The Department of Internal Affairs

Te Tari Taiwhenua

Building a safe, prosperous and respected nation

 

Frequently asked questions

The answers below are based on the questions we have received to date. To help you find what you are looking for, these have been grouped into sections.

If you have any questions not covered by the answers below, please contact us at info@antispam.govt.nz

Consent

Can I establish consent by emailing my existing customer database asking them to unsubscribe if they don't wish to receive messages?

A commercial electronic message may only be sent if the recipient has consented to receive it. If you don’t think that the recipient has consented then the “click here to unsubscribe” type of email cannot establish consent for future purposes. 

Many recipients may treat such a message as spam and may not respond or even open it. There is no real relationship when the communication is one-sided and the recipient's silence should not be taken as consent.

Is verbal consent okay and do I have to keep a record of it?

Yes, verbal consent is okay.

However, it is advisable to keep a record of verbal consent. If a complaint is ever laid, the onus of proof of consent is on the sender of the message (as stated in section 9(3) of the Act).

Does receiving a business card from someone count as ‘inferred consent’ to include them in an email or fax newsletter distribution list? 

That would depend on the circumstances of the business card swap. 

‘Inferred consent’ in the context of supplying a business card primarily relates to the development of a relationship between the parties. Inferred consent would only apply if the electronic message sent specifically related to the relationship that had developed at the time a business card was supplied.

For example, if A and B exchange business cards during a business type meeting, general consent would be inferred between A and B that they agree to receive electronic messages from each other that relate specifically to the meeting or generally to A and B’s business relationship. The content of the information shared can be limited or extended by A and B.

A person handing out their business cards is unlikely to intend that this leads directly to them receiving commercial electronic messages that are in no way attributable to the original circumstances in which the cards were provided.

If I have swapped business cards with someone and am sending them commercial electronic messages do I have to keep all the business cards as proof of ‘inferred consent’?

You will need to keep proof of the consent in some form. Over time the on-going correspondence becomes evidence of a relationship and you won't have to keep the business card.

We often contact people based on referrals from colleagues, or we research people doing work that would benefit significantly from our software. Can we count such referrals as deemed consent?

Referrals from colleagues without the recipient’s knowledge or consent cannot be defined as deemed or inferred consent. 

If your research identifies an electronic address or mobile number that is conspicuously published by the person in a business or official capacity (website, brochure or magazine), deemed consent may be possible, as long as the publication of the address is not accompanied by a statement to the effect that the relevant electronic address holder does not want to receive unsolicited electronic messages and the message is relevant to the business, role, functions or duties of the person in their business or official capacity.

I work for a tertiary institution. We currently send messages to enrolled students, who have supplied us with their email address for the purpose of communicating with them. Are these emails unsolicited, commercial emails as defined by the Act when we, or the Student Union, send students emails about the services available on campus?

There are two possible reasons your messages would not be considered spam under the Unsolicited Electronic Messages Act.

Firstly, an electronic message about the goods and services of a tertiary education institute is not considered an electronic message for the purpose of the Act and therefore does not need to meet the requirements of the Act.

The Act states that an electronic message that provides the recipient with information about goods or services offered or supplied by a ‘government body’ is not a commercial electronic message. ‘Government body’ includes the core government departments (named in Part 1 of Schedule 1 of the Ombudsmen Act 1975) and ‘Crown Entities’ (as defined in section 10(1) of the Crown Entities Act 2004). Tertiary education institutions are Crown entities.

Secondly, if you are emailing students about services provided by the institution you should be able to rely on inferred consent. This is because there is a clear and reasonable expectation that messages will be sent, due to the nature of the relationship between the tertiary institution and the student.

We also suggest that you still clearly identify who sent the message, and provide a functioning unsubscribe facility.

I run a business which basically networks and approaches potential candidates in their current job on behalf of my client who may be looking for someone with the same skill set (i.e. ‘head hunting’). Is this considered a commercial purpose and if the person I approach has their email address published in a directory, is this regarded as ‘deemed consent’?

We consider that your purpose would be commercial as you are marketing or promoting a service. The Unsolicited Electronic Messages Act’s definition of a service is contained within section 2 of the Consumer Guarantees Act 1993.

