Twitter Logo Youtube Circle Icon LinkedIn Icon

Ireland

The Legal 500 Hall of Fame Icon The Legal 500 Hall of Fame highlights individuals who have received constant praise by their clients for continued excellence. The Hall of Fame highlights, to clients, the law firm partners who are at the pinnacle of the profession. In Europe, Middle East and Africa, the criteria for entry is to have been recognised by The Legal 500 as one of the elite leading lawyers for seven consecutive years. These partners are highlighted below and throughout the editorial.
Click here for more details

Ireland > Legal Developments > Law firm and leading lawyer rankings

Editorial

New rules on e-mail marketing and data protection

On 6 November 2003, it became illegal in Ireland to send unsolicited direct-marketing e-mails or SMS messages to individuals without prior consent. Fines of up to ?3,000 will be applicable for every illegal e-mail or SMS message sent.

The European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 regulate the use of personal information on electronic communications. Of particular note are the rules on e-mail and SMS direct marketing. Under the Regulations, opt-in consent is required before sending unsolicited direct marketing e-mails/SMS messages to individuals. Opt-out consent is required when sending unsolicited direct-marketing/SMS messages to companies.

Opt-in consent for individuals
The Regulations provide that opt-in consent is required before unsolicited direct marketing e-mails can be sent to individual subscribers.

An example of 'opt-in' consent would be as follows:

'If you would like to receive information about our goods and services - Tick here: ?'

This should be contrasted with opt-out consent wording:

'From time to time we would like to send you information about special offers and great products. If you do not want to receive such information, then please tick here: ?'

The exemption from opt-in consent

  • Exemptions to the prior consent rules for individuals will apply. For further detail, see the 'Exemptions to opt-in' box below.
  • The opt-in rules only apply in respect of individual subscribers. That is, the person who has the contract with the e-mail, ISP, or telecommunications provider of the e-mail address. Therefore, the opt-in rules will generally not apply to e-mails sent to employees of companies, as those employees are unlikely to be the party entering into a contract with their employers' e-mail provider in respect of e-mail services. Therefore, e-mail addresses of company employees (such as joe.bloggs@abclimited.ie) will not be subject to the opt-in rules. The Regulations do make it clear however, that data protection legislation applies to such e-mails.
  • The opt-in rules will apply to partnerships and sole traders, in respect of each of the partners or the sole trader.
  • The exemptions are cumulative, that is, all of them must be present to avail of the exemption. Therefore, opt-in consent is required before a direct marketing e-mail can be sent, for example, to an individual supplier, contact or industry colleague (as they are unlikely to be 'customers'), even though data-protection rules have been complied with when collecting these details.
  • The new rules only apply to unsolicited direct-marketing communications, and so an unsolicited request for information is not included.
  • Charities will find it difficult to avail of the exemption, as they generally will not be collecting e-mail/SMS information from customers in the context of a sale.
  • The exemption only applies to marketing e-mails of 'similar' products. Is a DVD a similar product to a CD? Are drink products similar to food products?
  • The e-mail/SMS must be sent by the organisation that collected the details originally. Therefore, unless guidance issued by the Data Protection Commissioner indicates otherwise, a parent company cannot use e-mail addresses collected by a subsidiary.
Exemption to the 'opt-in' rules
E-mail and mobile phone numbers can be used for direct marketing to individuals on an 'opt-out' basis, where the following conditions are met:
  • Customers are clearly and distinctly given the opportunity to object to being contacted by e-mail or SMS when their electronic contact details are collected.
  • The e-mail address or mobile phone number was obtained from a customer of a business in compliance with general data-protection principles.
  • The e-mail or mobile phone number was obtained in the context of a sale of a product or service of that business.
  • The direct marketing e-mail or SMS must only relate to that business's own similar products or services provided to that customer.
  • On each and every e-mail or SMS, customers are clearly and distinctly given the opportunity to object free of charge and in an easy manner to such use of electronic contact details.

Opt-out consent for companies
The Regulations now provide that an opt-out regime applies in respect of sending e-mails or SMS messages to a company. A company has the right to object to e-mails sent to addresses such as info@abclimited.ie and also to individuals at a particular company. What is not clear is whether an employer's refusal will apply in respect of all their employees, or alternatively, whether an individual employee can provide consent, where their employer has refused consent.

Other points to note

E-mails or SMS messages sent for the purposes of direct marketing should not conceal the identity of the sender and must have a valid replying address.

The Regulations provide that unsolicited commercial communications must include the sender's name and valid address where such person may be contacted.

Those who offer their services online will also have to include, on the subject line of unsolicited direct marketing e-mails or SMS, the term 'UCE' (unsolicited commercial e-mail) or 'ADV' (advertisement).

How are the Regulations enforced?
Failure to comply with the provisions of the Regulation will render a person or company liable to fines of up to €3,000 for each e-mail/SMS message sent. Also, the Data Protection Commissioner can make such investigations (either on its own initiative or following a compliant) of a person or company with regard to sending e-mails and SMS messages as it considers appropriate. If the Commissioner is of the opinion that a contravention of the Regulations have occurred, then he can serve an enforcement notice and the steps set out in that enforcement notice must be complied with. Similarly, a person must supply such information as the Commissioner may request in an information notice. Failure to do so will render that person liable to a fine of up to €3,000. A right to appeal to the Circuit Court exists in respect of any enforcement or information notice.

Additional powers are also given to the Commissioner for Communications Regulation (Comreg). Comreg can monitor compliance with the Regulations and give directions requiring a person to comply with the Regulations. However, the Data Protection Commissioner has indicated that Comreg's role will generally apply to enforcement of certain technical aspects of the new Regulations, such as caller ID rules, establishment of an 'opt-out' register for direct marketing and the security responsibilities of telecom companies.

What steps should you take?
The following steps should be considered:

Existing e-mail/mobile phone lists should be reviewed. Best practice would indicate that opt-in consent, in almost all cases, should be obtained and that reliance on the exemptions should be at a minimum.

As of yet, no directions are given as to the form of the consent and there is no prohibition on oral consent. A written record should be kept of the consent, its extent and the date the consent was supplied. It appears that consent cannot be granted on behalf of a person, as the Regulations state that the particular subscriber must provide consent. However, the Data Protection Commissioner may provide guidance on this issue in the future.

Update existing collection methods to ensure that 'opt-in' mechanisms are included.

Inform colleagues and employees of the new rules. Companies can be fined for the actions of their employees.

Update company e-mail/mobile phone usage policies, particularly if a company will be regularly refusing consent in respect of direct marketing by SMS/e-mail.

If you require further advice or assistance please contact Colm Kelly (colm.j.kelly@ie.landwellglobal.com, (01) 662 6655) at Landwell solicitors.

International Law Firm Networks

The Legal 500 Events

International Law Firm Networks