Thursday, October 7, 2010

International Spam Laws Simplified

Since the US CAN-SPAM Act was enacted in 2003, many countries around the world have adopted anti-spam laws to give governments the tools to combat and prosecute those who send spam. All of these laws cover the same ground, but they describe it in different ways, impose different restrictions and penalties, and in some cases are written in completely different languages.

This article attempts to make sense of the various international laws that relate to spam and to provide a general set of guidelines for email marketing practice that should result in compliance with most, if not all, of them.

For the most part, these laws can be reduced to rules within 3 basic categories:

1. Consent
2. Identification
3. Opt-out

Where they primarily differ is in matters related to consent. Because the US CAN-SPAM Act is the one most marketers know, I will outline that law in detail, then move on to how laws in other parts of the world differ from it.

The US CAN-SPAM Act is officially called the “Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003.” It was signed into law on December 16, 2003 and took effect on January 1, 2004. Enforcement falls to the Federal Trade Commission, which has issued further regulations under it.
What is a Marketing Email?

What makes an email a “marketing email” rather than a communication between friends? The act states that it applies only to what it terms a “commercial electronic mail message”: one “the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” That sounds like pretty much any email a company might send if there is a link to its website in it.

However, the act carves out another class of email a company might send, to which the rules do not apply: the “transactional or relationship message” (the act uses this as a single term, not two). It gives examples such as bank account statements, job offers, product recalls and warranty information, and defines the “relationship” half loosely as email concerning an “ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender.” This exception has led many to believe that the law does not apply to, say, newsletters or market research. Tough to call; for messages that mix both kinds of content, the FTC's 2005 primary-purpose rule looks at whether a recipient reading the subject line would take the message to be commercial, and at whether the transactional content appears at the beginning of the body.

One criterion intentionally left out of the law is bulk. The quantity of mail sent is not a factor in determining whether an email is spam: if you send one email that violates the law, that is one violation; if you send half a million, that is half a million violations. This was deliberate, since one of the main reasons for having a federal law in the first place was to pre-empt state laws that did include bulk as a criterion, which were felt to put too much restriction on legitimate marketers and list owners (go lobbyists!).

It should also be noted that, since these emails are classed as “marketing” or “advertising,” any laws related to false advertising also apply.

Consent is the question “did an individual agree to receive an email marketing communication before receiving it?” CAN-SPAM is somewhat weak on this point, which is one of the main reasons the law is sometimes called the “You CAN SPAM” Act. It gives very little guidance on what qualifies as consent; the most telling phrase is “affirmative consent,” which it defines as:

the recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient’s own initiative

There is no other definition of consent beyond this, apart from the further rule that an email address cannot be passed on to a third party without prior “affirmative consent.” The word “affirmative” reads as disqualifying “negative opt-in,” the practice of pre-checking a box that someone must uncheck in order not to receive email.

The apparent intent is that there should be no unsolicited marketing email of any kind. However, the act is vague on what consent really means, and the “transactional or relationship” exception leaves open which emails the law actually covers, so the concept is fuzzy. For example, is it OK simply to ask for someone's email address and start mailing them until they tell you to stop? Is that enough of a prior relationship to justify mailing? The law leaves the door open to some degree; how wide is unclear, since it has not been tested many times in the courts.

The main purpose of the identification rules is to stop senders hiding or faking who they are, which is the foundation of phishing, where a spammer masquerades as a recognizable entity to gain someone's trust (for example, an email claiming to be from a bank and asking for account details). Several of the act's rules target conduct no legitimate marketer would engage in, such as hijacking someone else's computer to install a spambot that blasts the Internet while hiding the true source of the email, or forging header information.

But some identification rules do apply to ordinary marketing, such as the requirement that the “From” line not be “materially false or misleading.” This is obviously aimed at phishing, but it also raises the question of whether it is legitimate to put a person's email address on a bulk mailing that isn't really from that person, and it calls into question the fairly common practice of putting your own return address on a mailing delivered by a third-party vendor to a third-party list.

The law also singles out the subject line, making it illegal for “a subject heading of the message [to] be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.” The subject line can't be selling one thing while the body of the message sells something else.

Another important identification rule is the requirement to include a valid “physical postal address” of the sender in the body of the email. “Physical” means “not virtual,” and it was long assumed to also mean not a PO Box but the actual address where the business is located; the FTC's 2008 rule settled this the other way, stating that a post office box registered with the US Postal Service, or a private mailbox registered with a commercial mail receiving agency, also counts as a valid physical postal address.

Messages must also contain “clear and conspicuous” identification that the email is an advertisement or solicitation. What exactly “clear and conspicuous” means here is open to question. Do you actually need to include a phrase like “this email is an advertisement,” or is a big “Buy Now” button “clear and conspicuous” enough?

There must be some electronic mechanism to unsubscribe from future mailings, either by replying to the message or by clicking a web link; it must be electronic and it must be conspicuous. The law also explicitly allows an unsubscribe mechanism that lets a recipient opt out of particular message streams, provided there is also a way to opt out of all future mailings.

The act uses “clear and conspicuous” to describe how the unsubscribe mechanism must appear and, presumably, work. The act itself says nothing about how many clicks or pitches for extra offers may stand between the recipient and actually being unsubscribed, but the FTC's 2008 rule does: an opt-out may not require a fee, any information other than the email address and opt-out preferences, or any step beyond sending a reply or visiting a single web page. Either way, keep your unsubscribe mechanism simple; it is better that someone clicks your unsub link than the “This is SPAM” button.

All unsubscribe requests must be honored within 10 business days, however they come in (email, phone or regular mail), and an opted-out address may not be sold or transferred to anyone else. If consent is subsequently given again, the opt-out restrictions no longer apply.
International Comparison

As far as identification and opt-out are concerned, most laws outside the US are more or less identical to CAN-SPAM (with minor exceptions; in Australia, for example, you have 5 business days to honor an unsubscribe request, not 10). If you follow the CAN-SPAM requirements you are pretty much covered everywhere. Where the laws primarily differ is in matters of consent and in which types of message count as marketing.

Below is a brief overview of the laws in three other countries and how they differ from CAN-SPAM.

Responsibility for spam law in Europe rests with the individual member states of the European Union; there is no single spam law for all of Europe. The EU's Privacy and Electronic Communications Directive (2002/58/EC) sets out, among many other things, rules on unsolicited email marketing that member states must write into their national law, but each state decides how, so the details differ from country to country.

The UK law, “The Privacy and Electronic Communications (EC Directive) Regulations 2003,” is not specifically about email like CAN-SPAM; it covers data privacy in direct marketing generally, regardless of technology (phone, email, SMS).

On consent, however, it is about as weak as CAN-SPAM. It states that no unsolicited marketing email may be sent without the recipient's consent, but goes on to make the following exemption (the so-called “soft opt-in”):

22.(3)(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

22.(3)(b) the direct marketing is in respect of that person’s similar products and services only;

Regulation 22(3)(c) adds that the recipient must have been given a simple means of refusing at the time the details were collected and in every subsequent message, but that is still a pretty wide open door as far as consent goes.

Italy is considered to have one of the toughest anti-spam laws in the world, with the tightest restrictions and the harshest penalties. The law is the “Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003),” and it makes sending spam a criminal offence punishable by up to 3 years in jail.

The law is broader than CAN-SPAM and covers far more than email. Its central concept is the “data subject,” the individual whose personally identifiable information a company or organization processes, and it lays down very detailed rules about what is and isn't allowed with that data. On consent, the law states:

Processing of personal data by private entities or profit-seeking public bodies shall only be allowed if the data subject gives his/her express consent

So essentially any email a “profit-seeking” organization sends to a customer (or to anyone) requires prior opt-in, if sending it involves storing personal information such as an email address. It also places the burden of proof on the organization: it must be able to show that the individual freely accepted (in some recorded form) the consent statement and the statement of rights regarding the storing and processing of the personal information (the privacy statement). Further, a data subject has the right to be told the source of the consent, so you must keep a record of the opt-in for as long as is reasonably practicable.

The Australian law, simply called the “Spam Act 2003,” is a fairly strong one. Like CAN-SPAM, it distinguishes “commercial” messages from the equivalent of transactional ones, which it terms “factual” messages. However, unlike CAN-SPAM, a factual message must still comply with the law: it is exempt from the consent requirement, but the sender must still be accurately identified. Under CAN-SPAM, a “transactional” email is exempt from the entire law.

The definition of “factual” is that “the message consists of no more than factual information (with or without directly related comment),” as opposed to “commercial” content that would make the email a “commercial electronic message.” The distinction is whether or not the email is selling something. So a company can send an email to someone without prior consent, as long as there is no advertising or marketing in it; your company logo and a link to your website do not count (unless that link goes directly to an advertisement). Of course, there are restrictions on how you obtained the email address in the first place: it must have come willingly from that individual through a previous business relationship.

One thing to note about the Australian law and consent: viral practices like “refer-a-friend” appear to be illegal under it, because the friend has consented to nothing. The Australian Communications and Media Authority, which enforces the act, recommends on its website against running refer-a-friend campaigns. You would probably want to avoid running one in Italy too.
Best practices

OK, so what can a marketer doing business (or planning to do business) around the world do to ensure compliance with all these laws? Below is a list of recommendations to keep your marketing program within the bounds of pretty much any anti-spam law you might run into.

Note that these are recommendations only, not a guarantee that you won't get into trouble. As always, if you think you might be doing something illegal, consult a lawyer.

Consent

* Only mail to users who have explicitly opted in to receive email, preferably with a double opt-in (a confirmation link the subscriber must click before any marketing is sent)
* At every point of opt-in, state what types of email the subscriber should expect to receive
* Assume that every email sent from an automated system requires prior consent
* Keep a record of every opt-in transaction (when, from where, and what the subscriber agreed to) for at least 12 months
* Avoid dubious consent methods such as “refer-a-friend”

Identification

* Include the physical address of where you do business in every email
* Include a line in each email stating why the recipient is receiving it and whether it is an advertisement or solicitation
* Never put your company's email address on a third-party mailing delivered by a third-party vendor
* Ensure that what you pitch in the subject line is what is pitched in the message

Opt-out

* Make it conspicuous and simple (one click preferred)
* Automate it as far as possible and test that it actually works
* Ensure that unsubscribe requests arriving by email, phone or regular mail are monitored and processed within 5 business days of receipt
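The recommendations above translate directly into a pre-send gate: a consent ledger that records the opt-in, the double opt-in confirmation and any opt-out, plus a check that each outgoing message carries the identification and unsubscribe elements. The following is an added example written for this page, not code from the original post or from any particular mailing product; the class and function names, the HMAC-based confirmation token, the constant `NOW` and the sample message are all my own assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import parseaddr

NOW = datetime(2010, 10, 7, tzinfo=timezone.utc)   # demo clock (the post's date)


@dataclass
class ConsentRecord:
    address: str
    source: str                    # where the address was collected (hypothetical form URL)
    streams: tuple                 # message streams disclosed to the subscriber at opt-in
    requested_at: datetime         # address submitted (single opt-in)
    confirmed_at: datetime | None = None     # confirmation link clicked (double opt-in)
    unsubscribed_at: datetime | None = None  # opt-out received, by any channel


class ConsentLedger:
    """Stores opt-in evidence and answers "may I send this stream to this address?"."""

    def __init__(self, secret: bytes):
        self._secret = secret                        # key for confirmation tokens
        self._records: dict[str, ConsentRecord] = {}
        self.log: list[tuple[datetime, str, str]] = []   # (when, address, event) audit trail

    @staticmethod
    def _norm(address: str) -> str:
        return address.strip().lower()

    def _token(self, address: str, requested_at: datetime) -> str:
        # HMAC over address and request time: unguessable, so nobody can "confirm"
        # an address they do not control by guessing the link in someone else's mail.
        data = f"{address}|{requested_at.isoformat()}".encode()
        return hmac.new(self._secret, data, hashlib.sha256).hexdigest()

    def request(self, address: str, source: str, streams, now: datetime) -> str:
        address = self._norm(address)
        self._records[address] = ConsentRecord(address, source, tuple(streams), now)
        self.log.append((now, address, f"opt-in requested via {source}"))
        return self._token(address, now)    # goes into the confirmation email's link

    def confirm(self, address: str, token: str, now: datetime) -> bool:
        rec = self._records.get(self._norm(address))
        if rec is None:
            return False
        if not hmac.compare_digest(self._token(rec.address, rec.requested_at), token):
            self.log.append((now, rec.address, "bad confirmation token rejected"))
            return False
        rec.confirmed_at = now
        self.log.append((now, rec.address, "opt-in confirmed"))
        return True

    def unsubscribe(self, address: str, channel: str, now: datetime) -> None:
        # Suppress at once, whatever channel the request came by; the statutory
        # 10 (US) or 5 (AU) business days is a ceiling, not a target.
        rec = self._records.get(self._norm(address))
        if rec is not None:
            rec.unsubscribed_at = now
            self.log.append((now, rec.address, f"unsubscribed via {channel}"))

    def can_send(self, address: str, stream: str) -> tuple[bool, str]:
        rec = self._records.get(self._norm(address))
        if rec is None:
            return False, "no consent record"
        if rec.unsubscribed_at is not None:
            return False, "recipient opted out"
        if rec.confirmed_at is None:
            return False, "opt-in never confirmed"
        if stream not in rec.streams:
            return False, f"stream {stream!r} was not disclosed at opt-in"
        return True, "ok"


def message_problems(msg: EmailMessage, postal_address: str) -> list[str]:
    """Identification and opt-out checks to run on a mailing before it goes out."""
    problems = []
    _, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in from_addr:
        problems.append("From header missing or not a usable address")
    if not msg.get("Subject", "").strip():
        problems.append("empty Subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = " ".join(body.get_content().split()) if body else ""
    if " ".join(postal_address.split()) not in text:
        problems.append("physical postal address not in body")
    if "unsubscribe" not in text.lower() and "List-Unsubscribe" not in msg:
        problems.append("no unsubscribe mechanism")
    if "advertisement" not in text.lower() and "you are receiving this" not in text.lower():
        problems.append("no line saying why the recipient got this or that it is an advertisement")
    return problems


def sample_message(with_postal_address: bool) -> EmailMessage:
    # Constructed sample mailing for the checks above, not a real message.
    msg = EmailMessage()
    msg["From"] = "Example Shop <news@example.com>"
    msg["Subject"] = "October sale: 20% off rain jackets"
    msg["List-Unsubscribe"] = "<https://example.com/unsub?u=1>"
    body = ("20% off all rain jackets this week. This email is an advertisement; "
            "you are receiving this because you subscribed at example.com.\n"
            "Unsubscribe: https://example.com/unsub?u=1\n")
    if with_postal_address:
        body += "Example Shop, 12 Harbour Road, Sydney NSW 2000\n"
    msg.set_content(body)
    return msg
```

In use, `request()` runs when the sign-up form is submitted and the returned token is embedded in the confirmation link; nothing is mailed to the address until `confirm()` has seen that token back, and `can_send()` is consulted per stream immediately before each send. The audit log is what you would hand over when an Italian data subject asks for the source of their consent, so in production it belongs in durable storage rather than a list. The message checks are deliberately mechanical: they catch a forgotten address line or unsubscribe link, but whether a subject line is misleading is still a human judgment.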
