The Department of Internal Affairs

The Department of Internal Affairs

Te Tari Taiwhenua

Building a safe, prosperous and respected nation

 

Services › Anti-Spam › Questions and Answers

Twitter icon Facebook icon
The answers below are based on the questions we have received to date. Please keep referring to the website as we will be publishing our answers to a vast variety of questions and scenarios we have gathered on the Anti-Spam seminars we hosted across the country.

To help you find what you are looking for the answers to frequently asked questions have been grouped into sections:

If you have any questions which are not covered by the answers below please contact us at info@antispam.govt.nz


Consent


Can I establish consent by emailing my existing customer database asking them to unsubscribe if they don't wish to receive messages?

A commercial electronic message may only be sent if the recipient has consented to receive it. If you don’t think that the recipient has consented then the “click here to unsubscribe” type of email cannot establish consent for future purposes.

Many recipients may treat it as spam and not respond or even open it. There is no real relationship when the communication is one-sided and the recipient's silence should not be taken as acquiescence.

Can organisations send electronic messages to obtain or confirm consent from people on existing electronic databases?

For the majority of an existing list of customers you will often have proof of consent and it is unnecessary to send a message requesting that they confirm that consent. However, there is often a small percentage for which you are unsure whether you have consent.

After the Unsolicited Electronic Messages Act 2007 came into effect on September 5 sending a commercial electronic message to any person whose consent you do not have will be a breach of the Act.

If you are contemplating emailing a customer database to confirm consent, consider carefully the wording of the message. We are aware that some companies may have inadvertently caused the removal of otherwise satisfied customers from their databases by badly worded correspondence.

Is verbal consent okay and do I have to keep a record of it?

Yes, verbal consent is okay. There is no obligation in the Unsolicited Electronic Messages Act for the consent to be in writing.

However, it is advisable to keep a record of verbal consent. If a complaint is ever laid the onus of proof of consent is on the sender of the message (as stated in section 9 (3) of the Act).

Does receiving a business card from someone count as ‘inferred consent’ to include them in an email or fax newsletter distribution list?

That would depend on the circumstances of the business card swap.

‘Inferred consent’ in the context of supplying a business card primarily relates to the development of a relationship between the parties. Inferred consent would only apply if the electronic message sent specifically related to the relationship that had developed at the time a business card was supplied.

For example, if A and B exchange business cards during a business type meeting, general consent would be inferred between A and B that they agree to receive electronic messages from each other that relate specifically to the meeting or generally to A and B’s business. The content of the information shared can be limited or extended by A and B (i.e. you build your consent according to what information you want to receive).

It is unlikely that an intended outcome of a person handing out their business cards would directly lead to them receiving commercial electronic messages that in no way were attributable to the original circumstances where the cards were furnished.

If I have swapped business cards with someone and am sending them commercial electronic messages do I have to keep all the business cards as proof of ‘inferred consent’?

You will need to keep proof of the consent in some form. Over time the on-going correspondence becomes evidence of a relationship and you won't have to keep the business card.

If I send media releases out to newspapers on topics likely to be of interest to their readers do I need to ensure my media contacts opt in?

If it can be inferred from the business of your media contacts that they agree to receive your media releases, you might have inferred consent to send it. If you are not sure, write to them and get their express consent.

Consent may also be deemed if the media contacts address is conspicuously published (i.e. website, newspaper) and the message is relevant to them.

We often contact people based on referrals from colleagues, or we research people doing work that would benefit significantly from our software. Can we count such referrals as deemed consent?

Yes, if your research identifies a work related electronic address or mobile number that is conspicuously published by the person in a business or official capacity (website, brochure or magazine). The publication of the address must also not be accompanied by a statement to the effect that the relevant electronic address holder does not want to receive unsolicited electronic messages. Click here for a definition of deemed consent’.

The message however, must be relevant to the business, role, functions or duties of the person in their business or official capacity. You need to also clearly identify the sender of the message (and how they can be contacted) and include a functional unsubscribe facility. Note that you also cannot use addresses that are conspicuously published to establish a database as these addresses may be not be published conspicuously in the future and therefore no longer fit the deemed consent criteria.

Referrals from colleagues without the recipient’s knowledge or consent can not be defined as deemed or inferred consent.

