Chapter 12. Anti-Spam Legislation

Executive summary

Unsolicited commercial e-mail is a threat to the availability of networks and information, because of the extent to which it can clog up the arteries of the Internet; it is also the subject of regulation. When it is carrying a payload (virus, spyware, etc.) – it can also be a threat to the confidentiality and integrity of that information. Organizations need to take action to defend themselves against spam and also to ensure that their own electronic marketing is not treated as spam.

Regulation of electronic marketing

One person’s spam is another’s useful e-mail marketing – and most companies are interested in e-mail marketing, at least at the level of regular newsletters and other updates, all of which could fall within the definition of spam. In the Information Age, as more and more marketing becomes digital (and instant messaging, cellphones and Voice over IP become attractive marketing vectors), more and more organizations will need to address the issue as part of their overall IT governance approach.

The EU Directive on Privacy and Electronic Communications was passed in July 2002, with a deadline for implementation of October 2003. It set out guidelines for how direct marketing should and should not be done. It placed obligations on the senders of unsolicited commercial e-mail, including the requirement that people be required to opt-in to receive unsolicited messages, that false sender identities and false return addresses should be prohibited, and a genuine opt-out option should be provided. Not all EU countries have yet incorporated this directive into their national legislation and, where they have, it has not always been uniform.

UK Privacy and Electronic Communications Regulations 2003

For example, these UK regulations came into force on 11 December 2003 and superseded the earlier Telecommunications (Data Protection and Privacy) Regulations 1999. The UK’s Information Commissioner is also responsible for enforcing these regulations.

The regulations cover the use, by telecommunications network and service providers and by individuals, of any publicly available electronic communications network for direct marketing purposes, and any unsolicited direct marketing activity by telephone, fax, electronic mail (which includes text, video and picture messaging, SMS and e-mail) and automated telephone calling systems. The key right conferred on both individuals and corporate entities is the right to register their objection to receiving unsolicited direct marketing material, and the regulations provide a mechanism for doing so.

The detailed law around data protection and privacy is evolving as cases work their way through the courts.

US CAN-SPAM Act

The US CAN-SPAM Act (‘Controlling the Assault of Non-Solicited Pornography and Marketing Act’) of 2003 set national standards in the US for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions. This act permits e-mail marketers to send unsolicited commercial e-mail as long as it contains: an opt-out mechanism, a functioning return e-mail address, a valid subject line indicating it is an advertisement, and the legitimate physical address of the mailer. The bill includes many other provisions, such as the formation of a national do-not-spam list, and the prohibition of certain e-mail address collection methods. The ‘do-not-spam’ list idea was not a good one.
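The four CAN-SPAM elements listed above, together with the opt-out obligation the EU Directive imposes, can be turned into a pre-send check on an organization’s own outbound marketing mail. The script below is an added illustration written for this chapter; it is not code from the book or from any regulator. It assumes that an advertisement is flagged by one of the subject markers in `ADVERT_MARKERS`, that the organization’s registered postal address is passed in as `postal_address`, and that opted-out recipients are held in a `suppression` set; the “functioning return address” test is syntactic only, since deliverability has to be verified separately. Both sample messages are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Constructed sample: an outbound marketing message that carries every element.
COMPLIANT_RAW = """From: Newsletter <news@example.com>
Reply-To: news@example.com
To: alice@example.org
Subject: ADV: Spring offers from Example Ltd
List-Unsubscribe: <mailto:unsubscribe@example.com>, <https://example.com/unsub>
Content-Type: text/plain; charset=utf-8

Our spring catalogue is out.
To unsubscribe, visit https://example.com/unsub
Example Ltd, 1 Sample Street, Sampletown, SA1 1AA
"""

# Constructed sample: no opt-out, unlabelled subject, no postal address,
# and addressed to someone who has already opted out.
NONCOMPLIANT_RAW = """From: Deals <deals@example.com>
To: bob@example.org
Subject: You have won!!!
Content-Type: text/plain; charset=utf-8

Click here for amazing deals.
"""

SUPPRESSION_LIST = {"bob@example.org"}           # assumed opt-out register
POSTAL_ADDRESS = "1 Sample Street, Sampletown, SA1 1AA"  # assumed registered address
ADVERT_MARKERS = ("adv:", "advertisement", "[ad]")       # assumed subject labels

# Loose syntactic check for a mailbox address; not a deliverability test.
ADDR_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def _body_text(msg: EmailMessage) -> str:
    """Return the text of the preferred body part, or '' if there is none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def check_outbound(raw: str, postal_address: str, suppression: set) -> list:
    """Return finding codes for a raw RFC 5322 message; [] means all checks passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    body_lc = _body_text(msg).lower()

    # Opt-out mechanism: a List-Unsubscribe header (RFC 2369) or an
    # unsubscribe instruction in the body.
    if msg.get("List-Unsubscribe") is None and "unsubscribe" not in body_lc:
        findings.append("no-opt-out")

    # Return address: Reply-To takes precedence over From; syntax only.
    return_hdr = msg.get("Reply-To") or msg.get("From") or ""
    _, return_addr = parseaddr(str(return_hdr))
    if not ADDR_RE.match(return_addr):
        findings.append("invalid-return-address")

    # Subject line must identify the message as an advertisement.
    subject = str(msg.get("Subject", "")).lower()
    if not any(marker in subject for marker in ADVERT_MARKERS):
        findings.append("subject-not-labelled")

    # The sender's physical postal address must appear in the body.
    if postal_address.lower() not in body_lc:
        findings.append("no-postal-address")

    # Nobody on the opt-out register may be addressed.
    for hdr in ("To", "Cc", "Bcc"):
        values = [str(v) for v in msg.get_all(hdr, [])]
        for _, addr in getaddresses(values):
            if addr.lower() in suppression:
                findings.append("recipient-opted-out")
    return findings


if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT_RAW), ("noncompliant", NONCOMPLIANT_RAW)):
        print(label, check_outbound(raw, POSTAL_ADDRESS, SUPPRESSION_LIST))
```

A check like this belongs in the release gate of the mailing platform, before a campaign reaches the ISP gateways whose filters are discussed below; it cannot judge whether the opt-out link actually works or whether consent was obtained, so it complements rather than replaces those controls.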

Many US states have also enacted anti-spam laws, some of which prohibit sending unsolicited commercial e-mail to state residents unless they have specifically opted-in to receive it.

Enforcement of legislation has been, in most jurisdictions, both weak and inconsistent. This is partly because enforcement is technologically difficult and partly because so much spam originates in jurisdictions beyond the control of any individual state. However, where authorities and affected organizations determine to take action, they do get results, as actions by various ISPs, by Microsoft, the jailing of a number of spammers and the April 2005 bankruptcy of the Internet’s third biggest spammer, all demonstrate.

The real anti-spam action, though, is being taken by individual organizations. The most effective defences against spam are at the ISP level, the individual organization’s Internet gateway, and the individual user’s anti-spam filters. These technological defences – which lead to the creation of ‘black’ and ‘white’ lists of e-mail marketers – are the key barriers now faced by any organization attempting legitimately to use e-mail marketing as part of its marketing mix. And e-mail marketing works, but it only works for reputable companies if they comply with the law and apply best practice. Target customers have to trust you if they are going to put you on their e-mail marketing ‘white list’.

ISO27001

The standard provides guidance for effectively tackling the twin challenges of limiting the impact of incoming spam while ensuring that outgoing e-mail marketing is legal and appropriate.
