Thursday, 10 October 2013

Defence for spam case

Well, to my shock, the guy from Deane has suddenly started sending more reasonable emails. Up until now almost every email has been somewhat stroppy, in my opinion, and even threatening, but this morning he was being reasonable!

What he has done is raise the very interesting question of section 30(2): "In proceedings brought against a person by virtue of this regulation it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the relevant requirement."

I have said that I would still want a judge to decide, so not withdrawing the case. It would be a shame if he settled now and avoided court on this really.

The wording is interesting. If I was sending an unsolicited marketing email, what steps could I take to comply with section 22 I wonder?

There is basically no way to tell who is the party to the contract for the communications service. Even an email address that is obviously a work email address or quoted as a work contact could have an individual as the subscriber. So, in my opinion, the only reasonable step one can take in order to comply is not to send any unsolicited marketing emails.

It will be interesting to see what a judge says. What would be worrying is if a judge says that "buying from a list broker that assures you they are business contacts" is a reasonable step, then the regulation becomes pointless. If the judge agrees with me that there is no step you can take then that makes the regulations much more useful. Hopefully we'll see, one way or the other.

P.S. I have emailed the ICO asking what steps someone can take to ensure compliance with section 22.

13 comments:

  1. My understanding of the communications between you and Deane is that you have given him every opportunity to explain to you why he was not in breach of the regulations. Instead of saying, for example,

    "Thank you for your mail and invoice. I must, I am afraid, dispute the invoice as we believe that with regard to section 30(2) of the legislation, we have undertaken every care that would reasonably be required. This included X, Y and Z." (where X, Y and Z would be the actions he took).

    Instead, he chose to say "Ha ha ha. This'll cost you. You're an idiot." etc. etc. (my words, but I think a fair summary from what you have posted). I can't imagine that any judge would look favourably at that behaviour.

    One has to assume that if buying from a list broker was a good excuse, then the list broker would be liable if the addresses weren't properly checked. Hypothetically, in this case, I would have thought that the judge would let your claim go through and then tell Deane that if what he says about the list broker is true, he should seek to recover his losses from that list broker.

    But then IANAL and strange things happen in court.

    ReplyDelete
  2. If he does use the "buying from a list broker that assures you they are business contacts" defence, ask for evidence of this (just in case he's lost the payment receipt or something) and ask how he knew that they were telling the truth (or does he believe everything he reads on the internet?). The Data Protection Act should also kick in if he agrees he purchased these email addresses from a third party.

    ReplyDelete
    Replies
    1. To be clear, I don't think that he is saying "I bought from a list broker", yet. Maybe he would like to post and comment on this. The DPA comes in if the individual is identifiable, which is a different set of rules.

      Delete
  3. If it does become a dispute on this point, I would suggest — if you have not already done so — you familiarise yourself with the ICO's guidance on direct marketing, and be prepared to cite aspects of this in support of your position:

    http://www.ico.org.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/direct-marketing-guidance.pdf

    In particular, the section on lead generation stresses the care that a sender needs to exhibit when buying in a marketing list.

    To prove that he has "taken such care as in all the circumstances was reasonably required" is not an easy threshold, in my view — you could ask to see the risk assessment that he made when buying the list, and the steps he took to ensure that he was only marketing with consent (see, for example, paragraphs 163 - 166 of the ICO's guidance). What changes has he made since receiving your correspondence — if he had previously thought everything was fine, clearly it was not, so presumably, to continue to rely on a s30 defence, he has undertaken a revised risk assessment, and, potentially, made changes following reassessment of his position?

    ReplyDelete
  4. I wonder if you would need to be slightly cautious at trying to persuade a judge that "the only reasonable step one can take in order to comply is not to send any unsolicited marketing emails.", given that it appears that the obvious intention / belief of the person that drafted this legislation was that there was, in at least some circumstances, reasonable steps could be taken that would allow the sending of some unsolicited marketing emails. The points Neil makes are very good.

    On potential step he might say he's taken may be that he only sends to .co.uk addresses - I wonder if there are any stats on the number of .co.uk domains that contain personal addresses, so that you could show this wasn't a reasonable step.

    ReplyDelete
  5. I'm not even convinced that there should be a distinction between personal and business email accounts. If you send an unsolicited email, it's spam.

