Spam and data protection: know the law and take precautions

The new EU privacy directive aimed at tackling the rising tide of spam emails comes into force on 11 December. Jo Best looks at the implications of the new 'opt-in' laws for legitimate marketers and gets advice on how to make sure your data doesn't fall into the wrong hands...

Even the most tech-shy British citizen can't avoid leaving a digital footprint of themselves on a day to day basis – scattering personal details that legitimate marketers and spammers alike would dearly love to get hold of all over the net.

While the 1998 Data Protection Act aimed to safeguard everyone's personal data, the pace of technological evolution soon outstripped that of legislation. Now the EC is aiming to tackle the problem with a directive designed to put control of digital identity back into the individual's hands.

The Privacy in Electronic Communications directive will come into force from the 11 December and should give marketers across the European Union a clear code of practice when it comes to dealing with consumers' data – and, more importantly, draws a line in the sand between spam and legitimate marketing.

The directive enshrines consumers' rights to privacy in a legal framework and forces marketers to provide an opt-out mechanism every time they contact an individual with a marketing message – even in a 160 character SMS.

The directive applies across the whole spectrum of electronic communications - from phone and fax to email and SMS - but just how much of the new law will keep the spammers at bay and how much is designed to convince consumers that Europe is sorting the tech world's least favourite bugbear?

The new regulations put the issue of consent at the heart of digital data protection. Now instead of using opt-out mechanisms – 'tick this box if you do not wish to receive marketing material from us' - companies will have to show that the people on their mailing lists chose to opt-in – 'tick this box if you do want to receive marketing material from us'.

Excluded from the opt-in clause will be mailing lists compiled before 11 December, business email addresses - these can be spammed quite legitimately - and any consumers where a company can show it has a 'prior relationship'. Quite what a prior relationship entails, however, is a subject of debate.

Is that having bought products from a company previously or asking for a brochure in the past? Maybe. No-one's quite sure.

The fuzzy wording in the directive is, at least in part, deliberate. The writers of the legislation took into account that the rate at which technology evolves and, rather than legislate for all existing IT and watch a new tech being manufactured that escaped the laws, leave descriptions sufficiently open to encompass whatever future developers might throw at them.

Travers Symons, a lawyer in commercial IP and IT for law firm Stephenson Harwood, said that the vague language is nothing to be scared of. "With any legislation, however well-drafted, there are issues of interpretation - people interpret it to their clients' best interests," he said.

"There are gaps and slightly grey areas [in this law] - in this as much as in any piece of legislation. This has just been better publicised, because it's more wide-ranging - it has an impact on everyone with email and every major business," he told silicon.com.

In any case, the penalties for any company actually caught breaking the directive aren't exactly harsh – a £5,000 fine plus damages – but it's the question of actually getting a spammer into court that could prove the directive's undoing.

It's precisely the worst offenders - the Vicodin and penis enlargement peddlers sending out millions of emails and incurring the wrath of victims - that look like they'll continue slipping through the net.

It's a problem that Elizabeth Dunn, compliance manager at the Information Commissioner's Office, recognises: "A lot of the worst spammers are in Florida, outside our jurisdiction," she said.

Neil Morris, deputy managing director at the Institute of Direct Marketing told silicon.com: "In the UK, 99.5 per cent of marketing organisations are doing things properly, with the right intentions and they're careful with people's data – and there are a few cowboys making it awful for everyone else. The regulations are hampering everyone in order to control a few cowboys."

But Wendy Grossman of Privacy International believes that the laws do have some value. "If you don't reign in companies, they will bother you. It's valuable in that small percentage of cases," she told silicon.com.

Despite the ICO's keenness to see spammers brought to justice, in practice, only the very serious cases will come under the legal microscope. "We won't investigate for one-offs," Dunn said. "Our powers aren't best suited to that."

Both Dunn and Morris agree that the legislation might actually have more of an effect on consumers than on the spammers themselves. "It will serve to raise their expectations," said Morris.

And while the directive is putting the onus on businesses and their marketers to make sure that the people they try to sell are happy to get the marketing message, the ICO is taking to steps to get consumers to take control of their own data. "We're encouraging people to be aware - know what happens to your data when you hand it over", said Dunn.

Grossman said that there are measures that consumers can take to help avoid falling into the hands of the spammers. "Don't put your email address on the web, don't post it in chat rooms or have two email addresses - use one as a throw-away. Obviously, there's a social cost to doing those things - it's harder for people to contact you," she said.

There are other things you can do, however. "Some ISPs are really targets for spammers - hotmail is one. You could try and put the spammers off by using a longer email address, say, something over 20 characters. It makes it harder for them to get you using a dictionary attack," Grossman explained.

Legislation, technical developments and consumer awareness are all very well, but there's surely only way to put spammers off for good - stop buying from them. A survey carried out by the Direct Marketing Association and Experian shows click-through response rates of 75 per cent for email marketing campaigns, while research from SurfControl has shown that one in 10 UK workers would be happy to buy a product advertised by spam email - providing spammers with the commercial rationale to carry on spamming.

So next time you get an email and you’re toying with the idea of treating yourself to a new colon cleanser or a few extra inches to your manhood, think twice...