News

Industries

Companies

Jobs

Events

People

Video

Audio

Galleries

My Biz

Submit content

My Account

Advertise with us

SPAM roundtable

Research shows that spam accounts for 15 to 20% of all email sent to companies. Debating the spam deluge at a recent round table were speakers from online marketing company Acceleration, ISP M-Web and legal expert Lance Michalson. Lance Michalson discusses how practically implementing and policing current laws is fraught with problems.

Summary of current legal position

SPAM per se is not illegal in South Africa. However, if a sender fails to do one of 3 things, he his guilt of an offence (see 1.3 below)

Section 45 of the Act requires the sender to do 3 things:

  • to provide the consumer with an option to cancel his subscription to the mailing list (i.e. instructing the sender not to send any more communications in the future – an opt-out)
  • to furnish the consumer with the identifying particulars of the source from which he obtained the consumer's personal information, if requested by the consumer and
  • not to send a second and further unsolicited commercial communication to the consumer if that consumer has asked the sender not to.

If the sender fails to do so, the sender is guilty of an offence and liable on conviction to an unspecified fine or a maximum of 12 months imprisonment.

A consumer can also lodge a complaint with the Consumer Affairs Committee in respect of any non-compliance by the sender of an unsolicited communication.

Problems with section 45

There are 5 problems with the current spam provisions in the ECT Act which need to be addressed by either making changes to the ECT Act itself, by enacting standalone anti-spam legislation or by dealing with them in the Privacy Act which is currently being drafted by the South African Law Commission.

What constitutes a proper opt-out? Does the sender have to provide an e-mail address or a hyperlink to a website in the 1st email? Will a simple reply-to be OK? This is important as the sometimes innocent acts of senders (e.g. where they simply forget to provide the option in their first email) are now criminalised.

Was it correct to legislate for an opt-out as opposed to an opt-in in section 45? One has to question the effectiveness of the use of an opt-out in the ECT Act because all it often serves to do is validate the existence of an e-mail address being spammed.

It is clear that opt-in is currently the most favoured route by far.

In a survey conducted by us, we noted that of the 37 States in the US which have Spam laws, only 3 contain opt-out provisions. Of the 42 countries in the rest of the world which have spam laws, only 17 contain opt-out provisions.

One has to question whether or not opting-out works with e-mail as well as it does with direct mail and telemarketing where the incremental cost of each communication provides marketers with a sufficient incentive to refrain from communication with persons who have submitted opt-out requests. Bulk e-mail, however, does not involve an analogous incremental cost and spammers lack a similar incentive to respect opt-out requests. Further, e-mail opt-out requests are rarely effective and some spammers reportedly collect and sell e-mail addresses of those who have submitted such requests. Lastly, one cannot loose sight of the fact that one does not frequently receive unsolicited 'snail-mail' from other countries (like one does with e-mail).

No definition of "sender": The consumer must be able to advise the "sender" that the communications are unwelcome. The sender is perfectly entitled to provide false or fictitious information as to his identity. Legislation does not require that the sender provide accurate details of his name, physical and electronic addresses.

No definition of "unsolicited": In general (not in terms of the ECT Act) a communication is considered to be unsolicited if 3 factors are present:

  • if there is no prior relationship between the parties (some countries include a time period – e.g. the preceding 5 year period for purposes of determining whether a message is unsolicited
  • the recipient has not expressly consented to receive that communication
  • the recipient has previously sought to terminate the relationship, usually by instructing the sender not to send any more communications in the future (an "opt-out" request).

Problem: From a technical perspective, it is often difficult to assess whether an e-mail communication is unsolicited. This is particularly so if the prior relationship is comprised of something other than a previous exchange of e-mail messages (e.g. a broad interpretation of "unsolicited" might include all contracts that are not part of a current transaction – e.g. suppose I buy a bottle of Panado at Pick 'n Pay using a credit card and Pick 'n Pay is somehow able to obtain my e-mail address. If Pick 'n Pay subsequently sends me an e-mail advertising a sale on Panados, the communication could be considered unsolicited under some definitions. This scenario is more likely if I am a member of Pick 'n Pay's loyalty programme during the transaction enabling them to link the transaction to personal information about me already on their files. I may have also previously consented to receive subsequent unrelated communications from Pick 'n Pay when I signed up for the loyalty card in which event the communication would probably not be considered unsolicited.

