Thursday, 15 January 2015

Meta spam

FFS, just got junk mail trying to sell me a course on junk mailing people, with things like "What the legal implications really are" as the first key point in the agenda!

I think this one will get a notice in the post as well as email this time.

The same bunch sent emails before so have had the standard email reply from me - that zaps any excuse of having taken reasonable measures to avoid breaking the law as they actually knew my email address was that of an individual subscriber when they sent this one. In fact they have emailed 9 times since July 2013 and had my standard reply each time. I hope they agree to settle, as I'll then use that as basis for claims for the previous 8 times.

Update: Grrr. Letter sent but it is a mailing address in London and nothing on the email or web site actually says who they are as a legal entity. So, for now, reported to trading standards for that.

Update: Arrrg, Trading Standards web site says the trading standards email address for Westminster, but the email address does not work and bounces. So I have ended up writing to trading standards. This means I have spent an hour today, two letters with attachments, one of which is recorded delivery, two emails. Is it any wonder I am asking for £200 for this spam in the first place?!

Update: I did think of registering for the course, and then cancelling for a refund. They say they allow a refund up to 14 days before the course. That would allow me to follow the money to work out who they are. But, of course, none of the courses they list are for which I can book are more than 14 days in the future! It is tempting to book someone on a course and send with hidden camera though.


  1. Go for it. I'd pay good money to watch that footage. Bonus points if you wear a comedy fake beard and wig to disguise yourself :). And Spam sandwiches in your packed lunch.

  2. Agree 100% with Simon - send someone on the course! Not sure about filming it, as it's probably hard to do secretly unless you're an expert, and you might get thrown out if discovered - they might reasonably (hah!) claim breach of copyright etc. A secret audio recording would be easier to perform, but even a verbal report on what was said would be better than nothing. And having a copy of any course materials could be illuminating...

  3. Can you claim the costs back of investigations pursuant to claiming?

    1. I would hope so, why not - it is costs resulting from the breach. If no spam, not investigation would have been done.

    2. I guess you can claim back lawyers fees, and a lawyer could charge you to investigate

    3. I don't think that legal fees are recoverable in a small claims proceeding?

  4. I have one chap at present who's acknowledge they sent me an email, then offered me a "generous" £1 per keystroke for dealing with the emails, (so £2). Sadly, he won't come up on this offer, and has done himself no favours by admitting they sent the email, and making an offer to settle without using the words "without prejudice".
    The other lot, the first ones to be taken to court, have now started talking, and are now claiming they didn't send the emails, even though their details are all over them. An affiliate sent them apparently. This has me in somewhat of a quandry, their affiliate supposedly wasn't supposed to send the emails, but has, but as a result of this sending, surely they will benefit, and as a result be liable perhaps? I'm unsure...

    1. It might be hard to prove a breach of regulation 22 if the email should not have been sent, although, if the email was sent at the "instigation" of the named party, even though not, as a matter of technology, by the named party, the named party would likely still be on the hook.

      However, you might also look at regulation 23. If the email was not sent at the instigation of the named party, and no-one else is named, the you might be able to argue that the person on whose behalf the email was sent (not the named party, as the named party denies this) concealed their name, breached regulation 23. But it sounds like a stretch to me.

      Not legal advice etc.

    2. At £1 per key stroke I would charge for the number of keystrokes required to ssh into my mail server and remove the mail from the mbox file using vim :)

      I would think you could demand that they hand over details of the affiliate and take the affiliate to court directly. There may be data protection things to look at too since they presumably supplied your details to the affiliate.

    3. > There may be data protection things to look at too since they presumably supplied your details to the affiliate.

      Perhaps worth a look, especially to check if the formalities for appointing a data processor have been met (Data Protection Act 1998, Schedule 1, Part II, paragraphs 11 and 12).

    4. They have identified the affiliate to me, and the affiliate is known to me (as they are identified on other emails) and is in the process of being dragged through this process. I think you're right that 22/23 are a bit of a stretch in these circumstances though.

  5. Depending on how it's pitched, you may have reasons for a valid chargeback. For example, if they've pitched the course saying "Why tell you how it is legal to spam people" and, under UK legislation, it's obviously not - then they haven't provided the service you paid for: so a chargeback will be possible. You'll then not only have details of who they are, what the course is full of, but you'd also "hurt" their merchant account.

  6. Count the number of keystokes in the letter of complaint that you sent. That should add up quite nicely.

    1. Yep, well, he kinda missed that. Said I should have gone through the "Normal channels" and sent an unsubscribe. Why should I though!

