Internet Newsletter for Lawyers
Yet, even if in the long term the current regulatory policies are likely to benefit businesses and individuals alike, recent data protection developments are causing concern and anxiety among many businesses.
Another directive – the electronic communications data protection directive or “e-privacy directive” – which must become law throughout the EU before 31 October 2003 (and has already become law in several European countries), goes even further: as a general rule, direct marketers must obtain the recipient’s consent before sending marketing e-mails.
The only unsolicited commercial e-mails that can be sent without the recipient’s prior permission are those sent to a business’s own customers in relation to products and services which are similar to those provided in the past, as long as customers are given the opportunity to opt out of those e-mails when their data is collected and on the occasion of each message.
Despite the absence of proper official interpretation and case law in this area, these obligations are already effectively in force in the UK by means of the British Code of Advertising, Sales Promotion and Direct Marketing.
In terms of the ability to send promotional e-mails to existing customers, the DTI acknowledges that the directive does not make it wholly clear whether the exception to the general rule should apply to prospective customers (i.e. those who have registered an interest in a product or service without buying it) as well as to individuals who have previously bought something. The draft regulations, on the other hand, are drafted in a way that does not require an actual purchase for this exception to apply.
With regard to the concept of similar products or services, the DTI has stated that, given that businesses are bound by the individual’s right to opt-out of direct marketing, it seems sensible to adopt a broader, rather than a narrower, interpretation of the word “similar”. Therefore, under the draft regulations, a business will be entitled to rely on the similar products or services condition provided that the recipient of the e-mail would have reasonably expected to be sent information about those products or services.
Other key issues addressed by the draft regulations include:
* The amount of information to be provided to individuals about the use of cookies and how to refuse them. In terms of where and how information about the purposes for which cookies are used is provided, the DTI takes the view that such information should be included in a clearly signposted privacy or cookie statement. However, the draft regulations do not expand on the kind of information to be made available.
* The scope of “value added services” based on traffic and location data. The DTI is keen to ensure that there is no constraint on the type of services that may be provided as long as subscribers give their consent and are informed of the data processing implications.
* The way in which the consent of individuals can be obtained in order to use traffic or location data for marketing or to offer value added services. Subscribers and users must give their informed consent and understand the data processing implications of each service, but service providers must take their own view on how to comply with the law (e.g. by relying on a combination of media to get their message across).
* The scope for providers of directory enquiry services to include subscribers’ details by default instead of seeking active consent. The DTI’s objective is to ensure that subscribers can make an informed decision about being listed, and what kind of entry to have, but also to maximise the chance of subscribers choosing to be listed and minimise the complexity of consent procedures.
* DTI Consultation - the official pages of the DTI’s unit in charge of implementing the e-privacy directive.
* The European Commission - a good starting point for anything to do with EU data protection law.
* Privacy.org - a site with daily news, information and initiatives on privacy. This is a joint project of the Electronic Privacy Information Center and Privacy International.
* PrivacyExchange - global information on national data protection laws, regulations, standards and practices.
* Cookie Central - bible for anything to do with cookies.
* Platform for Privacy Preferences Project (P3P) - the official site of the P3P project of the World Wide Web Consortium aimed at building privacy policies in a standard, machine-readable format.
* TRUSTe - a self-regulatory initiative based on respect for personal identity and information.
* EuroCAUCE - ad-hoc coalition of Internet users and service providers dedicated to the fight against unsolicited commercial e-mails in Europe.
* BLP's data protection mini-portal - a collection of resources and up-to-date information aimed at helping private and public sector organisations comply with data protection law and practice (I am responsible for this one).
Eduardo Ustaran is the Head of the Data Protection and E-privacy Unit at Berwin Leighton Paisner and the chairman of the Society for Computers & Law Internet Interest Group. eduardo.ustaran@blplaw.com