Email marketing in the EU, Part I

By Ruth Boardman



This paper considers whether the Directive on Privacy and Electronic Communications (2002/58/EC) has led to a harmonised approach to e-mail marketing in seven EEA countries:

· UK

· France

· Belgium

· The Netherlands

· Sweden

· Germany

· Italy

This is the first part of a three-part paper. Here we look at the UK and France. In Part II we look at Belgium and Germany, and in Part III we look at Italy, The Netherlands and Sweden.

Article 13 (1) of the Directive provides that e-mail may only be used for direct marketing “in respect of [natural] subscribers who have given their prior consent”. (The same rule also applies to direct marketing by fax and automatic calling machines). In line with the general Data Protection Directive, “consent” requires an individual to take steps to signify agreement, which must be specific and informed. As this is often achieved by ticking an opt-in box, the Directive is said to introduce an “opt-in” requirement for individuals.

There is an exception to the opt-in requirement:

“where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use”.

Article 13 (5) provides that Member States have a choice as to whether to extend the opt-in rule to corporate subscribers.

Article 13 (4) prohibits spam where the sender is disguised and requires that an unsubscribe option is included in each e-mail.

By 31 October 2003, all EU Member States, together with Norway, Iceland and Liechtenstein, should have implemented the Directive on Privacy and Electronic Communications (2002/58/EC). In December 2003 the EC issued a press release concerning its proceedings against those states which had not notified transposition measures by 31 October 2003. The nine Member States concerned were Belgium, Germany, Greece, France, Luxembourg, The Netherlands, Portugal, Finland and Sweden. On 1 April 2004 the EC commenced second stage infringement proceedings against all of these countries (except Sweden, which had notified transposition by then). In some cases, though, the states have now implemented the Directive, as described below.

Already the Article 29 Working Party has acknowledged that despite harmonisation some concepts in the Directive on unsolicited communications appear to be the subject of differences of interpretation.[1] For example, this Opinion shows that the Working Party takes a harder line on the use of legacy lists than the UK Information Commissioner (see below). The Working Party makes it clear that lists which have not been established according to prior consent requirements may not be used any more under the opt-in regime. This contrasts with the position of the Information Commissioner in the UK who has opted to permit continued use of legacy lists which were compiled lawfully under the old regime and which have been used fairly recently. The Working Party Opinion looks at the following concepts:

· the concept of electronic mail (i.e. what is within the definition)

· the concept of prior consent (i.e. how consent may validly be obtained)

· the concept of direct marketing (i.e. what is included within this definition)

· communication to legal persons (i.e. how in practice the Community should deal with different rules applying in different countries and how senders can determine whether a recipient is a legal person or not)

· the exception for similar products and services (i.e. emphasising the restrictive nature of this exception)

The sections below consider how the Directive has been implemented and is being applied in seven states. In particular, the sections look at the differing approaches of Member States to:

· protection for corporate subscribers

· obtaining valid consent

· legacy data

· territorial application

· enforcement

United Kingdom (Ruth Boardman and David Clark)


The Directive was implemented by The Privacy and Electronic Communications (EC Directive) Regulations 2003 S.I. 2003/2426 which came into force on 11 December 2003. The Information Commissioner, the UK’s data protection authority, issued authoritative guidance on the new Regulations in November 2003 which is available at

Individual subscribers

The Regulations have introduced an opt-in regime for individual subscribers; direct marketing material may not be sent by e-mail to individual subscribers unless recipients have previously notified their consent.

There is a limited exception to this (referred to as a “soft opt-in”), which allows the continued use of an opt-out provided that the direct marketing is:

· only applied to marketing contacts with whom there has already been a sale or a negotiation for a sale (as opposed to pure contacts)

· carried out by the same legal entity that obtained the individual’s details

· limited to similar products and services

· to an individual who was offered an opt-out when their details were first obtained.

Third party, bought-in lists cannot be used on the basis of the soft opt-in.

Direct marketers should note that the opt-in rule is not limited to “consumers”. It applies to all non-corporates, i.e. partnerships and sole traders have the same rights as private individuals. Accordingly, the Regulations do apply to B2B marketing.

The opt-in rule applies to “unsolicited” communications and calls. There is, therefore, scope to side-step the Regulations if marketing material can be classified as “solicited”, i.e. if the individual has actively invited the contact. Direct marketing statements can sometimes be worded so as to fall into this category and, hence, to fall outside the opt-in rule.


Unless a direct marketer can rely on the soft opt-in, then he may only send unsolicited marketing by e-mail where the recipient “has previously notified the sender that he consents”. Consent is not defined by the Regulations, but the Information Commissioner’s Office will apply the definition of consent in the general Data Protection Directive, namely it must be a freely given, specific, informed indication of wishes.

The Commissioner’s guidance gives a number of examples of methods of obtaining consent:

· ticking a box to show agreement

· clicking an icon

· sending an e-mail

· subscribing to a service

In the Carphone Warehouse case, the Advertising Standards Authority (ASA) recently considered what would produce valid consent in an adjudication under the CAP Code. (This code restates the consent requirement found in the Regulations.) On 17 March 2004 the ASA reversed a decision against Carphone Warehouse. Carphone Warehouse had sent marketing messages by SMS. A consumer objected, arguing, amongst other matters, that he had not given consent to the message (as required by Rule 43.4 of the CAP Code).

In October 2003, the complaint was upheld. However, in March 2004, the ASA accepted Carphone Warehouse’s argument that the individual had given consent. The individual had provided his phone number in a survey conducted by a third party. Provision of the number was optional and the survey made clear that “reputable companies” may send offers to respondents via their mobiles. The ASA accepted that respondents would have been aware that, by providing their phone numbers they would be likely to receive marketing and that this would amount to consent.

