
Guidance for public-facing email sign-up forms and confirmation messages

The Government Chief Digital Officer (GCDO) has developed this guidance for government agencies.


Background

The GCDO was asked to investigate a solution to the misuse of public email sign-up forms — in response to them being used for victimisation.

Existing guidance

Guidance on ‘double opt-in’ confirmation for email has previously been provided by the Department of Internal Affairs (DIA). These additional requirements will also be incorporated into that guidance.

Three steps to ensure you are not spamming — DIA

When following the ‘Three steps to ensure you are not spamming’ guidance, once someone enters their name and email address in a sign-up form, there is a requirement to send an email to that address confirming the requestor has access to the mailbox and wants to receive these messages.

Unfortunately, this feature can be misused to harass and threaten recipients.

Example of misuse

A perpetrator goes to a public-facing website containing an option to sign up to a mailing list.

They enter their victim’s email address, then insert a threatening message, such as ‘I’m coming to stab you’, in the name field.

The email platform then sends a confirmation email to the victim’s email address that opens with ‘Dear, I’m coming to stab you’.

The perpetrator may attempt this multiple times on a single form or from multiple websites for maximum possible impact.

Privacy Act

Another consideration is that organisations must satisfy themselves that collecting extra personal data (such as names) fits within the requirements of Principle 1 of the Privacy Act. This principle is about data minimisation.

Privacy Act — Parliamentary Counsel Office

The question to consider for data minimisation

‘Do I need this extra information to send an email to the recipient?’

Principle 1: Purpose for collection of personal information — Privacy Commissioner

Updated guidance and requirements

  • Public-facing email sign-up forms must not collect any information other than the individual email address being used to sign up.
  • Sign-up confirmation messages must not contain any personal information.

These requirements ensure that only the minimum information needed for the sign-up is collected, and protect recipients from the misuse of other fields.

All publicly facing email sign-up forms, which are not behind a secure logon, must only collect the email address being signed up and no other data. The ‘Three steps to ensure you are not spamming’ guidance for email-address confirmation still applies.

If other data is required, it must be collected after the user has confirmed their email address, and must be collected behind a secure login following the normal data-collection guidelines in the Privacy Act.

How to make a good sign-up confirmation email

A good sign-up confirmation email contains:

  • no personal data from the person signing up
  • clear instructions on the confirmation
  • an ‘Unsubscribe’ link.

The source site it comes from requests no data other than the email address, and provides a link to their privacy policy advising why the data is being collected and how it will be used.
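The following is an added example, not code from this guidance or from any agency platform, showing how a sign-up handler can meet the requirements above: the form is rejected if it carries anything other than the email address, and the confirmation message is built from fixed wording so no submitted text (and not even the address itself) is ever reflected into the body. The list name, the `example.invalid` base URL and the in-memory pending store are constructed placeholders.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder values; a real deployment supplies its own.
LIST_NAME = "Agency updates"
BASE_URL = "https://example.invalid/mail"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Fixed wording: nothing from the form is interpolated here, so a hostile
# "name" field can never appear in the message. Only server-generated URLs vary.
BODY_TEMPLATE = (
    "Someone asked to subscribe this address to the {list_name} mailing list.\n"
    "To confirm the subscription, open: {confirm_url}\n"
    "If you did not request this, no action is needed, or you can\n"
    "unsubscribe here: {unsubscribe_url}\n"
    "Why we collect your address and how it is used: {privacy_url}\n"
)

@dataclass(frozen=True)
class ConfirmationMail:
    to: str        # the only place the address appears: the envelope recipient
    subject: str
    body: str

PENDING = {}  # token -> address awaiting confirmation (constructed in-memory store)

def build_confirmation(form: dict) -> ConfirmationMail:
    """Accept a public sign-up submission that carries only an email address."""
    extra = sorted(set(form) - {"email"})
    if extra:  # names, messages, etc. must not be collected on a public form
        raise ValueError(f"form must carry only 'email', got extra fields: {extra}")
    address = form.get("email", "").strip()
    if not EMAIL_RE.fullmatch(address):
        raise ValueError("not a syntactically valid email address")
    # Unguessable one-time token; the address is looked up server side, so it
    # need not be repeated in the URL or the body.
    token = secrets.token_urlsafe(32)
    PENDING[token] = address
    body = BODY_TEMPLATE.format(
        list_name=LIST_NAME,
        confirm_url=f"{BASE_URL}/confirm?token={token}",
        unsubscribe_url=f"{BASE_URL}/unsubscribe?token={token}",
        privacy_url=f"{BASE_URL}/privacy",
    )
    return ConfirmationMail(address, f"Confirm your {LIST_NAME} subscription", body)

def confirm(token: str) -> Optional[str]:
    """Complete the double opt-in: return the address for a valid token, once."""
    return PENDING.pop(token, None)
```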

Benefits of following the updated guidance and requirements

Following this guidance will:

  • prevent the abuse and misuse of public email sign-up forms
  • ensure compliance with the minimum data-collection requirements of the Privacy Act
  • ensure any other personal information is collected only from an individual with authorised access to provide it.

Testing

Any public-facing email sign-up service should undergo normal best practice for security testing, ensuring the service is free from vulnerabilities and secure from misuse.

Exclusions

If the email sign-up form is behind a secure login (minimum: username and password), associated newsletters may be sent including personalised greetings.

Relevant legislation — Parliamentary Counsel Office
