Business owners often get confused about the differences in New Zealand law between unsolicited electronic messages (often called spam) and privacy. These are in fact two different concepts which are regulated by two different pieces of legislation. Let’s start with spam.
Spam
Anyone sending commercial electronic messages needs to follow the Unsolicited Electronic Messages Act 2007 (also known as the Spam Act). This law is enforced by the Department of Internal Affairs, which is the agency responsible for a range of other laws such as gambling, births, deaths & marriages etc.
The Spam Act applies to electronic messages (including email, text messages (SMS), instant messages, and faxes) that are commercial in nature i.e. promoting a product, service, business or investment opportunity.
The Spam Act says that when you send a commercial electronic message:
- the person receiving it must CONSENT to receive your messages.
- you need to clearly and accurately say who you are (as the sender).
- there must be a clear and easy way for the person receiving your commercial electronic messages to unsubscribe from or stop receiving them.
The law also says that you cannot use software to collect addresses to send commercial electronic messages that people have not already agreed to receive.
As you can see, there is nothing here about privacy or personal information.
Understanding consent
- Can I establish consent by emailing my existing customer database asking them to unsubscribe if they don't wish to receive messages?
A commercial electronic message may only be sent if the recipient has consented to receive it. If you don’t think that the recipient has consented, then the “click here to unsubscribe” type of email cannot establish consent for future purposes.
Many recipients may treat a message as spam and not respond or even open it. There is no real relationship when the communication is one-sided, and the recipient's silence should not be taken as consent.
- Can organisations send electronic messages to obtain or confirm consent from people on existing electronic databases?
For much of an existing list of customers you will often have proof of consent and it’s not necessary to send a message requesting that they confirm that consent. However, there is often a small percentage for which you are unsure whether you have consent. If you are contemplating emailing a customer database to confirm consent, consider carefully the wording of the message so you don’t inadvertently prompt recipients to unsubscribe.
- Can organisations send electronic messages to obtain or confirm consent from people on existing electronic databases?
Yes, verbal consent is okay. There is no obligation in the Spam Act for the consent to be in writing.
However, it is advisable to keep a record of verbal consent. If a complaint is ever laid the onus of proof of consent is on the sender of the message (as stated in section 9 (3) of the Act).
- Does receiving a business card from someone count as ‘inferred consent’ to include them in an email or fax newsletter distribution list?
That would depend on the circumstances of the business card swap.
‘Inferred consent’ in the context of supplying a business card primarily relates to the development of a relationship between the parties. Inferred consent would only apply if the electronic message sent specifically related to the relationship that had developed at the time a business card was supplied.
For example, if A and B exchange business cards during a business type meeting, general consent would be inferred between A and B that they agree to receive electronic messages from each other that relate specifically to the meeting or generally to A and B’s business. The content of the information shared can be limited or extended by A and B (i.e. you build your consent according to what information you want to receive).
It is unlikely that an intended outcome of a person handing out their business cards would directly lead to them receiving commercial electronic messages that in no way were attributable to the original circumstances where the cards were provided.
- If I have swapped business cards with someone and am sending them commercial electronic messages, do I have to keep all the business cards as proof of ‘inferred consent’?
You will need to keep proof of the consent in some form. Over time the on-going correspondence becomes evidence of a relationship and you won't have to keep the business card.
- If I send media releases out to newspapers on topics likely to be of interest to their readers do I need to ensure my media contacts opt in?
If it can be inferred from the business of your media contacts that they agree to receive your media releases, you might have inferred consent to send it. If you are not sure, write to them and get their express consent.
Consent may also be deemed if the media contacts address is conspicuously published (i.e. website, newspaper) and the message is relevant to them.
- How long can my business rely on inferred consent in a business relationship? For example, if I make one transaction with a customer, can I continue to send them promotional material one year later? Five years later?
You can’t reasonably infer consent from a single transaction. If you wish to send a customer with whom you have had one transaction marketing and promotional material, you should seek their express consent.
The Spam Act states that an electronic message that facilitates, completes or confirms a commercial transaction the recipient previously agreed to is not a commercial electronic message. You could use the sending of these electronic messages as an opportunity to seek express consent to send promotional material in the future.
Privacy
Privacy, on the other hand, is about compliance with the requirements of the Privacy Act 2020 in relation to personal information. The Act provides a framework for protecting an individual’s right to privacy of personal information. To summarise a complex piece of law:
- Under the Privacy Act all agencies that collect personal information must comply with the Privacy Principles in the Act. Agencies include businesses, employers and anyone else operating in some way in New Zealand. Personal information means information about an identifiable person. As you can see, these definitions capture a very wide range of information collected in NZ every day.
- Some of the 13 Privacy Principles require agencies to state what they’re collecting information for, what kind of information they’re collecting and how users can ask for access to their information so they can correct it. That’s why privacy statements/policies are required.
- Other Principles cover how agencies can use and disclose the information. This is likely to be where the confusion about spam vs privacy arises.
Everyone in business needs to understand and comply with these privacy laws. The requirements are too lengthy to go into in this article, but we strongly recommend you research and understand them and how they apply to your business. You can learn more from www.privacy.org.nz or seek advice from a privacy law specialist.
The article is intended to provide general information and should not be treated as legal advice. If you need specific legal advice for your situation, please get in touch at tamara@calibratelegal.nz. Or visit Calibrate Legal for more information and to connect with the legal expertise you need for your day-to-day business operations.