Opt-In Rules Are a Good Start

Many Web site visitors are willing to share personal

information about themselves provided that their
consent is obtained first. Consent cannot be presumed,
however. Sneaky is not O.K.
Facebook appeared to figure this out the hard way: it
would make unilateral changes that seemed to force users
to share more, not less, and then it would look bewildered
when many users cried foul.
Now, Apple and Google are learning that their users will
not automatically assume that everything the companies
do out of view is in their customers best interests. A furor
erupted after reports that the companies were engaging in
secretive location tracking using
customers iPhone and Android cellphones.
Both companies said they were logging the locations of WiFi hotspots and cell towers, not keeping tabs on the
phones owners. But the issue was serious enough
that Steve Jobs, the Apple chief executive, emerged from
his medical leave to oversee the wording of Apples official
explanation. The companys statement blamed very
complex technical issues which are hard to communicate
in a sound bite.
Its clear that tracking of any kind is a touchy subject. On
the Web, tracking can take the form of behavioral
targeting, based on the digital bread crumbs that people
leave as they go from one site to the next. Or it can involve

Web sites paying data brokers for personal information

about a Web visitor known only by his or her e-mail
address.
A Web site that tracks the actions of its anonymous visitors
is peering into the darkness, trying to determine its users
identities and interests so it can serve up targeted
advertising or purchase suggestions.
Ad networks infer tastes, says Bret Taylor, Facebooks
chief technology officer. They make a profile that you
cant edit or delete and you may not even know about.
At Facebook, its completely in your control.
In the normal course of business, Facebook naturally
comes into possession of highly detailed personal
information on its hundreds of millions of members. Its
knowledge of what members are doing online is no longer
limited to what is done at its Web site. Members are now
offered the option of using their Facebook user name and
password to log in at other Web sites, which permits these
sites to tap the visitors personal and social network
information.
Heres the key: the feature, called Login With Facebook, is
opt-in only, and users can opt out any time. If they do
revoke their permission, all information that was pulled in
from Facebook must be purged.
Facebook forbids partner Web sites from transferring any
information about its members to ad networks or data
brokers. It also uses technology to detect the attempts of
data brokers to scrape that is, record Facebook

members publicly visible profiles. (Search engines are

permitted to scrape Facebooks public profiles, but users
can elect to disallow that.)
Privacy settings are best managed in one place, not many.
For our landline phones, we have the National Do Not Call
Registry, at donotcall.gov, maintained by the Federal
Trade Commission. But for privacy protection around the
Web, there is no equivalent.
Maybe the closest thing we have to such a registry online is
the Facebook privacy settings page. Its true that
contemplating the options it offers will make your head
hurt it bears no resemblance to the simple binary toggle
of the Do Not Call list. Some people may wonder whether
Facebook wants to overwhelm them with privacy options,
in the hope that the typical user will simply give up trying
to restrict the range of information shared publicly. For
those who persevere, however, the system works in the
way a Do Not Track list would work: when a member
makes changes in his or her privacy settings, the changes
propagate to all of Facebooks partner sites.
In April Senators John Kerry, Democrat of Massachusetts,
and John McCain, Republican of Arizona, introduced
the Commercial Privacy Bill of Rights Act of 2011. It is a
strange amalgam of mediocre proposals that would not do
much of anything, other than place the onus on individuals
to manage their relationship with every Web site that
collects information about them, which means just about
every site. People who have tons of free time can opt out
but only one Web site at a time.

If a Web site visitor uses an e-mail address as a user name

and shares no other personal information that site
can buy from data brokers a file of personal information
about the visitor that is matched to the e-mail address.
One broker, Rapleaf, says it has information associated
with over 70 percent of active U.S. e-mail addresses and
recently set a new monthly record for itself: responding to
more than one billion information requests from its
clients.
The opt-out model advocated in the Kerry-McCain bill
means that a consumer would have to know about every
Rapleaf out there and visit each one to edit information or
opt out. It offers the much preferable opt-in design only
for a few special categories of sensitive information, like
medical conditions, health records or religious affiliation.
It was almost 20 years ago that The New Yorker ran its
cartoon of a dog in front of a computer, telling another dog
sitting nearby, On the Internet, nobody knows youre a
dog.
Without your consent, thats still as it should be.

