When registering a domain name, your details (name, address, phone, email, etc.) are collected by your registrar and, unless they constitute restricted information, are published in the Whois database.
However, after the domain names have been registered, from the list of domain names published each day , companies search the email addresses in the Whois database in order to send them unsolicited sales offers.
Because you have just registered a domain name, these companies introduce themselves in glowing terms in order to sell you their skills in technical development, sales and other forms of expertise that may be of interest, plus various commercial offers and discounts valid for a limited time… only to you!
Some of you have become so exasperated that you have contacted Afnic so that these practices can be stopped.
But is Afnic the right organization to contact?
The legislative texts
- Paragraph 1 of Article L.45-5 of the French Electronic Communications and Telecommunications Act (CPCE) states that “registries publish each day a list of the domain names they have registered.”
- Paragraph 1 of Article R20-44-41 of the French Electronic Communications and Telecommunications Act states that “Each registry publishes each day the list of domain names registered the day before. This list is subject to access without financial compensation from the website of the registry.”
- Paragraph 1 of Article 12 of the State / Afnic Convention for the management of the .fr TLD states that “The Registry undertakes to publish the “Whois” data it collects in accordance with Article L45 -5 of the French Electronic Communications and Telecommunications Act (CPCE) in automatable formats and through Open licenses.”
The data are made available by Afnic in accordance with its legal obligations.
Using the information made available, third parties cross-check the data and use them in particular for commercial canvassing purposes.
Are these practices illegal? And if so, what can Afnic do about them?
Commercial cold-calling is strictly regulated by:
- Directive 2002/58 / EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications);
- Law No. 2004-575 of 21 June 2004 as amended on confidence in the digital economy (LCEN), transposition of the Privacy and Electronic Communications Directive;
- Law No. 78-17 of 6 January 1978 amended relating to computers, files and freedoms.
Thus, the Law on Confidence in the Digital Economy enshrines the “opt-in” system of protection for consumers, in accordance with “Privacy and Electronic Communications” Directive. In its current version, paragraph 1 of article L34-5 of the CPCE states that “No person shall direct marketing by automated electronic communications within the meaning of paragraph 6 of Article L.32, by fax or email using the contact details of an individual, subscriber or user, who has not given prior consent to receiving direct marketing material by this means. “
Article 1 of the CPCE L34-5 paragraph does not apply to corporations. This means that if only the impersonal email addresses of corporations are used, such as contact@ [company name].fr, canvassing can take place without it being required to obtain the addressee’s prior consent or provide an opt-out system. Canvassing done on a business to business (“B2B”) basis is lawful.
For individuals, the legal provisions provide for two exceptions to the opt-in system of direct marketing, involving:
- B2B canvassing of individuals contacted on the basis of their capacity with a corporation using email addresses such as firstname.name@[company name].fr;
- Post-contractual relationships.
In cases where personal data are used as part of the two exceptions to the opt-in system, direct marketing can be sent to you subject to the condition that you can refuse all future commercial solicitation (cf. the right to opt-out as defined in Article 38 of Law No. 78-17).; in general, it will be a clickable link in the email in order to notify the recipient’s wish not to receive other messages.
In cases where personal data are not used as part of the two exceptions to the opt-in system and respect for your right to opt out, if your personal email address is used without your prior consent to being canvassed and you have no contractual relationship with the company sending the message, then the cold-calling practices constitute spam.
Your courses of action in France are as follows:
- Visit the website of the French national platform for reporting Spam connected to the relevant authorities: https://www.signal-spam.fr/english;
- Opt out of the use of your personal data by contacting the prefecture of your department (DDPP or DDCSPP). We invite you to read the DGCCRF factsheet dated of 10 July 2014 “Opting out of the use of personal data for commercial marketing purposes”.
Whatever the case, Afnic is not empowered to take action against companies using spam whether the companies are using domain names or the information made available via the Whois database and the daily publication of lists of registered domain names.
When the companies doing the canvassing are registrars accredited by Afnic, neither is Afnic entitled to intervene, since its supervisory powers as defined by law in Article L45-4 of the CPCE (in French) are limited to its registrar and accreditation activities.
However, given the excessive practices of some companies and the number of reports received, Afnic has intervened at various levels and in particular it has:
- Contacted companies using data to remind them of the law applicable to the sending of unsolicited commercial email;
- Contacted the DGCCRF e-commerce department and France’s data protection authority (CNIL), to inform them of these practices;
- Modified the format of publication of the daily list of domain names from UTF8 to the digital image format “GIF”, publication of which is available for a rolling 7-day period; this has helped make it more difficult to access the information while respecting the legal framework.
Finally, even if Afnic cannot take action against the companies in question, we use this blog to keep you up to date about them, and invite you to make use of the various possible courses of action described above.