Electronic mail (Regulations 22 and 23)

How do the Regulations apply to marketing by electronic mail?

The Regulations define electronic mail as ‘any text, voice, sound, or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service’ (Regulation 2 ‘Interpretation’ applies).

In other words, email, text, picture and video marketing messages are all considered to be ‘electronic mail’. Marketing transmitted in WAP messages is considered to be ‘electronic mail’. WAP Push allows a sender to send a specially formatted SMS message to a handset which, when received, allows a recipient through a single click to access and view content stored online, through the browser on the handset.

We consider this rule also applies to voicemail and answerphone messages left by marketers making marketing calls that would otherwise be ‘live’. So there are stricter obligations placed on you if you make live calls but then wish to leave messages on a person’s voicemail or answerphone.

Faxes are not considered to be ‘electronic mail’. Fax marketing is covered elsewhere in the Regulations. These regulations also do not cover so-called silent calls or calls where a fax or other electronic signal is transmitted; this is because no marketing material is transmitted during these calls.

What is the difference between a ‘solicited marketing message’ and an ‘unsolicited marketing message that the subscriber consents to receiving’?

A ‘solicited message’ is one the subscriber has actively invited. We accept that this invitation can be given through a third party. An ‘unsolicited marketing message that a subscriber has opted into receiving’ is one they have not invited, but that for the time being they do not object to receiving. If challenged, you would need to demonstrate that the subscriber has positively opted into receiving further information from you.

What would be a ‘valid address’ for the purpose of Regulation 23?

Online, this could be a valid email address. We accept that short code numbers could be used as a ‘valid address’ in text messages, as long as they do not incur costs other than the cost of sending the message (that is, using the short code does not incur premium-rate charges). As good practice, promotional text messages should include a valid website address (where further valid contact details can be found) or a valid PO Box number.

Is there any difference between an individual subscriber and the recipient of marketing material by electronic mail (Regulation 22(2))?

Yes, there is a difference.

The Directive that these Regulations implement says unsolicited marketing should not be sent by electronic mail to an individual subscriber unless the subscriber has given consent. However, this Regulation refers to the recipient’s consent. We consider ‘the recipient’ to mean the intended recipient. If a household member has an individual email address, then the consent of that individual is required unless the soft opt-in criteria are satisfied. If a household has a household email address (for example, familyname@domainname.com) then the consent of someone whom it is reasonable to believe speaks on behalf of the family is sufficient, unless the soft opt-in criteria are satisfied.

What is ‘soft opt-in’ (Regulation 22(3))?

If you satisfy these criteria, you do not need prior consent to send marketing by electronic mail to individual subscribers. If you cannot satisfy these criteria, you must not send marketing by electronic mail to individual subscribers without their prior consent.

How does the ICO interpret ‘in the course of a sale or negotiations for the sale of a product or service’?

A sale does not have to be completed for this to apply. It may be difficult to establish when negotiations begin. However, you may continue to market someone by electronic mail:

• if they have actively expressed an interest in buying your products and services; and
• if they have not opted out of further marketing of that product or service or similar products and services when their details were collected (despite being offered the opportunity to do so); and
• unless and until they opt out of receiving such messages at a later date (despite being offered the opportunity to do so in each communication).

We do not consider that ‘negotiations for the sale of a product or service’ includes the use of cookie technology to identify someone’s area of interest when they are browsing your website. Unless they have expressly communicated their interest to you by, for example, asking for a quote, no ‘negotiations’ can be said to have taken place for the purpose of these Regulations.

As another example, if you are a national retailer and someone emails you asking if you are going to open a branch in their town, the expected response would be ‘yes’ with details, or ‘no’, perhaps with details of your other stores in that area. This query does not do any of the following:

• form part of a negotiation for the sale of a product or service;
• form an invitation to you to send the person further information about your products or services;
• indicate consent to receive further promotional emails from you.

You could send a person emails promoting your products and services if they:

• expressly invited you to;
• consented to your suggestion that you send them promotional emails; or
• did not object to receiving emails during a sale or negotiations for a sale.

How does the ICO interpret ‘similar products and services’?

We believe the intention of Regulation 22 is to ensure someone does not receive promotional material about products and services they would not reasonably expect to receive. For example, someone who has shopped online at a supermarket’s website (and has not objected to receiving further email marketing from that supermarket) would expect at some point to receive further emails promoting other goods available at that supermarket.

A recipient can opt out if they think a company has gone beyond the boundaries of what they would reasonably expect that company to do – something most responsible marketers will be keen to avoid. So for the time being we will focus in particular on failures to comply with opt-out requests. We will continue to monitor how far marketers take account of the reasonable expectations of individual subscribers.