Legal Requirements in the USA and EU

Requirements United States

Europe

Type of
Email
Messages

The CAN-SPAM Act

covers commercial
email messages, the
primary purpose of
which is the
advertisement or
promotion of a
commercial product or
service.

The EU directive covers all

direct email marketing
messages, including
charitable and political
messages.

Permission /
Opt-In
Requiremen
t

No, the CAN-SPAM Act

allows direct marketing
email messages to be
sent to anyone, without
permission, until the
recipient explicitly
requests that they
cease ("opt-out").

Yes, direct marketing email

messages may be sent only
to subscribers who have
given their prior consent
("opt-in"). Prior permission is
required for business-toconsumer (B2C)
communication covering all
"natural persons".
Exceptions:
A business relationship in
which contact information
was obtained constitutes
prior consent as long as a
means to opt out was
provided at the same time
and continues to be provided
with each such message and
each message is about
similar products or services

by the same company.

For business-to-business
communication (B2B), i.e.
"legal persons", EU member
states are free to make "optout" the minimum legislation.
However, national legislation
of the member states can
require opt-in for B2B email,
too.

Unsubscribe
/ Opt-Out
Requiremen
t

Yes, every message

must include opt-out
instructions. The sender
must honor the opt-out
requests of recipients
within 10 days.
New Rule Provision
2008:
An email recipient
cannot be required to
pay a fee, provide
information other than
his or her email address
and opt-out
preferences, or take
any steps other than
sending a reply email
message or visiting a
single Internet Web
page to opt out of
receiving future email
from a sender.

Yes, every message must

include opt-out instructions.
The practice of sending email
for purposes of direct
marketing or without a valid
address to which the
recipient may send a request
that such communications
cease, is prohibited.
Existing Business
Relationship:
When the email address is
obtained in the context of the
sale of a product or service,
the natural or legal person
may use the email for direct
marketing of its own similar
products or services provided
that customers clearly and
distinctly are given the
opportunity to object, free of
charge and in an easy

manner, to such use of

electronic contact details
when they are collected and
on the occasion of each
message in case the
customer has not initially
refused such use.

Sender
Identity

The CAN-SPAM Act bans

false or misleading
header information. The
email's "From", "To" and
routing information
including the
originating domain
name and email
address must be
accurate and identify
the person who
initiated the email.
The Act prohibits open
relay abuses, falsifying
header information,
generating multiple
email addresses to
send from, deceptive
subject headers,
address harvesting and
dictionary attacks, and
other fraudulent ways
of sending spam.
New Rule Provision
2008:

Disguising or concealing the

identity of the sender on
whose behalf the
communication is made is
prohibited.

The definition of
"sender" was modified
to make it easier to
determine which of
multiple parties
advertising in a single
email message is
responsible for
complying with the
Act's opt-out
requirements.
New Rule Provision
2008:
A definition of the term
"person" was added to
clarify that the CANSPAM Act's obligations
are not limited to
natural persons.

Subject
Lines /
Labeling

Deceptive subject lines

are prohibited. The
subject line cannot
mislead the recipient
about the contents or
subject matter of the
message. Identification
that the message is an
advertisement or
solicitation is required.

Contact
Information

Yes, a valid physical

postal address is

Yes, the same information

disclosure requirements

/ Postal
Address

required.
New Rule Provision
2008:
A "sender" of
commercial email can
include an accurately
registered post office
box or private mailbox
established under
United States Postal
Service regulations to
satisfy the Act's
requirement that a
commercial email
display a "valid physical
postal address".

apply to business email as to

physical business letters.
Companies registered or
operating in the EU need to
state their company details
on every electronic business
communication sent from
their organization. Business
email messages sent by a
company should include:
The full name of the
company and its legal
form
The place of
registration of the
company
The registration number
The address of the
registered office
The VAT number
A valid return address must
be always provided.

