Does 'Can Spam' Travel?
By Nick Martin
Companies that do business around the globe tend to focus most on the legislative framework of their home countries, and embed local best practice and laws into company policy.
The trouble with this approach is that the underlying law differs markedly from one region to another. When an organization applies the rules of one region in another, the unforeseen consequences prevent it from performing to its potential: a fixed set of concepts applied uniformly will inhibit the effectiveness of direct marketing outside the region they were written for.
Thinking global, but acting local is key to gaining and retaining the trust of your prospective customers around the world. In this article, we'll look at the respective thinking behind European and U.S. electronic legislation and review which pieces of each approach can help you create company policies for global implementation.
Underlying the differences in approach between Can Spam and European data privacy legislation are two very different approaches to law-making on either side of the Atlantic. In Europe, Brussels passes privacy directives that set minimum standards which each member state must transpose into its own national law. It is for each member state to interpret those broad principles in a way that fits its societal and political values. The scope of such legislation tends to be rather broad, so that e-mail rules form part of a wider regulation covering all forms of electronic communication.
It's no surprise that countries that once suffered under the yoke of totalitarian regimes have chosen to interpret European Union (EU) legislation rather more literally and restrictively than countries with a strongly democratic history such as the United Kingdom. The breadth of each piece of legislation and relative lack of specifically mandated prescriptive steps means there is huge scope for widely differing local implementations across the European Economic Area.
When it comes to electronic communication, the differences in implementation by country are marked. In the United Kingdom and France, for example, the e-mail marketing rules protect individual consumers, not people contacted at incorporated companies. This means e-mail marketing to individuals within companies is permissible on either of two bases: a 'soft opt-in', which allows the marketing of goods and services similar to those the recipient has already expressed an interest in; or full notification, at the point of data collection, of every purpose for which e-mail marketing is intended, combined with a clear and unambiguous opt-out mechanism.
Each member state also has the opportunity to 'gold plate' legislation, exemplified by the UK last year when it passed legislation on electronic communications and tagged on to the Bill the creation of a business-to-business do-not-call list.
The U.S. government, by contrast, takes a minimalist approach to business, preferring that it self-regulates and protects key interests through best practice. Where this isn't possible, a strongly sectoral approach to law-making means that laws are rather specific, relate to clearly defined issues, such as advertising via e-mail, and are full of required practical steps to be taken to conform to the law.
The main piece of legislation on privacy in the UK, the Data Protection Act 1998 (which implements the 1995 EU Data Protection Directive), comprises eight principles covering the holding and use of personal data. Note the word 'principles', not 'steps'. These eight principles underpin all other legislation in this area, including the recent Privacy and Electronic Communications Regulations that govern, inter alia, e-mail marketing. The eight principles require that:
• Personal data be obtained fairly and lawfully;
• Data be held only for specified and lawful purposes and not processed in any manner incompatible with those purposes;
• Requests for personal data be relevant, adequate and not excessive for those purposes;
• Data collected must be accurate and where necessary kept up to date;
• Data not kept longer than necessary;
• Data be processed in accordance with the data subjects' rights;
• Data be secure;
• Data not be transferred outside the European Economic Area to countries that lack an adequate level of data protection, unless the data subject has consented.
At the heart of those principles stand the twin pillars of notification and fair processing. Notification means that when collecting personal information you must explain why you are doing so and how you plan to use it. You must clearly identify who you are and how you can easily be contacted. Each purpose must be covered, as must the types of third parties you intend to pass any information on to.
Fair processing requires that an opt-out mechanism exists in each communication sent to the subject, either from you or third parties that may be using the data. Consent can be withdrawn at any time.
These twin pillars underpin everything else. Any other mechanism or step taken to collect personal information for subsequent electronic marketing will not be sufficient if the twin pillars have not been properly interpreted.
Can Spam in a Global Environment
Trying to enforce Can Spam mechanisms can cause unforeseen consequences. For example, insisting on a header that identifies the source owner of the data rather than the third-party sender means that any unsubscribe would require the source owner to stop communicating with the recipient altogether, rather than the recipient opting out of future third-party communications only. The desired outcome is better achieved by detailing the reasons why the recipient was e-mailed in a link to a Permission Marketing Policy placed alongside the unsubscribe link, provided the appropriate degree of consent was obtained at the point of data collection. Using headers to mask a lack of consent for third-party use is no substitute for obtaining personal data with due reference to the twin pillars of European legislation.
In summary, US CAN SPAM:
• bans false or misleading header information.
• prohibits deceptive subject lines.
• requires that e-mail give recipients an opt-out method.
• requires that commercial e-mail be identified as an advertisement and include the sender's valid physical postal address.
On the other hand, the European e-communications privacy legislative framework is based on:
• the twin pillars of Notification and Fair Processing.
• the eight principles of the Data Protection Act.
• consent: unless you have an existing two-way relationship with a customer or prospective customer, you must have explicit prior permission to communicate with consumers via e-mail (and outside France and the UK this extends to business-to-business communication).
E-mail headers are commonly used in the United States to show that the e-mail is from the data supplier, even though it carries third-party content. In Europe, specific consent for third-party use must be obtained at the point of collection. It is preferable to show that the e-mail is from the third party, with a privacy link that explains the source of the data.
However, US companies sometimes insist that the data owner send under the data owner's own branded header. This is no good for Europeans, because if recipients then opt out, they are in effect opting out of receiving e-mails from the data owner, even if they have a business relationship with the data owner. In insisting on this, US companies are importing CAN SPAM specifics into the mix rather than paying heed to the European principles, and to the need to gain consent upfront for every type of use.
The Impact of the Data Protection Act
It's hard on the face of it to imagine how the eight principles of the Data Protection Act 1998 can make a difference once embedded into corporate privacy policies.
The value of the eight principles lies in their role as guiding 'commandments' that create an environment of best practice within companies. They force us to choose a practical path based on them, giving due consideration to the nature of the business and the data it collects and holds, together with a clear justification for doing so.
Data security is a good example. Recent history has not been kind to the U.S. track record in safeguarding personal data. There has been a series of high-profile thefts, culminating in the disclosure that 40 million credit card accounts were stolen from an Atlanta data processing firm. Even Citigroup, the biggest bank in the world, 'lost' information on 3.9 million customers when unencrypted tapes went missing during shipment by UPS. We appear to see less high-profile data theft in the EU, and the conclusion that data protection legislation has created an environment where these issues are treated more seriously is hard to dodge.
The seventh principle of the Data Protection Act states only that data must be held securely. It could hardly be less prescriptive, yet it works.
If I had to define measures for my business that would represent security for the personal data we control and process, these would include, inter alia:
• Technological measures, such as firewalls and secure file transfer (SFTP or FTPS rather than plain FTP) for exchanging data;
• Encrypted back-ups, so that media remain protected while in transit;
• Prompt installation of the latest security updates.
Likewise, it is not too difficult to define, giving due consideration to a company's business, what 'secure' actually means in terms of the practical steps that can be taken.
Blend the Best of Both Models
Don't rely on CAN SPAM alone and assume that compliant headers and subject lines will cover your use of data collected under a general notification. In Europe, notification and consent run much deeper, into fundamental law, and must be built into data collection from the outset.
Nick Martin is general manager of Mardev, an international organization specializing in business and professional data, related applications and services. Mardev is part of Reed Elsevier, a Fortune 500 company. Martin can be reached at Nick.Martin@mardev.com.