPR. The two are envisioned to complement each other, with the ePrivacy Regulation more slanted towards protecting the individuals’ privacy.
The currently valid ePrivacy Directive distinguishes between several types of marketing – telephone, fax, e-mail etc., and has different provisions for all of them. Currently, for example, unsolicited postal marketing is allowed unless the person explicitly opts out. Phone marketing is also allowed when contacting existing customers.
This is all about to change if the new ePrivacy Regulation gets adopted. It makes no distinction between the various types of direct marketing, and requires direct consent for unsolicited marketing messages. The definition of consent is taken from the GDPR. It must be unambiguous and freely given. There is no concept of implied consent, and silence does not constitute acceptance of marketing messages.
It tops off the draconian limitations with equally enormous fines: up to EUR 10 million or 2 percent of the company’s annual turnover, whichever is greater.
The GDPR and the ePrivacy Regulation, in its current form, result in a highly conflicting and confusing set of rules.
There are generally no issues with contacting previous or existing customers whose personal data the company already has on hand. It is reasonable for a company to send an e-mail or two, especially since the customers have expressed an interest in the services or products beforehand (by purchasing them). This is known as the ‘soft opt-in’ (though you will base your processing on legitimate interest). Bear in mind that it should be easy for said individuals to opt out altogether.
Regarding unsolicited e-mails directed at non-customers, as described in the introduction, the situation is unclear. Recital 47 of the GDPR allows for processing of data for the purposes of direct marketing. This would imply that reasonable and occasional unsolicited e-mails are fine, as long as they contain clear unsubscribe links and do not have misleading content.
However, upon careful examination, the ePrivacy Regulation stipulates that explicit consent, as described in the GDPR, is required for marketing via e-mail. At best, unsolicited e-mailing is allowed in specific circumstances with high legitimate interest, but it is a very shaky ground to base one’s processing on.
What about existing users in your databases? You are absolutely in the clear if you have obtained (and documented) consent in line with the GDPR. If you have not (which we feel will mostly be the case), you’re unlucky.
See, in that case, you’ll have to contact the people in your mailing list and ask them to pretty please consent to further communication. If your pleas fall on deaf ears, you’re out of luck and must delete that e-mail address from your list. The rest you may keep. This will no doubt decimate your mailing lists, but it’s a Hobson’s choice – either that or full-on deletion of your database, as some have already done.
We are carefully eyeing any future developments from the Article 29 Working Party or the regulators, who have yet to voice themselves on this matter. As it stands, ‘cold e-mailing’ of potential users without obtaining prior consent does not seem to be allowed, but contacting existing customers and users is, as long as it is reasonable to expect such communication.
It all hinges on the regulators’ interpretations of the principle of legitimate interest. But, barring significant changes in interpretation, consent is king for direct marketing, and unsolicited e-mails sent to personal e-mail addresses, such as those allowed in the US, are and will be forbidden in the European Union for the foreseeable future.