I work for a tertiary institution. We currently send messages to enrolled students, who have supplied us with their email address for the purpose of communicating with them. Are these emails unsolicited, commercial emails as defined by the Act when we, or the Student Union, send students emails about the services available on campus?

There are two possible reasons your messages would not be considered spam under the Unsolicited Electronic Messages Act.

Firstly, an electronic message about the goods and service of a tertiary education institute comes within one of the exemptions to the definition of a ‘commercial electronic message’ in the Act.

The Act states that an electronic message that provides the recipient with information about goods or services offered or supplied by a ‘government body’ is not a ‘commercial electronic message. ‘Government body’ includes the core government departments named in Part 1 of Schedule 1 of the Ombudsmen Act 1975) and ‘Crown Entities’ (as defined in section 10(1) of the Crown Entities Act 2004). Tertiary education institutions are crown entities.

Secondly, if you are emailing students about services provided by the institution you should be able to rely on inferred consent. This is because there is a clear and reasonable expectation that messages will be sent, due to the nature of the relationship between the tertiary institution and the student.

I run a business which basically networks and approaches potential candidates in their current job on behalf of my client who may be looking for someone with the same skill set (i.e. ‘head hunting’). Is this considered a commercial purpose and if the person I approach has their email address published in a directory, is this regarded as ‘deemed consent’?

We consider that your purpose would be commercial as you are marketing or promoting a service. The Unsolicited Electronic Messages Act’s definition of a service is contained within section 2 of the Consumer Guarantees Act 1993.

The Act provides that if:
i) an electronic address is conspicuously published by a person in a business or official capacity, and
ii) it is not accompanied by a message that the address-holder does not want to receive unsolicited commercial electronic messages, and
iii) the message that is sent is relevant to the business, role, functions or duties of the person in their business or official capacity, consent is deemed to have been given.
    However, the Department does not consider that the offer of alternative employment would meet the third part of the test. The potential candidate’s employer certainly would not have provided them with a business email address so that their employee could be tempted away.

    Can we include two tick boxes for consent – one agreeing to receive messages from our organisation/client and one for agreeing to receive promotional material from third parties?

    Yes, if the customer ticked the box saying that they agreed to receive promotional material from third parties then it would not breach the Act to send them such material.

    If my business sends an email promoting a free product, is this classed as commercial and therefore spam?

    If a message markets or promotes a good or service it doesn’t matter that the good or service is provided for free, it will still be considered spam if you do not have the consent of the recipient.

    If I sell a product on the internet to a customer and in two weeks time I send an email asking after the customer’s satisfaction with the product would it be considered spam?

    The Unsolicited Electronic Messages Act states that an electronic message that facilitates, completes or confirms a commercial transaction the recipient previously agreed to is not a commercial electronic message.

    This means you can send emails confirming the order, confirming receipt of payment, and notifying delivery details. It does not mean you can send emails asking about customer satisfaction as you can not reasonably infer consent from a single purchase.

    If my business details are included in my email signature and I forward a joke/personal email to a friend which then gets forwarded on again, am I considered to be spamming?

    No this example does not qualify as a third party breach of the Unsolicited Electronic Messages Act, and therefore would not be considered spam.

    How long can my business rely on inferred consent in a business relationship? For example, if I make one transaction with a customer, can I continue to send them promotional material one year later? Five years later?

    We don’t consider that you can reasonably infer consent from a single transaction. If you wish to send a customer with whom you have had one transaction marketing and promotional material you should seek their express consent.

    The Unsolicited Electronic Messages Act states that an electronic message that facilitates, completes or confirms a commercial transaction the recipient previously agreed to is not a commercial electronic message. You could use the sending of these electronic messages as an opportunity to seek express consent to send promotional material in the future.

    I am a member of a gym and wish to stop my membership and cease receiving email newsletters. Are they allowed to contact me a year later to try and woo back my custom?

    No. If you have stopped your membership and/or unsubscribed then the gym cannot send you further commercial electronic messages until they have your consent.

    I work at a university. Can I email former students who have graduated with university/alumni information?