Regulation 22 does not spell out our obligation to respect an opt-out request from individual subscribers. Does this mean we don’t have to comply with such requests?

In our view, if you can send marketing by electronic mail to individual subscribers only if they have provided prior consent, this implies the option to withdraw that consent at a later stage. We would quote the inclusion of the phrase ‘for the time being’ to support our view. We will take enforcement action against companies in the UK jurisdiction who persistently fail to comply with opt-out requests from individual subscribers.

Surely SMS marketing can’t be subject to the same rules as conventional email – after all, the standard mobile phone screen can only hold 160 characters.

The practical limitations of standard mobile screens do not mean marketers can ignore the rules. You can give information about the marketing you intend to do before actually sending a marketing message or even before you collect the mobile number in question. For example, in an advert, or on a website where the recipient signs up for the service.

Assuming the recipient has clearly consented to receiving messages, each message will have to identify the sender and provide a valid suppression address. Originally, we took the view that only a postal or email address would satisfy this Regulation. We were concerned that ‘pay as you go’ mobile phone users may not have a permanent record of any opt-out message they had sent (as opposed to an itemised bill available for users of contract phones which would, at the very least, be proof that a message of some kind had been sent). Given widespread use of ‘pay as you go’ mobile phones, particularly by children, we were concerned that ‘pay as you go’ users would not be able to present a strong case to us (or to a court if they sought to pursue an action for compensation) due to a lack of evidence showing they had asked the marketer to stop and that request was being ignored.

Many marketers have said that people are less likely to bother writing a formal letter and it would be easier for individuals if they could text an opt-out to a short code number at the bottom of a message. This would be more consistent with our approach regarding valid addresses for emails.

So we are now prepared to allow the use of short codes as a valid address, provided the sender ensures that:

• they clearly identify themselves in the message (for example, ‘PJ Ltd’);
• using the short code does not incur a premium-rate charge; and
• the short code is valid.

If you use a short code as a valid address, we suggest you use the format ‘PJLtd2STOPMSGSTXT’STOP’TO (then add a 5-digit short code)’.

Marketing messages that claim to be from ‘a good friend’ or from ‘someone who fancies you’ and so on, are unlikely to comply with the Regulations if the company whose goods and services are being promoted, for example, the dating agency, does not clearly identify itself at some point in the message.

Do we have to screen against the TPS if we are sending unsolicited marketing by text, picture or video messages?

No. TPS registration indicates a general objection to receiving live marketing calls. Text, picture and video messages are defined as ‘electronic mail’ under the Regulations. They should not be sent without the prior consent of the individual subscribers unless the soft opt-in criteria are satisfied. So you do not have to screen against the TPS because you should already have established prior consent or satisfied the ‘soft opt-in’ criteria.

However, you must make sure you identify yourself in any text, picture or text messages you send and provide a valid address to which recipients can send an opt-out request. If you are sending the message on a soft opt-in basis, you must provide a simple means of refusing further messages that is free of charge except for the cost of transmitting the refusal. You will not satisfy this obligation if you only supply a premium-rate or national-rate number in these circumstances.

We will collect email addresses or mobile phone numbers as part of a competition. Could this be considered as being ‘in the course of negotiations for the sale of a product and service’?

It depends – on the context and on what you tell the person when you collect their details. If a competition is part of an inducement to raise interest in a product or service, it could be argued that this forms part of the negotiations for a sale. However, if you are unclear about what you will do with someone’s email address or mobile phone number when you collect those details, or if you are clear but your reasons are not readily accessible, you are less likely to be able to rely on the ‘soft opt-in’. If you have collected someone’s name with their email address or mobile phone number (or both) and you have not been clear about what you are going to do with that information, you may also breach the first data protection principle.

Third-party electronic mailing lists

Do we always have to obtain any consent or invitation to market by electronic mail directly from the sender? If so, does this mean we can never use bought-in or rented lists?

Despite our view about overriding consent, the Regulations do not expressly rule out obtaining consent through a third party. However, if you are buying or renting a list from a broker, you will need to seek assurances from them about the basis on which the information was collected.

It is difficult to see how third-party lists can be compiled and used legitimately except where the individual subscriber expressly invites (solicits) marketing by electronic mail. This is because you may only send unsolicited marketing to an individual subscriber who has ‘previously notified the sender that they consent for the time being to such communications being sent by, or at the instigation of, the sender.’ (Regulation 22(2) applies). Arguably, you may obtain a person’s consent through a third party, but a lot will depend on the clarity and transparency of the information that third party gave the intended recipient when it collected their contact details.

