10.1 Introduction
Setting regulations to control unsolicited messaging and protect against data-related privacy breaches has been an emerging issue since the global launch of the online world and the popularity of the public domain.
Although there is no globally accepted law to protect users from breaches of privacy or anti-spam prevention, there are a number of national policies in effect that are important to know and understand when engaging in the field of digital marketing. For this reason, Module 10 - the final module of this course - will focus on the legal considerations for the UK and those that are in effect around the world.
10.2 The legalities: The UK
Within the UK, there are three forms of legislation or guidelines that are aimed at combating spam messages and protecting the privacy of its citizens.
These include the Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003 (PECR), and the UK Code of Non-Broadcast Advertising and Direct and Promotional Marketing (CAP Code), all of which will be outlined below. But first, the two regulating bodies - the Information Commissioner's Office (ICO) and the Advertising Standards Authority (ASA) - will be briefly discussed.
Activity 1
Estimated Time: 25 minutes
Clarity of digital marketing regulations.
To engage in this activity, you can select a piece of legislation or guidelines related to digital marketing campaigns. This could be the General Data Protection Regulation (GDPR) in Europe, the CAN-SPAM Act in the United States, or similar regulations from other countries or regions.
Once you've chosen a regulation, take some time to read through its content. You can involve your family members in this activity by discussing the regulation's provisions and its implications together. Pay attention to how the regulation is written—is it in legal language or does it use more straightforward sentence structures? Note any parts that you find particularly clear or difficult to understand.
After reviewing the regulation, consider the key takeaways. What are the main requirements or restrictions outlined in the regulation? Are there any aspects that you found challenging to comprehend? Reflect on whether someone without a legal background would find it easy to interpret the regulation accurately. Do you think the regulation could benefit from being written in simpler, more accessible language?
By engaging in this activity, you'll gain a better understanding of the regulations governing digital marketing campaigns and the language used in legal documents. It will also prompt you to consider the importance of clarity and accessibility in regulatory frameworks.
10.3 UK regulating bodies
The Information Commissioner's Office (ICO) was established in 1984 under its former official title of the Data Protection Registrar. Reporting to the British Parliament, the ICO is sponsored through the Department of Culture, Media, and Sport. Despite this governmental affiliation, it functions as an independent authority for data protection and serves as the regulatory office for the UK. The ICO's responsibilities include registering data controllers, addressing reported concerns, and enforcing relevant laws.
These laws encompass the Data Protection Act, Freedom of Information Act 2000, Privacy and Electronic Communications Regulations, and the Environmental Information Regulations 2004. Additionally, the ICO maintains an international branch that collaborates with similar organizations beyond the UK's borders.
On the other hand, the Advertising Standards Authority (ASA) is a non-statutory organization situated in the UK. Operating without legal authority, the ASA relies on a set of industry-led guidelines. Funding for the ASA is derived from the advertising industry rather than the government. Originating in 1961 as the Committee of Advertising Practice (CAP) under the UK Advertising Association, the ASA evolved the following year to handle complaints regarding false advertisements and other marketing-related issues.
10.4 UK legislation and guidelines
The first of three regulations to be discussed is the Data Protection Act.
It was introduced in 1998, updated in 2018 to incorporate the General Data Protection Regulations (GDPR), and is regulated by the ICO. The mandate of the Data Protection Act is to deal with the processing of data as it relates to living citizens. It is considered to be the main legislation in effect that relates to data protection in the UK. Although it does not directly relate to privacy itself, it does aim to dictate how to process personal data and how to limit its free movement.Under the Data Protection Act, the only way data can be shared is through the consent of the individual, with noted exceptions for purposes related to national security, crime and taxation, and other domestic reasons.
However, one of the biggest criticisms of this Act is that its interpretation can be somewhat difficult, meaning it can be easy to manipulate the understanding of the Act's parameters, which can allow a business or organization to breach the Act without consequence.
Since the introduction of the Data Protection Act, another form of legislation has come into effect that focuses more on data privacy and the realm online of communications. This piece of legislation is called the Privacy and Electronic Communications Regulations 2003, or PECR.
PECR
PECR is regulated by the ICO, which is the same authority that oversees the Data Protection Plan. It operates in much the same way as the do-not-call registry but pertains to email, SMS, and other mobile messaging systems, rather than unsolicited telephone marketing.
Under PECR, it is illegal to send promotional information via these technologies without the consent of the user.
