Viral marketing and the law

This guide covers two kinds of viral marketing by email:

1. 'Tell a friend' services, in which a website invites a visitor to enter a friend's email address and the website sends an email to that person; and
2. Emails sent by marketers that encourage recipients to forward the message to a friend.

There are risks with each approach. This guide explains how to minimise them.

'Tell a friend' viral marketing

A website may invite a visitor to recommend a particular page or product to a friend. Usually the visitor's email address is requested as well as the friend's email address. The friend then receives an email that, on arrival, looks like it was sent by the person making the recommendation – in order that it appears to come from a trusted person. This, in theory, distinguishes the email from unsolicited marketing which is more likely to cause offence or at least more likely to be deleted without being read.

There is an argument that website operators should not do this because arguably they are faking the identity of the actual sender, a practice known as 'email spoofing'. There is also an argument that the operator is sending unsolicited commercial email without prior consent. Strictly speaking, these are unlawful practices.

The general rule in relation to emailing individuals (as opposed to emailing businesses or their employees), found in the Privacy and Electronic Communications (EC Directive) Regulations 2003, is:

"…a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender."

In practice, 'tell a friend' services are popular and unlikely to cause problems if you follow the Information Commissioner's guidance on viral marketing set out in its Guide to Privacy and Electronic Communications (62-page / 256KB PDF). Viral marketing is addressed at pages 33-34. This guidance can be summarised as follows:

• It is safer not to give visitors any incentive to "tell a friend" because that creates a strong argument that you are the "instigator" of the message and thus responsible for sending the message.
• Check that the recipient hasn't already asked you to suppress his details. In practice, this means your website should communicate with the database holding your suppression list before sending the email. It may be possible to counter this with the argument that you are getting the consent of the site visitor, who is saying that, right now, he has the consent of his friend but legally, this is probably a weak counter-argument. In any event where the individual requests you suppress his details "you should ensure rapid suppression ... to avoid further distress."
• Someone could use your system to annoy one individual with emails from lots of companies. The Commissioner points out that the victim may forever associate your company with that unpleasant experience.
• Tell your visitor that you will let his friend know how you got his details. There is nothing in the law to prevent you doing this and it is particularly important if you propose to offer an incentive (though see the warning in the first bullet).
• As you are sending a message to someone you assume has consented via a third party you should include a statement on your Tell a Friend page along the lines of: "By hitting the button you confirm that you have the consent of the individual whose details you are supplying". This should be in an obvious position, and in any event above the "Send" button.

The last of these points has also been raised by the UK's advertising watchdog, the Advertising Standards Authority (ASA), which administers a rulebook called the CAP Code. Breaching the CAP Code usually results in bad publicity, though sometimes the ASA applies sanctions. Any sanctions imposed will be proportionate to the breach.  The ASA's focus is on amending, withdrawing or stopping any offending communications as soon as is practically possible. 

In a 2009 ruling the ASA criticised a movie promotion website that invited visitors to provide friends' addresses to whom the promoter sent hoax emails. The website did not ask the person who initiated a hoax to confirm that he or she had the friend's consent. This was found to breach rule 43.4c (now rule 10.13) of the CAP Code. The rule requires 'explicit consent' of consumers when sending emails except in limited circumstances. 

We would add the following tips to the Commissioner's guidance:

• Make your identity clear in the email that you send. Purporting to be a consumer could result in a prosecution under the Consumer Protection from Unfair Trading Regulations 2008. Usual requirements of business emails will also apply, so include:
  • Your company registration number;
  • Your place of registration (e.g. Scotland or England & Wales); and
  • Your registered office address.
• Avoid using the email addresses provided on the "tell a friend" page for any purpose other than to fulfil the request and do not save the addresses. If you are going to do this, make this clear and provide a means of opt-out. Bear in mind the risk of complaints.
• Limit the number of emails that can be sent by one user to avoid misuse or at least be able to recognise and deal with any excessive use.
• Resist the opportunity to promote your services beyond what is being recommended by the visitor to your site.
• Write the subject line in the third person – e.g. "John Smith thought you'd like this…" – and don't imply in the subject line that John Smith is actually sending the email (i.e. avoid saying "I thought you should see this".) Alternatively, allow visitors to choose the subject line.
• Offer a simple means of making a complaint in the event that the recipient does not know the sender, e.g. a contact email address.
• Do not allow users to leave their own name and email address blank (albeit there is little you can do about fictional details being provided).

Our final point comes from an ASA ruling against a viral promotion that allowed emails to be sent anonymously which was found to breach rule 3.7 of the CAP Code, which says that before distributing a marketing communication for publication, "marketers must hold documentary evidence to prove all claims, whether direct or implied, that are capable of objective substantiation." (Note: The wording of rule 3.7 in the latest version of the CAP Code has been slightly amended).

Risk management

We cannot guarantee that these steps will eliminate the potential legal risk. The commercial risk may be fairly low as in the event of a complaint or new guidance from the courts, the ASA or the Information Commissioner, a website can change or even abandon its 'tell a friend' services without collateral damage. For a breach of the Data Protection Act or the Privacy and Electronic Communications Regulations the Information Commissioner may however impose a fine of up to £500,000. A high commercial risk therefore exists with data collection practices: get these wrong and you build a database that may be unlawful to use – making it potentially worthless.

Please forward this email

The second type of viral marketing is where a marketer asks a person to forward an email to one or more friends. Generally these emails are harmless, provided the identity of the sender is clear.

Organisations must not seed a viral marketing campaign by asking staff to send emails that purport to come from them as independent consumers. To do so risks prosecution, a fine and a maximum prison sentence of two years under the Consumer Protection from Unfair Trading Regulations 2008.

These Regulations state that "Falsely claiming or creating the impression that the trader is not acting for purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer" is an unfair commercial practice and is therefore illegal.
Consequently, as with any business-related email, the identity of the organisation behind the campaign should be clear.

• Your company registration number;
• Your place of registration (e.g. Scotland or England & Wales); and
• Your registered office address.

See also the OUT-LAW Guide on the Consumer Protection from Unfair Trading Regulations.

Such forwarded emails can also fall foul of the CAP Code. The Advertising Standards Authority through CAP have issued a Help Note on Advertising Virals which may also be of assistance. It notes that viral messages that are offensive, misleading, unfair or irresponsible or might otherwise bring advertising into disrepute, will be in breach of the CAP Code. It also states: "advertising virals are not excepted from the Code merely by having originated on a website or by being forwarded-on by consumers".