|
It has been approximately six months since the Unsolicited Electronic Messages Act 2007 (Spam Act) came into force on 5 September 2007.
To date the Department of Internal Affairs' Anti-Spam Compliance Unit (Anti-Spam Unit) has reported on two anti-spam investigations. One investigation involved the Anti-Spam Unit working with international enforcement agencies by sharing information and gathering evidence on an international spamming operation. The second investigation highlights the fact that an organisation must ensure that it has obtained the consent of a person before sending promotional messages to that person and be able to establish how that consent was obtained.
Overview of the Spam Act
The Spam Act applies to "commercial electronic messages", which are messages sent to an electronic address (such as an email address or telephone account) that, among other things, market or promote goods, services, land or a business or investment opportunity (or that include a link to a message that promotes or markets such things).
The Spam Act:
- prohibits the sending of commercial electronic messages with a New Zealand link (including by way of email, SMS or instant message), unless the receiver has consented to receiving the message;
- requires any commercial electronic messages sent to include a functional unsubscribe facility (being a facility that allows the recipient to notify the sender that no further commercial electronic messages should be sent to that electronic address);
- requires any commercial electronic messages sent to include information that enables the recipient to accurately identify the person who authorised the sending of the message and to readily contact that person; and
- prohibits the use of address-harvesting software or a harvested-address list in connection with, or with the intention of, sending unsolicited commercial electronic messages.
Under the Spam Act, a person's consent to receiving commercial electronic messages can be express, inferred or deemed. We expand on the issue of consent further below.
The Spam Act also sets up a civil penalty regime where the Anti-Spam Unit or an individual "victim" may take action against another person in respect of a breach of the Spam Act.
The role of the Anti-Spam Unit is to (among other things):
- investigate any spam allegations, and take enforcement action against perpetrators of spam;
- ensure that New Zealand complies with all international agreements and arrangements concerning spam to which New Zealand is a party; and
- consult with, advise, and assist persons overseas, for the purpose of promoting and enforcing international procedures to prevent spam being sent or received.
If there is a breach, the Anti-Spam Unit's powers include issuing a formal warning to the perpetrator or issuing a contravention notice specifying a penalty to be paid (as a fine) by the perpetrator. Orders can also be made for compensation and damages.
Anti-Spam Unit Investigations to Date
Late last year, the Anti-Spam Unit reported on 2 investigations it undertook.
In November 2007, the Department of Internal Affairs (Department) reported that the Anti-Spam Unit had received a complaint about a company who had sent out a promotional email to people on their database. The Anti-Spam Unit discovered that, in 2002, the company ran a promotion to win a pair of earrings. One of the conditions of entering the competition was that "all entries will be added to a database and may receive promotional offers from other businesses in the future". The company also included a contact email address so entrants could request to be removed from the database.
The Anti-Spam Unit concluded that the company had complied with the Spam Act but recommended that, if a similar promotion were to be run in the future, a reference to where they obtained the recipients' email addresses should be included as most people would not remember entering a competition in 2002.
In December 2007, the Department reported that the Anti-Spam Unit had seized 22 computers and boxes of documents in response to claims that a Christchurch business had organised overseas affiliates to send spam on its behalf in relation to the sale of pharmaceutical products and watches. Search warrants were issued and executed and interviews conducted in connection with the investigation.
The Anti-Spam Unit worked with international agencies for 2 months gathering evidence on the international spamming operation. The spam was eventually tracked to a Christchurch address and the Anti-Spam Unit had to act quickly to seize evidence after a news report alerted the alleged spammers to the investigation being undertaken. The Anti-Spam Unit investigators are now assessing the information obtained before deciding what action they will follow.
Consent
In the first investigation, the Anti-Spam Unit concluded that the condition of entering the competition in 2002 amounted to express consent to receiving the promotion in 2007. This investigation highlights the fact that any organisation that wishes to send promotional messages must have the consent of the recipients and be able to show how that consent was obtained.
The Spam Act states that "consent" can be:
- express; or
- inferred from the conduct and the business and other relationships of the persons concerned (eg swapping business cards primarily to develop a relationship between the parties and a sending follow up emails); or
- deemed where:
(i) the recipient's electronic address has been published by a person in a business or official capacity; and
(ii) the publication of the address is not accompanied by a "no spam" statement (similar to a "no circulars" statement on a letter box); and
(iii) the message sent to that address is relevant to the recipient's business, role, functions or duties.
A person who contends that a recipient consented to receiving a commercial electronic message bears the onus of proof. Accordingly, an organisation should be able to demonstrate that its policies and procedures are such that if a spam complaint is made against an organisation, the organisation can confirm:
- how a person appeared on its mailing list;
- where the relevant address or mobile number came from;
- the form of consent obtained (express, inferred or deemed); and
- where the consent is not express, the basis upon which the organisation is relying on the inferred or deemed consent.
Ideally these policies and procedures should be documented.
An organisation should also ensure that it retains other appropriate evidence of consent (in addition to what is actually recorded in the database). For example, in the case of express consent which is given by email, the actual emails should be retained.
Conclusions
While it is still too early to conclude whether the Spam Act has (or will have) any material impact on the level of spam received in New Zealand, the recent investigations by the Anti-Spam Unit indicate that spam allegations are taken seriously.
If you would like specific advice regarding the practical steps an organisation should take following the Spam Act coming into force, please contact one of the key contacts below.
Note: The information provided in this article is intended to provide general information only. This information is not intended to constitute expert or professional advice and should not be relied upon as such. Specialist legal advice should always be sought for your particular circumstances.
|
