M04_CHAF9601_04_SE_C04.QXD:D01_CHAF7409_04_SE_C01.QXD  16/4/09  11:11  Page 218





                218  Part 1 Introduction



                                                                       The approach required by the law has, in
                                      Debate 4.1                     common with many aspects of data protection
                                     How far should opt-in go?       and privacy law, been used by many organiz-
                                                                     ations for some time. In other words, sending
                                     ‘Companies should always use an
                                     “opt-in” privacy policy for     unsolicited e-mails was thought to be unethical
                                     (a) e-mailing prospects and customers  and also not in the best interests of the
                                     (b) monitoring web site visitors using  company because of the risk of annoying
                                        site analysis software
                                     (c) identifying repeat visitors using  customers. In fact, the law conforms to an
                                        cookie.’                     established approach known as ‘permission
               Permission                                            marketing’, a term coined by US commen-
               marketing                                             tator Seth Godin (1999) (see Chapter 9, p. 488).
               Customers agree (opt in)
               to be involved in an  3  Requires an opt-out option in all communications. An opt-out or method of
               organization’s marketing  ‘unsubscribing’ is required so that the recipient does not receive future communi-
               activities, usually as a  cations. In a database this means that a ‘do not e-mail’ field must be created to
               result of an incentive.
                                      avoid e-mailing these customers. The law states that a ‘simple means of refusing’
               Opt-out                future communications is required both when the details were first collected and in
               A customer declines the  each subsequent communication.
               offer to receive further
               information.        4  Does not apply to existing customers when marketing similar products. This
                                      common-sense clause (22(3)(a)) states that previous opt-in is not required if the
                                      contact details were obtained during the course of the sale or negotiations for the
                                      sale of a product or service. This is sometimes known as the ‘soft or implied opt-
                                      in exception’. While this is great news for retailers, it is less clear where this leaves
                                      not-for-profit organizations such as charities or public-sector organizations where
                                      the concept of a sale does not apply. This key soft opt-in caveat is interpreted
                                      differently in different European countries with seven countries, Italy, Denmark,
                                      Germany, Austria, Greece, Finland and Spain not including it. The differences mean
                                      that marketers managing campaigns across Europe need to take the differences in
                                      different countries into account.
                                         Clause 22(3)(b) adds that when marketing to existing customers the marketer
                                      may market ‘similar products and services only’. Case law will help in clarifying this.
                                      For example, for a bank, it is not clear whether a customer with an insurance policy
                                      could be targeted for a loan.
                                   5  Contact details must be provided. It is not sufficient to send an e-mail with a
                                      simple signoff from ‘The marketing team’ or ‘Web team’ with no further contact
                                      details. The law requires a name, address or phone number to whom a recipient
                                      can complain.
                                   6  The ‘from’ identification of the sender must be clear. Spammers aim to disguise
                                      the e-mail originator. The law says that the identity of the person who sends the
               Cookies
                                      communication must not be ‘disguised or concealed’ and that a valid address to
               It is important for
               e-commerce managers    ‘send a request that such communications cease’ should be provided.
               to understand the privacy  7  Applies to direct marketing communications. The communications that the
               implications of using
               cookies to identify    legislation refers to are for ‘direct marketing’. This suggests that other communi-
               returning visitors, so in  cations involved with customer service such as an e-mail about a monthly phone
               Box 4.4 we present more  statement are not covered, so the opt-out choice may not be required here.
               details on the usage of
               cookies. Cookies are  8  Restricts the use of cookies. Some privacy campaigners consider that the user’s
               small text files stored on  privacy is invaded by planting cookies or electronic tags on the end-user’s
               an end-user’s computer
               to enable web sites to  computer. The concept of the cookie and its associated law is not straightforward,
               identify them.         so it warrants separate discussion (see Box 4.4).