Recently, ILITA (the Israel Law, Information and Technology Authority) published new guidelines addressing the interpretation and implementation of provisions of the Protection of Privacy Law relating to direct mail and direct-mail services. The guidelines seek to regulate, inter alia, the issue of obtaining consent to use information for the purpose of direct mail and direct-mail services.

First of all, why is it important to differentiate between the two terms?

“Direct mail” is when an entity personally contacts a person, based on a certain characteristic shared by a segmented group of people included in a database, such as when a company contacts a particular segment of its customers according to their consumption habits.

“Direct-mail services” are when an entity that collects personal information delivers that information to a third party and enables that third party to use the information for direct mail purposes. At issue is basically the trading of information included in databases as a data broker service.

Consent – fundamental principle in privacy protection laws

The fundamental principle in the Protection of Privacy Law is that the infringement of a person’s privacy without his consent is prohibited. The question of when it can be said that a person has consented to infringement of his privacy is, therefore, one of the key questions under privacy protection laws.

The term “consent” is indeed defined in the law, but quite vaguely. The law prescribes that a person’s consent needs to be an informed consent, but does not require the consent to be given expressly or concretely, and states that one can deduce consent even if it is tacit or implied.

In the modern age, the issuing of consents for uses of personal information that might constitute “infringement of privacy” is nearly a daily occurrence. Many services that we use, such as communications and social networking services, require us to consent to the service-provider’s privacy policy, and this policy includes, in most cases, many provisions that entail some form of infringement of privacy. Coupled with this, very few consumers of such services thoroughly read the privacy policy, if they bother to read it at all.

The burden imposed and the required degree of consent

According to the guidelines, when personal information is being used for direct mail purposes and that use has very little to do with the original transaction during which the customer provided his personal information, and whenever direct-mail services are involved, the uniform contract must demonstrate heightened transparency to the customer and include more detailed options for the customer to delineate his specific choice. The objective is to ensure that customers are aware of the other uses of their personal information and that their consent is being actively given and reflects their free will.

As for the burden imposed on service-providers to obtain their customers’ consent to use information, the guidelines differentiate between direct-mail services and direct mail:

When at issue are direct-mail services, the guidelines state that the customer’s express and concrete consent must be obtained to use his information for purposes that do not relate to the purpose of the original transaction, in the format of opting in. The correct way to do this in a written contract (as well as in an online agreement or a voice consent, with the necessary adjustments) is to present to the customer, immediately after the clause that specifies the type of information and nature of the use that is being requested, an option between two boxes – to mark either “opt in” (consent) or “opt out” (no consent), and an additional box for a separate confirmation of the customer’s selection. According to the guidelines, it is possible to conclude that the customer gave adequate specific consent to the use being made of the information he provided only if he marked the ‘opt in’ box, and confirmed his selection.

For example, if an online trading service-provider wants to sell information about its customers to a third party for the purpose of enabling that third party to directly contact these customers, then the service-provider must obtain the express consent of its customers in the above format.

The obligation is less stringent when at issue is “direct mail” (and not a direct-mail service), when a service-provider wants to contact its own customers via direct mail (and is not selling information to another party), and the customer is expecting to receive the direct mail as part of the transaction. In such instances, it is enough that the contract with the customer explains the planned use of the information and enables the customer to refuse to allow use of his information for the purposes of direct mail, in the format of “opting out,” even if this means that he is refusing to receive all components of the service.

For example: if that same online trading service-provider wants to contact its own customers for the purpose of offering them special deals on the trading website to which they registered, on the basis of a shared characteristic (socioeconomic situation, previous similar purchases, etc.), it is enough that the service-provider enables its customers to refuse to receive direct mail.

The burden to be imposed on service-providers is a complicated one. From now on, it will not be enough for the agreement to specify the many uses that are being made of the information and to merely mention that direct-mail services are one of the many uses. The service-provider will have to call its customers’ attention to the fact that it intends to make use of the information for the purpose of direct-mail services. This format will require many service-providers in the economy to change the structure of their engagement process and to differentiate between two categories of customers – those who gave their consent to direct mail or to direct-mail services and those who refused to give consent.