If we buy in or rent a list, can we use it?

We cannot see how the soft opt-in criteria could be satisfied with bought-in lists, even if you have an existing relationship with the intended recipient. This is because you can only satisfy the soft opt-in criteria if you, not someone else, collected the electronic mail contact details ‘in the course of a sale or negotiations for a sale.’ (Regulation 22 (3) (a) applies). If you didn’t collect that email address or mobile number yourself, then you can’t rely on the relaxation of the strict prior consent rule.
So if you wish to buy in or rent a list from a third party, you may only use it if the intended recipient has actively consented to receiving unsolicited messages by electronic mail from third parties.

The following is a list of scenarios that may apply to a bought-in or rented list. It is not a complete list.

1) List of individual subscribers who have invited contact from third parties on a particular subject

You may send marketing material by electronic mail to contacts on this list provided that:

• this person has not already sent an opt-out request to you;
• you do not conceal your identity when you contact them; and
• you provide a valid contact address for subsequent opt-out requests.

Given individuals’ increased caution over disclosing their contact details to third parties for marketing purposes, you should seek assurances that these are genuine invitations for contact from anyone on a particular subject, as opposed to scenarios 2 or 3 below.

For example, you could use such a bought-in or rented list if the contact details were collected from recipients who had ticked a box next to wording such as:

‘I want to receive emails from other companies that offer gardening products. Please pass my email address to them so they can contact me. 􀂆 ’

2) List of individual subscribers who have invited contact from third parties on unspecified subjects

You may send marketing material by electronic mail to contacts on this list provided that:

• this person has not already sent an opt-out request to you;
• you do not conceal your identity when you contact them; and
• you provide a valid contact address for subsequent opt-out requests.

Given individuals’ increased caution over disclosing their contact details to third parties for marketing purposes, you should seek assurances that these are genuine invitations for contact from anyone on any subject, as opposed to scenario 3 below.

For example, you could use such a bought-in or rented list if the contact details were collected from recipients who had ticked a box next to wording such as:

‘I want to get emails from other companies about their online offers. Please pass my email address to them so they can contact me. 􀂆 ’

3) List of individual subscribers who have consented to receiving unsolicited marketing material by electronic mail from third parties on a particular subject (that is, a list compiled on an opt-in basis)

You may send marketing material by electronic mail to contacts on this list provided that:

• this person has not already sent an opt-out request to you;
• you do not conceal your identity; and
• you provide a valid contact address for subsequent opt-out requests.

Given individuals’ increased caution over disclosing their contact details to third parties for marketing purposes, you should seek assurances on the accuracy of such a list.

For example, you could use such a bought-in or rented list if the contact details were collected from recipients who had ticked a box next to wording such as:

‘If you’d like us to pass your email address onto other organisations working to protect the environment, tick here. 􀂆 ’

4) List of individual subscribers who have consented to receiving unsolicited marketing material by electronic mail from third parties on unspecified subjects (that is, a list compiled on an opt-in basis)

You may send marketing material by electronic mail to contacts on this list provided that:

• this person has not already sent an opt-out request to you;
• you do not conceal your identity; and
• you provide a valid contact address for subsequent opt-out requests.

Given individuals’ increased caution over disclosing their contact details to third parties for marketing purposes, you should seek assurances on the accuracy of such a list.

For example, you could use such a bought-in or rented list if the contact details were collected from recipients who had ticked a box next to wording such as:

‘We’d like to pass your email address to other companies so that they can send you on-line offers too. If you agree to this, tick here. 􀂆 ’

It may be difficult to demonstrate that the intended recipients have ‘notified the sender’ and a lot will depend on the wording of any statement given to individuals when their information was collected.

So, if the recipient has not expressly invited marketing messages, you will need to consider whether any list you use forms a list of notifications of consent to you, the sender. Also, the older the list you buy or rent, the less likely it is that contacts on the list will respond positively to marketing messages. It may even damage the reputation of your business to send poorly targeted unwanted marketing messages. You have a general obligation to ensure the recipient is provided with a valid address for opt-out requests in every message. If you receive an opt-out request, you must ensure you suppress that individual’s details immediately. We will pay particular attention to companies that fail to respect opt-out requests.

Can we advertise the products and services of third parties by electronic mail?

If you are offering a ‘host mailing’ service, you are not disclosing your mailing list to a third party but you are willing, for a fee, to promote their goods and services alongside yours. It is unlikely you could send such messages on a soft opt-in basis because they are not your similar products and services. However, you could send such material on a clear ‘opt-in’ basis, provided you make clear that you and not the third party are the sender.

