Inside 1to1:Privacy

Opt In Or Opt Out For Global Direct Marketing?

August 1, 2009

By Jay Cline, CIPP

U.S.-based corporations sending direct-marketing messages outside the States face a maze of regulations that could ground marketing campaigns before they get started. In these situations, a carefully planned privacy-consent strategy can help maximize the available returns on marketing expenditures.

Companies with headquarters in the U.S. often target Canada as their first non-U.S. destination for expansion because of its proximity and common language. But despite Canada's proximity, its requirements for the level of consumer consent needed to send direct marketing can differ substantially.

"Unfortunately, there are no simple and fast rules as to when opt-in consent is required and an opt-out approach is acceptable," Kris Klein, CIPP/C, head of the Ottawa-based Law Office of Kris Klein, told Inside 1to1: Privacy.

"For example, an individual's workplace fax number is not personal information and can be used for marketing purposes without consent," Klein explained. "However, workplace e-mail addresses are considered personal information."

For telemarketing to Canadian residents, U.S. companies should consult Canada's do-not-call registry launched in 2008.

U.S.-based firms deciding to expand into Europe often choose the UK as a beachhead because of its shared language. With a foothold in the UK, U.S. firms typically next turn their attention to the largest EU markets: France, Germany, Spain, and Italy. But despite their shared membership in the EU, these countries have taken varied approaches to regulating direct marketing.

"The difference between UK and Spanish law in this area highlights the lack of harmonization across the EU," reported Eduardo Ustaran, partner at London-based Field Fisher Waterhouse. "In the UK, it's possible to have obtained e-mail addresses in the course of mere negotiations for the sale of a product in order to operate on an opt-out basis. In Spain, an existing and proven contractual relationship will be required."

"When you look at things like viral marketing," he added, "the Spanish approach is even more severe. The Spanish authorities have actively clamped down on the use of refer-a-friend facilities."

Rocco Panetta, a Rome-based attorney with Panetta & Associates, told Inside 1to1: Privacy that Italy takes a strict line on telecommunications-based direct marketing. Automatic marketing communications sent via SMS and fax "are allowed in the case of express previous consent of the interested person only," he said. Telemarketing calls to residential phones require opt-in consent, while calls to business numbers are allowed to be made on an opt-out basis.

"Telephone direct marketing is the less appreciated way to do marketing in Italy," Panetta explained. "Culturally, the postal mail is more accepted."

For its part, France has a reputation for stringent privacy regulations. Pascale Gelly, head of Paris-based Cabinet Gelly, generally concurs with that sentiment. "Most businesses know that France is an opt-in country when it comes to direct marketing by e-mail," she reported. "However, they may not be aware of the good and the bad news around this rule."

"Beginning with the bad news: The potential sanction is 750 Euros per e-mail sent in violation of this rule," she explained. "The good news is that the CNIL [France's data protection authority] interprets the opt-in rule as not applying to e-mails sent to professionals on topics related to their work," she added, "which shows a certain degree of flexibility."

Dr. Sachiko Scheuing, the Frankfurt-based European Privacy Officer for Acxiom, told Inside 1to1: Privacy that "German privacy requirements for direct marketing are characterised by the strong interplay among different laws:  the data protection law, anti-competition law, and the telemedia law."

"For instance, telemarketing requires an opt-in in Germany," Scheuing explained. "This requirement is set out in the anti-competition law [Gesetz gegen unlauteren Wettbewerb] rather than the data protection law."

Scheuing noted that, because of privacy scandals, the German data protection law was recently amended to require direct marketers to gain opt-in consent in more situations.

American companies entering the more exotic Asia-Pacific region for the first time tend to begin in Australia, which is a bit more familiar. But while Australia is often considered by U.S. companies to be more business-friendly in the area of privacy regulation, the country maintains a multi-pronged direct-marketing regime.

"Direct marketing in Australia is directly covered by three pieces of federal legislation," observed Malcolm Crompton, head of privacy consultancy Information Integrity Solutions. "Each gives individuals the right to opt out after the first contact," he explained.

"In certain circumstances, however, opt-in consent is also required," he added. During his term as Privacy Commissioner of Australia, Crompton was instrumental in developing this framework.

