Technology

Anti Spam Laws - How to Comply

By: James Date: April 14, 2014

Introduction

The Unsolicited Electronic Messages Act 2007 (the Act") is designed to curb the growth of spam in New Zealand and bring New Zealand into line with other countries (such as Australia, the United Kingdom and the United States) where anti-spam regulations have been adopted. Anti-spam legislation has proved effective overseas - notably, Microsoft won a USD$7 million settlement from Scott Richter (one of the world's most prevalent spammers) and, more recently, a Queensland-based company was fined AUD$11,000 for sending more than fifty thousand unsolicited text messages.

The Act is due to come into force on 5 September 2007, and imposes various requirements on senders of electronic messages. Businesses will need to ensure that appropriate electronic marketing practices are put into place before the Act comes into force, and that steps are taken to comply with the Act's requirements on an ongoing basis.

This background paper sets out the Act's requirements, enforcement regime and penalties, and provides practical guidelines for compliance with the Act.

What types of electronic messages does the Act cover?


The Act applies to "commercial electronic messages". An "electronic message" is a message sent using a telecommunications service to an electronic address, regardless of whether or not the message reaches its intended destination. Importantly, voice calls (made using a standard telephone service or using voice-over internet protocol) and faxes are expressly excluded from the definition.

An electronic message will be deemed to be a "commercial electronic message" when it:

(i) Markets or promotes goods, services, land, an interest in land, or a business or investment opportunity;
(ii) Assists or enables a person to dishonestly obtain a financial advantage or gain from another person; or
(iii) Provides a link, or directs a recipient, to a message that does one of the above.

There are some exceptions to this definition, which are set out in the Act (for example, where the electronic message provides a quote or estimate, where that quote or estimate was requested by the recipient).

The Act's requirements and prohibitions


The Act requires that:

  1. A person must not send any commercial electronic messages with a New Zealand link unless the recipient has consented to receiving the message;
  2. All commercial electronic messages must include accurate sender information that identifies the person who authorised the sending of the message and how that person may be contacted;
  3. All commercial electronic message must include a functional "unsubscribe facility" that allows the recipient (at no cost) to notify the sender that no further commercial electronic messages should be sent to the recipient's email address;
  4. "Address-harvesting software" must not be used in connection with (or with the intention of) sending unsolicited commercial electronic messages.


We note the following specific aspects of requirement (1):

"with a New Zealand link"

Section 9(1) of the Act requires that a person must not send (or cause to be sent) an unsolicited commercial electronic message that has a New Zealand link.

A message has a New Zealand link if one or more of the following applies:

(a) The message originates in New Zealand;
(b) The sender is either an individual that is physically present in New Zealand when the message is sent or an organisation that is centrally managed or controlled in New Zealand when the message is sent;
(c) The computer, server or device that accesses the message is located in New Zealand;
(d) The recipient is either an individual that is physically present in New Zealand when the message is accessed or an organisation that is centrally managed or controlled in New Zealand when the message is accessed; or
(e) The message is sent to an electronic address that ends with ".nz" or begins with an international access code directly followed by "64".

It is important to note that liability under the Act can arise whether or not the message is sent from New Zealand.

Consent requirement


Section 9(1) also requires that the recipient of a commercial electronic message must have consented to receiving that message. The Act provides for three types of consent:

(i) Express consent

Express consent is a direct indication from the intended recipient that they consent to receiving electronic messages from the sender. Express consent can be gained in a number of ways, such as completing a paper form, ticking a box on a website, or by phone discussion.

(ii) Inferred consent

Inferred consent is where the intended recipient has not directly instructed the sender to send the message, but consent can be reasonably inferred from the business relationship between the parties.

(iii) Deemed consent

Deemed consent is where a person conspicuously publishes their work-related email address or phone number (for example, on a website or in a magazine) and that publication is not accompanied by a statement that that person does not wish to receive unsolicited electronic messages to that address. Any messages sent to that electronic address must, however, relate to the recipient's business.

Section 9(3) of the Act provides that the sender must be able to prove that the recipient consented to receiving a commercial electronic message. Accordingly, where there is any uncertainty regarding inferred or deemed consent, the sender should obtain the intended recipient's express consent.