Can we pass our list of email addresses or mobile numbers on to a third party for them to use for marketing purposes?

If the email addresses or mobile numbers in question are those of individual subscribers, the third party will not be able to use them to send unsolicited marketing material unless the subscriber has consented to receiving it from that third party (that is, ‘the sender’). You must make clear who you are proposing to pass the details to and what sort of products and services they will be offering.

For example, a positive response to a question such as ‘We would like to pass your details to specially selected third parties so they can send you more information about holidays in America. Do you agree to this?’ is likely to be enough to allow third parties to use those contact details for promoting holidays in America by electronic mail.

A phrase such as ‘We will pass your details to third parties unless you write to us and tell us you don’t agree’ will not be enough. You should not use contact lists that have been obtained like this.

Only the individual should decide what happens to their electronic contact details. You must not disclose an individual’s contact details to third parties for their marketing purposes unless that individual actively consents to this.

Group companies and trading names

How do the rules on marketing by electronic mail apply to marketing by different companies within a group of companies?

If you disclosed individual subscribers’ contact information within your group in line with existing data protection rules before 11 December 2003 and those other group companies had already used that information before that date and have continued to use it and not received an opt-out request, then those other group companies may still use that contact information as long as further opt-out opportunities are given with every subsequent message.

After this date and in the future, you must, as a minimum, ask individuals whether they consent to receiving unsolicited marketing by electronic mail from other group companies when you collect their contact details. Online, you could provide a link listing those group companies. You may even want to consider providing separate opt-in opportunities for each company on that list to give the individual greater choice and to target your group’s marketing more efficiently. Another option may be to provide an opportunity for the individual to invite (solicit) contact from other companies in the group.

Our company has a number of different trading names; surely an opt-in for one of the trading names is an opt-in for all because there is only one legal entity?

If you trade under several different names, particularly where those names are strong brands, you should not assume that a customer who agrees to receive mailing from one trading entity is agreeing to receive marketing from your other trading entities. Customers may not even be aware of any connection between different trading names. Under the Data Protection Act, if you are collecting personal data, you will need to ensure the different entities are clearly explained to your customers.

You would need to ensure they know that they will receive unsolicited marketing from all your trading names when they opt in to receiving marketing from you. Similarly, when an individual opts out of receiving unsolicited marketing from one of your trading names, this opt-out applies to all your trading names, unless they make it clear otherwise.

If you are collecting information on a soft opt-in basis, you may have considerable difficulty satisfying the similar products and services criteria if you want to send further unsolicited marketing relating to your full range of trading names. You could avoid this by providing an opportunity for the individual to invite contact from the wide range of trading names within the company.

Business to business

How do the Regulations apply to business-to-business marketing by electronic mail?

Only individual subscribers have an enforceable right of opt-out under these Regulations. This is where that individual withdraws the consent they previously gave to receiving marketing by electronic mail (that consent only being valid for the time being (Regulation 22(2) applies)). Corporate subscribers do not have this right.

Recipients who are corporate subscribers do not have an enforceable opt-out right under the Regulations. But where your sending of marketing material to the employee of a company includes processing their personal data (that is, you know the name of the person you are contacting), then that individual has a fundamental and enforceable right under Section 11 of the Data Protection Act to ask you to stop sending them marketing material.

In our view, it makes no business sense to continue sending marketing material to a business contact who no longer wishes to hear from you. Arguably, by failing to respect a business-to-business opt-out request you may appear indifferent to your commercial reputation.

How do these Regulations apply to unsolicited marketing material sent by electronic mail to individual employees of a corporate subscriber if that material promotes goods and services that are clearly meant for their personal or domestic use?

The ‘Spam’ report of an Inquiry by the All-Party Parliamentary Internet Group (APPIG) recommended that the Information Commissioner set out clear guidance as to how business-to-business communications are to be distinguished from messages intended for individual subscribers. This recommendation was prompted by an observation that an invitation to buy Viagra, sent to the sales address of a shipping company, could only be interpreted as being sent to an individual, since it would be of no business relevance. The problem is that the ‘opt-in’ and soft opt-in rules do not extend to sending marketing emails to corporate subscribers. In the example above the subscriber will be the shipping company, because that is the person who is party to a contract with a provider of public electronic communications systems. So this means that even an email addressed to an individual in the company will not be covered by the Regulations, although that email may be subject to the DPA, and an opt-out request under Section 11 of the DPA could be issued.