The Act provides that if:

  • an electronic address is conspicuously published by a person in a business or official capacity, and
  • it is not accompanied by a message that the address-holder does not want to receive unsolicited commercial electronic messages, and
  • the message that is sent is relevant to the business, role, functions or duties of the person in their business or official capacity,

consent is deemed to exist.

Can we include two tick boxes for consent – one agreeing to receive messages from our organisation/client and one for agreeing to receive promotional material from third parties?

Yes, if the customer ticked the box saying that they agreed to receive promotional material from third parties then it would not breach the Act to send them such material. 

If my business sends an email promoting a free product, is this classed as commercial and therefore spam?

If a message markets or promotes goods or services, it is irrelevant that the goods or services are free; the message will still be considered spam if you do not have the consent of the recipient.

If I sell a product on the internet to a customer and in two weeks' time I send an email asking after the customer’s satisfaction with the product would it be considered spam?

The Unsolicited Electronic Messages Act states that an electronic message that facilitates, completes or confirms a commercial transaction the recipient previously agreed to is not a commercial electronic message.

This means you can send emails confirming the order, confirming receipt of payment, and notifying delivery details. It does not mean you can send emails asking about customer satisfaction as you cannot reasonably infer consent from a single purchase.

If my business details are included in my email signature and I forward a joke/personal email to a friend who then forwards the email again, am I considered to be spamming?

If you are sending an email with a link to a commercial service (including email signatures), then you are required to have the consent of the recipient. You must also include accurate contact details for the sender of the email and a functional unsubscribe facility.

However, if you are communicating to a friend it is unlikely the Department will receive a complaint about your email due to the nature of your relationship and the nature of the email. If there is no link to a commercial service and the email is not commercial by nature, then the Act will not apply.

Any email your friend then sends is sent under their authority and they are responsible for ensuring they meet the requirements of the Act.

How long can my business rely on inferred consent in a business relationship? For example, if I make one transaction with a customer, can I continue to send them promotional material one year later? Five years later?

We don’t consider that you can reasonably infer consent from a single transaction. If you wish to send a customer, with whom you have had one transaction, marketing and promotional material you should seek their express consent. 

The Unsolicited Electronic Messages Act states that an electronic message that facilitates, completes or confirms a commercial transaction the recipient previously agreed to is not a commercial electronic message. You could use the sending of these electronic messages as an opportunity to seek express consent to send promotional material in the future.

I am a member of a gym and wish to stop my membership and cease receiving email newsletters. Are they allowed to contact me a year later to try and woo back my custom?

No. If you have stopped your membership and/or unsubscribed then the gym cannot send you further commercial electronic messages until they have your consent.

If someone gives me a third party’s business card, do I have consent to email the third party? Or should I phone them first to ask consent?

No, you do not have consent to email the third party. However, phoning to ask for consent to send them commercial electronic emails would be perfectly fine.

Unsubscribe

Do I need an unsubscribe ‘button’ or other fancy unsubscribe facility?

No. The Unsolicited Electronic Messages Act stipulates that your unsubscribe facility needs to be clear and conspicuous, free, likely to be functional for at least 30 days after the original message is sent, and able to be sent using the same method of communication that was used to send the original message.

For example, a sentence such as “Please reply by return email with ‘unsubscribe’ in the subject line if you do not wish to be contacted again” should meet the requirements of the Act (providing the request was actioned within five days, and met the above criteria).

Is a confirmation email saying ‘thank-you for unsubscribing’ okay?

Yes, if it is sent within five working days of the unsubscribe request.

When does the five working days commence (in which you must honour the unsubscribe request)?

The clock starts the day after the recipient used the unsubscribe facility. Therefore you need to ensure that you have a system whereby all unsubscribe requests are actioned within the five working day period.

Is it okay if I have a web-based link to unsubscribe at the bottom of my email?

A web-based link is fine provided that you don’t make it unnecessarily difficult for someone to unsubscribe.

Some phone companies include contracts that state customers will receive promotional text messages which will not include an unsubscribe facility. Is this ok?

The Unsolicited Electronic Messages Act allows parties to contract out of providing an unsubscribe facility. However, unsubscribe requests relevant to commercial electronic messages must still be actioned if received.

