New Bill Takes Permission Beyond Opt-in in EU

For email marketers operating in the European Union, getting permission will soon extend beyond getting customers to opt-in to letting them into the inbox.

"There are very legitimate concerns about the privacy of individuals," says Dennis Dayman, chief security officer of Eloqua, "and there has to be some sort of protection for the end user."

In a nutshell, what the bill basically does is state that marketers have to get “explicit consent” to use your data, even when it comes down to tracking mechanisms like cookies. "The thinking is that the end users should be able to make that choice," says Dayman.

The European Privacy Directive will go into effect May 25. There was some panic early on from marketers, who didn't initially know what this provision—tacked on to another piece of legislation—would mean for the business community, notes Dayman. For example, how would it impact new technology? And what would it mean for small businesses, desperate for ways to build lists and make connections with prospective customers?

The bill states that if a consumer visits a website, the marketer must get explicit opt-in to place a cookie on their computer. One way to get consent is, of course, to present the visitor with a form the minute they enter your site, asking them to agree to the cookie, or to receive email, or whatever. "And this will probably scare the regular user," notes Dayman.

However, permission can also be granted by browser consent. The bill is modeled after existing legislation in Germany, which states that if you visit a German site and your browser allows cookies, you're giving the marketer consent to place a cookie on your machine.

What It Means to You

And what is the impact of this bill for U.S. marketers, right now?

"We're trying to determine where cross border laws apply," says Dayman. "You need to recognize that the Internet doesn't understand boundaries, because it is global."

Dayman points to Canada as an example. In Canada, it is illegal to send email to someone without their permission. But in the past, the law didn't apply to U.S. marketers emailing into Canada.

However, Canada's new bill C-28 clamps down on unsolicited commercial e-mail, forcing businesses that send bulk emails to be able to demonstrate the receivers’ permission to send advertising or promotional email messages, says Dayman. And the bill requires that senders outside of Canada, who send messages to Canadians, will need to comply with the legislation, as will Canadians who send messages from Canada to other parts of the world.

As it stands today, Canada's privacy regulation Personal Information Protection and Electronic Documents Act (PIEPDA) has already put a requirement on opt-in for anyone who wanted to "process" or use email addresses of Canadian citizens. “When you look at as well, the United States is one of the last few countries that doesn't have opt-in requirements on email addresses,” says Dayman.

The best tactic for U.S. companies seems to be to adhere to the laws of their home country. "Track your customers, but give the individual the ability to opt-out," he says.

One company Eloqua works with made the decision to be hyper-transparent. When someone opts in, as soon as they hit the submit button they immediately receive an email explaining any third party tracking technologies used.

“In Germany this is a requirement today as it will be across the entire EU after May 25,” says Dayman. “What some of our German customers and partners do today is either require a affirmative check-box for not only email opt-in, but also tracking, and in other cases they attach the email and tracking opt-in to the ‘submit’ button along with a few quick bullet points as to what the action of hitting the submit button is opting-in the visitor too.”

The emailer’s preference center should also offer an opt-out to emails and tracking, and outline all of this explicitly in their privacy policy.

“We find that when you’re cognizant of customers’ needs and wants, and behave up front about what you’re doing with the data you’re collecting, the customer is more likely to want to work with you,” he says. “Being hyper-transparent at the form helps those who won't read a long privacy policy understand quickly what action they may or may not want to take.”

Emailers need to take a look at where in the world their business presences exist, and where they could and would be held responsible for potentially breaking the law.

"We could see that the 27 EU member nations could implement the law as written today, or they could make it more stringent or less stringent," says Dayman. "They could come back and say we require exclusive opt-in for everything."

"There will be bad guys who won't listen but all the good guys are listening, and they'll be the ones who you want to model [your behavior] after."