For the purposes of the Regulations, it is irrelevant that an email sent to a corporate subscriber’s address is obviously aimed at an individual because it promotes a product that is for personal or domestic use. The Regulations simply do not cover emails sent to a corporate subscriber, except that you must identify yourself and to provide contact details. However, such emails are likely to be covered by the individual’s right to object to direct marketing under the Data Protection Act.

We understand that the Committee of Advertising Practice (CAP) Code restricts the sending of such emails to corporate email addresses. For more on the CAP Code visit their website www.cap.org.uk.

How do the Regulations apply to sending text, picture and video messaging to mobile phones that are supplied to individual employees by corporate subscribers?

The law applies in exactly the same way as it does to sending emails to corporate subscribers.

Electronic mail marketing to partnerships

How do the Regulations apply to sending marketing messages by electronic mail to partnerships?

Under these Regulations, a non-limited liability partnership in England, Wales or Northern Ireland is an individual subscriber. This means that such a partnership (which may consist of several individuals and which may have a large number of employees) is given the same protection under these Regulations as a residential subscriber or a sole trader. This protection is not available to limited liability partnerships, to Scottish partnerships or to corporate subscribers that include small- and medium-sized limited companies.

Strictly speaking, you must get prior consent to send emails to any email address used by an unincorporated partnership, unless the soft opt-in criteria apply. This may be the generic contact email address of the partnership, for example, mail@partnershipname.com or it may be the separate email addresses used by individuals (partners, associates, other employees) working at that partnership.

This issue was debated during the Department of Trade and Industry’s consultation exercise before these Regulations were implemented.

What does this mean in practice?

Strictly speaking, the partnership could be viewed as the commercial equivalent of a large household. Yet we recognise there may be circumstances when the wishes of the subscriber, that is, the unincorporated partnership (which is legally responsible for charges incurred on its lines) might override the wishes of the employee. For example, an employer may insist that an employee keeps in regular contact with conference organisers. The employer’s wishes for unsolicited emails from conference organisers would override the wishes of the employee.

However, if someone working at the partnership consents to receiving unsolicited marketing material from the organiser, this does not mean everyone working at the partnership has consented to it.

Marketers must also remember that where they know the name of the person they want to contact, that person’s contact details must be processed in accordance with the eight data protection principles of the Data Protection Act. For example, where the Act applies, all individuals have a fundamental opt-out right under Section 11.

Who can give consent on behalf of individuals working at a partnership?

If you are targeting an individual working at a partnership, you must make sure you obtain the consent of the individual (or someone who can be reasonably assumed to be entitled to give consent on that individual’s behalf, for example, a secretary or assistant) before sending unsolicited electronic mail to that individual, unless the soft opt-in criteria apply.

Partnerships may wish to make sure their key frontline staff, for example, switchboard operators, receptionists, administrators, secretaries are informed of any office policy regarding the disclosure of employee contact details.

Individuals employed by partnerships must remember that for their work email address and mobile phone, it is ultimately their employer’s consent choices that take precedence.

Who can give consent on behalf of the partnership?

You must make sure you have obtained consent from someone working for that partnership who it is reasonable to assume has the authority to give such consent. Partnerships may wish to make sure their key frontline staff, for example, switchboard operators, receptionists, administrators, secretaries, are informed of any office policy regarding the disclosure of office contact details.

Electronic mail marketing to sole traders

How do the Regulations apply to sending marketing messages by electronic mail to sole traders?

Under the Regulations, sole traders are also individual subscribers.

That said, we have recognised in earlier enforcement that marketers may have difficulty distinguishing sole traders from small limited companies, particularly where a sole trader’s contact details are available in business directories. However, you should do your best to ensure you do not send marketing messages by electronic mail to sole traders, in breach of the Regulations. For example, you can check free of charge on the Companies House website whether or not a trading entity is a limited company.

Charities, political parties and not-for-profit organisations

We are a charity, political party, or not-for profit organisation; can we take advantage of ‘soft opt-in‘?

Only if you are promoting commercial goods and services, for example, those offered by your trading arm. We recognise that this disadvantages you and we raised this point in our response to the consultation by the Department of Trade and Industry in advance of these Regulations. However, the EU Directive from which these Regulations are derived specifies that the soft opt-in rules on marketing by electronic means apply to commercial relationships.

You may wish to look again at the wording of your data protection and privacy statements so that you are asking a person to actively ‘invite’ promotional information from you through electronic mail. As outlined above, there is a difference between someone actively soliciting promotional material by electronic mail and consenting to receiving any promotional material you choose to send them by electronic mail (unsolicited marketing material). One option would be to ask them if they consent to receiving unsolicited marketing material.

You must still identify yourself and provide a valid address for opt-outs in each electronic mailing.