Corporate subscribers

The opt-in rule does not apply to corporate subscribers. These include companies, corporations and Scottish partnerships (not English partnerships) or other entities that have no separate legal existence to their members.

However, where the sending of marketing material to the employee of a company includes the processing of personal data (as it would where the direct marketer addresses material to a named individual's e-mail address, not to a generic one), then that individual has a right under general data protection legislation to request that the marketer cease sending him marketing material.

E-mail opt-out registers

The Electronic Commerce Directive (2000/31/EC) allowed for a possible “opt-out” register for unsolicited commercial e-mails. The UK Government considers that industry opt-out schemes are sufficient and so did not include the “opt-out” register in the Regulations transposing the E-Commerce Directive, the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/213), or in these new Regulations. In any event, most spam originates outside the EEA and EEA e-mail registers are peripheral to that traffic (and possibly even counter-productive since unscrupulous spammers may harvest the registers for active e-mail addresses).

The Direct Marketing Association provides a link on its web site to the E-mail Preference Service operated by the American DMA which allows individuals to register their e-mail address so as not to receive unsolicited sales and marketing email messages (

No concealed identities

Marketers must not conceal their identity when they send or instigate the sending of marketing e-mails – whether to corporates or individuals. Marketers must also always provide a valid address to which the recipient can send an opt-out message.

Historic data

The Regulations apply equally to new data collected after 11 December 2003 and to e-mail data collected before that date, i.e. to historic or “legacy” data. Organisations may only continue to use such legacy data for direct marketing to individual subscribers if they fall within the provisions of the soft opt-in exemption. If they cannot rely on the soft opt-in then, strictly speaking, such organisations would need to re-approach these legacy contacts to obtain opt-in consent, with the risk of getting very few positive returns. However, the Commissioner has taken a relaxed approach to this in his guidance. His view is that provided such legacy data was obtained in accordance with privacy legislation in force prior to 11 December 2003, and has been used recently, organisations may continue to use it on an opt-out basis.

Territorial application

The Commissioner applies the Regulations to data controllers either established in the UK or to data controllers from outside the EEA who use equipment in the UK. This approach is not spelt out in the Regulations, but is the position under general data protection legislation, which the Commissioner applies, by analogy, to the Regulations.


Individuals may seek compensation from the marketer for breach of the Regulations if they have suffered “damage”. Since this entails proving physical or economic loss for unsolicited direct marketing, it is going to be of limited application. A competitor that has complied with the Regulations may also bring a claim if it can show that it has lost sales to an organisation that has not complied.

The Commissioner may take enforcement action on his own initiative or as a result of a complaint by a person affected or by OFCOM. The Commissioner is seeking stronger enforcement powers, such as “stop-now” orders or powers to levy direct fines. Although such provisions were not incorporated into the Regulations, the UK Government is committed to holding further discussions on the issue of enforcement.

Breach of the Regulations may also mean that an organisation breaches the Advertising Standards Authority’s CAP Code or the Direct Marketing Association’s Code; this could lead to adverse publicity, loss of advertising space and discounts. There have already been a number of ASA adjudications involving unsolicited e-mails. Organisations providing premium rate services are also subject to ICSTIS’s control. ICSTIS has the power to levy fines (and regularly does so – see details of recent adjudications online at

France (Nathalie Lambert)


The Directive has been implemented under French law by Law No. 2004-575 of 21 June 2004 relating to “Confidence in the Digital Economy” (“Loi sur la confiance en l’économie numérique”, the “Law”). The Law came into force on 22 June 2004.

Individual subscribers

The Law, which amends the French consumer code and the French telecom code, provides for an opt-in regime for direct marketing by fax, automated calling system and e-mail to individual subscribers. Direct marketing material may not be sent via e-mail to individual subscribers unless recipients have previously expressed their consent.

There is a limited exception to this rule, which allows the use of an opt-out regime provided that the following conditions are satisfied:

· the personal data relating to the individual concerned has been collected directly from him/her in the context of a sale or a service

· the direct marketing is limited to similar products and services provided by the same individual or legal entity that obtained the individual’s details

· the individual was offered an opt-out when his/her details were first obtained and each time a marketing e-mail is sent

Corporate subscribers

The opt-in rule does not apply to corporate subscribers.

No concealed identities

Marketers must not conceal their identity when they send or instigate the sending of marketing e-mails, whether to corporations or to individuals. Marketers must also always provide a valid address to which the recipient can send an opt-out message.

Historic data

Data, including e-mail addresses, obtained in accordance with the French data protection regulation in force prior to the publication of the Law (historic data) may continue to be used during the six months following the publication of the Law in order to obtain the consent of the individual for further direct marketing via e-mail. At the end of the six month period, the e-mails may only continue to be used for direct marketing if the individuals concerned have given their express consent.

Territorial application

The provisions relating to spam will be applied to data controllers established in France, or to data controllers from outside the EEA who use equipment in France. This is not stated in the Law, but this is the rule adopted under the general data protection regulation and the position applied by the French Data Protection Authority.


The French Data Protection Authority will ensure that the provisions relating to spam are respected. In this regard, the Authority may investigate any complaint relating to the infringement of these provisions and then communicate such complaints to the Director of Public Prosecutions, if required.

A recent enforcement decision may be of interest: on 5 May 2004, the Paris Commercial Court sentenced a company to pay €5,000 each to Microsoft and AOL for breach of the anti-spamming clauses in their internet services contracts.

[1] Opinion 5/2004 on unsolicited communications for marketing purposes under Article 13 of Directive 2002/58/EC adopted on 27 February 2004.