The impact of the amended e-Privacy Directive on e-mail marketing
This article was first published in Privacy Laws & Business UK Report in February 2011
With all the excitement generated by the new European cookie "consent" requirements, a couple of other important changes to the recently amended e-Privacy Directive[1] passed largely unnoticed. These introduce new provisions concerning the sending of direct e-mail marketing communications, and are intended to better arm Member States, businesses and individuals to more effectively fight the 'war on spam'.
There can be no denying that spam messages constitute a significant proportion of global Internet traffic: estimates suggest that, in 2010, 183 billion spam messages were sent every single day[2]. In environmental terms, the annual power consumption of spam messaging roughly equates to that of about 2.4 million US homes[3]. If it seemed doubtful at the time, Bill Gates' infamous prediction (in 2004) that "spam will be a thing of the past in two years' time" now seems wholly naïve.
New e-mail marketing provisions
The new provisions on direct e-mail marketing (and other forms of direct digital marketing) have been introduced through amendments to Article 13 of the e-Privacy Directive and establish:
- A new private right of action for individuals and businesses
Arguably the most significant change is the introduction of a new right for individuals and businesses with a "legitimate interest" in the "cessation or prohibition" of spam to bring a private right of action against non-compliant marketers. This right was notably absent from the previous version of the e-Privacy Directive, with the result that individuals and businesses who found themselves the victims of spam were left with little or no direct recourse.
The expectation is that this new right will be of greatest interest to ISPs and companies whose networks are flooded by spam messages (given the expense of legal action, the likelihood of private action by individuals seems low[4]). Aside from one-off action by a single, inflamed spam victim, it also raises the possibility of 'double jeopardy' - non-compliant marketers run the risk of finding themselves exposed to multiple legal suits by multiple recipients (potentially across multiple territories) for each spam marketing campaign they conduct.
- An extension of e-mail consent requirements to "users"
Before its amendment, the e-Privacy Directive imposed an opt-in requirement for e-mail marketing only on e-mails sent to individual "subscribers" (in simple terms, the individuals who pay the bill for their Internet connection). This left unaddressed the issue of Internet "users" - individuals who use an Internet service, but who are not the bill payer[5].
In a household environment, for example, one family member will typically pay for the Internet service (and so be a "subscriber") while other family members will then use that Internet connection (and so be "users"). However, as "users", those family members did not expressly benefit from the e-Privacy Directive's e-mail marketing opt-in requirements.
The recent amendments to the e-Privacy Directive close this loophole by now explicitly extending this benefit to "users" as well as individual "subscribers". This may have an impact on opt-out B2B e-mail marketing campaigns, as further discussed below.
- Enhanced transparency requirements
The amended e-Privacy Directive also imposes stricter transparency requirements on the senders of e-mail marketing communications.
In addition to existing requirements that marketers must not conceal their identity and must disclose a valid opt-out address in each e-mail message, marketers must now also ensure that their e-mail messages clearly identify that they are commercial in nature (i.e. not attempt to disguise marketing communications as a personal communication to the recipient). This might be achieved, for example, by using an appropriately-worded subject line like "Limited offer from XYZ Co."
Where the purpose of the e-mail is to inform the recipient about a promotional offer or competition, this must also be clearly identified in the e-mail along with any qualification conditions that apply to the offer or competition (e.g. eligibility criteria, closing dates etc.).
Increased risk for marketers?
In terms of the content of e-mail marketing communications sent by marketers, the overall effect of these amendments is minimal - most compliant marketers will already satisfy the amended e-Privacy Directive's enhanced transparency requirements as a matter of course (whether for good practice reasons or simply for compliance with national marketing codes).
By far the biggest concern will be the increased risk exposure for marketers that send non-compliant e-mail marketing. Even before these amendments, non-compliant e-mail marketing attracted significant risk - marketers will now be concerned that their risk exposure has further increased. Now they need worry not only about the risk of regulatory action in Member States, but also the possibility of private action from recipient individuals and businesses.
Despite this, the likelihood is that the majority of private actions will be brought by business (rather than private individuals) and will focus on persistent and malicious spam marketers - a one-off, technically non-compliant campaign as a consequence of human oversight or error is unlikely to attract significant risk. However, the potential for this risk to bite will still be there, and businesses would therefore be well-advised to ensure that their e-mail marketing campaigns are fully compliant.
Impact on B2B e-mail marketing?
It is also uncertain what these latest amendments mean for B2B e-mail marketing.
In a corporate environment, employees will generally be "users", rather than "subscribers", of an Internet service (the employing corporate entity will normally be the "subscriber"). Therefore, by extending opt-in rights to "users", the amended e-Privacy Directive potentially introduces an opt-in requirement for B2B marketing e-mails sent to individual employees (although e-mails sent to a corporate subscriber's generic e-mail address, such as "firstname.lastname@example.org", will probably still fall outside the scope of the e-mail opt-in requirements). This could impact territories, like the UK, that currently permit general B2B e-mail marketing on an opt-out basis[6]. However, at this stage, this is only a possibility and it remains to be seen how this issue will be addressed within national implementations of the amended e-Privacy Directive (if at all).
