Your email marketing and anti-spam law

If you use email marketing, make sure you're up to speed on anti-spam law. This factsheet is designed to make it quick and easy to understand

What anti-spam law does

Anti-spam law restricts the sending of unsolicited marketing emails (‘spam’) to individual subscribers. Unsolicited emails can still be sent to corporate subscribers if they are relevant to their work.

Anti-spam law is enforced by the Information Commissioner and breaches can lead to a fine of up to £5,000. There is also civil liability to anyone who suffers damage as a result of the breach. The rules are in the Privacy and Electronic Communications (EC Directive) Regulations.

‘Solicited’ and ‘unsolicited’ are not defined, but solicited emails are probably emails that recipients specifically ask you to send them. A recipient can solicit an email from you via a third party such as a reseller or another company within the same group as yours. An unsolicited email is any other email.

A ‘marketing’ email is not defined by the law either, but must include any email promoting your goods and services. For not-for-profit bodies like charities it includes promotion of your ideals.

Individual subscribers v corporate subscribers

The restrictions on spamming individual subscribers apply not just to consumers, but also to sole traders and partners in business partnerships in England & Wales (Scottish partnerships are different - see below) because they are still individuals, even though they are in business and even if you email them in their business capacity.

A ‘corporate subscriber’ will usually be a limited company or Limited Liability Partnership (or a Scottish partnership) but can also include schools, hospitals, government departments or agencies and other public bodies.

The rules for corporate subscribers

You can ‘cold email’ an unsolicited, direct marketing email to a corporate subscriber, but be careful. The fact an email address ends in .co.uk does not mean it belongs to a limited company. Anyone can register a .co.uk domain name (the only UK domain names that tell you for certain that you are dealing with a UK limited company are the .ltd.uk and .plc.uk domains, but these are rare).

An email to sales@abcwidgets.co.uk or helpdesk@abcwidgets.co.uk is clearly to the corporate subscriber. But what if you are emailing 'Pauline Manager', an employee at a limited company, at a work address such as pmanager@abcwidgets.co.uk? The email will be opened by Pauline, who is an individual.

This is permitted if the email is work-related (eg promoting office furniture to a facilities manager) but not if it is personal (eg promoting family holidays to the sales team at a recruitment company).

This view is bolstered by the legal argument that the law defines a ‘subscriber’ as "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". Since it is ABC Widgets that is the party to the contract with the telecoms provider providing the work email address, not the employee, the argument is that the email is being sent to the company - the ‘corporate subscriber’ - and no restrictions apply. It doesn’t matter that the email can only be accessed by the individual employee.

The rules for individual subscribers

Individuals who specifically consent (‘opt-in’) to receiving emails

You can send direct marketing emails to individual subscribers if they have ‘previously notified the sender’ of their specific consent (ie they have ‘opted in’) to receiving such emails from you.

Specific consent requires some positive action by the subscriber. If an individual omits to deselect an opt-in box you have pre-ticked on (eg an order or enquiry form), that is not a specific consent. If they specifically tick the opt-in box or you make it clear that by entering his email address in a field they are opting in, these are positive acts for this purpose.

The opt-in must be ‘clear and distinct’ so individuals can see that they are opting in and see what they are opting into when they tick a box or provide their email address.

The family opt-in

When emailing a family address (eg smithfamily@isp.co.uk), you must have reasonable grounds for believing you have the consent of a person who is speaking on behalf of the family. Given the inclusion of the word ‘subscriber’ in the definition of an ‘individual subscriber’ this probably means you need the consent of the family member(s) who is a party to the contract with the telecoms provider providing the family email facility.

Opt-in is temporary

If an individual subscriber does opt-in, his or her consent is only given ‘for the time being’. You are entitled, however, to assume the individual’s consent remains valid until there is a good reason for you to consider otherwise.

Third party advertising consent

If you are going to let third parties advertise in your emails, you should obtain the consent of any individual subscribers on your emailing list before you do so. Without it, your emails might be construed as unsolicited direct marketing emails from your advertisers to your subscribers.

What your opt-in request should say

Applying the above rules, the ’opt-in’ request of a limited company within a group might ask for an individual’s consent to receiving emails:

  • from you about the products and services that you want to market to them
  • from other companies in your group about the products and services they offer
  • from you, or other companies in your group, about other brands you each offer
  • from you, or other companies in your group, about other activities such as seminars, competitions, promotions, etc
  • from you that include third party advertisements
  • from third parties offering specified products and services (to allow you to pass details to those third parties).