    As discussed in the question above (already on the website) a university is a crown entity and therefore can send electronic messages about its goods and services without needing consent. This would include information to past and perspective students. We would suggest that you still clearly identify who sent the message, and provide a functioning unsubscribe facility.

    If someone gives me a third party’s business card, do I have consent to email the third party? Or should I phone them first to ask consent?

    No, you do not have consent to email the third party. However, phoning to ask for consent to send them commercial electronic emails would be perfectly fine.

    Can I send someone a quote for goods/services if they have not requested one?

    If a quote has not been requested by the recipient of the message then it is a commercial electronic message, and you would not have consent to send it.


    Unsubscribe


    Do I need to have an unsubscribe ‘button’ or some other flash unsubscribe facility?

    No. The Unsolicited Electronic Messages Act stipulates that your unsubscribe function needs to be clear and conspicuous, free, likely to be functional for at least 30 days after the original message is sent, and able to be sent using the same method of communication that was used to send the original message.

    For example, if you used a sentence such as “Please reply by return email with ‘unsubscribe’ in the subject line if you do not wish to be contacted again’ this should meet the requirements of the act (providing the request was actioned within five days, and met the above criteria).

    Is a confirmation email saying ‘thank-you for unsubscribing’ okay?

    Yes. If it is within 5 days!

    When does the five working days commence (in which you must honour the unsubscribe request)?

    The clock starts the day after the recipient used the unsubscribe facility. Therefore you need to ensure that you have a system whereby all unsubscribe requests are actioned within the 5 working day period.

    Is it okay if I have a web-based link to unsubscribe at the bottom of my email?

    A web-based link is fine provided that you don’t make it unnecessarily difficult for someone to unsubscribe.

    Some phone companies state as part of their cellphone contracts that customers will receive promotional text messages. Can anyone contract out of the unsubscribe requirements?

    The Unsolicited Electronic Messages Act allows parties to contract out of providing an unsubscribe facility. However, it does not say that you can contract out of the requirement to send commercial electronic messages only to someone who consents to receive them.

    This means that if a customer informs a company that they wish to unsubscribe, the company must action the request. In other words the customer can withdraw their consent to receive promotional electronic messages at any stage regardless of what the contract says.

    If a customer unsubscribes from my email database, can I send an email asking why they left, or ask them to complete an exit survey?

    Yes, but only if the email is sent within the 5 working days in which the unsubscribe request must be actioned.


    Avoiding Spam

    How do I avoid becoming an ‘accidental’ spammer?

    If your Internet security is not robust, spammers can take over your computer and use it to send spam to other people without your knowledge.

    In this case, the spam is actually channelled through your computer to the outside world, so you appear to be the sender. This can happen if your computer has been infected with a virus or your email/web server is configured in ‘open relay’ or ‘open proxy’ (see next question for definition).

    Spammers are always on the lookout for vulnerable computers through which they can channel their junk mail. This trick helps to hide the spam’s true origin, which protects the spammer’s identity.

    The security practices below will help you avoid becoming an accidental spammer:
    • Use anti-virus software and update it regularly
    • Install personal firewall software
    • Download and install the latest security patches for your computer system
    • Use long and random passwords e.g. your password should be between 8-15 characters and include letters and numbers
    • Only open an email attachment if you know what it is and who sent it – otherwise, delete it immediately! Run all attachments through up-to-date anti-virus software before opening them.
    What does it mean when my email/web server is running as ‘open proxy/relay’?

    Open proxy or open relay occurs when a small business runs a server that is misconfigured – this means that the setting on the server is set in a way that makes it vulnerable to exploitation.

    If you are running an open proxy, you are contributing to the spam problem. Spammers are always on the lookout for misconfigured servers through which they can channel their junk mail. These tactics help to hide the spam’s true origins and, in turn, protect the spammer’s identity.

    If your computer is being used as an open proxy, the message’s hidden header information shows you as the source of the spam even though you did not generate it.

    If you are running an open proxy, you should immediately:
    • Get your proxy reconfigured
    • Secure your server. Get an IT expert to check the settings and show you how to adjust them. The manuals for your server’s software will also explain how to secure it
    • Install anti-virus software and keep it up to date.
    I am receiving bounced emails that look like they’ve been sent from me. What does this mean?

