M04_CHAF9601_04_SE_C04.QXD:D01_CHAF7409_04_SE_C01.QXD  16/4/09  11:11  Page 216





                216  Part 1 Introduction


                                 8 Not transferred to countries without adequate protection.
                                   In full: ‘Personal data shall not be transferred to a country or territory outside the European
                                   Economic Area, unless that country or territory ensures an adequate level of protection of the
                                   rights and freedoms of data subjects in relation to the processing of personal data.’
                                      Transfer of data beyond Europe is likely for multinational companies. This principle
                                   prevents export of data to countries that do not have sound data processing laws. If the
                                   transfer is required in concluding a sale or contract or if the data subject agrees to it, then
                                   transfer is legal. Data transfer with the US is possible through companies registered through
                                   the Safe Harbor scheme (www.export.gov/safeharbor).
                                 Anti-spam legislation

                                 Laws have been enacted in different countries to protect individual privacy and with the inten-
               Spam              tion of reducing spam or unsolicited commercial e-mail (UCE). Originally, the best-known
               Unsolicited e-mail  ‘spam’ was tinned meat (a contraction of ‘spiced ham’), but a modern version of this acronym
               (usually bulk-mailed and
               untargeted).      is ‘Sending Persistent Annoying e-Mail’. Spammers rely on sending out millions of e-mails in the
                                 hope that even if there is only a 0.01% response they may make some money, if not get rich.
                                   Anti-spam laws do not mean that e-mail cannot be used as a marketing tool. As explained
                                 below, permission-based e-mail marketing based on consent or opt-in by customers and the
                                 option to un-subscribe or opt out is the key to successful e-mail marketing. But if companies
                                 ignore or misinterpret the law, they may regret it. In 2008, clothing brand Timberland had to
                                 pay $7 million to settle an SMS spam lawsuit.
                                   Before starting an e-mail dialogue with customers, according to law in Europe, America
                                 and many countries in the Asia–Pacific region, companies must ask customers to provide
                                 their e-mail address and then give them the option of ‘opting into’ further communications.
                                 E-mail lists can also be purchased where customers have opted in to receive e-mail.
                                   Legal opt-in e-mail addresses and customer profile information are available for purchase
               Cold list         or rental from a database traditionally known by marketers as a ‘cold list’, so-called because
               Data about individuals  the company that purchases the data from a third party does not know you. Your name will
               that are rented or sold by
               a third party.    also potentially be stored on an opt-in house list within companies you have purchased
                                 from where you have given your consent to be contacted by the company or given additional
               House list        consent to be contacted by its partners.
               Data about existing
               customers used to
               market products to  Regulations on privacy and electronic communications
               encourage future
               purchase.         While the Data Protection Directive 95/46 and Data Protection Act afford a reasonable level
                                 of protection for consumers, they were quickly superseded by advances in technology and

                                 the rapid growth in spam. As a result, in 2002 the European Union passed the Act
                                 ‘2002/58/EC Directive on Privacy and Electronic Communications’ to complement previous
                                 data protection law (see Box 4.3). This Act is significant from an information technology
                                 perspective since it applies specifically to electronic communications such as e-mail and the
                                 monitoring of web sites using technologies such as cookies.
                                 Worldwide regulations on privacy and electronic communications

                                 In the USA, there is a privacy initiative aimed at education of consumers and business
                                 (www.ftc.gov/privacy), but legislation is limited other than for e-mail marketing. In the US
                                 in January 2004, a new federal law known as the CAN-SPAM Act (www.ftc.gov/spam) was
                                 introduced to assist in the control of unsolicited e-mail. CAN SPAM stands for ‘Controlling
                                 the Assault of Non-Solicited Pornography and Marketing’ (an ironic juxtaposition between
                                 pornography and marketing). This harmonized separate laws in different US states, but was
                                 less strict than in some states such as California. The Act requires unsolicited commercial
                                 e-mail messages to be labelled (though not by a standard method) and to include opt-out
                                 instructions and the sender’s physical address. It prohibits the use of deceptive subject lines
                                 and false headers in such messages. Anti-spam legislation in other countries can be accessed: