Spam – the unsolicited email that bombards email inboxes daily selling porn, genital enhancement, life insurance, or the opportunity to make a million dollars – is becoming a costly epidemic.

Spam sets European businesses back by an estimated $2.5 billion annually, due mainly to lost productivity and the cost of upgrading hardware and software to manage and protect against it, according to a recent study by US-based research company Ferris Research.

But these costs are not the only risk to businesses. Ironically, a big challenge facing many companies this year is in the form of the European Union’s new ‘anti-spam’ directive, which aims to reduce the prevalence of unsolicited emails, and mobile phone text messages.

The aim of the EU’s Directive on Privacy and Electronic Communications is, ostensibly, to stop the spread of spam. However, it will also have a huge impact on the way legitimate businesses gather and record data on customers, and how they interact with them through email and the web. And this will happen quickly, since businesses only have until 30 October 2003 to comply with the rules set out by the directive.

In simple terms, businesses in the EU-member states will need to adopt an ‘opt-in’ approach to email marketing – companies will only be permitted to collect data for marketing emails and SMS messages from individuals who have explicitly consented to the use of their details in this way, whether by way of a tick box in their marketing material, or over the phone.

Many UK businesses already use the opt-in approach for email marketing. However, the new directive will force even these companies to audit their existing marketing databases in order to make sure that every customer in it has opted in. This is where the toughest challenge arises.

To comply by 30 October 2003, “businesses have to be a lot more circumspect about the relationships they have with the people in their databases,” says Heather Rowe, a solicitor at Lovells. “They will have to ask themselves ‘What have we got here, and how did we get it?’ It is not impossible that businesses will have to trash databases they already have.” Even if a company has acquired an email address legitimately, but the person is not an existing customer, it will have to get consent from the customer before 30 October, adds Rowe.

According to law firm Eversheds, businesses can target customers who have bought products or services from them in the past, subject to a handful of provisos. For example, a customer’s details must have been collected in the context of a “sale”, and at that time, they must have been told about the possible use of their data for marketing. In addition, the opportunity to opt-out must be given with each subsequent marketing message. Finally, only that organisation is allowed to use the customers’ details.

The problems don’t end there. Since the marketing material customers can receive must only be for products that are “similar” to that for which the customer’s details were originally gathered, this could lead to a situation where, for example, banks are not able to market different financial products to customers who have only purchased a loan.

Another problem is that businesses will have to maintain separate databases and processes for email marketing and postal marketing, as the new directive does not apply to the latter.

As with any legislation, there are still grey areas that need to be formalised through consultation between government agencies and businesses – a process that Rowe expects will begin in the Spring of 2003. But until these issues are cleared up, it will be difficult for companies to know what sort of processes they need to build, or technology they need to invest in to comply with the directive.

According to Robert Dirskovski, head of interactive media at the Direct Marketing Association (DMA), companies will need to provide documentation to prove they have consent from individuals just to continue using existing emails in marketing databases. However, the directive does not describe how this should be demonstrated or stored, says Dirskovski.

Indeed, the DMA views the directive as an onerous law that will do more to restrict European businesses’ marketing practices than reduce the flow of spam. According to Dirskovski, 90% of spam comes from outside the EU region, the majority of it originating from the US, a market that is currently unregulated at a federal level.

Nevertheless, after 30 October 2003, consumers can and will take action against companies that they believe are spamming them – and it is up to European businesses to protect themselves against potential lawsuits.