Is your business spam compliant?: New anti-spam legislation for New Zealand

New Zealand has joined the worldwide legislative battle against spam with the passing of the Unsolicited Electronic Messages Act in February this year. The new legislation is expected to come into effect on 5 September 2007, following a six-month grace period to allow time for businesses to ensure that their existing practices and policies are compliant with the Act.

The Act is designed to tackle the proliferation of electronic junk mail and other messages such as SMS text sent by organisations we don't know and often can't identify.  Apart from the annoyance and time factor involved in clearing these messages, spam creates economic costs for both service providers and users and, is being used as a major vehicle for malicious and fraudulent material.

In itself the new legislation is unlikely to have much impact on the bulk of spam received in your inbox.  The difficulty is that despite spam accounting for a large proportion of New Zealand's email traffic, only 4 to 10 percent of spam actually originates in New Zealand.

Enforcing New Zealand legislation against foreign-based spammers will depend on the New Zealand Government forming co-operative relationships and multilateral arrangements with other countries and international bodies. 

This has always been acknowledged by the Government.  The Act is only one part of its "multi-pronged attack on spam" and it will serve as a platform for it to take part in international measures to combat spam.

In this update we provide an overview of the new anti-spam legislation and set out some practical issues businesses will need to address before the Act takes effect in September.

Purpose of the Act

The Act seeks to promote the responsible use of electronic messages by:

• prohibiting the sending of commercial electronic messages that have a New Zealand link, except where the message is sent to people who have provided their consent to receiving those messages;

• requiring all electronic messages with a New Zealand link to identify the person authorising the sending of the message and how that person may be contacted;

• requiring all electronic messages with a New Zealand link to include a functional unsubscribe facility embedded into the electronic message; and

• prohibiting the use of software to harvest electronic addresses, and the use of harvested address lists.

Who will it affect?

The new law changes the ground rules for businesses involved in digital marketing by requiring an opt-in process before commercial electronic messages (as defined by the Act) can be sent to customers or potential marketing targets.  Fines of up to $200,000 for individuals and up to $500,000 for organisations will be incurred for breaching the Act.

The new rules for electronic messaging

Electronic messages

The Act applies to messages sent to an electronic address using a telecommunications service, and includes email, instant messaging or text messaging.  It does not apply to voice calls (including voice messages using voice over internet protocol technology), direct mail or to fax transmissions.

New Zealand link

The Act only applies to electronic messages with a New Zealand link.  The definition of "New Zealand link" is very wide and covers not only messages originating in New Zealand being sent to any destination but also messages that originate overseas being sent to an address accessed in New Zealand. The Act also applies where it would be reasonable to expect that an electronic address has a New Zealand link (for instance, email addresses ending in .nz), even if that address does not exist.

This feature is particularly important in addressing the global spam problem.  However, liability for breaches of the new rules apply only to people resident in or organisations carrying on business or activities in New Zealand.

Commercial electronic messages

A commercial electronic message is a message whose:

• purpose is the marketing or promoting of goods or services; or

• object is to obtain a dishonest financial advantage (to cover off the kind of messages used by Nigerian scam operators). 

There are exceptions as to what represents a commercial electronic message.  These include quotes or estimates (if requested); messages facilitating, completing or confirming an already agreed commercial transaction; and messages that provide the recipient with information about goods or services offered by a government body.

Consent

This is fundamental to stopping unsolicited commercial electronic messages. Consent can be either express or inferred (from the conduct and business and other relationships between the parties).  The Act also deems consent to have occurred where:

• an electronic address has been published by a person in a business capacity;

• there is no accompanying statement that there is no consent to the sending of messages; and

• the message sent is relevant to the business, role, functions, or duties of that person.

Required particulars

The Act requires that any electronic message covered by it clearly and accurately identifies the person who authorised the sending of the message and includes accurate information about how to readily contact that person.  The information must reasonably be likely to be valid for at least 30 days after the message is sent.

It also mandates that electronic messages must include a functional clear and conspicuous unsubscribe facility allowing the recipient to opt out from receiving further messages.  Again, this facility must be reasonably likely to be functional for at least 30 days after the principal message is sent.  The unsubscribe facility must allow the recipient to respond using the same method of communication that was used to send the original message.

Prohibition on address harvesting software and harvested address lists

The Act imposes a strict prohibition on the use of address harvesting software or harvested address lists.  Address harvesting software means software that is capable of, or marketed for use for searching the Internet for electronic addresses and for collecting and compiling those addresses.