    2. I would not as I never subscribed in the first place, so I could not unsubscribe, it would make no sense.

    3. Your Notice Before Action email specifically says you've had no business dealings with the spammer, which is the clearest cut case. What do you do about people who you have had business dealings with, who decide to spam you (and presumably you would have opted out/not opted in if an option were available)?

      Is the onus on them to prove you didn't opt out, or on you to prove that you did (or were never given the option)? Proving you were never given the option is going to be hard...

    4. I am going for the easy targets to start with. A few cases of "had business dealings" I'll try the "unsubscribe" anyway. Yes, they are just as valid targets, but less annoying as at least I have dealt with them before - they mainly just make sure I never deal with them again!

    5. (Thoughts on how I would approach it; not legal advice etc.)

      Making my case:

      Generally speaking, the onus is on the person bringing the case to prove that they have a case and, in a civil context such as this, to prove their case on the balance of probabilities..

      Here, I would be looking to prove that [x] breached regulation 22 and that, by virtue of [x]'s non-compliance with regulation 22, I had suffered damage.

      Breaking down regulation 22, I would need to prove that:

      [x] transmitted, or instigated the transmission
      of unsolicited communications
      to me
      for the purposes of direct marketing
      by means of electronic mail
      and I had not consented to this.

      The issue of consent:

      It would, as you say, be difficult for me to prove that I had not consented. I might try to adduce broader evidence of my general position / behaviour (e.g. blog posts about your hatred of spam), even though this would not go as far as proving this particular case.

      I suspect that I would make the case in my submission that it is very difficult to prove that, in the past, I had not done something, whereas it would be relatively trivial for a responsible sender of direct marketing to be able to show that I had, in fact, consented, and be able to demonstrate the point at which my consent was obtained.

      I would probably refer to the ICO's guidance on direct marketing, paragraphs 94 and 95, which set out the ICO's position:

      "94. If someone claims that they did not consent to receive an organisation’s marketing messages, that organisation may be at risk of enforcement action unless it can demonstrate that the person did give valid consent.

      95. Organisations should therefore make sure that they keep clear records of exactly what someone has consented to. In particular, they should record the date of consent, the method of consent, who obtained consent, and exactly what information was provided to the person consenting. They should not rely on a bought-in list unless the seller or list broker can provide these details. Organisations may be asked to produce their records as evidence to demonstrate compliance in the event of a complaint."

      I might, if pushed, make the point that regulation 30 envisages the ability for an individual to take action for breach of the regulations, and that this would be inconsistent with an interpretation of regulation 22 which effectively precluded any ability to bring action since, as a matter of reality, it is, to all intents and purposes, impossible for someone to prove that they had not consented to receive such messages. As such, a consistent interpretation would be for the claimant to make a statement that they had not consented, and leave it to the sending party to prove otherwise.

      [x]'s defence:

      It would be a defence for [x] to prove either:

      a.) that I, as the recipient of the email, had previously notified [x] that I consent to receive such email; or
      b.) [x] had obtained my contact details
      in the course of sale to me, or negotiations with me, of a product or service;
      that the the direct marketing contained in the email was about [x]'s products and services;
      that those products and services were similar to the ones [x] had sold to me or in respect of which [x] and I had had negotiations;
      that I had been given a simple, free of charge means of "opting-out" of direct marketing at the point of collection of your details
      and in each subsequent communication.

      Alternatively, if [x] can prove that he had taken "such case as in all the circumstances was reasonably required to comply with [regulation 22]", he has a complete defence (regulation 30(2)). I am not aware of any case law on this point, and Revk's perspective is that the only action which could have amounted to the taking of such reasonable case in respect of regulation 22 relating to someone with whom he has had no business relationship was not to send the email in the first place.

    6. Elegantly put Neil, thanks for that :) It sums up what I had already figured out, but I like the bit about regulation 30 allowing for action. Very well written :)

    7. Just please do bear in mind that I may be wrong!

      If anyone here does end up taking action, I'd be very interested to see what is being filed / listening in to a public hearing.

    8. Of course. It tallies with my own reading of the legislation, Mr £1 per keystroke will be getting an action filed against him shortly, I've got a few more whose 14 days runs out soon too...

  7. A further twist to the tale (and appologies for slightly hijacking this post Rev) another response from a company, who claimed to have used affiliates.
    This time however, they've admitted to creating the materials used by the affiliate, which I think goes a ways to proving that they instigated the email campaign. They approved a email to be sent, knowing that it could not be sent legally as they hadn't provided a list of email addresses that were legal to send. They even sent a list of email addresses that should be supressed! Not impressed with this lot, and on further investigation, the "affiliate" is another company, based in the same building with the same directors!