Dealing with spam emails4 min read . Updated: 27 Dec 2012, 10:34 PM IST
There is no law in India to regulate what companies can or cannot do with your personal data
Travel site Cleartrip landed a massive PR victory and garnered lots of Internet brownie points this month, ironically after firing its PR company.
The flacks had allegedly sent messages for clients other than Cleartrip to email addresses provided by the firm. Cleartrip wasn’t happy and it warned the agency twice; the agency did it again, Cleartrip fired the agency, as per the post Cleartrip posted on its company blog. This then went viral on Twitter and Facebook to many oohs, aahs, etc., from the Twittering classes.
While the cynic in me is wont to believe that Cleartrip’s in-house PRs guessed exactly at the kind of positive spin the firing and blog post would generate, it is not fair to criticize the company for taking a stand which really is way overdue and should be mandated by law.
Alas it isn’t.
Whenever I sign up with any company—be it a phone network provider, a travel website, an Internet booking site, a bank or anywhere else, I give it a unique email address (on Google’s Gmail, for example, and a few other email services, if your address is email@example.com, you can sign up for Cleartrip, say, with firstname.lastname@example.org, and emails would still reach you. But if Cleartrip, for argument’s sake, decided to sell your email address to spammers or a dodgy PR agency had their way with the Cleartrip database, you could 1) simply filter out all email sent to that address, and 2) know exactly which company sold you out.
Well, I’ve been running an experiment along those lines for the past few years and the unpleasant conclusion was that most major Indian consumer brands indulge in what appears to be a side business in selling your email address (or worse, perhaps getting it stolen from them).
The list of culprits includes my mobile phone services provider (yes, one of the big ones), a booking site, a major online retailer, the local chapter of a well-known software company, an online listings site, and…I gave up counting after a while.
Those emails usually came from third party email marketing agencies that send out rather slick emails from well-known brand names (think life insurance, Internet shopping, and bigbank credit card spam, rather than Viagra and “medicines" promising to “enhance" certain parts of the male anatomy).
It’s clear that the mass email marketing company is making money from sending unsolicited emails to my address (and they all have shiny websites that could inspire trust), though I’m not sure what or how much the companies whose customer I am are getting out of this.
On the bright side, most of these email mass marketing companies actually appear to be somewhat trustworthy, oxymoron notwithstanding—if you click the unsubscribe link at the bottom they’ve tended to leave me alone afterwards.
The point to all this, apart from some minor annoyance to our email reading habits, is that unlike in many other countries, there is really no law in India to regulate what companies can or cannot do with your personal data.
HSA Advocates partner Salman Waris, who specializes in data protection laws—or the lack thereof in India—tells me, however, that some sections of the much maligned Information Technology (IT) Act could be helpful here.
For one, under section 79 of the Act, Internet intermediaries must take care and diligence with regard to the services they provide, which read together with section 43A of the Act (compensation for failure to protect personal data from theft), can “indirectly bring into play a data privacy law", explains Waris.
But there is no specific law that would obligate them or would impose a penalty on companies that started sending out spam. Several drafts of full-fledged Indian data protection Acts have languished without ever passing into law, though of course significant progress has been made by the department of telecommunications with telephone “do not disturb" registers and SMS spam curbs.
Unlike the so-called CAN-SPAM Act in the US that imposes stiff penalties for ruthless email spammers, such regulation in India is still a while off, though Waris suggests that since my domestic email spammers appear to respect unsubscribe requests, perhaps they are aware of potential liabilities.
For example, Waris posits that under Section 66A of the IT Act, if interpreted generously, there could be some action against ruthless email spammers who do not leave you alone with their clients’ sales messages.
Section 66A, of course, came into recent national infamy after the death of Bal Thackeray and the arrest of two young women who had posted allegedly offensive messages about the subsequent Mumbai shutdown on Facebook. Well, if their messages were offensive, then it might just be possible to argue that spam is, too.
But what we really need, rather than bending existing laws even further out of shape and risking that they become draconian new instruments of civilian torture, is perhaps just to pass a simple data protection law that works.
If that did happen, a blog post by a company writing that it doesn’t like spam would not attract nearly as much attention.
Kian Ganz is a lawyer-turned-journalist based in Mumbai, from where he publishes legallyindia.com