This means that if a customer informs a company that they wish to unsubscribe, the company must action the request. In other words the customer can withdraw their consent to receive promotional electronic messages at any stage.

If a customer unsubscribes from my email database, can I send an email asking why they left, or ask them to complete an exit survey?

Yes, but only if the email is sent within the five working days in which the unsubscribe request must be actioned. After this period, you will no longer have consent to email the recipient.

Legislation

How similar is our Anti-Spam legislation to Australian Anti-Spam legislation?

The Unsolicited Electronic Messages Act 2007 is based on the Australian Spam Act 2003. However, it is simpler than the Australian Act in that it uses general descriptions and definitions and less specific exceptions.

For a more detailed comparison see the citations at the end of every section of the Unsolicited Electronic Messages Act. 

We have heard that some organisations are exempt from the prohibitions and requirements of the Unsolicited Electronic Messages Act. Is that true?

Everyone, including the Crown, is bound by the Act. However, information about goods or services offered or supplied by a government body or a court or tribunal is not considered ‘commercial’ and therefore will not be subject to the consent-identification-unsubscribe requirements. You should note that the definition of ‘government body’ is very wide and also includes many educational institutions and Crown entities.

Section 6(b) provides more exceptions to the ‘commercial’ definition, which in most cases involve ongoing relationships between the sender and the recipient. 

It is important to remember that as a general rule, exceptions will depend on the content of the message, and will not be blanket exemptions covering everything an organisation may send via an electronic message. 

How can web communities ensure that they are compliant with the Act?

Follow the three steps to ensure you are not spamming, i.e. obtain the consent of the recipient, identify yourself and provide a functional unsubscribe facility.

If you send something to another community member who objects to the message, apologise and don’t do it again. In most cases that will be the end of the matter.

Why aren’t phone communications covered under the Unsolicited Electronic Messages Act?

The purpose of the Unsolicited Electronic Messages Act is to address the abundance of unsolicited messages being sent using particular forms of electronic communication.

Phone calls operate in a different manner to the electronic messages defined in the Act and would require unique legislation to regulate. Also, the inclusion of phone calls in the definition of spam would limit opportunities for businesses to make ‘first contact’ communications.

Regarding emails with a New Zealand link – does the email address strictly have to be .nz? Could we use a .com email address to send our messages instead?

The Act prohibits electronic spam with a New Zealand link. A spam email address that ends in ‘.nz’ is just one example of this. An electronic message is considered to have a New Zealand link if it is sent to, from, or within New Zealand. See section 4 of the Unsolicited Electronic Messages Act for a full definition. 

My organisation is not government, but supplies government services. Are we exempt under the Ombudsmen and Crown Entities Acts?

If the message provides the recipient with information about goods and services offered or supplied by a government body, court, or tribunal, then it is not a commercial electronic message. It does not matter that your organisation is not a government body.

Email a friend

Will it be considered spam if we run a campaign encouraging existing customers to “email a friend”?

Friend-get-friend campaigns, or ‘viral marketing’, usually encourage subscribers to provide the name and email address of a friend who is then sent a commercial electronic message and emailed by the company or promoter encouraging them to opt in/register.

An electronic message such as this would be unsolicited because the friend has not consented to receiving the message from the company or promoter. Consequently if the message was commercial (i.e. marketing or promoting goods, services, land, a business or investment opportunity) it would be considered spam. However, if the company's email is forwarded by the recipient to a friend(s) this is usually okay.

For example: A and B are good friends, and send each other emails on a routine basis. Company C has express consent from A to send commercial emails to them. A then decides to forward to B commercial emails he received from company C. If it can be assumed from the relationship that B is happy to receive the commercial emails forwarded by A, consent could reasonably be inferred.

That consent, however, will not exist between the company and B. If the company only had A’s consent, it cannot assume B has consented to receive its commercial emails. In most cases, the relationship between A and B is not likely to be of interest to the Electronic Messaging Compliance Unit, unless B complained about A’s emails. In that case, the onus will be on A to show that inferred consent existed. 

I work for a marketing company and viral marketing is a good way for us to build up brand awareness. Are you saying that viral marketing is considered spam?

As discussed in the above question, viral marketing (or friend get friend) commonly involves the production of something interesting and then relying on people to circulate it to their friends.

