PSR16_WebBanner_300x250-wCopy
OneTrust_Webcon_BB_300x250_ad_04.25.2016.v5-01
DPC16_Banner_300x250-COPY

By Jay Cline, CIPP

U.S.-based corporations sending direct-marketing messages outside the States face a maze of regulations that could ground marketing campaigns before they get started. In these situations, a carefully planned privacy-consent strategy can help maximize the available returns on marketing expenditures.

Companies with headquarters in the U.S. often target Canada as their first non-U.S. destination for expansion because of its proximity and common language. But despite Canada's proximity, its requirements for the level of consumer consent needed to send direct marketing can differ substantially.

"Unfortunately, there are no simple and fast rules as to when opt-in consent is required and an opt-out approach is acceptable," Kris Klein, CIPP/C, head of the Ottawa-based Law Office of Kris Klein, told Inside 1to1: Privacy.

"For example, an individual's workplace fax number is not personal information and can be used for marketing purposes without consent," Klein explained. "However, workplace e-mail addresses are considered personal information."

For telemarketing to Canadian residents, U.S. companies should consult Canada's do-not-call registry launched in 2008.

U.S.-based firms deciding to expand into Europe often choose the UK as a beachhead because of its shared language. With a foothold in the UK, U.S. firms typically next turn their attention to the largest EU markets: France, Germany, Spain, and Italy. But despite their shared membership in the EU, these countries have taken varied approaches to regulating direct marketing.

"The difference between UK and Spanish law in this area highlights the lack of harmonization across the EU," reported Eduardo Ustaran, partner at London-based Field Fisher Waterhouse. "In the UK, it's possible to have obtained e-mail addresses in the course of mere negotiations for the sale of a product in order to operate on an opt-out basis. In Spain, an existing and proven contractual relationship will be required."

"When you look at things like viral marketing," he added, "the Spanish approach is even more severe. The Spanish authorities have actively clamped down on the use of refer-a-friend facilities."

Rocco Panetta, a Rome-based attorney with Panetta & Associates, told Inside 1to1: Privacy that Italy takes a strict line on telecommunications-based direct marketing. Automatic marketing communications sent via SMS and fax "are allowed in the case of express previous consent of the interested person only," he said. Telemarketing calls to residential phones require opt-in consent, while calls to business numbers are allowed to be made on an opt-out basis.

"Telephone direct marketing is the less appreciated way to do marketing in Italy," Panetta explained. "Culturally, the postal mail is more accepted."

For its part, France has a reputation for stringent privacy regulations. Pascale Gelly, head of Paris-based Cabinet Gelly, generally concurs with that sentiment. "Most businesses know that France is an opt-in country when it comes to direct marketing by e-mail," she reported. "However, they may not be aware of the good and the bad news around this rule."

"Beginning with the bad news: The potential sanction is 750 Euros per e-mail sent in violation of this rule," she explained. "The good news is that the CNIL [France's data protection authority] interprets the opt-in rule as not applying to e-mails sent to professionals on topics related to their work," she added, "which shows a certain degree of flexibility."

Dr. Sachiko Scheuing, the Frankfurt-based European Privacy Officer for Acxiom, told Inside 1to1: Privacy that "German privacy requirements for direct marketing are characterised by the strong interplay among different laws:  the data protection law, anti-competition law, and the telemedia law."

"For instance, telemarketing requires an opt-in in Germany," Scheuing explained. "This requirement is set out in the anti-competition law [Gesetz gegen unlauteren Wettbewerb] rather than the data protection law."

Scheuing noted that, because of privacy scandals, the German data protection law was recently amended to require direct marketers to gain opt-in consent in more situations.

American companies entering the more exotic Asia-Pacific region for the first time tend to begin in Australia, which is a bit more familiar. But while Australia is often considered by U.S. companies to be more business-friendly in the area of privacy regulation, the country maintains a multi-pronged direct-marketing regime.

"Direct marketing in Australia is directly covered by three pieces of federal legislation," observed Malcolm Crompton, head of privacy consultancy Information Integrity Solutions. "Each gives individuals the right to opt out after the first contact," he explained.

"In certain circumstances, however, opt-in consent is also required," he added. During his term as Privacy Commissioner of Australia, Crompton was instrumental in developing this framework.

"The Privacy Act 1988 allows direct marketing without opt-in consent only if beforehand 'it is impracticable for the organisation to seek the individual's consent'," he said.  "The Spam Act 2003 requires commercial electronic messages--including e-mail, instant messaging, SMS, and MMS--to be sent with the prior consent of the recipient, unless there is an established business relationship."

Australia, like Canada and the U.S., also maintains a do-not-call registry.

