Spam a friend... To recommend or not to send
These options are marketing tools used by online service providers whereby they can obtain email and other details for their existing users' friends and family.
On the face of it, this appears to be an effective way for online service providers to generate access to a wider customer base by leveraging off of their existing customer base. As this is in effect a form of direct marketing, it is however important to evaluate the permutations of these options from a data protection and consumer protection perspective.
The German Federal Court recently adopted a conservative approach in finding that the 'send-to-a-friend' option constitutes illegal spam unless the recipient of the email expressly consents thereto.
Onus on the online service provider
In the matter before the court, the recipient of the emails had, despite objecting thereto, been flooded with emails. Although it is the friend of the recipient who initiates sending an email by making use of the 'send-to-a-friend' functionality, the email is ostensibly generated and sent by the online service provider. As a result, the court found that the onus is on the online service provider to obtain the recipient's consent. The basis for this decision lies in the specific requirements under German law for a consumer to expressly opt-in for the purposes of direct marketing.
From a South African perspective, one would need to evaluate the provisions applicable to direct marketing under the Consumer Protection Act, No 68 of 2008 (CPA) and the Protection of Personal Information Act, No 4 of 2013 (PPI). (It is important to note that whilst PPI has been enacted, it is yet to come into force). The CPA provides a consumer with the right to opt out of direct marketing or the right to pre-emptively block the receipt of certain forms of direct marketing. The PPI contemplates that only existing customers can be approached for the purposes of direct marketing and must be given the option to opt out. By implication, under PPI, an online service provider would not be entitled to directly market to data subjects (being natural or juristic persons, as defined under PPI) who are not existing customers without obtaining their consent.
However, it is yet to be determined whether the South African Information Regulator under the PPI or the courts will construe the 'send-to-a-friend' functionality as an email initiated by the friend or the online service provider. In the interim, it is prudent for online service providers to consider the following in order to mitigate the risks associated with the 'send-to-a-friend' emails:
- clearly stating to website users that they should only make use of the 'send-to- a-friend' function if they have reason to believe that the recipient would consent to receiving an email from the online service provider;
- identifying the website user as the sender of the email;
- not sending emails to recipients who have previously opted-out from receiving direct marketing communications; and
- placing a limit on the number of emails that the online service provider is allowed to send.