If you use email marketing, make sure you're up to speed on anti-spam law. This factsheet is designed to make it quick and easy to understand
Anti-spam law restricts the sending of unsolicited marketing emails (‘spam’) to individual subscribers. Unsolicited emails can still be sent to corporate subscribers if they are relevant to their work.
Anti-spam law is enforced by the Information Commissioner and breaches can lead to a fine of up to £5,000. There is also civil liability to anyone who suffers damage as a result of the breach. The rules are in the Privacy and Electronic Communications (EC Directive) Regulations.
‘Solicited’ and ‘unsolicited’ are not defined, but solicited emails are probably emails that recipients specifically ask you to send them. A recipient can solicit an email from you via a third party such as a reseller or another company within the same group as yours. An unsolicited email is any other email.
A ‘marketing’ email is not defined by the law either, but must include any email promoting your goods and services. For not-for-profit bodies like charities it includes promotion of your ideals.
The restrictions on spamming individual subscribers apply not just to consumers, but also to sole traders and partners in business partnerships in England & Wales (Scottish partnerships are different - see below) because they are still individuals, even though they are in business and even if you email them in their business capacity.
A ‘corporate subscriber’ will usually be a limited company or Limited Liability Partnership (or a Scottish partnership) but can also include schools, hospitals, government departments or agencies and other public bodies.
You can ‘cold email’ an unsolicited, direct marketing email to a corporate subscriber, but be careful. The fact an email address ends in .co.uk does not mean it belongs to a limited company. Anyone can register a .co.uk domain name (the only UK domain names that tell you for certain that you are dealing with a UK limited company are the .ltd.uk and .plc.uk domains, but these are rare).
An email to firstname.lastname@example.org or email@example.com is clearly to the corporate subscriber. But what if you are emailing 'Pauline Manager', an employee at a limited company, at a work address such as firstname.lastname@example.org? The email will be opened by Pauline, who is an individual.
This is permitted if the email is work-related (eg promoting office furniture to a facilities manager) but not if it is personal (eg promoting family holidays to the sales team at a recruitment company).
This view is bolstered by the legal argument that the law defines a ‘subscriber’ as "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". Since it is ABC Widgets that is the party to the contract with the telecoms provider providing the work email address, not the employee, the argument is that the email is being sent to the company - the ‘corporate subscriber’ - and no restrictions apply. It doesn’t matter that the email can only be accessed by the individual employee.
Individuals who specifically consent (‘opt-in’) to receiving emails
You can send direct marketing emails to individual subscribers if they have ‘previously notified the sender’ of their specific consent (ie they have ‘opted in’) to receiving such emails from you.
Specific consent requires some positive action by the subscriber. If an individual omits to deselect an opt-in box you have pre-ticked on (eg an order or enquiry form), that is not a specific consent. If they specifically tick the opt-in box or you make it clear that by entering his email address in a field they are opting in, these are positive acts for this purpose.
The opt-in must be ‘clear and distinct’ so individuals can see that they are opting in and see what they are opting into when they tick a box or provide their email address.
The family opt-in
When emailing a family address (eg email@example.com), you must have reasonable grounds for believing you have the consent of a person who is speaking on behalf of the family. Given the inclusion of the word ‘subscriber’ in the definition of an ‘individual subscriber’ this probably means you need the consent of the family member(s) who is a party to the contract with the telecoms provider providing the family email facility.
Opt-in is temporary
If an individual subscriber does opt-in, his or her consent is only given ‘for the time being’. You are entitled, however, to assume the individual’s consent remains valid until there is a good reason for you to consider otherwise.
Third party advertising consent
If you are going to let third parties advertise in your emails, you should obtain the consent of any individual subscribers on your emailing list before you do so. Without it, your emails might be construed as unsolicited direct marketing emails from your advertisers to your subscribers.
What your opt-in request should say
Applying the above rules, the ’opt-in’ request of a limited company within a group might ask for an individual’s consent to receiving emails:
‘Opt-in’ and bought-in lists
Opt-in has to be previously notified to ‘the sender’ of direct marketing emails. If this means consent must be given to you directly, then addresses on any list compiled by a third party (such as a list broker or another company within the same group as yours) after December 2003 (when the anti-spam law came into force), cannot be an ‘opted in’ list for your purposes.
Guidance from the Information Commissioner, however, envisages that a consent can be collected from an individual by a third party on your behalf, provided the third party makes it clear to the individual that it is proposing to pass his or her details to businesses offering the sort of products and services you offer. For example, if you offer American holidays, a third party can ask an individual for consent as follows:
"We would like to pass your details on to specially selected third parties so that they can send you more information about holidays in America. Do you agree to this?”
A positive response, according to the guidance, means ‘it is likely’ the third party can pass those details to you and you can send direct marketing emails to those contacts to promote your American holidays. It does not matter that the individual has never heard of you previously.
There are circumstances in which you can treat an individual subscriber as having consented to receiving emails from you, even though they haven’t specifically done so. This is called ‘soft’ opt-in. You can send direct marketing emails to individual subscribers under the soft opt-in rules if:
1 Their email address was obtained by you in ‘the course of the sale or negotiations for the sale of a product or service’ The Department for Business, Innovation and Skills (BIS) interpretation is that this condition is satisfied if the individual is already a customer or has entered into negotiations with you with a view to a sale or has registered an interest in a product and allowed their email address to be recorded for future marketing use.
An example of a ‘negotiation’ might be a price enquiry or someone checking availability of a product or service. But beware the difference between an email address obtained as the result of an enquiry from your website that asks ‘where’s the nearest store to Tetbury?’ (no interest in a product) and one obtained because an individual asks ‘is there a store near Tetbury where I can buy a new toner cartridge for my printer?’ (interest in a product). It is possible that entry into a competition designed to create awareness/interest in particular goods and services could constitute ‘negotiations with a view to a sale’.
2 The direct marketing is in respect of your ‘similar products and services only’ The BIS interpretation is that the products or services must be ‘similar’ to those the individual was buying or negotiating to buy when their email address was originally captured. This probably extends to any goods and services that the recipient would reasonably expect you to provide. For example, if you are a hotelier, guests would reasonably expect you to offer conference, party and catering facilities as well as rooms, and these could be promoted using direct marketing emails.
3 The recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his or her contact details for the purposes of such direct marketing, at the time that the details were initially collected.
4 The individuals are given the opportunity to opt out in every subsequent email to them Individuals whose email addresses you buy in from a list broker cannot have opted in to receive emails from you under the soft opt-in rules if they have never dealt with you, but only the list broker. Nor can an individual who gives his or her email address to your company be treated as having opted in to receiving direct marketing emails from other companies in the same group as you, unless he or she has specifically consented to this.
It’s also likely that, if you have opt-in from a subscriber to receiving emails from one brand or business name, and you want to promote another brand or business name you own, you can only do so if the recipient would associate the two as being under common ownership.
All direct marketing emails, whether to corporate subscribers or individuals, and whether unsolicited or solicited, must:
By concession, the Information Commissioner has said that he will not apply the law to ‘legacy lists’. This means:
The Information Commissioner will proceed against you first if the rules are breached, as the ‘instigator’ of the email communication.
The anti-spam rules specifically say that they do not affect your obligations in relation to personal data under the Data Protection Act 1988. Under that Act individuals (as opposed to businesses) can prevent you from processing ‘personal data’ (which includes using it to send them unsolicited marketing emails) without their consent.
Personal data is data relating to a living individual (but not companies). So, if you have an email address but cannot tie it to a person’s name or other personal details, it is not personal data. If it is, however:
Always take legal advice.