Internet Newsletter for Lawyers
November/December 2003, by Delia Venables

Email - the New Law
By Charles Black

On 11 December 2003 the Privacy and Electronic Communications (EC Directive) Regulations 2003 come into force. This legislation gives effect to the EU’s Directive 2002/58/EC of 12 July 2002, introduced to provide additional laws to protect privacy in the light of new digital technologies. This article considers how the new law will affect email marketing campaigns undertaken by firms and chambers, and also whether the law will have any impact on controlling junk email.

Key points

The new Privacy Regulations add to the privacy laws created by the Data Protection Act and deal primarily with protecting privacy from intrusion by unsolicited communications by telephone, fax and email (including SMS messaging). The Regulations modify certain sections of the Data Protection Act and repeal the Telecommunications (Data Protection and Privacy) Regulations 1999 and 2000. A number of the Regulations relate to the obligations of telecom companies in relation to call identification, malicious and nuisance phone calls and other issues affecting an individual’s right to privacy including unsolicited communications by fax and telephone. This article is concerned with Regulations 22 and 23 which deal with unsolicited email. Regulation 22(2) provides that

Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where -

(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person's similar products and services only; and

(c) the recipient has been given a simple means of refusing.... the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

The effect of Regulation 22 is that it is unlawful to send an email for direct marketing purposes unless the recipient has consented to receive it. The giving of consent would seem to require a positive action in that the recipient has to have "previously notified the sender" of their consent. The need for a positive action was plainly set out in the Directive which the Regulation implements, referring to obtaining "prior explicit consent".

Sub-section (3) deals with "existing relationship" cases where the recipient is either a customer or potential customer. Initially sub-section (3) appears as a qualification to the general rule that consent is required before a direct marketing email can be sent to them. However, upon closer analysis this is not the case. There are 2 essential requirements to send direct marketing emails lawfully to existing relationship persons:

Firstly, the recipient still needs to have been given "a simple means of refusing" the use of his contact details for the purpose of such direct marketing, at the time the details were initially collected...". If the details are collected via a web site enquiry form, this is dealt with by a simple check box which the user can tick to indicate their consent. However, if the recipient's email address is captured during a telephone conversation it seems that the user will have to be asked if they consent to their email being used for direct marketing purposes. Sales teams handling such enquiries need a way of recording this.

Secondly, even if the user consents to receive email for direct marketing purposes it is not permissible to then send an email to them marketing a dissimilar type of product - so solicitors firms and barristers chambers cannot market non-legal services to their clients or potential clients.

Consent is therefore the key to sending direct marketing emails legitimately. Recipients must have the opportunity to withdraw their consent at any time.

Regulation 23 makes it unlawful to send out direct marketing emails without showing the valid email address of the sender or without providing a valid email address to which the recipient can send a request to unsubscribe from receiving such emails in future.

Although the regulations require consent, there are no restrictions under sub-section (2) on the content of the email - so if you have the recipient's consent to receive marketing emails there are no restrictions on the products you can market or on who is actually selling the products. This means you can send out emails on behalf of third parties, promoting their products. Under sub-section (3) you can only send emails about your own products and services, so this clearly excludes sending emails on behalf of third parties.

The position on a business obtaining a mailing list or selling a mailing list to third parties is not all that clear. Consider a hypothetical example. A recipient has consented to receive emails from Company X. Also, they have ticked a checkbox to indicate they consent to receiving emails from any third parties selected by company X. Company X has, as a result, a mailing list of people who consent to receiving emails from any third parties selected by Company X. Company X is approached by Company Y to market Company Y's products to Company X's mailing list. In this scenario, Company X can clearly send out the email itself to its mailing list promoting Company Y's products. But can Company X hand over the mailing list to Company Y and allow Company Y to actually send out the email? The reference in Sub-section (2) to emails being sent "at the instigation of the sender" seems to imply that this is permissible. However, the consent has to have been notified to the sender, which in the scenario under consideration is Company Y. It is submitted that as consent is the key issue, provided the recipient has informed Company X that they are happy to receive emails from third parties then it is permissible.

Liability and enforcement

A breach of the Regulations does not give rise to any criminal penalties, only civil. Under Regulation 30, a person can commence proceedings for compensation against a person who has breached the Regulations. It is a defence for the person "to prove that he had taken such care as in all the circumstances was reasonably required to comply with the relevant requirement". The Information Commissioner (appointed under the Data Protection Act) has enforcement duties.

Practical guidelines for marketing emails

Case law will no doubt make the precise boundaries of what is permissible clearer, but in the meantime the following guidelines would appear to be sensible:

* ensure that any marketing emails are sent only to users who have positively consented;

* when capturing enquiries from potential clients via your web site, ensure the enquiry form gives the opportunity for the user to consent to receiving further marketing emails from you by providing a check box which they can tick; this information should automatically be stored in the database used for your mailing list;

* when capturing enquiries via the telephone ensure a way of recording that the user has been asked for their consent and for whether or not this is granted;

* ensure any marketing email you send out enables the recipient to easily unsubscribe at any time;

* ensure any email that is sent out shows the sender's email address (e.g. "");

* ensure that a valid email address is provided to which the recipient can send an email requesting that they be taken off your mailing list.

With the new Privacy Regulations in mind, my own company, Nasstar, has developed an online mailing application which a number of barristers chambers are using to market their services by email. The mailing application is easily managed via an online management system. With an infrastructure that can handle over 4 millions messages a day, Nasstar's mailing application ensures that each email sent has an unsubscribe link at the bottom enabling the user to unsubscribe easily.

The application also enables an authorised user on behalf of the sender to manually unsubscribe a particular recipient if they choose to telephone or email the sender requesting that they be removed (rather than following the unsubscribe link). The mailing application also ensures that the email address of the sender is shown.

The problem of junk email

The aim behind the new Privacy Regulations is to protect individuals from unsolicited bulk email - commonly referred to as spam or junk email. Will they do this?

In my opinion, the new law is unlikely to have any major impact in the battle against spam. Over 90% of junk email comes from the USA, and so the UK must wait to see what legal measures they take to tackle spam. At present the federal government is considering an opt-out law i.e. all spam is legal unless you have expressly opted out from receiving it. To combat spam, it seems that governmental co-operation on an international level may be required to create and police a standardized legal framework across the globe. Without such a legal framework it is technology rather than law that is providing effective solutions in the war against spam.


The new privacy law means firms and chambers must have a system in place for managing their mailing list both in terms of collecting data and sending marketing emails to the list. Whilst the law should be welcomed as providing a framework for businesses sending out emails, the law is unlikely to have any practical effect on controlling junk email. The invasion of spam from international jurisdictions, particularly the USA, means that the law will not have any impact on the main source of spammers. The most effective solution for junk email remains the use of technology solutions, many of which were considered in the September/October issue

Charles Black is the founder and Managing Director of Nasstar a business ISP which provides web sites, content management systems, hosting, email solutions, broadband and networks to a large number of businesses including chambers and solicitor firms. Charles is also a qualified barrister having been called to the Bar in 1996 and having undertaken pupillage in 1997.

Back to Contents.