A Note on Dutch "Tell-A-Friend" Regulation

Remember how I mentioned SPAM-L the other day? Sometimes you learn useful stuff there. After reading a recent discussion there about "forward to a friend" functionality and whether or not it might be legal in different jurisdictions, I saw Vincent Schönau offer up some useful advice. Vincent is a former postmaster who helps ISPs build anti-abuse platforms for an anti-spam vendor. I've asked him to clarify his thoughts for a post here on Spam Resource, and he as graciously agreed to do so. Keep in mind that neither he nor I are lawyers, and this is not legal advice -- just a smart person's interpretation. And now, Vincent Schönau: 

In a recent discussion on spam-l about 'Tell-A-Friend' systems, Martijn Grooten brought up the Dutch anti-spam regulation, which (I think, uniquely) has rules about such systems.

One of the interesting side-effects of anti-spam legislation having been enacted and active in many countries is that implementation details of these laws reveal the subtle differences in the definition of spam (this is not new!), and other relevant concepts. So, here's some background on the specifics of Dutch anti-spam "law."

In The Netherlands, what is commonly referred to as "the anti-spam law" is actually an article in the law that regulates the Telecommunications industry. Article 11.7 of the 'Telecommunicatiewet' regulates the sending of unsolicited e-mail for "commercial, ideological or charitative" purposes (see footnote), allowing it only if the sender can show that the recipient has given him permission. As of October 2009, this rule applies to those sending to both private and business addresses. There is an exception to this rule for what amounts to an existing business relationship.

Notable points about this article are that it does not require 'bulk', so a single message can be prohibited unsolicited e-mail under the law. It also does not define the concept of 'sender', or specify how permission should be obtained or proven. This has led to objections and questions about the law from those who operate in areas that can be considered 'grey'. For example, both some in the PR-industry have objected that the sending of press-releases to some recipients should be allowed - and editors of some on- and offline publications have agreed.

OPTA, the Dutch telecommunications regulator, has been charged with enforcing the anti-spam regulation. It has broad powers of investigation, and may issue warnings and fines to offenders. Because of the broad coverage of the law, OPTA is often asked to clarify it's position on some of the implications of the law. Some general answers are found on OPTA's website on the spam law, http://www.spamklacht.nl (Dutch). Because sending e-mail that is regulated by Article 11.7 almost always also involves the processing of privacy-sensitive information, the Dutch Privacy Authority (CBP) also has some jurisdiction in these issues, and so OPTA and CBP cooperate where applicable. (Indeed, the guiding documentation on the topic of TaF was published as a joint ruling by the two groups.)

Back to Tell-A-Friend (TaF) systems. Many websites operate web-forms that allow visitors to send a message to people they know, for example to notify them of a news article, interesting video, or fun game that they just found. These systems have been the source of some controversy. There is little standardization in this area - and a wide range of uses that range from perfectly acceptable to most recipients, to outright spam. Some systems send e-mail with the address of the visitor who is using it as the sender address, others send as originating from the site itself. Some allow the visitor to input some text to add to the message, some only allow the sending of a message pre-defined by the site. In some cases, the messages that TaF systems send are laden with large amounts of advertising or commercial content, in others, they are nothing more than a brief message with the link. In some cases, websites require visitors to provide e-mail addresses for several people before allowing access to some desired content.

It was that last category that was problematic in The Netherlands - and to such a scale that OPTA and CBP felt it necessary to make a ruling regulating the e-mail sending TaF and the data-collection practices surrounding them.

As Martijn mentioned on spam-l, the ruling attempts to define when a message sent by a TaF-system is legal under the law. They do this by saying that for such a message to be legal, it has to be possible to consider it a personal message, not a commercial, ideological or charitative message. This leads to the following rules for TaF systems under the Telecoms law:
  1. Messages are sent "entirely at the Internet user's own initiative". The operator of the website may not promise reward or other advantage to the sender or recipient for use of the TaF feature.
  2. It must be clear to the recipient who the initiating Internet user is. This enables the Internet user to directly address any issue with the message to the initiating user directly.
  3. The Internet user must be presented with the full message that is sent in her name before she decides to send it, such that she can take responsibility for the content of the message.
    The Law on the Protection of Personal Data ("Wet Bescherming Persoonsgegevens") adds the following requirement:
  4. The operator of the website (TaF system) may not collect addresses of recipients of messages through the TaF systems for any purpose.
Finally, the ruling says that operators are responsible for ensuring that their systems are not abuseable by third parties - for such purposes as the sending of spam.

Some will still consider TaF messages that meet these rules spam, because they can still be considered 'Unsolicited Bulk Email'. Even though the law does not require 'bulk' for prohibited messages, this ruling discourages it in TaF systems, which I would say is generally a good thing. The ruling also manages to avoid the concept of "sender" altogether, placing responsibility with both the originating Internet user and the site operator.

The ruling is important because it clarifies the situation for TaF-type systems in The Netherlands, and has actually removed a lot of shady implementations from the ecosystem. The ruling, however, is not law. Operators of TaF systems that comply can rest easy - OPTA and CBP will leave them alone. However, if OPTA does go after TaF systems that don't, a Dutch judge may still find that the ruling does not follow the spirit or letter of the law, and such overrule it.

Note: The Dutch term 'charitatief' doesn't translate well into English. Here, because the law is specific to unsolicited communication, it appears to be intended to cover at least "marketing" or "fundraising" messages by charities.

2 comments:

  1. Nice post, Al/Vincent! I like the Dutch TAF "law" because it makes sense to me. All four points could (and should) be part of TAF best practises.

    (Credit where credit's due: I learned about said law at this, Dutch, blog.)

    ReplyDelete

Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.