The onus of proving that the use of the software or list was not in connection with, or was not with the intention of, sending unsolicited commercial electronic messages lies with the person who contends that this has occurred.

Defences

The Act offers two defences against the violation of its core requirements.  A person who sends or who authorises the sending of an electronic message in breach of the Act's rules on electronic messaging, has a defence if they can show the message was sent by mistake, or if the message was sent without the sender's knowledge (for example, because of a computer virus).

Regulations

The Act itself does not complete the picture on electronic messaging prohibitions.  Regulations may be passed to further streamline its application.  Some areas of importance that may be affected by such regulations include:

• what amounts to inferred consent;

• exceptions to the definition of commercial electronic message; and

• conditions for unsubscribe facilities.

Enforcement, procedures and penalties

Enforcement

Any person affected by a breach can complain to the Enforcement Department (namely, the Department of Internal Affairs). A person may also seek an injunction in the High Court or sue for damages if he or she has suffered damage arising out of, for example, a denial of service attack.

On receiving a complaint the Enforcement Department may not only initiate legal proceedings for breach, but also has powers to apply for and execute search warrants, issue formal warnings, issue contravention notices (which will require the payment of a fine) or accept an enforceable undertaking, the breach of which will result in fast track legal remedies before the courts.

Penalties and fines

A person affected by spam may seek an injunction from the High Court, may apply to the High Court for compensation for any loss suffered or damages (which are not to exceed an amount equal to the financial benefit obtained by the spammer) or may apply to the High Court to join any court action initiated by the enforcement department.  An enforcement officer may issue formal warnings, issue a civil infringement notice requiring the spammer to pay a penalty, apply for an injunction or make an application for the spammer to pay a pecuniary penalty, compensation or damages.

An individual faces pecuniary penalties of up to $200,000 while an organisation faces penalties of up to $500,000.  Factors to be assessed in deciding the level of fine include the number of messages sent, the number of addresses to which an electronic message was sent, and whether the perpetrator has previously contravened the Act.

Some issues for business

The Act raises a number of practical issues for business, such as:

• will new business processes have to be adopted for a business to comply with the opt-in requirements for commercial electronic messages and what might these be?

• how far can a business rely on inferred consent as opposed to express consent in relation to the sending of commercial electronic messages?

• should more marketing effort be focussed on other forms of marketing not covered by the Act (such as telemarketing)?

• what steps should be taken by businesses to avoid being deemed to have given their consent to receiving unsolicited commercial electronic messages?

• what issues arise for businesses based here and overseas in order for them to comply with legal requirements in other countries for the regulation of unsolicited electronic messages?

• what new policies are required for compliance with other parts of the new legislation?

• what further training is required to ensure that staff are in a position to support your company’s compliance efforts?

One area likely to cause considerable difficulty for organisations is being able to determine with certainty when they will be able to rely on inferred consent.  A recent review of the Australian anti-spam legislation , which has been in place since 2003, indicates that many Australian businesses have found compliance with an equivalent provision to be confusing and unduly onerous.  As noted above, some of these difficulties may be addressed in regulations setting out circumstances giving rise to inferred consent.  However, it is likely that this will be an on-going issue, which will require further clarification in the Act as well as the development of industry guidelines and codes of practice.

The road ahead

No-one expects the Act to deliver an immediate end to spam.  However, it is an important element in solving the problem and brings us in line with other countries such as Australia, the United Kingdom and the United States in fighting the increasing cost of spam.  The new legislation should be seen as one step in a range of complementary strategies, including the development of industry codes and international cooperation.

While the efficacy of the Act remains to be seen, it introduces further compliance issues for New Zealand business.  The biggest initial impact will be on digital marketers and internet service providers, but all businesses will need to review their procedures to ensure that:

• either express or inferred consent exists for all commercial electronic messages;

• all electronic messages contain accurate information identifying the business organisation and provide a functional unsubscribe facility;

• harvested address lists are not used; and

• employees are educated on the new legislative changes and adequate email practices, software programs and databases are in place.

Organisations should start to seek advice on the potential implications of the new legislation for their businesses and develop appropriate strategies to ensure they comply.

For further information, please contact your usual Bell Gully advisor or:

WELLINGTON

Dean Oppenhuis
Partner

Enquiries and information

For more information on any of the cases, articles and features in Commercial Quarterly, please email Diane Graham or call her on 64 9 916 8849.