Legislation

"CAN-SPAM Act"

"EU Opt-In Directive"

The Controlling the

Assault of Non-Solicited
Pornography and
Marketing Act of 2003
(CAN-SPAM or the Act).

The EU directive 2002/58/EC.

The EU directive specifies a
minimum legislation for the
member states.
Directive 2003/58/EC
amending Council Directive
68/151/EEC.

Links

FTC's Spam Site:

http://www.ftc.gov/spa
m/
15 USC Chapter 103 Controlling The Assault
Of Non-Solicited
Pornography And
Marketing
http://uscode.house.gov
/
download/pls/15C103.tx
t
FTC Approves New Rule
Provision Under The
CAN-SPAM Act
http://www.ftc.gov/opa/
2008/05/canspam.shtm
16 CFR Part 316: Project
No. R411008:
Definitions and
Implementation Under
the Controlling the
Assault of Non-Solicited
Pornography and
Marketing Act of 2003
(the CAN-SPAM Act):
Final Rule and
Statement of Basis and
Purpose
http://www.ftc.gov/os/
2008/05/R411008frn.pd
f

European Law:
http://eur-lex.europa.eu
EU Directive 2002/58/EC
Directive 2002/58/EC of the
European Parliament and of
the Council of 12 July 2002
concerning the processing of
personal data and the
protection of privacy in the
electronic communications
sector (Directive on privacy
and electronic
communications) Article 13
Unsolicited communications
http://eurlex.europa.eu/LexUriServ/
LexUriServ.do?
uri=OJ:L:2002:201:0037:003
7:EN:PDF
Directive 2003/58/EC
http://eurlex.europa.eu/LexUriServ/
LexUriServ.do?
uri=CELEX:32003L0058:EN:H
TML
Amending Council Directive
68/151/EEC
http://eurlex.europa.eu/LexUriServ/
LexUriServ.do?
uri=CELEX:31968L0151:EN:H
TML

Wikipedia

http://en.wikipedia.org/
wiki/CAN-SPAM

http://en.wikipedia.org/
wiki/Directive_on_Privacy_an
d_
Electronic_Communications

L-Soft is a proponent of explicit prior recipient permission, opt-in, and

strongly recommends double opt-in, even if this is not required by
legislation. Here are two quick checklists that can help you comply with
email marketing messaging requirements.

Quick Checklist of Legal Requirements

Do I have prior explicit and verifiable permission, opt-in, from the
recipient?
Does the message have:
A clear and accurate sender identity?
An accurate subject line?
Clear and easy opt-out instructions?
A physical postal address and company details?
A valid return address?
Have I tested that the subscription and unsubscription works?
Have I checked the test messages carefully before posting? Did
my colleague do this, too?
Can I process the replies and any subscriber requests promptly?

Quick Checklist of Email Best Practices

Obtain prior permission via double opt-in subscription. Send an
automated and well thought-out welcome message with key
instructions and expectations.
Test deliverability
Use email authentication: Check that SPF, Sender ID,
DomainKeys, DNS records correctly verify the sender.

 Use a spam checker: Scan email message to make sure that

it is not identified as spam by common spam filtering
applications such as SpamAssassinTM.
Test readability
Check the HTML message design and readability. It must
work with blocked images.
Use alternative text part for HTML messages.
Keep the subject line short and clear. 25 characters display
in most clients.
Provide wanted, expected, relevant and interesting messages to
each recipient.
Provide clear instruction on how the subscribers can
automatically unsubscribe (opt out). Send an automated and well
thought-out farewell message. This works as a successful
confirmation, gives an opportunity to ask for feedback and thank
the subscriber.
The Distinction Between Opt-In and Opt-Out

