The legal part of the CSA Blog – what is it about?
In our new Blog, we will report on the decisions of European national courts and the European Court of Justice (ECJ) that are relevant for CSA Senders and the field of email marketing. Other topics will include ongoing legislative deliberations and newly enacted laws. We also cover key decisions of the EDPB (European Data Protection Board) and the national data protection authorities in Europe and shed light on important sanctions at European and national levels. The aim is to provide up-to-date information and relevant legal news that tangent the field of email marketing.
Another focus will be on recurring questions and problems that arise during the CSA certification and complaints procedures. These are especially topics from the areas of permission (consent and existing customer relationship), documentation, legal notices and opt-outs. We aim to address these topics briefly and concisely and to provide food for thought.
The CSA already offers comprehensive whitepapers on a variety of topics, which provide detailed information on the legal requirements to be met in email marketing. This series will of course be continued and can be accessed here.
The legal “evergreens”
As part of the certification process, the CSA checks whether essential requirements for legally compliant email marketing are met. The companies that are certified by the CSA have proven that they have met these requirements – in addition to other requirements within the scope of a technical and reputation check – in the course of a defined procedure. Once successful, the company will be certified by the CSA and can then enjoy the benefits of membership as a CSA Sender (including improved email deliverability, support for legal and technical issues and communication with participating partners, protection of reputation through early warnings from the CSA Complaints Office, and daily spam trap reports).
In the course of the certification procedure, but also in the complaints received by the Complaints Office, focal points have emerged where senders need support and need to make corrections in their marketing work.
The absence of permission, i.e. the existence of a declaration of consent or an existing customer relationship, is often the reason for legal reviews. In 2019, for example, insufficient permission data accounted for the majority of all legal review procedures of the appeals body.
In principle, the sender must have received the consent of the addressee before sending the promotional mailing. The legislator and the courts are leaning more and more towards the protection of the addressee. This is therefore subject to strict legal requirements, which will be discussed in detail later.
Only in exceptional cases and under even stricter conditions may the sending of advertising emails be permitted in the case of an existing customer relationship. In these cases, a contract between the parties already exists.
In addition to the fulfilment of these requirements, appropriate documentation of the data collected is of crucial importance, as – in the event of a dispute – the sender must prove that they are sending advertising on a legally secure basis.
Every business-related email sent must contain an easily recognisable full-text legal notice. The addressee must be able to inform themselves sufficiently about the client, i.e. the company from which the advertising email is sent, and above all to be able to contact the sender. This means that important contact details, registry entries, as a rule a telephone number and, in every case, an email address must be included in every email. Complaints are often lodged when the addressee is not in a position to contact the sender.
The sender must always bear in mind that the addressee must have the possibility to cancel further mailings at any time, regardless of whether permission is based on consent or an existing customer relationship (so-called opt-out). On the one hand, this means that a simple and legally unambiguous possibility for this must be granted, and, on the other hand, this must also be documented accordingly, as the sender also bears the so-called burden of proof for this.
In our blog, we will also provide information about important decisions on fines. Last year, the number of fines imposed by data protection authorities across Europe increased significantly compared to the previous year. Even small and medium-sized companies can no longer fly under the radar and are being hit with fines that sometimes are high enough to threaten their very existence. The total amount of fines has risen to double-digit millions. The CSA therefore sees it as its task to raise awareness and provide information in this area in order for senders to avoid loss of reputation and financial losses.
The blog will also look at important court decisions and point out their consequences for the industry. An example of this is the ECJ’s decision on Privacy Shield, which initially put data exchange between the EU and the US on hold and raised many questions.
Finally, the CSA will track important new legislation developments and report on these in the blog. An important reform to be implemented in the near future will be the new e-Privacy Regulation, which, as things stand at present, will involve major changes in tracking in particular, and will put the industry’s business practices to the test.