    If you are receiving bounced emails that look as if you sent them your address or domain name has probably been misused by a spammer. This is known as ‘spoofing’.

    ‘Spoofing’ means the spammer is pretending to be you by making their junk mail look as if it comes from your email or website address. The spam does not actually originate from your computer, it just lists you as the sender.

    It is unlikely this activity is directed against you personally. This activity is usually random.

    Unfortunately, there is very little that you or your ISP can do about spoofing. It’s just a hazard of using the Internet. The problem will usually cease of its own accord after a few weeks.

    Don’t be concerned that your name or business will be black-listed as a spammer. The Department and other authorities can read the ‘header information’ that shows the actual path an email has travelled, which proves that the spam didn’t originate from your computer.

    How do spammers get my address?

    ‘Spammers’ obtain email addresses in a variety of ways:
    • Web pages: Specialised programmes called ‘web spiders’ wander around the Internet visiting every page they can find. As they come across email addresses they add them to the spammer’s address database. Additionally your address can be ‘harvested’ when you register a domain name or join an Internet chat room.
    • Mailing lists: If you have purchased something online or registered with an Internet site your email address may have been added to a mailing list that has then been made available to spammers. Alternatively a company you have had dealings with may presume you have consented to receive promotional emails.
    • Newsgroups or bulletin boards: If a newsgroup or bulletin is publicly accessible there is a fairly good chance that your address will be ‘harvested’ and added to a spammer’s address database.
    • Guessing: Spammers may use a computer programme to try and deliver mail to addresses using popular words, names and numbers. They repeat the process over and over again until eventually they find an address the mail server will accept.

    Legislation


    How similar is our Anti-Spam legislation to Australian Anti-Spam legislation?

    Unsolicited Electronic Messages Act is based on the Australian Spam Act 2003. However, it is simpler than the Australian Act in that it uses general descriptions and definitions and less specific exceptions.

    For a more detailed comparison you can look at the citations at the end of every section of the Unsolicited Electronic Messages Act.

    We have heard that some organisations are exempt from the prohibitions and requirements of the Unsolicited Electronic Messages Act. Is that true?

    Everyone, including the Crown is bound by the Act. However, information about goods or services offered or supplied by a government body or a court or tribunal is not considered ‘commercial’ and therefore will not be subject to the consent-identification-unsubscribe requirements. You should note that the definition of ‘government body’ is very wide and also includes many educational institutions and crown entities.

    Section 6(b) provides more exceptions to the ‘commercial’ definition, which in most cases involve ongoing relationships between the sender and the recipient.

    It is important to remember that as a general rule, exceptions will depend on the content of the message, and will not be blank exemptions covering everything the organisation sent as emails.

    How can web communities ensure that they are compliant with the Act?

    Follow the three steps to ensure you are not spamming i.e. consent, identify and unsubscribe.

    If you send something to another community member who objects to the message, apologise and don’t do it again. In most cases that will be the end of the matter.

    Why aren’t phone communications covered under the Unsolicited Electronic Messages Act?

    The purpose of the Unsolicited Electronic Messages Act is to address the abundance of unsolicited messages being sent using particular forms of electronic communication. This problem is not being experienced to the same extent with phone communications. The inclusion of phone in the definition of spam would have further limited opportunities for businesses to make ‘first contact’ communications.

    Regarding emails with a New Zealand link – does the email address strictly have to be .nz? Could we use a .com email address to send our messages instead?

    The Act prohibits electronic spam with a New Zealand link. A spam email address that ends in ‘.nz’ is just one example of this. An electronic message is considered to have a New Zealand link if it is sent to, from, or within New Zealand. See section 4 of the Unsolicited Electronic Messages Act for a full definition.

    My organisation is not government, but supplies government services. Are we exempt under the Ombudsmen and Crown Entities Acts?

    If the message provides the recipient with information about goods and services offered or supplied by a government body, court, or tribunal, then it is not a commercial electronic message. It does not matter that your organisation is not a government body.


    Email a Friend


    Will it be considered spam if we run a campaign encouraging existing customers to “email a friend”?

    Friend get friend campaigns, or ‘viral marketing’, usually encourage subscribers to provide the name and email address of a friend who is then sent a commercial electronic message and emailed by the company or promoter encouraging them to opt in/register.