An Educational Service of the American Library Association

Office for Information Technology Policy

Prepared by Leslie Harris & Associates www.lharris.com in conjunction

with OITP staff www.ala.org/oitp
----------------------------------------------------- Online sites engage in different practices with respect to consent for
collection of personally identifiable information.
-It is important for library users to read privacy policies before they
provide personally identifiable information online and, if necessary, to
exercise their right to say no to a particular use of their personally
identifiable information.
In general, most web sites rely on one of two methods for allowing users
to exercise their right to object to a specified use of personally
identifiable information known as "opt-in" and "opt-out." This message
discusses the difference between these methods of obtaining consent
for the collection of consumers' personally identifiable information
online.

What is Opt-In?

 When a company uses opt-in marketing, the consumer must

affirmatively give the company permission to send information about
new products or sales, or to share the consumer's information with
other companies in a business relationship with the company where
that consumer has an opt-in agreement. Generally, a consumer must
click on web site boxes or send an e- mail request to the company, or its
affiliates in order to authorize consumer e-mail..

What is Opt-Out?

When a company uses opt-out marketing, the company privacy policy

indicates that the consumer is presumed to want information about
sales or new products, and will be sent such information unless the
consumer "opts out" of receiving it. Consumers may also be given the
option to opt-out of allowing a company to share the consumer's
information with affiliated companies or third parties. Some companies
make opting out very simple, using a similar click-box system that other
companies use for opt-in agreements, only leaving the default setting as
"yes, you may send me information." Others make it difficult, requiring
regular mail or a phone call to remove a person from a marketing list.

Business groups, for the most part, tend to prefer the opt-out approach
because it is easier to capture consumer information. For most
businesses, the sharing, selling, or trading of personally identifiable
information beyond the original transaction is part of a business
strategy. On the other hand, this approach may pose a dilemma for
consumers who either may not be aware of this practice, or who may
not wish to participate.

Email Marketing When to use

opt-in and when to use opt-out
Most companies now use some form of direct marketing to find new customers, and to keep in touch
with existing customers. The advent of email revolutionized the direct marketing industry, making the
process cheaper, more wide-reaching and in some circumstances more effective. Unfortunately all of
the advantages of email marketing are also exploited by spammers.

As a result we have witnessed an increasing volume of spam, which frustrates recipients and devalues the
power of email marketing. To help control the increased use of email for direct marketing, and in part to
deal with the risk of spam the EU issued in 2002 a directive on privacy and electronic communications.
The directive was brought into force in the UK by the Privacy and Electronic Communications ( EC
Directive) Regulations 2003. The regulations apply to all organizations that send out marketing by
telephone, fax, automated calling system, and email, SMS, MMS or using any other form of electronic
communication.
Despite the regulations having been in force since December 2003, there is still a great deal of confusion
over what organizations must do to comply, relating in particular to the use of opt-in and opt-out when
collecting marketing details. This part of the paper sets out some basic rules which companies should
follow to help comply with their legal obligations.

Individual and corporate subscribers

The regulations make a distinction between individual subscribers (e.g.john.smith@hotmail.com) and
corporate subscribers (e.g.john.smith@company-name.com). This paper will concentrate on individual
subscribers, as it is here that the Regulations have the most significant impact.
Save for some notable exceptions relating to existing customers, the Regulations provide that
organisations cannot send unsolicited marketing communications by email to individual subscribers
unless the recipient has given his prior consent.

Prior consent
Understanding the meaning of "prior consent" is the key to understanding what procedures are
necessary when collecting personal data in order to be able to send email marketing.
Consent by definition requires some sort of positive action on behalf of the recipient. However, it is a
widely held misconception in data protection terms that consent requires that the user "opts-in" to their
data being used. Prior consent does not mean the same thing as "opt-in".
An "opt-in" generally refers to a tick box which, if filled in by the user, indicates positively that they
would like to be contacted by a particular form of communication.

