Out-Law News
22 Apr 2009, 10:14 am
'Tell a friend' promotions are a staple of viral marketing and involve one user providing email addresses to a company so that a friend of theirs can receive a message from that company.
Holland's data protection authority and its telecoms regulator have issued a ruling clarifying what companies have to do to make sure that viral marketing does not break data protection and telecoms laws.
The authorities have said that the website cannot offer an incentive to users to pass on friends' details. "The controller of the website [cannot] hold out the prospect of any chance of reward or other advantage, neither to the sender nor to the recipient," the ruling says.
The authorities also say that it must be clear from any message who the friend behind the message is, and that the person who instigates the sending of the communication must have a chance to read the whole message.
"The Internet user must have the opportunity to read the entire message that is sent in his or her name before he or she decides to send it, in such a way that he or she can take responsibility for the personal contents of the message," says the ruling.
The authorities also said that the email address passed on by the original user must not be processed, stored or used more than is necessary for the original usage. This means that reminders and follow-up messages cannot be sent to the recommended user.
The ruling echoes guidance issued by the UK's data protection regulator, the Information Commissioner's Office (ICO).
"Where you incentivise [a person to pass on their friend's details], there is a strong argument that you are the ‘instigator’ of the message," said ICO guidance. "They wouldn’t do it without the promise of a reward from you. You are reminded that it is the instigator of the message who is liable for the sending of that message."
The ICO said that companies must make sure that consent for the sending of a message has been received, though not directly by them, if they are to use someone's friend's details.
"You will be sending a message to someone who you assume has consented through a third party (the third party being the friend who passed their details on to you) to receiving messages from you. It is quite clear that under the legislation you are liable for any messages sent to email addresses or mobile numbers obtained," it said.
"As with all third party electronic mailing lists, you cannot use this list unless you are satisfied that the recipient has notified you that they consent to receiving such messages from you. You should therefore ask your customer to confirm that they have the consent of the individuals whose details they are passing on," said the ICO's guidance.
The Dutch advice is similar to that given by the ICO, except that it adds the requirement that the person handing over a friend's details must be given the chance to see the whole message that is to be sent.
Data protection law expert Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that where the Dutch situation differed from that in the UK was the strength of the regulators' opinion.
"It is the enforcement side of this that would be a concern if it were followed across Europe," she said. "The ICO's opinion is just guidance, you can take a risk and stretch it and consider that as a business risk, which is what a lot of people have been doing."
"But the Dutch opinion is a ruling, it says that it interprets the law and is not appealable and is a statement of the law. If the Information Commissioner here issues new guidance, or if the new incoming Commissioner in June wants to be stricter on that particular issue, then there could be a change," she said.
The Dutch ruling could also have influence on the ICO if it is adopted by the Article 29 Working Party, the committee of national data protection regulators. "That would still just be an opinion but it is seen by national regulators as persuasive," said Townsend.
The ruling could also have an effect if the Europe-wide association of direct marketers FEDMA took it on board, meaning that members of the UK's Direct Marketing Association would be bound by the more restrictive practice.
Editor's note, 24/04/2009: The ICO told us today: "In short we won’t be updating our guidance. We feel the existing guidance will ensure that those companies engaging in this type of marketing will be able to do so in compliance with PECR [the Privacy and Electronic Communications Regulations] and although there is a difference in approach/tone, the substance of both our guidance and the [Dutch] ruling are the same. I should also add that this is not an area which causes a great deal of concern since it has been used for some time without generating lots of complaints from the recipients."