Issues raised by spam
The sending of spam raises a multiplicity of issues, which include the following:
*Invasion of privacy
• Harvesting email addresses and data can amount to an invasion of privacy
• Overloading mailboxes with unwanted material can be a nuisance and an invasion of privacy
*Cost of managing spam
• ISPs that have to cope with traffic
• Businesses whose information systems and employees waste resources and time deleting spam or buying and installing filtering mechanisms
• Individuals who waste time deleting spam
• Spam can be used to spread computer viruses
*Loss of reputation to individuals and businesses
• If email address is spoofed
• If email is identified as spam and blocked by ISP or businesses
*Danger to internet
• Spamming campaigns can act as a form of denial of service and slow internet connections
• Offensive content
• Promoting illegal products
Regulation of spam
Spam may be regulated in various ways as listed below:
A. Legislation which may follow various models –
1. Opt-out: a recipient can ask not to receive email. Any further email is illegal.
2. Opt-in: a recipient must have agreed to receive email or sending email is illegal.
3. Prohibiting sale and distribution of spam ware.
4. Enforcing ISPs’ anti-spam policies.
B. Blacklisting by industry blacklisting organisations: for example in South Africa the Internet Service Providers’ Association (ISPA) publishes an annual spam culprit list, known as the ISPA Hall of Shame. Such activities raise issues about the legal status of blacklisting organisations and in some cases lead to defamation claims by blacklisted persons. For example, following the publication of the 2012 ISPA Hall of Shame, it was reported that one of the listed culprits had brought a damages claim against ISPA (see Bonnie Tubbs ‘ISPA sued for defamation’ ITWeb, 19 June 2012).
C. Common law –: civil claims for nuisance or the invasion of privacy may be brought by spam recipients.
The following section takes a closer look at South African legislative provisions.
ECTA: Regulation of spam
Section 45 of ECTA provides for an opt-out scheme. This section places the following obligations on senders of unsolicited commercial communications:
“(1) Any person who sends unsolicited commercial communications to consumers, must provide the consumer-
(a) with the option to cancel his or her subscription to the mailing list of that person;
(b) with the identifying particulars of the source from which that person obtained the consumer’s personal information, on request of the consumer.”
A number of inadequacies of this section have been pointed out (see L Michalson ‘The Law vs the Scourge of Spam’). Just two of these issues are canvassed here. First, section 45(1) provides for an opt-out scheme which is unsatisfactory because it requires a consumer to take action to terminate the continued despatch of unsolicited communication. Second, the definition of consumer in section of the Act negatives the protection intended to be given by s 45 by limiting it severely. Section 1 defines a consumer as “any natural person who enters or intends entering into an electronic transaction with a supplier as the end user of the goods or services offered by that supplier” (emphasis added). This narrow definition of consumer excludes those who do not enter, or intend to enter, into an electronic transaction with the sender. It leaves a huge section of the public unprotected.
Section 45(1) is bolstered by sections 45(3) and 45(4). Section 45 (3) provides that “any person who fails to comply with or contravenes subsection (1) is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89 (1)”. This means that criminal prosecution and conviction may follow if a sender of spam does not provide an opt-out mechanism for recipients or does not provide details of the source of the recipient’s personal information at the request of the consumer.
Section 45 (4) provides that “any person who sends unsolicited commercial communications to a person who has advised the sender that such communications are unwelcome, is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89 (1)”. Therefore spam senders who ignore or refuse to act on the opt-out instructions issued by a spam recipient may face criminal sanctions.
The penalty provided for by section 89(1) is “a fine or imprisonment for a period not exceeding 12 months”.
Section 45(2) provides that “no agreement is concluded where a consumer has failed to respond to an unsolicited communication” thus ensuring that consumers are not forced into contracts simply because they failed to respond to spam.
Sections 11 – 12 of the CPA are applicable to spam. Section 11(1) provides that every person’s right to privacy includes the right to refuse to accept, require the cessation of further communication, and to pre-emptively block communication for the purposes of direct marketing. Section 11(2) provides that recipients of direct marketing communications may issue opt-out instructions and section 11(4) provides that the senders of direct marketing communications must provide opt-out mechanisms for the recipients of their direct marketing communications. Section 11(3) provides for the establishment of registry for pre-emptive blocks. However, as at 4 August 2012 this registry has not yet been established.
Section 12 provides that consumers may not be contacted at home during prescribed periods. These times have been provided for by a notice under the Consumer Protection Regulations. They are:
- Sundays or public holidays contemplated in the Public Holidays Act, 1994 (Act No. 36 of 1994);
- Saturdays before 09h00 and after 13h00; and
- all other days between the hours of 20h00 and 08h00 the following day,
except to the extent that the consumer has expressly or implicitly requested or agreed otherwise.
The notice also provides that “direct marketing may not be timed to be delivered to the consumer during the prohibited times referred to in item 1 above unless expressly, in writing, agreed to by the consumer”.
Industry Bodies’ Approach
Some industry bodies provide guidance to their members through Codes of Conduct. These codes do not have force of law and must comply with the CPA and ECTA. The Direct Marketing Association of SA (DMA) established National opt-out register which enables anyone to pre-emptively block spam in 2007 (https://www.nationaloptout.co.za/ ). The ISPA addresses spam in clauses 14 -15 of its Code of Conduct (http://ispa.org.za/code-of-conduct/) and is in favour of opt-in provisions (http://ispa.org.za/press-release/ispa-urges-opt-in-approach/ ). The Wireless Application Service Providers’ Association’s Code of Conduct addresses spam in clause 5 and uses an opt-out approach (/sites/default/files/image_tool/images/264/Lectures/lecture5/waspa_coc_6.1.pdf).
Reform: Protection of Personal Information Bill, 2009
The Protection of Personal Information Bill, 2009 provides for an opt-in scheme.
Section 66 (1) provides that: “
The processing of personal information of a data subject for the purpose of direct marketing by means of automatic calling machines, facsimile machines, SMSs or electronic mail is prohibited unless the data subject—
(a) has given his, her or its consent to the processing; or
(b) is, subject to subsection (2), a customer of the responsible party.”
Further, section 66 (3) provides for an unsubscribe option for recipients as follows:
“Any communication for the purpose of direct marketing must contain—
(a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
(b) an address or other contact details to which the recipient may send a request that such communications cease”.
Some legislation from other jurisdictions
US: Can-Spam Act of 2003
Directive on Privacy and Electronic Communications (2002/58/EC); Article 13(1) requires prior consent for direct marketing email-opt-in
E-Privacy Directive: Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, 2002 O.J. (L 201) 37
E-Commerce Directive: Directive 2000/31/EC on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market, 2000 O.J. (L 178) 1
Distance Contracts Directive: Directive 97/7/EC on the Protection of Consumers in Respect of Distance Contracts, 1997 O.J. (L 144) 19
Data Protection Directive: Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31
Australian Spam Act 2003
For a useful overview see: L-Soft ‘Opt-In Laws in the USA and EU’ available at < http://www.lsoft.com/resources/optinlaws.asp> (accessed 4 August 2012)