I received spam, now what?

How to protect against unsolicited commercial communications

“I am the nephew of the shot dead King of Nicaragua, we have a big amount of money and we ask you to help us to transfer the funds in Europe!” Congratulations! You have just won … “ Do you recognize this? There is hardly any internet user who has not received such an email.

Spam is a phenomenon with many faces. We may summarize it as a collective term for all forms of unsolicited communications, thrusted on consumers, circulated in social networks, as instant messaging (ICQ, Skype, etc.), SMS, calls and others. The most popular form of spam which is in focus in this article is the spam received by e-mails. I will also consider communications and calls received for direct marketing purposes.

Spam is a global issue which requires adequate protection mechanisms.

Practical protection

Before analyzing in details the applicable regulation regimes, I will discuss briefly the practical protections mechanisms used for “filtering” an e-mail, by the service providers as well as by the users themselves. In the so-called “black lists” after receiving an unsolicited communication the user may add e-mail address, IP address, or other characteristics of the message in the “black list”. When consumer receives again similar message corresponding to the set criterion, the message will not reach the consumer. Other mechanism is to introduce a list of banned words and phrases. Bulgarian consumers came to the inventive method to identify and block the phrase “unsolicited commercial communication” to protect against the “legitimate Bulgarian spam”. In order to be effective; it is recommendable the phrase to be written into the message header.

Who decides which message is solicited or not?

If filtering is performed by the service provider, and not by the user himself, this may lead to the consumer not receiving the solicited correspondence. Analyzing the content of the sent personal and official correspondence represents a disclosure of information, which breaches the freedom and privacy of correspondence, guaranteed by the supreme law – the Constitution.

Based on the practice, it may be considered that the said mechanisms reduce significantly the unsolicited messages received by the consumers.

Protection by law – the „legitimate Bulgarian spam“

The Electronic Commerce Act in force as of 24.12.2006 („ECA”) does not use the term “spam”. Instead, it regulates the “unsolicited commercial communications”, defined as: advertising or other messages to promote, directly or indirectly, goods, services or reputation of a person carrying out a commercial or craft activity or practicing a regulated profession, sent via e-mail without the prior consent of the recipient.

I will consider here the main legislative protection mechanisms.

Mechanism for consumer protection

According to the ECA, sending of unsolicited commercial communication to consumers without their prior consent is prohibited. The term “consumer” is defined in the Consumer Protection Act as any individual who acquires goods or uses services that are not intended for commercial or professional activity, as well as any natural person who, as a party to a contract under this law, acts beyond the range of his/her commercial or professional activity. The Law sets out the type of restrictive regime, the so-called opt-in.

On the other hand, the ECA treats the important case of an already established contact between the sender and recipient of the commercial communications. The law provides that calling, messaging or e-mailing with or without human interference for the purposes of direct marketing and advertising are permitted only with the prior consent of the consumer. The consent can be withdrawn at any time. The ability of each recipient to disagree with future receipt of such messages is the so-called “unsubscribe” procedure (e.g. promotional activities in which the participants can disagree through link placed at the end of the message or through calling the promotional organizers). In any case, the sending of messages for marketing and promotional purposes is prohibited, unless it can identify the person who sent the message or does not include a valid electronic address to which the recipient may send a request to cancel future messages.

Mechanism for legal entity protection

Here I will focus on the free regime or the so-called “opt-out” set out by Law. This regime applies for the recipients- legal entities. In this case, the law does not require prior consent, for example given by the legal representative/manager of the company. ECA has provided a mechanism for protection in the form of Register of legal entities within the Commission for Consumer Protection. The law prohibits expressly sending of unsolicited messages to the e-mail addresses entered into the register. The nature of the register raises questions in the field of the national legislation on personal data protection. For example, the Commission of Personal Data Protection has been approached in connection with a case in which the entity has registered a domain name in the Register of legal entities within the Commission for Consumer Protection, including personal e-mail addresses. As a result all personal e-mail addresses using the same domain names will appear in the register, without explicit consent given by the individuals. The Commission in its Statement 1 concluded that the information regarding a personal e-mail address of an individual does not constitute personal data and, therefore, does not constitute a violation under the Law on Protection of Personal Data. A search within the database of the register indicates that it cannot be determined whether an e-mail entered into the register is used for the purposes of an individual or a legal entity. The entry into the register is an effective option the legal entity to be protected from unsolicited commercial communications as far as the law provides penalties. A service provider who commits or permits a violation shall be penalized with up to BGN 2000, and, the penalty could reach BGN 4000 for repeated violation.
Regardless of whether the regime for consumer or that for legal entities applies, the ECA introduces a general provision that the senders of unsolicited commercial communications by e-mail without the prior consent of the recipient are obliged to ensure that the messages are clearly and unambiguously identifiable as unsolicited as soon as they are received by the recipient. The said provision is a typical expression of the “opt-out” regime.

Besides the fact that we are subject of unsolicited commercial communication, we are often attacked by unsolicited SMS. It is expected soon that the Commission for Consumer Protection will rule on the case with the so-called “unsolicited SMS”, which is a famous practice of mobile operators to include users in various games or services, and in order to exit the game, the user is obliged to send paid SMS. Currently, the Commission for Consumer Protection developed the so-called territory of unsolicited SMS, which scope and protection will be considered further.

Lyuba Bozova

McGregor & Partners

The article has been published in Bulgarian, in Capital Daily:


1Statement of the Commission of Personal Data Protection reg. № П-7552/2014