    An electronic message such as this would be unsolicited because the friend has not consented to receiving the message from the company or promoter. Consequently if the message was commercial (i.e. marketing or promoting goods, services, land, a business or investment opportunity) it would be considered spam. However, if the companies email is forwarded by the recipient to a friend(s) this is usually okay.

    For example: A and B are good friends, and send each other emails on a routine basis. Company C has an express consent from A to send commercial emails to them. A then decides to forward to B commercial emails he received from company C. If it can be assumed from the relationship that B is happy to receive the commercial emails forwarded by A, consent could reasonably be inferred.

    That consent, however, will not exist between the company and B. If the company only had A’s consent, it cannot assume B has consented to receive its commercial emails.
    In most cases, the relationship between A and B is not likely to be of interest to the Electronic Messaging Compliance team, unless B complained about A’s emails. In that case, the onus will be on A to show that inferred consent existed.

    I work for a marketing company and viral marketing is a good way for us to build up brand awareness. Are you saying that viral marketing is considered spam?

    As discussed in the above question viral marketing (or friend get friend) commonly involves the production of something interesting and then relying on people to circulate it to their friends.

    This is fine, provided the company has the consent of the person they send the initial electronic message to and the campaign itself doesn’t encourage spamming. For example, a campaign that encourages people to forward emails to 100 friends would not be reasonable.

    We have set up a website to promote a new product we have launched. To do so we created a game that is fun to play, and allows the user to send a challenge to their friend via email. The email message links to the game with some text set by the challenger. Who has the onus of consent?

    The primary question is whether or not the sending of the commercial electronic message is ‘unsolicited’.

    In this case the challenger (not the company) is the sender of the commercial electronic message and would need to have the consent of the recipient. In the case of a friend sending a friend a message this should not be a problem as the nature of the relationship is that consent can reasonably be inferred.

    If the Department was approached by someone who objected to a friend sending them commercial electronic messages we would probably suggest that they speak to their friend in the first instance, and request that they stop sending such messages.


    Text Messages


    Since a text (SMS) message can normally contain a maximum of 160 characters what are the guidelines for meeting the requirements of including sender identification and an unsubscribe facility?

    You must identify the sender of the messages, how the recipient can contact them, and provide a free of charge unsubscribe facility.

    For example, Judith owns ‘Beautiful U’ beauty salon and has express consent to send her clients promotional text messages. She includes ‘Beautiful U. Reply OPT-OUT to unsubscribe’ at the end of every message. The cost of the reply is reverse billed to Beautiful U.

    Note: If you use another organisation, a third party, to send commercial electronic messages on your behalf and the unsubscribe function is directed to the third party organisation they will need to include your businesses contact details also.

    What are the guidelines around SMS systems that send text messages that cannot accept replies? For example the business requires that the recipient of the text send an email to unsubscribe.

    An email address used as an unsubscribe function in a text message is not compliant with the Unsolicited Electronic Messages Act. The unsubscribe facility must allow the recipient to respond to the sender using the same method of communication used to send the original message.

    If you send commercial text messages you must arrange a free unsubscribe facility via text message.

    What if a business has a really long name – what are the rules around reducing the business name?

    The abbreviated use of a companies name is suitable, as long as the abbreviation would allow the recipient to clearly and accurately identify the company i.e. organisations such as TVNZ and VTNZ would be fine.

    Does the unsubscribe in a text and fax have to be free?

    Yes the legislation says it must be free. If your provider is unable to provide this service then you must not send commercial electronic messages using text or fax.

    Are abbreviated place names acceptable identification?

    Commonly used abbreviated place names such as Auck, Chch, Wgtn are suitable for identifying the specific location of the sender. The message must also contain information on how to contact the business responsible for the message (i.e. if the reply to opt-out doesn’t already do this).

    Regarding the text message unsubscribe facility via text – is it acceptable to send two texts, with the second containing the unsubscribe details?

    Including the unsubscribe facility on a multi-page text is acceptable. It does not have to be included in the first text.


    General


    Our company visits trade shows and uses trade directories to contact businesses that may need our goods and services. Do we have the deemed consent of the other businesses to do so?

