Enhance Contrast

OPTA and DPA issue joint ruling on “Tell-a-friend” systems on websites

“Tell-a-friend” systems are allowed on websites subject to conditions. Independent Post and Telecommunications Authority of the Netherlands (OPTA) and the Dutch Data Protection Authority (CBP) announced this today in the form of a ruling. “Tell a friend” is a function on a website which allows an internet user to inform an acquaintance about a specific message or new feature on that website. This method of marketing (viral marketing) is used quite extensively on websites and falls within the jurisdiction of both OPTA and the CBP. The regulatory authorities have drawn up a joint ruling to provide clarity about the conditions subject to which “tell-a-friend” systems can be lawfully used.

Tell a friend
In the case of a “tell-a-friend” system a website sends an e-mail message (on the initiative of a visitor and on his behalf) to the addressee without the latter’s prior consent. This is covered by the prohibition against sending unsolicited electronic messages for commercial, non-commercial and charity purposes (spam act). In addition, a personal e-mail address always constitutes personal data. The Personal Data Protection Act [Wet bescherming persoonsgegevens] stipulates requirements which apply in relation to the use of personal data.

Conditions governing lawful use
In this joint ruling OPTA and the CBP have determined that a “tell-a-friend” system can only be lawful if it satisfies the following conditions:
1. the communication must occur entirely on the initiative of the relevant internet user (or sender) and the website may not offer any consideration (or opportunity to obtain any) to the sender or the recipient;
2. the identity of the person who initiated the e-mail message must be clear to the recipient, so as to ensure that he can hold that person to account if he does not appreciate such e-mail messages;
3. the sender must be able to inspect the entire message that is sent on his behalf, so as to ensure that he can accept responsibility for the personal content of that message;
4. the website in question may not store or use the e-mail addresses and other personal details for purposes other then sending that one message on behalf of the sender. In addition, that website must secure the system against potential abuse, such as the automated transmission of spam.

Collaboration protocol
OPTA and the CBP agreed on a collaboration protocol on 30 June 2005. This protocol sets out arrangements governing the treatment of matters in respect of which the duties assigned to OPTA and the DPA or the exercise of the powers vested in them intersect or overlap. Under the terms of the Telecommunications Act [Telecommunicatiewet] and the Personal Data Protection Act the two regulators enjoy jurisdiction in areas affecting the protection of the privacy of users (of the internet or otherwise) and the use of personal details by providers of electronic communication services. The protocol is largely concerned with the division of labour when tackling spam and other matters pertaining to privacy under the Telecommunications Act.

The joint ruling may be downloaded from the CBP and OPTA websites.

About the Dutch DPA

The Dutch Data Protection Authority (Dutch DPA) supervises compliance with legislation regulating the use of personal data, under the terms of the Wet bescherming persoonsgegevens (WBP) [Dutch Data Protection Act]. The use of personal data must be notified to the Dutch DPA unless the situation is covered by an exemption.

The Dutch DPA advises the government and other organisations on the protection of personal data and associated topics. The Dutch DPA assesses codes of conduct and mediates in disputes between citizens and users of personal data. The Dutch DPA can, either on its own initiative or at the request of an interested party, investigate whether the way in which personal data has been used in a particular situation is in line with the Act, and can impose sanctions if necessary. A fine may be imposed for continued failure to report. In the event of an infringement of the Act, or its subordinate regulations, the Dutch DPA can proceed to impose an administrative fine or incremental penalty.