From a UK perspective, it is interesting to note that the Department for Business, Innovation and Skills ("BIS") has not explicitly addressed this possibility within its consultation on implementing the amended e-Privacy Directive. Aside from discussing the need to implement the amended e-Privacy Directive's cookie "consent" and ISP/telco data breach notification requirements, BIS notes simply that "There are other amendments to the Directive which will require either no further implementation (since domestic legislation already makes provision for them) or which will require minor amendments to the previous implementing regulations. These include provisions on the use of personal data for marketing certain services and using automated systems to make unsolicited marketing communications[7]." Whether this means that BIS is not proposing any change to the current B2B opt-out model in the UK, or whether it means that BIS has simply not turned its attention to this issue, remains to be seen. However, if not carefully addressed and resolved within implementing legislation, this issue may cause further uncertainty for marketers, who are already struggling to understand the new cookie "consent" requirements introduced by the e-Privacy Directive.
What about the cookie "consent" requirements?
No article on the revised e-Privacy Directive would be complete without at least a brief mention of the new cookie "consent" requirements. As readers will no doubt already be aware, the new Article 5(3) under the revised e-Privacy Directive now requires that businesses must obtain "consent" from individuals in order to place cookies on their equipment. This sparked much debate about whether the revised Directive really meant "consent" in the sense that privacy professionals use it (namely, consent that is freely given, specific and informed), or whether businesses could maintain the status quo by simply informing individuals how to 'opt out' of cookies (typically, by changing the browser settings) and imply consent for individuals who did not do so.
Unsurprisingly for privacy professionals but of great concern to business, the Article 29 Working Party ("A29 WP") finally weighed in on the matter[8] and expressed their view that "consent" meant just that - an informed indication of the individual's wishes. Put another way, the A29 WP said that individuals must affirmatively consent to receiving cookies, before any cookies can be placed on their machines. This caused uproar amongst website publishers, advertising networks and advertisers alike, principally because the A29 WP did not say how businesses should achieve consent, only that "opt in" was more in line with the requirements of the Directive - leading to immediate concerns that they would have to present a flurry of pop-up windows asking for consent from every website visitor.
Even more worrying were concerns that Member States may each choose to implement the cookie "consent" requirement into their national laws differently, leading to a patchwork quilt of cookie consent requirements across Europe - with some Member States choosing to follow the A29 WP's preferred position and require opt in for cookies, and others choosing a more lenient, business-friendly approach and allowing business to rely on user opt outs.
Ultimately, this is still a concern. However, in the UK at least, it looks like hard opt in for cookies is unlikely to be required. In its consultation on how to implement the revised e-Privacy Directive into UK law, BIS noted (in the context of implementing the cookie "consent" requirement) that "Many of the most popular websites and services would be unusable or severely restricted and so it is important that this provision is not implemented in a way which would damage the experience of UK Internet users or place a burden on UK and EU companies that use the web." Separately, in an impact assessment published alongside the consultation, BIS referred to proposals that users should be allowed to express consent to cookies through their browser settings (in other words, opt out) as its "preferred option"[9].
BIS did, however, throw a spanner in the works by noting that it intended to implement the cookie "consent" requirement "by copying out the relevant wording of the Article, leaving ICO (or any future regulators) the flexibility to adjust to changes in usage and technology". Put another way, the very wording that has caused uncertainty and confusion at an EU level will likely be transcribed word-for-word into UK law. Businesses will therefore be at the mercy of ICO and its interpretation of this requirement, although they can take comfort that ICO has previously demonstrated a pragmatic approach towards cookie use (whether for behavioural advertising or otherwise). On this basis, it seems a safe bet that a business-friendly regime for cookies will continue to apply in the UK - whether this will be the case for other Member States remains to be seen[10].
[1] Directive 2002/58/EC, also known as the Directive on Privacy and Electronic Communications
[2] Commtouch "Internet Threats Trend Report - Q1 2010" (available at http://www.commtouch.com/download/1679)
[3] Based on 2008 spam volumes, McAfee: "The Carbon Footprint of Email Spam Report" (available at http://img.en25.com/Web/McAfee/CarbonFootprint_web_final2.pdf)
[4] There have, however, previously been limited examples of private individuals bringing successful claims against spammers in the UK (see Nigel Roberts v Media Logistics and the Scottish case of Gordon Dick v Transcom Internet Services), so this possibility should not be ruled out.
[5] Despite this, the UK Information Commissioner's Office (like regulators in many member states) applies opt-in requirements to all recipients of B2C e-mail marketing, not just individual subscribers.
[6] See Reg 22(1) Privacy and Electronic Communications (EC Directive) Regulations 2003, implementing Article 13(1) and 13(5) of the e-Privacy Directive. Opt-out B2B e-mail marketing is permitted in the UK on the basis that opt-in requirements apply only to "individual subscribers" (not corporate "subscribers").
[7] Paragraph 232, page 58 of the Department for Business, Innovation and Skills' consultation "Implementing the revised EU electronic communications framework", available online at http://www.bis.gov.uk/assets/biscore/business-sectors/docs/i/10-1132-implementing-revised-electronic-communications-framework-consultation.pdf
[9] BIS impact assessment available online at http://goo.gl/3rmvw.
[10] The amended e-Privacy Directive has to be implemented into Member States' national laws by 25 May 2011.