The Government's new anti-spam law comes into effect next Wednesday, September 5, and will have far-reaching implications for anyone who sends commercial, promotional-type messages by email, text or other electronic means.
The Unsolicited Electronic Messages Act 2007 will:
* Prohibit any person (individual, company or organisation) from sending one or more "commercial electronic messages" (as described below) to anyone who has not consented to receiving them.
* Require each "commercial electronic message" to clearly and accurately identify the person who has authorised the sending of the message, and include accurate information about how the recipient can readily contact that person.
* Require each "commercial electronic message" to include a working unsubscribe "opt out" option, clearly and conspicuously displayed in each message.
* Prohibit the use of address harvesting software in connection with the sending of "unsolicited commercial electronic messages".
* Allow people to file complaints with the new anti-spam enforcement unit of the Department of Internal Affairs, or issue proceedings in the High Court against the perpetrator.
* Enable financial penalties of up to $200,000 for individuals and $500,000 for companies to be awarded against the perpetrator.
What types of spam are covered?
Although most of us think of spam as being those unwanted sex, drug and other obvious hard-sell junk emails, the new law goes beyond this to apply to the sending of ordinary business database electronic messages, for example, as well as forms of electronic messages beyond email (text messages, for example). Essentially, any business, person or other organisation which sends "commercial electronic messages" needs to carefully consider this new piece of legislation.
What is an "unsolicited commercial electronic message"?
The act essentially sets out three elements that must be established before a breach of the primary provisions of the act can be made out:
* There must be an "electronic message". Under the act that means any message sent using a telecommunications service to an electronic address (for example, email, SMS/text, instant messaging, multimedia messages and other mobile phone messaging). Standard voice calls and fax messages are excluded.
* The message must be "commercial" in that it "markets or promotes goods, services, land or a business or investment opportunity".
* The recipient has not consented to receiving the message before it is sent (in other words, it is "unsolicited").
What amounts to recipient consent?
The consent of a recipient (who must be the holder of the relevant recipient electronic address) to receiving a "commercial electronic message" can either be:
* Express - that is, actually communicated by the recipient by written, electronic or verbal means (for example, a signed form, consent via an opt-in function on a website, etc).
* Inferred - from relevant conduct, or from the business or other relationship of the persons concerned (this will vary on a case-by-case basis).
* Deemed - from the conspicuous publication of an electronic address for business purposes without stating that unsolicited messages are not to be sent.
The act places the onus on the sender to prove that it had such prior consent.
What should your organisation do to ensure compliance with the act?
The following is a broad checklist:
* You should assess all the different types of "electronic messages" which are sent by your organisation to determine whether they amount to "commercial electronic messages" under the act.
* For all "commercial electronic messages" which your organisation proposes to send after September 5, will you be able to prove that you have the consent of each recipient to the sending of that message, before the message is sent?
* Key to the above point is that the onus of proof requirement means that your organisation should establish a governance model or system whereby evidence of consent from each recipient for each commercial electronic message sent can be produced if required.
* Review your terms of trade or engagement with customers. Do they contain provisions which ensure your compliance with the act with regard to "commercial electronic messages" sent to those customers and their personnel? If not, they need updating.
* Your terms of trade or engagement are with your customers, and your existing database of contacts may be much broader than this (for example, including prospects who have not agreed to your terms of trade). The relationship with all such contacts needs to be reviewed to ensure that you have the required consent. Remember, the onus will be on the sender to prove this.
* Do your "commercial electronic messages" contain: clear and accurate details of the identity and contact details of the sender; and a functional unsubscribe facility for the recipient to opt out of further emails unless the parties agree otherwise?
* Are you confident that address-harvesting software has not been used to compile your contacts database?
* How can you alter your marketing and third-party engagement processes for the future, so as to best comply with the act? This new law is likely to elevate in your to-do list the need to tidy up your database of contacts.
* Once you have assessed the above you should have your compliance action plan checked by a lawyer.
These are key points only. Remember also that this new law relates closely to the existing privacy-related laws, so any compliance work which you undertake regarding this new law should also factor in a review of the privacy (and other compliance) laws generally in the context of your particular circumstances.
* Sean Lynch is IT/telecommunications partner at law firm Hesketh Henry.