‘Opt-in’ and bought-in lists

Opt-in has to be previously notified to ‘the sender’ of direct marketing emails. If this means consent must be given to you directly, then addresses on any list compiled by a third party (such as a list broker or another company within the same group as yours) after December 2003 (when the anti-spam law came into force), cannot be an ‘opted in’ list for your purposes.

Guidance from the Information Commissioner, however, envisages that a consent can be collected from an individual by a third party on your behalf, provided the third party makes it clear to the individual that it is proposing to pass his or her details to businesses offering the sort of products and services you offer. For example, if you offer American holidays, a third party can ask an individual for consent as follows:

"We would like to pass your details on to specially selected third parties so that they can send you more information about holidays in America. Do you agree to this?”

A positive response, according to the guidance, means ‘it is likely’ the third party can pass those details to you and you can send direct marketing emails to those contacts to promote your American holidays. It does not matter that the individual has never heard of you previously.

‘Soft’ opt-in

There are circumstances in which you can treat an individual subscriber as having consented to receiving emails from you, even though they haven’t specifically done so. This is called ‘soft’ opt-in. You can send direct marketing emails to individual subscribers under the soft opt-in rules if:

1 Their email address was obtained by you in ‘the course of the sale or negotiations for the sale of a product or service’ The Department for Business, Innovation and Skills (BIS) interpretation is that this condition is satisfied if the individual is already a customer or has entered into negotiations with you with a view to a sale or has registered an interest in a product and allowed their email address to be recorded for future marketing use.

An example of a ‘negotiation’ might be a price enquiry or someone checking availability of a product or service. But beware the difference between an email address obtained as the result of an enquiry from your website that asks ‘where’s the nearest store to Tetbury?’ (no interest in a product) and one obtained because an individual asks ‘is there a store near Tetbury where I can buy a new toner cartridge for my printer?’ (interest in a product). It is possible that entry into a competition designed to create awareness/interest in particular goods and services could constitute ‘negotiations with a view to a sale’.

2 The direct marketing is in respect of your ‘similar products and services only’ The BIS interpretation is that the products or services must be ‘similar’ to those the individual was buying or negotiating to buy when their email address was originally captured. This probably extends to any goods and services that the recipient would reasonably expect you to provide. For example, if you are a hotelier, guests would reasonably expect you to offer conference, party and catering facilities as well as rooms, and these could be promoted using direct marketing emails.

3 The recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his or her contact details for the purposes of such direct marketing, at the time that the details were initially collected.

4 The individuals are given the opportunity to opt out in every subsequent email to them Individuals whose email addresses you buy in from a list broker cannot have opted in to receive emails from you under the soft opt-in rules if they have never dealt with you, but only the list broker. Nor can an individual who gives his or her email address to your company be treated as having opted in to receiving direct marketing emails from other companies in the same group as you, unless he or she has specifically consented to this.

It’s also likely that, if you have opt-in from a subscriber to receiving emails from one brand or business name, and you want to promote another brand or business name you own, you can only do so if the recipient would associate the two as being under common ownership.

Rules applying to all emails

All direct marketing emails, whether to corporate subscribers or individuals, and whether unsolicited or solicited, must:

  • make the identity of the sender clear (the sender must not be ‘disguised or concealed’)
  • provide a valid address to which ‘unsubscribe’ messages may be sent.

Existing emailing lists?

By concession, the Information Commissioner has said that he will not apply the law to ‘legacy lists’. This means:

  • email addresses you had at 31 October 2003
  • that you have used within the last 12 months
  • that you collected in compliance with the law at the time (at a minimum, you told the people whose addresses you collected that you would be using the addresses for marketing purposes when you collected them)
  • whose owners haven’t told you to stop emailing them

Subcontracting your e-marketing?

The Information Commissioner will proceed against you first if the rules are breached, as the ‘instigator’ of the email communication.

Data Protection Act 1998

The anti-spam rules specifically say that they do not affect your obligations in relation to personal data under the Data Protection Act 1988. Under that Act individuals (as opposed to businesses) can prevent you from processing ‘personal data’ (which includes using it to send them unsolicited marketing emails) without their consent.

Personal data is data relating to a living individual (but not companies). So, if you have an email address but cannot tie it to a person’s name or other personal details, it is not personal data. If it is, however:

  • you should not send unsolicited marketing emails to any person who has not consented to your doing so
  • even if they originally consented, recipients of your direct marketing emails can write and ask you to stop using personal data to send out direct marketing emails at any time afterwards

Always take legal advice.