    Contacts published in a trade directory would be ‘conspicuously published’ and therefore you would have deemed consent to send messages if they are relevant to the business, role, functions, or duties of the person/company that the message is sent to.

    Note: You would not have deemed consent if the published electronic address was accompanied by a statement to the effect that the address-holder does not want to receive unsolicited electronic messages.

    Are emails inviting the recipient to complete an online survey counted as commercial if the survey is about a good/service offered by the company?

    If the purpose of the survey is commercial (e.g. to promote a good or service, test brand loyalty and recognition) then the message will be considered spam if you do not have the consent of the recipient.

    I work for a charitable trust. How do I got about raising awareness of issues relating to my organisation (for example donating money to charity, or a fundraising walk) by email without spamming?

    Firstly, charities generally send emails to known contributors i.e. signed up members. These messages would probably have either express consent or the sender could reasonably infer consent. If the member then sends the message on to their friend then the onus of consent is on the member (and the nature of their relationship with their friend means that consent can reasonably be inferred).

    The other issue to consider is whether the charity’s message is ‘commercial’. Consider whether the message is marketing or promoting goods or services. If the message does not market or promote goods and services then it is not a commercial electronic message and therefore would not be considered spam.

    Can you send an email enticing recipients to opt-in to an email distribution list for future correspondence e.g. an invitation to a launch party or the chance to go into a prize draw?

    Yes, providing you have consent to send the original email.

    For example, the original email might be to confirm an order or receipt of payment for an order. You have inferred consent to send this message and you can use it as an opportunity to ask a customer if they wish to join your database.

    If I include a disclaimer on the bottom of my email such as, “if you received this email in error, please delete it’, will I be covered?

    The Unsolicited Electronic Messages Act provides that it is a defence (against the accusation of spamming) if the person who sent the message, or who caused the message to be sent, did so by mistake.

    If a salesperson at my company sends an unsolicited electronic message to customer who is liable, the salesperson or the company?

    If a company has clear policies on the process for obtaining consent and who may send commercial electronic messages, and an employee breaches those policies it is likely the department will regard it as a breach by the employee.

    What does ‘double opt-in’ mean?

    Employing a double opt-in system is a good idea because it eliminates the chance of abuse, where someone submits someone else’s email address without their knowledge and against their will.

    Usually a user subscribes to a newsletter, or other communication, by filling in some type of form and a confirmation email is sent to the email address provided asking the recipient to click on a link to register. Hence the user has opted in twice and you have the assurance that they really want to receive your communications.

    How will the Act regard automated messages from websites? For example, if a customer buys a product online, she/he will receive a confirmation of the order. If I add ‘don’t miss our great new product…’ at the bottom, does that order confirmation become spam?

    An automated page on a website is not a message sent to an electronic address and is therefore not covered by the Unsolicited Electronic Messages Act.

    In the case of automated replies to a customer’s email address, the Unsolicited Electronic Messages Act states that an electronic message that facilitates, completes or confirms a commercial transaction the recipient previously agreed to is not a commercial electronic message. You can attach promotional material to such a message.

    How will the Act affect research companies emailing out a survey? Does it depend on what is being asked in the survey?

    Yes, it will depend on the content and whether it comes within the definition of a commercial electronic message.

    How do written petitions that ask for your email address fit in with the Act?

    Written petitions do not come within the definition of a ‘commercial electronic message’ and therefore would not constitute spam.

    I own a small business and we receive a lot of emails enquiring about buying and selling our products. If I retain these email addresses am I then entitled to send promotional emails, or am I considered to be ‘address harvesting’?

    The Unsolicited Electronic Messages Act contains a prohibition against using addresses gathered using ‘address harvesting software’ to send spam. This type of software searches the Internet for electronic addresses and compiles them into lists. Collecting electronic addresses from emails you have received is not using address-harvesting software.

    However, you can’t just collect these emails to use when promoting your products because you cannot reasonably infer consent from a single correspondence. When you are replying to the queries it’s a good opportunity though to seek express consent to send the recipient promotional emails in the future.

    As an individual, can I take action against a company that is spamming me, or do I have to go through Internal Affairs?

    Yes, an individual victim of spam can take independent action seeking compensation and damages against spammers.