Can my e-communication be prohibited as spam or unlawful use of data? (cont’d)
(f) Application to the Janssens-Quidam case
To announce the cat hat launch, Janssens-Quidam did not restrict itself to the use of blogs and web boards.
First, taking advantage of a database of data collected during a competition a year beforehand for another Janssens-Quidam product, Leon (Head of Marketing) had sent a cat hat launch announcement to the competition participants. The e-mail, which was sent from the ‘email@example.com’ address, contained a few images (mainly photos of various employees wearing the hat at a number of London, Paris and Amsterdam landmarks). The body of the e-mail was rather limited:
‘Dear JQ friend,
We are pleased to announce the launch of a new product by Janssens Quidam SA/NV, the ‘cat hat’. Visit www.janssens quidam.be immediately to order one and to share your photos with this unusual accessory.
See you soon,
The Janssens-Quidam Team’
Moreover, in the name of Janssens-Quidam, he wrote a similar post on the Facebook ‘wall’ of the company.
Finally, some Janssens-Quidam employees also sent e-mails to all of their contacts. Leon, for instance, wished to redirect his contacts towards the Janssens-Quidam website and therefore sent a similar e-mail from the ‘firstname.lastname@example.org’ e-mail address rather than from his personal Gmail address, signing this time in his own name.
As he did not have the e-mail addresses of all of his contacts, he also sent private messages on Facebook with the same content as the e-mail sent to his contacts.
Fortunately for Leon and Janssens-Quidam, there was no negative reaction. It would nevertheless have been better to first think about the implications of sending all of these electronic messages in terms of spamming and of use of personal data.
In this example, four distinct operations are to be examined:
(i) E-mail to participants in a prior competition
Through the first operation, the company uses personal data (i) collected by Janssens-Quidam (ii) in the framework of direct marketing.
The legitimacy of the processing of personal data will depend on the terms of participation relating to the competition. If they explicitly state that the participant agrees to the use of his or her personal data for purposes of direct marketing, Janssens-Quidam may justify the processing in relation to the Privacy Act on the basis of consent of the recipient (the participant).
Moreover, if the aforementioned consent specifically covers direct marketing by electronic mail, the electronic mail in question will in principle not be considered as spam under the AISS. Otherwise, the company may attempt to dispute the classification as spam by invoking the ‘soft opt in’ exception (as described previously).
Finally, it is worth noting that in this example, the body of the e-mail was fairly limited. Janssens-Quidam failed to inform the recipient of his or her right to object to the sending of advertising in the future, and it also failed to make available to the recipient appropriate means by which to exercise this right. In doing so, Janssens-Quidam has committed an additional violation of the AISS.
(ii) Message on Facebook to the company’s fans
While it was possible in September 2011 to send a private message to all the ‘fans’ of a company, this possibility has since been removed.
At the time of publication of this web page, the administrator of the Facebook account of a company can only interact with ‘fans’ on Facebook in two ways:
- by sending a private message, in the case of prior contact by the ‘fan’, and
- by posting updates on the company’s Facebook wall.
In Janssens-Quidam’s case, Leon posted a message on the Facebook wall of the company in its own name, such that the ‘fans’ of the company see the message appear in their list of recent updates (their ‘News Feed’). This does not involve any processing of personal data by Janssens-Quidam, and it is not electronic mail either: it is a public communication (as defined previously) and cannot therefore be deemed to be spam under the AISS.
(iii) E-mail to an employee’s personal contacts from a professional address
In the case of the third operation, the company, not Leon, is deemed to be the sender of the e-mail, as it is sent from Leon’s professional address (email@example.com). The recipients are Leon’s personal contacts. In such case, the people in question have never given their consent to the company for the use of their data.
Moreover, it bears reminding that one should provide for the possibility for recipients to object to the use of electronic mail for advertising purposes for the future.
It is therefore best to avoid sending advertising by e-mail to the personal contacts of an employee, unless such e-mail is preceded by an e-mail from the company in which it asks for the person’s permission to use his or her personal data.
(iv) Private message on Facebook to an employee’s personal contacts
The fourth operation amounts to the use by a natural person of personal data that he or she has obtained in person. It is nevertheless likely that the data in question were collected in a purely personal context (especially in the case of ‘Facebook friends’, as Facebook is still used mostly for an exclusively personal purpose by natural persons).
The rules of the Privacy Act nevertheless apply to the processing of personal data by a natural person in the framework of his or her commercial activities (Article 3(2) of the Privacy Act).
Consequently, a similar reasoning to that used for e-mail sent to personal contacts (see point (iii) above) will apply, and it is therefore best to avoid such private messages on Facebook.