This is fine, provided the company has the consent of the person they send the initial electronic message to and the campaign itself doesn’t encourage spamming. For example, a campaign that encourages people to forward emails to 100 friends would not be reasonable.

We have set up a website to promote a new product we have launched. To do so we created a game that is fun to play, and allows the user to send a challenge to their friend via email. The email message links to the game with some text set by the challenger. Who has the onus of consent?

The primary question is whether or not the sending of the commercial electronic message is ‘unsolicited’. 

In this case the challenger (not the company) is the sender of the commercial electronic message and would need to have the consent of the recipient. In the case of a friend sending a friend a message this should not be a problem as the nature of the relationship is that consent can reasonably be inferred.

If the Department was approached by someone who objected to a friend sending them commercial electronic messages we would probably suggest that they speak to their friend in the first instance, and request that they stop sending such messages.

TXT messages

Since a text (SMS) message can normally contain a maximum of 160 characters what are the guidelines for meeting the requirements of including sender identification and an unsubscribe facility?

You must identify the sender of the messages, how the recipient can contact them, and provide a free-of-charge unsubscribe facility.

For example, Judith owns ‘Beautiful U’ beauty salon and has express consent to send her clients promotional TXT messages. She includes ‘Beautiful U. Reply OPT-OUT to unsubscribe’ at the end of every message. The cost of the reply is reverse billed to Beautiful U.

Note: If you use another organisation, a third party, to send commercial electronic messages on your behalf and the unsubscribe function is directed to the third party organisation, they will also need to include your business's contact details.

What are the guidelines around SMS systems that send TXT messages that cannot accept replies? For example the business requires that the recipient of the TXT send an email to unsubscribe.

An email address used as an unsubscribe function in a TXT message is not compliant with the Unsolicited Electronic Messages Act. The unsubscribe facility must allow the recipient to respond to the sender using the same method of communication used to send the original message. 

If you send commercial TXT messages you must arrange a free unsubscribe facility via TXT message.

What if a business has a really long name – what are the rules around reducing the business name?

Abbreviating a company's name is suitable, as long as the abbreviation allows the recipient to clearly and accurately identify the company, e.g. organisations such as TVNZ and VTNZ would be fine.

Does the unsubscribe in a TXT and fax have to be free?

Yes, the legislation says it must be free. If your provider is unable to provide this service then you must not send commercial electronic messages using text or fax.

Are abbreviated place names acceptable identification?

Commonly used abbreviated place names such as Auck, Chch, Wgtn are suitable for identifying the specific location of the sender. The message must also contain information on how to contact the business responsible for the message (i.e. if the reply to opt-out doesn’t already do this).

Regarding the TXT message unsubscribe facility via TXT – is it acceptable to send two TXT messages, with the second containing the unsubscribe details?

Including the unsubscribe facility on a multi-page TXT is acceptable. It does not have to be included in the first TXT.

General

How do spammers get my address?

‘Spammers’ obtain email addresses in a variety of ways:

  • Web pages: Specialised programmes called ‘web spiders’ crawl through online information to find and extract specific data. Malicious parties have been known to harvest contact information this way for the purpose of sending spam. Contact information can also be extracted manually if you conspicuously publish personal information.
  • Mailing lists: Be careful when purchasing goods online and registering your details for online services as this information may be used or made available to spammers. Even legitimate companies have been known to provide data to third parties, so always ensure you understand the terms and conditions associated with any goods or services you use.
  • Data breaches: Customer databases have also been known to be stolen from companies through a data breach. Even large, well-resourced companies have been known to fall victim to attacks losing millions of records.
  • Social media: Many social media sites and platforms are free because they provide your information to third-party services such as advertising. This is a known financial model where, if there is no clear, identifiable product, then you, the end user, are the product. Always ensure you understand any terms and conditions with social media and use appropriate settings to protect your privacy.
  • Guessing: Spammers may use computer software to assist them in identifying addresses using popular words, names and numbers.

Our company visits trade shows and uses trade directories to contact businesses that may need our goods and services. Do we have the deemed consent of the other businesses to do so?

Contacts published in a trade directory would be ‘conspicuously published’ and therefore you would have deemed consent to send messages if they are relevant to the business, role, functions, or duties of the person/company that the message is sent to. 