"The Privacy Act 1988 allows direct marketing without opt-in consent only if beforehand 'it is impracticable for the organisation to seek the individual's consent'," he said.  "The Spam Act 2003 requires commercial electronic messages--including e-mail, instant messaging, SMS, and MMS--to be sent with the prior consent of the recipient, unless there is an established business relationship."

Australia, like Canada and the U.S., also maintains a do-not-call registry.

Despite its proximity to the U.S., Latin America's less-developed markets can mean it is the last stop for U.S. companies going global. But its emerging-market status will nonetheless continue to attract direct-marketing campaigns from the U.S. According to Luis Salazar, CIPP, a Miami-based partner at Greenberg Traurig, those campaigns will require a country-by-country approach.

"Latin America lacks a consistent approach to direct marketing," Salazar noted, "and, even where regulations do exist, enforcement is uneven."

"In countries with more developed laws in this area--like Mexico's Ley Federal de Protecion de Consumidores," Salazar added, "it's easier to plan good, compliant marketing campaigns."

"But in countries that just rely on often amorphous habeas data rights, one inappropriate piece of direct marketing can lead to significant penalties."

Salazar explained that Latin Americans used to be put off by impersonal direct marketing. "The massive proliferation of the mobile phone in Latin American has dramatically changed that. Consumers are more receptive to direct marketing and savvier about it, too."

With all of these national and regional variations, what are some proven strategies for maximizing a return on marketing dollars? Perhaps one of the most common inclinations of companies first encountering this area is to adopt a corporate policy that applies globally the most restrictive regulations found in any one jurisdiction. This "high-road" or "conservative" approach can be a mistake, however. Adopting an opt-in approach to an e-mail marketing campaign, for example, when an opt-out approach is allowable and culturally acceptable within a certain country can make the difference between a positive or negative return-on-investment for the campaign.

What do more experienced companies do in these situations? Adopt a global policy that says the company will obtain appropriate consent for direct-marketing communications, and supplement it with country policies that define how consent is obtained in each locale.

"That approach provides the most flexibility while maintaining compliance with relevant law in each jurisdiction where the company targets consumers," said D. Reed Freeman, partner at Kelley Drye & Warren. "But flexibility is not free. It comes with the obligation to know the law in each relevant jurisdiction, as well as the enforcers' views on the application of the law to specific marketing programs, and an obligation to keep track of the consents received on a per-consumer, per-country basis."

E-mail marketing consent requirements
The table below indicates what level of consent a U.S.-based company is likely to need to obtain in order to send marketing messages about its products or services to the different types of e-mail addresses indicated in the table. Because circumstances of a particular campaign can alter these requirements, however, companies should consult an attorney.

Country

Direct marketing
sent to a
consumers
e-mail
address obtained
in the course of
negotiating the
sale of a product
or service to that
consumer

Direct marketing
sent to a
consumer's
e-mail
address obtained
during the
conclusion of a sale
of a similar product
or service to that
consumer

Direct marketing
sent to personal
e-mail addresses
obtained from
third parties,
online sources,
or refer-a-
friend

Direct marketing
sent to workplace
e-mail addresses
obtained from
third parties,
online sources,
or refer-a-
friend

USA

Opt-out

Opt-out

Opt-out

Opt-out

Canada

Opt-out

Opt-out

Opt-in

Opt-in

Mexico

Opt-out

Opt-out

Opt-out

Opt-out

UK

Opt-out

Opt-out

Opt-in

Opt-out

France

Opt-in

Opt-out

Opt-in

Opt-out

Belgium

Opt-in

Opt-out

Opt-in

Opt-out

Germany

Opt-in

Opt-out

Opt-in

Opt-in

Spain

Opt-in

Opt-out

Opt-in

Opt-in

Italy

Opt-in

Opt-out

Opt-in

Opt-in

Australia

Opt-out

Opt-out

Opt-in

Opt-out


Source: USA - Jay Cline; Canada - Kris Klein; Mexico - Luis Salazar; UK - Eduardo Ustaran; France - Pascale Gelly; Belgium - Jan Dhont, Lorenz Law; Germany - Sachiko Scheuing; Spain - Eduardo Ustaran; Italy - Rocco Panetta; Australia - Malcolm Crompton

Jay Cline is president of Minnesota Privacy Consultants