Unless the user ticks the box then the organization cannot use their details for the form of marketing
listed. This is in contrast with an "opt-out", where the default position is that the user will be contacted
by that form of marketing, unless they tick the box to indicate that they would prefer not to be. The
benefits of opt-out over opt-in are clear where the default position presumes the right to market, and
requires no further action by the recipient, average collection rates are considerably higher, meaning
more emails can be sent to more people.
"Prior consent", however, does not specify any particular means of assessing the user's intention. The
main thing to consider is whether the user fully appreciates that they are consenting and what they are
consenting to. Therefore, while opt-in is one way of demonstrating a user's consent, it is not the only way.
Another equally acceptable practice would be to collect the customer's details, at the same time presenting
them with a data protection notice which is drafted to state that by providing their details the user
consents to the receipt of unsolicited marketing emails. Key to this is the way in which the consent
statement is drafted. It must be a positive statement, the effect of which is to be considered as positive
consent by the user.
At the same time the user must be provided with an opportunity to opt-out of their details being used for
this method. The best way of achieving this is to include an opt-out tick box as a part of the data
protection notice. Failing to opt-out alone is unlikely to constitute valid consent, however, in context, it
can indicate that consent has been given if a clear prominent message is provided, in the data protection
notice or otherwise, such as, 'By submitting your details, you are indicating your consent to receiving
marketing emails from us, unless you have ticked the box below to indicate your objection to receiving
these messages'.

Points to remember
Confusion still reigns about the use of opt-in and opt-out for email marketing purposes. The confusion
centres around a misunderstanding of what is required to fulfil the obligation to obtain a user's "prior
consent".

Prior consent
Prior consent is not the same as opt-in, and it is possible to use a properly drafted consent statement in
the data protection notice along with an opt-out box, and still comply with the Privacy and Electronic
Communications Regulations.

Identify data
Include a short statement at the point at which the user submits their email or telephone address to the
effect that these may be used for marketing communications unless the user expressly requests that they
are not.

Consent statement
Make sure that the data protection notice is properly drafted, and includes a statement to the effect that
by providing email and telephone numbers the user consents to their being marketed to by these methods.
The drafting of this is very important, as it must be written in such a way as to be considered active
consent of the user. It should be provided before the point at which the user clicks to proceed with the
registration/transaction (for example before the "submit" button).

Opt-out
Following this, include an opt-out box, which allows the user to select to opt-out of email marketing
communications.

Unsubscribe opportunities
Ensure that all marketing emails provide an easy and free means by which the user can opt-out of future
marketing, and make sure that if they use this opt-out their request is adhered to in all future marketing.

DIRECT MARKETING OPT-IN AND OPT-OUT PROVISION

We intend to use your Data in direct marketing and we may not so use your Data unless we have received your
consent (which includes an indication of no objection). We would like to use the Data in our records including your
name, [phone number, email and/or correspondence address ] to send you marketing materials. When you register,
you will be given the option to opt-out of subscribing to our regular update service which will send you

Email and direct mail alerts for new products, features, enhancements, special offers, upgrade opportunities,
contests, events of interest, and one-off marketing promotions. Such alerts may include marketing information about
clothing, shoes, bags and accessories offered by NET-A-PORTER and our subsidiaries, or products and services
offered by our selected business partners.
We do not sell or otherwise pass your Data to third parties for their marketing purposes but the Data may be provided
to subsidiaries and associated companies of NET-A-PORTER for informing you of their marketing information about
clothing, shoes, bags and accessories. Marketing communications you subscribe to will only be sent by The Net-APorter Group Limited.
At all times, we will offer you the opportunity to unsubscribe out of any service or update to which you have
subscribed, if you change your mind. Any e-mail we send you will contain an easy automated unsubscribe link so that
you can opt-out of that particular mailshot. Simply follow the indications in the e-mail. Alternatively you can change
your email preferences or opt out of all emails by logging into My Account. To opt out of direct mail service or
updates, please contact a NET-A-PORTER.COM customer care representative on +44 330 022 5700 or by email
at customercare@net-a-porter.com.
Back to top

