CSA Digital Email Summit 2020
Legal Insights Vol. 1 – Documentation/burden of proof and fines
The Importance of Documenting Consent for Commercial Emails
The first of the series of webinars and workshops offered as part of the 2020 CSA Digital Email Summit took place online on 30 August 2020. The series of workshops on legal issues deals with the legal requirements for email marketing. The requirements of the GDPR and the e-Privacy Directive are presented in a practical manner and with reference to issues that have arisen in the context of certification and complaint procedures. The staff of the Complaints Office, Alexandra Koch-Skiba, Peter-Paul Urlaub and Sebastian Fitting, took the attendees through legal issues related to the documentation of consent to use email addresses in email marketing.
An increase in notifications
Sebastian started off by having a look at the statistics for the previous year. In 2019, 96 percent of the complaint cases at CSA ended in notification, which means that one or more aspects of the email in question violated the CSA criteria. There has been a steady increase of notifications issued by CSA over the last few years, parallel to the increase in the volume of email sent. Around two-thirds of these were in connection with legal issues.
Why is it important to document consent?
The legal violations that were subject to notification in 2019 can be broken down into issues related to insufficient permission (46%), data consent (24%), the imprint (16%), the opt-out notice (10%), and other issues (4%). Peter-Paul took the attendees through why exactly issues with the documentation requirements for consent to the receipt of commercial emails are a problem. Basically, the burden of proof of consent is on the sender and can result in fines (issued by data protection authorities) or notifications (issued by the CSA/eco Complaints Office) if documentation of consent is incomplete or missing. Often senders run into issues because they cannot prove when and where they received consent to use a specific email address.
What that means in practice is that consent must be confirmed in a double opt-in (DOI) procedure. The DOI email should include the date, time and source (e.g. online form) of the consent, the text of the declaration of consent and a confirmation request. What may not be included is any form of advertising. The next webinar in the series, on 7 Sept. 2020, will look at what exactly is considered to be advertising, among other issues.
The cost of not having consent
It’s clear that documenting consent well is crucial. It avoids complaints, avoids fines and also ensures that the sender’s good reputation is maintained. Fines can be very high: recently, Woolworths had to pay a fine of over USD 1 million for sending emails without consent, even after customers complained or withdrew consent. This year, a German health insurance company sent emails to ‘just’ around 500 people without consent and was fined… EUR 12,000, EUR 250,00 or EUR 1.2 million; what do you think? [1]
Who’s responsible for proving (the lack of) consent?
A question that arose during the webinar was how the CSA can be sure that the documented consent is actually authentic. The burden of proof lies with the sender, and this is where the necessity of documenting consent becomes clear. CSA checks complaints about emails received without consent by forwarding the proof of consent provided to CSA by the sender to the complainant. The complainant can then comment on the authenticity of that proof.
Senders should also make sure they don’t just track and record when and where they collected an email address, but also the original text of the declaration of consent (e.g. on an online form) and any other data required to authenticate the consent, e.g. encryption keys. Terms of service or privacy policies, however, are not part of this documentation of consent. Everything the owner of the email address has agreed to should be in the declaration of consent.
If the sender has acquired addresses from another source, then the sender is still the party that is subject to the burden of proof and must be able to provide opt-in data to the CSA, if required to do so. The source must provide the sender with all of the necessary documentation of consent.
Single opt-ins are not accepted by the courts, as there aren’t enough data points to identify the person providing consent, e.g. on a website. Saving an IP address is not sufficient.
Live collection of email addresses
The attorneys recommended collecting email addresses electronically when collecting addresses live, e.g. at a stand in a shop. Then there is clear consent and no mistakes can arise from misreading or mistyping addresses. These addresses should be confirmed by sending a DOI email in a timely manner. In the past, courts have reprimanded the first use of email addresses months after they were first collected. Likewise, DOI emails should ideally be sent within a few hours of the person first e.g. signing up for a newsletter. Two weeks later would definitely be too late.
What constitutes advertising? What needs to be considered in opt-in notices and imprints?
To find out more about what exactly is considered to be advertising (and hence not allowed in DOI emails, for example), sign up for the next webinar in the series, on 7 Sept. 2020. The third Legal Workshop, on 14 Sept. 2020, looks at the legal requirements for opt-in notices and imprints. Join these upcoming Legal Workshops to make sure that your commercial emails are compliant with the CSA criteria and to ask any questions you have related to these legal requirements.
[1] This year, a German health insurance company in Baden-Württemberg sent emails to ‘just’ around 500 people without consent and was fined EUR 1.2 million.