    Sales enquiries are not unsolicited, because (presumably) there's something on the website saying "if you wanna buy something, here's an email address you can use".

    ReplyDelete
    Replies
    1. AIUI, the distinction was intended to be a simple practical matter. If it's a personal account, then by definition, no-one but the account holder can grant consent to the sending of unsolicited mails to that account.

      If it's a business account, on the other hand, it gets much more complex; for example, the director in charge of my division is on holiday right now. He's able to grant consent to have e-mails sent to my account, and if (for example) he tells someone he meets on holiday to e-mail me about something, that's not unsolicited mail, but I will think it is - and I can't contact him to check if he gave consent.

      Similarly, what happens when someone leaves a business? I used to get mails that were sent to a deceased colleague - they may have validly consented to those mails, but there's no way to check any more, and the account is still live (I'm dealing with it).

      So, rather than cope with these distinctions, the law exempts business accounts.

      Delete
  6. I have just send a e-mail to Red Star Financial Management Ltd who called me today (Did you take out PPI?). The number they called is on the TPS. I asked for £10 in compensation (as per section 30) for breach of section 21(1)b. as they interrupted my day + the time taken to complain to them. Does this sound like sound case like RevK?

    ReplyDelete
    Replies
    1. There's a couple of people on #A&A-Asterisk who've made a few quid off those kinds of people. Might be worth asking on there.

      Delete
    2. There's a couple of people on #A&A-Asterisk who've made a few quid off those kinds of people. Might be worth asking on there.

      Delete
  7. The distinction between individual and corporate is certainly arbitrary, silly and unworkable - and yes, a blanket ban on unsolicited commercial/bulk email, as implemented by every reputable ISP on earth, makes a lot more sense all round. The law, though, allows sending spam to "corporate" subscribers, which creates extra problems for everyone else.

    It may be useful to point out that university staff and students are in this category, which would defeat any argument of "but then I wouldn't be able to spam anybody!" - when there are addresses which clearly can be spammed without breaking the law, it's easier to argue that confining spammers to contacting only those addresses is reasonable.

    Equally, excluding named recipients makes sense as a precaution: support@example.com could perhaps reasonably be expected to be "corporate", where fred.bloggs@example.com looks like a person - as well as being subject to DPA, since a name is "personally identifiable information".

    ReplyDelete
  8. With respect to the person sending out the spam has taken such care as to comply with the legislation - the judge's opinion may vary on this depending on the defendant's knowledge and skill within the "computer" industry.

    i.e. a local plumber who sends out spam may have used what he thinks is care in sending out the emails, but this skill and care would be at a much lower level than someone involved with running a computer services company, who would have much more knowledge on what spam is and how the law applies to it.

    So for the man at Deane to rely on this with his industry knowledge should (in my mind) be regarded as a poor defence. Let's hope the judge agrees!

    ReplyDelete
    Replies
    1. That's a good point, Bod, and I think you have a good line of attack here.

      Might I also suggest a alternative approach (which, in fact, might be better suited to being deployed first, should the situation arise)?

      Before arguing that the defendant should be held to a higher standard given his industry, I would likely argue that the wording of regulation 30(2) sets out an objective standard of behaviour, not a subjective one, and is not dependent on the knowledge of the user. It requires that a sender takes "such care as in all the circumstances was reasonably required to comply with the relevant requirement".

      What was "reasonable in all the circumstances" depends on the circumstances — the nature of the act and of the harm — not on the knowledge of the defendant. In other words, whether you send this message, I do it, Adrian does it, a plumber does it or anyone else does it, the circumstances are the same: someone sending messages for the purposes of advertising their services. Each person has the same duty of care, and must perform that duty to the same standard: namely, what is reasonable in all the circumstances.

      The policy reason for this approach is clear: the harm against which this regulation protects is the harm of unnecessary disturbance of, and intrusion into the private life of, the recipient. What the sender thinks is immaterial, as the harm is recipient oriented. The only threshold is one of objective reasonableness: what would be reasonable for the average person to take in sending the messages in question.

      If this were not accepted, and the judge indicated that s/he were minded to interpret the requirement as one which depended on the knowledge of the sender, I would then deploy your clever argument.

      Delete