An easy opt-out option must also be offered to the user at the time when consent is given, as well as any other communications from the business to the user. PECR also restricts the processing and sharing of personal data (including location and traffic information) to any third-party businesses, unless authorized by the user themselves. In 2012, PECR was amended to include the regulation of 'cookies' (which are similar to page tagging as discussed in Module 8 on Web Analytics) and other such technologies. When a company is in breach of PECR, they can face penalties of up to £500,000, depending on circumstances.
CAP-Code
The final regulation to be considered in relation to the UK is the UK Code of Non-Broadcast Advertising and Direct and Promotional Marketing, which is alternatively referred to as the CAP-Code. It is enforced by the ASA but was written by the Committee of Advertising Practice (CAP).
The CAP-Code asserts that any advertising made within the UK should be legal, decent, honest, and truthful.
It also states that marketing initiatives should not lead to serious harm, exploitation, or misuse of information, nor should it ignore or encourage violence or any other unsafe practice. Furthermore, the CAP-Code states that any company using advertisements of any form (traditional or digital platforms of marketing) must provide evidence for any claims made in said marketing efforts prior to their launch. And, even though the CAP-Code has no legal bearing to prevent offenders from disobeying its guidelines, it is an industry-led set of standards. This means breaching these guidelines is an offense to the industry, as well as the user and legally-binding regulations.
Activity 2
Estimated Time: 15 minutes
Regulation Offenders
To identify a case which has breached one of the regulations listed in Module 10.
Look up a campaign or product that was guilty of false advertising or breaching the privacy of its customers. Briefly conduct research regarding the scenario, the consequences, and related information. Again, any of the regulations discussed in this module may be used for this activity.
Once you feel you have enough information, reflect on the questions below:
-What was the outcome of the breach? Was it related more to privacy or unsolicited messages? Did you feel the outcome was justified? How would you have ruled the outcome of the case?
-Knowing what the regulation stated, why do you think a company would opt to breach the parameters of the particular legislation or policy you looked at? Do you feel the risk was worth the penalty?
10.5 The Legalities: Global
Now that the UK-related regulations have been reviewed, this section will take a look at some of the most recognized legislation from around the world. This will include examining the regulations from Australia, Canada, the European Union, and the United States. Each of these countries' privacy and anti-spam legislation will be summarized in their respective sections below.
Prior to outlining the above regulations, it is important to note that there are currently no wide-reaching regulations in effect in Africa, Asia, and South America, which is why they have not been covered in this module. Although some countries within each of these global regions do have some legislation in place, the emphasis of this course is predominantly on the UK. Therefore, the main focus of this module's coverage will be on the countries and regions that would mainly be targeted in online advertising campaigns.
10.6 Australia
Australia's legal standing on topics such as privacy and anti-spam initiatives come in the form of two different regulations. These regulations include the Federal Privacy Act and the Spam Act. Each will be outlined below.
The Federal Privacy Act
The Federal Privacy Act was officially launched in 2001. It is enforced through the Office of the Australian Information Commissioner (OAIC), which functions much like that of the UK version, only it was established in 2010, so it is relatively new. The Federal Privacy Act is a piece of legislation that provides Australian citizens with legal protections related to privacy of information.
The Spam Act
In addition to the Federal Privacy Act, the Australian government also introduced the Spam Act in 2003. This body of legislation is administered through the Australian Communications and Media Authority (ACMA), which is a federal agency. Its purpose is to regulate the various forms of commercial electronic communications, such as those sent through email. It aims to control unsolicited messaging with a particular focus on email and mobile platforms.
The Spam Act also attempts to restrict the practice of email harvesting, or the collection of emails obtained without consent used for the purpose of sending out mass mailings. It also states that any communications sent by a business must be done with the user's consent, and an option to opt-out must be included. However, the exception to this rule indicates that the only emails to be sent without the user's consent are those deriving from governments, registered charities, and political parties. The exemptions also include educational institutions, so long as they are going to either current or former students.
10.7 Canada
The next country to be reviewed is Canada.
Like Australia, it also has two separate forms of legislation - one that pertains to data protection and another that is focused on unsolicited communications. The first in this section to be briefly discussed is the Personal Information Protection and Electronic Documents Act, which will be followed by Canada's Anti-Spam Legislation.
