There is no law or regulation that specifically regulates electronic marketing.
The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.
The CAN-SPAM Act is a federal law that applies labeling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender’s contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. The FTC and state Attorneys General, as well as ISPs and corporate email systems can sue violators. Knowingly falsifying the origin or routing of a commercial email message is a federal crime.
Text Messages
Federal and state regulations apply to the sending of marketing text messages to individuals. Express consent is required to send text messages to individuals, and, for marketing text messages, express written consent is required (electronic written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any text messaging (marketing or informational) program needs to be carefully reviewed for strict compliance with legal requirements.
Calls to Wireless Phone Numbers
Similar to text messages, federal and state regulations apply to marketing calls to wireless phone numbers. Prior express consent is required to place phone calls to wireless numbers using any autodialing equipment, and, for marketing calls, express written consent is required (electronic written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any campaign or program that involves calls (marketing or informational) to phone numbers that may be wireless phone numbers needs to be carefully reviewed for strict compliance with legal requirements. The definition of autodialing equipment is generally considered to, broadly, include any telephone system that is capable of (whether or not used or configured storing or producing telephone numbers to be called, using a random or sequential number generator.
Telemarketing
Beyond the rules applicable to text messaging and calling to wireless phone numbers, there are federal and state telemarketing laws as well. Federal telemarketing laws apply to most telemarketing calls and programs, and state telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law, as well as the law of one or more states. Telemarketing rules vary by state, and address many different aspects of telemarketing, such as calling time restrictions, do-not-call registries, opt-out requests, mandatory disclosures, requirements for completing a sale, executing a contract or collecting payment during the call, further restrictions on the use of auto-dialers and pre-recorded messages, and record-keeping requirements. Many states also require telemarketers to register or obtain a license to place telemarketing calls.
Fax Marketing
Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient has not opted out of receiving fax advertisements and has provided their fax number ‘voluntarily,’ a concept which the law specifically defines.
The law also requires that each fax advertisement contain specific information, including:
- A ‘clear and conspicuous’ opt-out method on the first page of the fax
- A statement that the recipient may make a request to the sender not to send any future faxes and that failure to comply with the request within 30 days is unlawful, and
- A telephone number, fax number, and cost-free mechanism to opt-out of faxes, which permit consumers to make opt-out requests 24 hours a day, seven days a week
- Violations are subject to a private right of action and statutory damages, and thus pose a risk of class action lawsuits
Personal data protection is regulated mainly in:
National Constitution: Article 182 provides the constitutional protection of habeas data, giving individuals the right 'to access any file or record, private or public, electronic or hand written, that contains information which may produce damage to personal honour and family privacy. It is also a method to prevent the transmission or disclosure of such data, rectify inaccurate or misleading data, update data, require confidentiality and to eliminate false information. This guarantee does not affect the secrecy of journalistic sources.'
Law of the Civil Registry (Article 109, Decree 62-2004). This law refers only to public personal information that is contained in the archives of the Civil Registry.
Law for Transparency and for Access to Public Information (Article 3.5, Decree 170-2006). This law enables the access of any person to all the information contained in public entities, except that which is classified as 'Confidential.' It also extends the constitutional protection of habeas data and forbids the transmission of personal information that may cause any kind of discrimination or any moral or economic damage to people.
Rulings on the Law for Transparency and for Access to Public Information (Article 42, Accord 001-2008). Provide a definition of databases containing personal confidential information, and requires data subject consent, prior to the use of it by any third party.
In addition, the Law for the Protection of Confidential Personal Data (the “Law”) is currently in discussion in the Honduran Congress. Congress has approved the first chapters of the Law. The complete approval of the Law and the date for when the Law will enter into force is expected in the first half of 2019.
Definition of personal data
Public Personal Data under the Law of the Civil Registry is defined as: Public Data whose disclosure is not restricted in any way, and includes the following:
- Names and surnames
- ID number
- Date of birth and date of death
- Gender
- Domicile (but not address)
- Job or occupation
- Nationality
- Civil status
Definition of sensitive personal data
The Law for Transparency and for Access to Public Information defines ‘Sensitive Personal Data’ as: "Those personal data relating to ethnic or racial origin, physical, moral or emotional characteristics, home address, telephone number, personal electronic address, political participation and ideology, religious or philosophical beliefs, health, physical or mental status, personal and familiar heritage and any other information related to the honor, personal or family privacy, and self-image."
Other Definitions:
- Consent: Written and express authorization of the person to whom the personal data refers in order to disclose, distribute, commercialize, and/or use it in a different way as it was originally given for
- Confidential Information: Information provided by particular persons to the government which is declared confidential by any law, including sealed bids for public tenders
- Classified Information: Public information classified as that by the law, and / or by resolutions issued by governmental institutions
Two entities are responsible for enforcing personal data protection:
- National Civil Registry
http://www.rnp.hn - Institute for the Access to Public Information
http://www.iaip.gob.hn
Only Obligated Entities must inform the Institute for the Access to Public Information of their databases. Obligated Entities are:
- Government institutions
- NGO’s
- Entities that receive public funds, and
- Trade unions with tax exemptions
The Institute for the Access to Public Information will maintain a list of the databases of the above-mentioned entities.
Only Obligated Entities must appoint a data protection officer.
Individuals, companies, and / or Obligated Entities that collect personal data may not use sensitive personal data or confidential information without the consent of the person to whom such information relates.
However, consent is not required to use or transfer personal data in the following cases:
- If the information is used for statistical or scientific needs, but only if the personal data is provided in a way that it cannot be associated with the individual to whom it relates
- If the information is transmitted between Obligated Entities, only if the data is used in furtherance of the authorised functions of those entities
- If ordered by a Court
- If the data is needed for the purpose it was provided to the individual or company to perform a service. Such third parties may not use personal information for purposes other than those for which it was transferred to them
- In other cases established by law
Individuals and / or companies may not transfer, commercialize, sell, distribute or provide access to personal data contained in databases developed in the course of their job, except with the express and direct written consent of the person to whom that data refers, subject to certain exceptions.
The Institute for the Access to Public Information has the authority to require all Obligated Entities to take necessary security measures for the protection of the personal data they collect and / or use.
The current legislation neither clarifies nor specifically identifies the security policies or security mechanisms that Obligated Entities must comply with.
As a general statement, the Institute for the Access to Public Information has to ensure the security of all Public Information, of all information classified as confidential by public entities, of all sensitive personal data, and of all information to which the current legislation gives a secrecy status.
Breach notification is not required.
The Institute for the Access to Public Information may receive complaints about abuses regarding the collection of personal or confidential data.
The Institute will impose corrective measures and establish recommendations for those persons or companies who disclose personal data, sensitive personal data or confidential data without authorization.
There is no law or regulation that specifically regulates electronic marketing.
There is no law or regulation that specifically regulates online privacy.