No definition of "commercial": "Commercial" is generally defined in terms of message content rather than the sender's intention for sending the message. Typically, the message promotes the sale of goods or services (this is also apparent from the heading of section 45).

Examples of the sender's intention are important and show that an unsolicited "commercial" communication is not spam is where:

  • they do not include or promote illegal or offensive content;
  • their purpose is not fraudulent or otherwise deceptive;
  • they do not collect personal information;
  • they are not sent in a manner that disguises the originator;
  • they offer a valid and functional address to which consumers can send messages opting-out of receiving further unsolicited messages.

Act does not define "communication" in the context of Spam: Communication would include unsolicited commercial e-mail (UCE) and unsolicited bulk e-mail (UBE). It would also include unsolicited SMS's and Instant Messages (IM). Section 45 tends to address UCE and not UBE. The Act should deal with and define "bulk e-mail": What qualifies as "bulk e-mail"? A single message sent to a very large number of recipients clearly qualifies as bulk. However, so too does separate but identical copies of a message that are sent to a large number of recipients. The only distinction between the two is the stage at which the message is sent. The main issues lies in how many copies of a message must be sent and within what time period for them to qualify as a bulk transmission.

ISPs

SPAM is a known nuisance and foreseeable. Because of this do ISPs owe their subscribers a "duty of care" to enable them to manage the SPAM problem (e.g. by way of making spam filtering software and blacklists available to them)? If the answer is yes, ISPs could be held liable for negligence for where a subscriber can prove that is has suffered loss which should have been reasonably foreseeable and due to the ISPs negligence. To enable their subscribers to manage the problem themselves is itself not a bad thing for ISPs as they would not have to make a judgment call for their subscriber on what their subscriber might think is spam or not when filtering and would therefore not have to enter into the debate around whether using filtering software would be an unlawful monitoring under our law. Issues of unlawful monitoring aside, do ISPs have a legal obligation to block emails from spammers on a centralised known spammers register?

A holistic solution

Ultimately, we are striving for a situation where "permission is what the consumer says it is": individuals must have the ability to control whether they receive bulk or commercial e-mail messages.

National legislation per se is not a comprehensive answer to the problem because of the difficulties in identifying spammers, lack of jurisdiction over offshore offenders and competing priorities faced by law enforcement agencies in South Africa. Furthermore, many e-mail addresses provide no indication of the sender's physical location and even an e-mail address that does include a geographic identifier, can frequently be used from anywhere in the world.

Technology solutions per se are not a comprehensive answer to the problem. The war between spammers and anti-spammers has frequently been described as an "arms race", with each side constantly developing new weapons. A law that attempts to incorporate these weapons is likely to be obsolete before it takes effect because of the rapid advancement in technology. It is possible to accomplish this with an "opt-in", where by marketers would be permitted to send e-mail only to persons who have expressly opted to receive it.

South Africa should therefore be following a SPAM reduction strategy which balances regulatory, self-regulatory, technical and consumer information elements.

From a self regulatory perspective, the MFSA and ISPA should (i) be seen to be working together towards solving the problem and (ii) ensure that there their codes of conduct contain anti-spam provisions in terms of which their members and subscribers agree that unsolicited communications which they send:

  • are not sent in an untargeted and indiscriminate manner;
  • do not include or promote illegal or offensive content;
  • have a purpose which is not fraudulent or otherwise deceptive;
  • do not collect personal information;
  • are not sent in a manner that disguises the originator;
  • offer a valid and functional address to which consumers can sent messages opting-out of receiving further unsolicited messages.

Amendments to the current ECT or new spam legislation should consider dealing with the following key features:

  • Introducing a definition of an "unsolicited commercial communication";
  • no commercial electronic messaging must be sent without the prior consent of the end user unless there is an existing customer-business relationship;
  • all commercial electronic messaging must contain accurate details of the sender's name and physical and electronic addresses;
  • recognition of appropriate industry codes of conduct;
  • appropriate enforcement sanctions.

Any provisions should also take into account prevailing trends in spam laws in other countries so as to ensure a measure of inter-operability with those laws.

Let's do Biz