HOW YOU CAN ACCESS AND IF NECESSARY, CHANGE THE DATA NET-APORTER MAINTAINS
If for any reason you are concerned that the Data held by NET-A-PORTER is not correct, please visit the website
and, after logging into the site using the "Sign In" menu on the home page, your Data will be made available for
review and change in the "My Account" section. Only you or, upon your request, the Customer Care department, may
access your Data from the website using your password and User ID. Your Data may be changed online within My
Details, Shipping Details, and My Email Preferences. You can change or delete saved credit/debit card details each
time you make a purchase. You will also be able to delete saved credit/debit card details by adding or editing a
shipping/billing address. If you change your billing or shipping address while your order is still being processed, the
order will be re-processed through security validation checks. If you prefer, you may contact us by email
at customercare@net-a-porter.com and we will amend your Data.
Back to top

RETENTION OF DATA
We will not keep your Data longer than is necessary for fulfilment of the purposes specified above for which they are,
or are to be, used. Data provided by you is retained if the purpose for which the Data was collected still exists, it is so
required by law, statute or regulation, or it is in the public interest.
Back to top

WHERE AND HOW TO ASK QUESTIONS OR FILE COMPLAINTS

If you require further information about our Privacy Policy, please go to the help section of the web site
where frequently asked questions (FAQ's)frequently asked questions (FAQ's) are answered. If you require more
information please go to the Contact Us section of the web site and send an email to the relevant NET-A-PORTER
department. If you wish to talk to a NET-A-PORTER customer care representative please call +44 330 022 5700 or
write to: c/o Data Protection Officer, The Net-A-Porter Group Asia Pacific Limited, 10/F Goodman Interlink, 39 Tsing Yi
Road, Tsing Yi, New Territories, Hong Kong.

(1) What is a marketing email?

English law does not have a core conception of a marketing email. Different sets of rules regulate
different kinds of email.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Privacy Regulations"),
the most important piece of legislation in this field, regulate the transmission of "communications for the
purposes of direct marketing by means of electronic mail". The courts can be expected to place a broad
interpretation upon these words. However, the key provisions on email marketing apply only to
"unsolicited" communications to "individual subscribers".

The Data Protection Act 1998 regulates emails which contain personal data (e.g. individuals' names fred.bloggs@company.ltd.uk).
Voluntary codes (such as the Direct Marketing Association's Code of Practice) and the contractual terms
of hosting companies tend to cover a wide range of communications. Some hosting terms, for example,
cover all unsolicited commercial emails.

(2) Aren't all unsolicited marketing emails illegal?

No.
Emails sent to corporate subscribers which do not contain any personal information (e.g.
admin@company.ltd.uk) are not specifically regulated under English law - save that the emails must
contain certain information (see below).
"Corporate subscribers" in this context includes limited companies, PLCs and LLPs; it does not include
sole traders or general partnerships.
In all other cases, unsolicited emails sent for direct marketing purposes will be unlawful unless the
recipient has in some way consented to receive the email.

(3) Opt-outs, opt-ins and soft opt-ins

Opt-outs, opt-ins and soft opt-ins are three different ways of obtaining consent to send marketing emails.

An opt-out is where the email recipient has been given, at the point at which the contact
information was submitted, the opportunity to opt-out from receiving the emails, and has not done so
(e.g. by not ticking a box in an HTML form).

An opt-in is where the email recipient has specifically indicated a desire to receive the emails at
the point at which the contact information was submitted (e.g. by ticking a box in an HTML form).

There is also a special form of consent under the Privacy Regulations called the "soft opt-in". This
applies where (i) an email address was obtained in the course of the sale or negotiations for the sale of
a product or service to that recipient, (ii) the direct marketing is in respect of similar products and
services, and (iii) the recipient was given the opportunity to "opt out" when the details were collected and
with subsequent communication.