Back to all blog posts

What do you mean you don’t like SPAM?

Recently, I have been researching the laws about electronic and direct marketing communications, also called CEMs (commercial electronic messages).  There are many countries that do not have laws that regulate the use of these marketing techniques, but it is important to understand how those that do work.

Being an Opt-Ortunist

The first thing to know is whether the jurisdiction you are marketing in requires explicit consent, an opt-in, from a subject (the person you send to) or not.  This means they need to check a box, or perform a similar act, allowing you to send this kind of communication.  The box cannot be pre-checked as it must be an explicit action for an opt-in to be valid.

Implicit consent is completely different.  In fact, many countries allow you to send communications to a subject with which you have a “pre-existing business relationship”. For example, having done a business transaction with the recipient or the simple exchange of business cards may show implicit consent to be contacted for marketing purposes.

Once you know whether you have consent, you can start sending messages.

Content and Consequences

First and foremost, if you requested consent to send marketing materials or have a relationship that currently exists, be sure that your messages are relevant to those requests.  Many laws state that you may only send information that is relevant and related to consent given.  Make sure that if you are offering additional products or services that you get consent for that as well.

It should be further noted that some laws have very specific requirements for the subject and other content of a message.  For example, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (or CANSPAM) in the United States forbids you from using a misleading header or subject line.  You might remember a lot of spam in the late 90s had vague subject lines only to be yet another poorly written email for pornography or other products.  So if you are selling life insurance, make sure your subject line says that.  You also need to be sure to include your company’s information, such as physical address, as well.

Another point is to make sure you offer a form of “opt-out.”  This is often as simple as an unsubscribe mechanism.  Of course it has to work as these laws also put the full burden of functionality and compliance on the sender.

The Good News

Luckily for us all as consumers, it was recently reported that spam emails in the U.S. are down 50% for the first time in years.  It is theorized that the legal repercussions for running a botnet, or large group of controlled machines that malicious users can use to send mass emails, are the major deterrent.  Either way, this is great news for consumers.

However, the same reports show a rise in other types of attacks.  Still, spam remains a prominent and successful phishing tool for evil doers.

A List of Laws

Since we have discussed all the laws in a general sense, I thought it would be best to show you a list of real laws in different jurisdictions.  Below you will find a list of laws from many countries.  The links may not be translated.  This information is relevant as of July 23, 2015.

Remember always check the law in the relevant jurisdictions before undertaking an CEM effort.

Country Law / Regulation
Argentina Personal Data Protection Act (2000)
Australia Spam Act 2003
Austria Austrian Telecommunications Act 1997
Belgium Law of March 11 2003 (Loi du 11 mars 2003)
Brazil Currently being reviewed in congress
Canada PIPEDA (Personal Information Protection and Electronic Documents Act 2000)
Fighting Internet and Wireless Spam Act 2010 (formerly bill C-28)
CASL (Canada’s Anti-Spam Legislation 2014)
China Regulations on Internet email Services (Unofficial English translation)
Cyprus Regulation of Electronic Communications and Postal Services Law of 2004
Czech Republic Act No. 480/2004 Coll., on Certain Information Society Services
Denmark Danish marketing practices act
European Union Directive on Privacy and Electronic Communications
Finland Act on Data Protection in Electronic Communications (516/2004)
France Law of June 21 2004 for confidence in the digital economy (Loi du 21 juin 2004 pour la confiance dans l’économie numérique)
Germany Act against unfair competition (Gesetz gegen Unlauteren Wettbewerb (UWG))
Hong Kong Unsolicited Electronic Message Ordinance
Hungary Act CVIII of 2001 on Electronic Commerce
Indonesia Undang-undang Informasi dan Transaksi Elektronic (ITE (Internet Law))
Ireland European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003
Israel Protection of Privacy Law, 5741 – 1981
Italy Data Protection Code (Legislative Decree no. 196/2003)
Japan The Law on Regulation of Transmission of Specified Electronic Mail
Malaysia Communications and Multimedia Act 1998
Malta Data Protection Act (CAP 440)
Mexico FEDERAL LAW ON PROTECTION OF PERSONAL DATA HELD BY PRIVATE PARTIES
Netherlands Dutch Telecommunications Act
New Zealand Unsolicited Electronic Messages Act 2007
Pakistan Prevention of Electronic Crimes Ordinance 2007
Russia Federal Law of the Russian Federation of 27 July 2006 No. 152-FZ on Personal Data (article 15)
Singapore Spam Control Act (chapter 311A)
South Africa Consumer Protection Act, 2008
South Korea Personal Information Protection Act (Article 18, Section 2, part a)
Spain Act 34/2002 of 11 July on Information Society Services and Electronic Commerce (in Spanish)
Sweden Personal Data Act (1998:204) (decline EULA, page will load)
Turkey Regulation Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector
United Kingdom Privacy and Electronic Communications (EC Directive) Regulations 2003
United States of America CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act)
Training for everyone on your team