PIPEDA
The Personal Information Protection and Electronic Documents Act, or PIPEDA, was first introduced into Canadian law in 2000, through the Ministry of Industry. The Act aims to control data privacy by governing how the private sector collects, uses, and discloses personal information. It states that the consent of the individual must be obtained in order to use the data collected on them. PIPEDA was rolled out in three phases, which started a year after its introduction into Parliament. This first phase applied to federally regulated industries, such as banks, broadcasting agencies, and the country's airlines. The following year, 2002, the health sector was added to the list of industries that were to follow the Act's regulations. Finally, in 2004, PIPEDA expanded to include any organization that collects personal information as part of their business practice.
CASL
Ten years after the final phase of PIPEDA was implemented, Canada's Anti-Spam Legislation (CASL) was introduced. Although it passed through legislation in 2014, it was not officially enforceable until 2015. CASL is regulated by three different federal agencies, including the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the Office of the Privacy Commissioner of Canada.
Just like many other anti-spam laws, CASL requires consent of the recipient, with an easy opt-out option, and full identification - including valid contact information - of the sending business. CASL deals with commercial electronic messages (CEMs), which include unsolicited mailings, such as emails, texts, and even tweets. It also aims to protect Canadian citizens from hacking, malware, spyware, and any other act that can lead to an infringement of privacy through an individual's computer or mobile device. However, the rules found within CASL do not apply to not-for-profits.
In addition to the basics behind CASL, there are two other considerations to be noted. The first is that as of July 1st, 2017, it will be legal under this law for individuals and organizations to take legal action against offenders of CASL. The second is that even if the intent is not to distribute within Canada but the US instead, it is advisable to follow the guidelines of the Canadian legislation. This is because CASL is viewed as being more severe than the US regulations, which will be covered shortly.
FACT
Canada's Anti-Spam Legislation is considered to be one of the world's toughest anti-spam laws in
effect today.
Source: Salesfusion.
10.8 European Union (EU)
The set of guidelines pertaining to data protection in the European Union is the General Data Protection Regulation (GDPR).
General Data Protection Regulation
This regulation was officially accepted in 2016 and became enforceable in 2018. In doing so, it amalgamated all data protection laws within the EU. This includes creating one singular piece of regulation across all of the EU's 27 members - or representing the 27 national data protection regulations that are currently in place.
The General Data Protection Regulation is an attempt at revising and building on the EU's ability to contribute to how data is transferred outside of the alliance, as well as improving a user's control of their personal data.
10.9 The United States
The final country outside of the UK to have its legislation looked at is the United States.
In 2003, the Controlling the Assault of Non-Solicited Pornography And Marketing Act, or as it is more commonly known, CAN-SPAM Act, was created. The following year, it became legally enforceable, under the regulation of the Federal Trade Commission - an agency of the United States government. It covers digital marketing related to commercial messaging but is predominantly focused on those sent via email.
The CAN-SPAM Act states that every email or message has to include the contact information of the sending company, as well as an opt-out solution. It also indicates that a sender cannot use false headers or subject lines when sending these types of communications, and that they must be easily identifiable as a form of advertisement. If found to be in breach of the CAN-SPAM Act, penalties of up to US$16,000 can be fined.
However, it should be stressed that these fines are based per email received, not sent. In other words, if five of the same email is received, then the company would be charged the fine five times.
But the CAN-SPAM Act has fallen under some criticism. As a result, it has become known as the “You-Can-Spam' Act. This is because it has failed to be properly enforced in a number of states. It is also one of the reasons why, when engaging in digital marketing in the United States, that the CASL implemented by its neighboring country of Canada be used as marketing guidelines. The reason for this is that the CASL encompasses many of CAN-SPAM's guidelines while remaining far stricter than its US counterpart.
Module Summary
This final module focused on the regulations involved in digital marketing by examining the two main aspects: data protection and control of unsolicited marketing. These regulations were presented by specifically focusing on the UK and then reviewing guidelines from four other regions.
Regarding the UK, the module began with an introduction to the two regulating bodies: the Information Commissioner's Office (ICO) and the Advertising Standards Authority (ASA). It then outlined three current regulations: the Data Protection Act, the Privacy and Electronic Communications Regulations 2003 (PECR), and the non-legally binding UK Code of Non-Broadcast Advertising and Direct and Promotional Marketing, also known as the CAP-Code.
The module then proceeded to outline regulations found within Australia, Canada, the European Union, and the United States. Understanding the basics of these regulations and guidelines makes it easier to implement strategic digital marketing initiatives without concerns of legal action.
Module 10 aimed to summarize each of the noted regulations, as they are widely referenced and considered around the world. Finally, it is important to keep in mind that when it comes to digital marketing, information can easily cross borders, making it all the more important to understand the basic legalities for the world's largest online markets.
.svg)