Note: You would not have deemed consent if the published electronic address was accompanied by a statement to the effect that the address holder does not want to receive unsolicited electronic messages. 

Are emails inviting the recipient to complete an online survey counted as commercial if the survey is about a good/service offered by the company?

If the purpose of the survey is commercial (e.g. to promote a good or service, test brand loyalty and recognition) then the message will be considered spam if you do not have the consent of the recipient.

I work for a charitable trust. How do I go about raising awareness of issues relating to my organisation (for example donating money to charity, or a fundraising walk) by email without spamming?

Firstly, charities generally send emails to known contributors i.e. signed up members. These messages would probably have either express consent or the sender could reasonably infer consent. If the member then sends the message on to their friend then the onus of consent is on the member (and the nature of their relationship with their friend means that consent can reasonably be inferred).

The other issue to consider is whether the charity’s message is ‘commercial’. Consider whether the message is marketing or promoting goods or services. If the message does not market or promote goods and services then it is not a commercial electronic message and therefore would not be considered spam.

Can you send an email enticing recipients to opt-in to an email distribution list for future correspondence e.g. an invitation to a launch party or the chance to go into a prize draw?

Yes, providing you have consent to send the original email. 

For example, the original email might be to confirm an order or receipt of payment for an order. You have inferred consent to send this message and you can use it as an opportunity to ask a customer if they wish to join your database.

If I include a disclaimer on the bottom of my email such as, “if you received this email in error, please delete it”, will I be covered?

The Unsolicited Electronic Messages Act provides that it is a defence (against the accusation of spamming) if the person who sent the message, or who caused the message to be sent, did so by mistake. However, in order to rely on this defence, the onus of proof will be on the sender. 

If a salesperson at my company sends an unsolicited electronic message to a customer, who is liable? The salesperson or the company?

If a company has clear policies on the process for obtaining consent and who may send commercial electronic messages, and an employee breaches those policies, it is likely the Department will regard it as a breach by the employee.

However, it will depend on a number of factors such as the intent of the message, the training and policies in place, the accounts used to send the message, whether a database was used appropriately, etc.

What does ‘double opt-in’ mean?

Employing a double opt-in system is a good idea because it eliminates the chance of abuse, where someone submits someone else’s email address without their knowledge and against their will.

Usually a user subscribes to a newsletter, or other communication, by filling in some type of form and a confirmation email is sent to the email address provided asking the recipient to click on a link to register. Hence the user has opted in twice and you have the assurance that they really want to receive your communications.

How will the Act regard automated messages from websites? For example, if a customer buys a product online, she/he will receive a confirmation of the order. If I add ‘don’t miss our great new product…’ at the bottom, does that order confirmation become spam?

An automated page on a website is not a message sent to an electronic address and is therefore not covered by the Unsolicited Electronic Messages Act.

In the case of automated replies to a customer’s email address, the Unsolicited Electronic Messages Act states that an electronic message that facilitates, completes or confirms a commercial transaction the recipient previously agreed to is not a commercial electronic message. You can attach promotional material to such a message.

How will the Act affect research companies emailing out a survey? Does it depend on what is being asked in the survey? 

Yes, it will depend on the content and whether it comes within the definition of a commercial electronic message.

How do written petitions that ask for your email address fit in with the Act?

Written petitions do not come within the definition of a ‘commercial electronic message’ and therefore would not constitute spam.

I own a small business and we receive a lot of emails enquiring about buying and selling our products. If I retain these email addresses am I then entitled to send promotional emails, or am I considered to be ‘address harvesting’?

The Unsolicited Electronic Messages Act contains a prohibition against using addresses gathered using ‘address harvesting software’ to send spam. This type of software searches the Internet for electronic addresses and compiles them into lists. Collecting electronic addresses from emails you have received is not using address-harvesting software.

However, you can’t just collect these emails to use when promoting your products because you cannot reasonably infer consent from a single correspondence. When you are replying to the queries it’s a good opportunity though to seek express consent to send the recipient promotional emails in the future.

As an individual, can I take action against a company that is spamming me, or do I have to go through Internal Affairs?

Yes, an individual victim of spam can take independent action seeking compensation and damages against spammers.