Penalties for breaching the Act


The Act sets up a civil penalty regime where either a Government enforcement department or an affected individual may take action against another person in respect of a breach of the Act.

In addition to breaches of the Act's key requirements (as set out above, numbered (1)-(4)), a person will commit a breach where they are in any way knowingly concerned in or a party to any breach of the Act's key requirements. For example, where an employer authorises an employee to send an unsolicited electronic message, that employer will be liable under the Act.

 

Enforcement


The "enforcement department " has several obligations under the Act, including investigation and enforcement, education, monitoring information and technologies and cooperation with international enforcement agencies. The Department of Internal Affairs ("the Department") is responsible for enforcing the Act.

Where a breach has occurred, an affected person may:

(i) Complain to the Department of Internal Affairs;
(ii) Seek an injunction from the High Court; and/or
(iii) Apply to the Court for compensation or damages.

The Department and/or its officers may, however:

(i) Issue a formal warning or civil infringement notice to the perpetrator;
(ii) Apply for a search warrant and exercise the powers of search and seizure granted by the warrant;
(iii) Accept an enforceable undertaking from a perpetrator and seek an order in the Court for a breach of that undertaking;
(iv) Seek an injunction from the High Court; and/or
(v) Apply to the Court for compensation or damages. The maximum monetary penalty the Courts may impose is $500,000 for organisations and $200,000 for individuals.

Defences


Section 12 provides that a person who sends an electronic message in contravention of the Act has a defence if:

(a) The message was sent by mistake (i.e. a reasonable mistake of fact); or
(b) The message was sent without the sender's knowledge (for example, by a virus).

How to comply with the Act


In order to ensure compliance with the Act, we recommend that the following steps be taken:

1. Clean/check marketing lists


You should check your email/text marketing lists to ensure that each intended recipient has consented to receiving commercial electronic messages from you, in one of the forms discussed above (express, inferred or deemed consent). Where you are unsure if consent can be inferred or deemed, you should either obtain the intended recipient's express consent or remove the intended recipient from your marketing list.

Bearing in mind that the sender of a commercial electronic message must be able to prove that the recipient consented to receiving the message, you should ensure that you keep any documents/records evidencing consent, so that they may be produced if necessary.

Marketing lists will also need to be kept current, which will include removing persons from those lists when they notify you that they no longer wish to receive messages.

You may also wish to consider using faxes or telemarketing to communicate with potential customers, as these forms of communication are not caught by the definition of "electronic message".

2. Configure all outgoing commercial electronic messages


All outgoing commercial electronic messages will need to:

(a) Contain a functional "unsubscribe" facility; and
(b) Clearly identify the sender of the message and contain accurate contact details for the sender.

3. Set company policies


We recommend that you put in place protocols prescribing which employees may send commercial electronic messages and the required regulatory content of those messages (i.e. unsubscribe facility, contact details).

In addition, all staff should be educated about the need for compliance with the Act.

Further information on the Act


Regulations will, at some stage in the future, be passed to provide further information on some aspects of the Act, for example:

(a) Specific circumstances in which consent to receiving commercial electronic messages will be inferred;
(b) Further exceptions to the definition of commercial electronic messages;
(c) Regime for issuing formal warnings and civil infringement notices.

For further information and practical guidelines for compliance, you can also refer to the Department's dedicated anti-spam website: http://www.antispam.govt.nz

Other legislation


There are other statutes relevant to the spam problem. For example, existing legislation prevents misleading or deceptive conduct (Fair Trading Act 1986), forgery or fraud (Crimes Act 1961), breaching computer network security and integrity (Crimes Act), making or supplying pornographic or offensive material (Films, Videos and Publications Classifications Act) and harassment (Harassment Act 1997).

In addition, the Privacy Act 1993 sets out rules which guide how personal information (including electronic address information) can be collected, used, stored and disclosed.

Disclaimer


This Background Paper by its nature cannot be comprehensive and cannot be relied on as legal advice, but is instead provided to assist readers to identify legal issues on which they should seek specialist legal advice.

James Carnie
Principal
Clendons
PO Box 1305
Auckland
New Zealand
Phone: +64 9 306 8000
DDI: +64 9 306 8002
Fax: +64 9 306 8009
Email: james.carnie@clendons.co.nz