Despite its proximity to the U.S., Latin America's less-developed markets can mean it is the last stop for U.S. companies going global. But its emerging-market status will nonetheless continue to attract direct-marketing campaigns from the U.S. According to Luis Salazar, CIPP, a Miami-based partner at Greenberg Traurig, those campaigns will require a country-by-country approach.

"Latin America lacks a consistent approach to direct marketing," Salazar noted, "and, even where regulations do exist, enforcement is uneven."

"In countries with more developed laws in this area--like Mexico's Ley Federal de Protecion de Consumidores," Salazar added, "it's easier to plan good, compliant marketing campaigns."

"But in countries that just rely on often amorphous habeas data rights, one inappropriate piece of direct marketing can lead to significant penalties."

Salazar explained that Latin Americans used to be put off by impersonal direct marketing. "The massive proliferation of the mobile phone in Latin American has dramatically changed that. Consumers are more receptive to direct marketing and savvier about it, too."

With all of these national and regional variations, what are some proven strategies for maximizing a return on marketing dollars? Perhaps one of the most common inclinations of companies first encountering this area is to adopt a corporate policy that applies globally the most restrictive regulations found in any one jurisdiction. This "high-road" or "conservative" approach can be a mistake, however. Adopting an opt-in approach to an e-mail marketing campaign, for example, when an opt-out approach is allowable and culturally acceptable within a certain country can make the difference between a positive or negative return-on-investment for the campaign.

What do more experienced companies do in these situations? Adopt a global policy that says the company will obtain appropriate consent for direct-marketing communications, and supplement it with country policies that define how consent is obtained in each locale.

"That approach provides the most flexibility while maintaining compliance with relevant law in each jurisdiction where the company targets consumers," said D. Reed Freeman, partner at Kelley Drye & Warren. "But flexibility is not free. It comes with the obligation to know the law in each relevant jurisdiction, as well as the enforcers' views on the application of the law to specific marketing programs, and an obligation to keep track of the consents received on a per-consumer, per-country basis."

E-mail marketing consent requirements
The table below indicates what level of consent a U.S.-based company is likely to need to obtain in order to send marketing messages about its products or services to the different types of e-mail addresses indicated in the table. Because circumstances of a particular campaign can alter these requirements, however, companies should consult an attorney.

Country

Direct marketing
sent to a
consumers
e-mail
address obtained
in the course of
negotiating the
sale of a product
or service to that
consumer

Direct marketing
sent to a
consumer's
e-mail
address obtained
during the
conclusion of a sale
of a similar product
or service to that
consumer

Direct marketing
sent to personal
e-mail addresses
obtained from
third parties,
online sources,
or refer-a-
friend

Direct marketing
sent to workplace
e-mail addresses
obtained from
third parties,
online sources,
or refer-a-
friend

USA

Opt-out

Opt-out

Opt-out

Opt-out

Canada

Opt-out

Opt-out

Opt-in

Opt-in

Mexico

Opt-out

Opt-out

Opt-out

Opt-out

UK

Opt-out

Opt-out

Opt-in

Opt-out

France

Opt-in

Opt-out

Opt-in

Opt-out

Belgium

Opt-in

Opt-out

Opt-in

Opt-out

Germany

Opt-in

Opt-out

Opt-in

Opt-in

Spain

Opt-in

Opt-out

Opt-in

Opt-in

Italy

Opt-in

Opt-out

Opt-in

Opt-in

Australia

Opt-out

Opt-out

Opt-in

Opt-out

Source: USA - Jay Cline; Canada - Kris Klein; Mexico - Luis Salazar; UK - Eduardo Ustaran; France - Pascale Gelly; Belgium - Jan Dhont, Lorenz Law; Germany - Sachiko Scheuing; Spain - Eduardo Ustaran; Italy - Rocco Panetta; Australia - Malcolm Crompton

Jay Cline is president of Minnesota Privacy Consultants

Comments

If you want to comment on this post, you need to login.

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Schooled in Privacy

Looking to get some higher-ed in privacy? Check out these schools that include data privacy courses in their curricula.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

The Industry of Privacy

Take stock, compare your practices to those of other organizations, and get budget with these studies on the industry of privacy.

More Resources »

P.S.R.—One Powerhouse Program

The program is too good to miss. The speakers are world-renowned. P.S.R. brings you the best of the best in privacy and security. Don't wait: Register now!

Speak at the Intensive!

The call for proposals for our London event, the Data Protection Intensive, is now open! Submit your session idea today.

Time to Get to Work at the Congress

Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register today.

GDPR Comprehensive London: Last Chance!

The IAPP GDPR Comprehensive heads to London this fall. This is your last chance at this popular program this year!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»