Privacy and Electronic Communications - Ten Tricky Questions Answered
by Eduardo Ustaran
The Privacy and Electronic Communications (EC Directive) Regulations came into force
in the UK on 11 December 2003. These Regulations represent a complete U-turn in the
law applicable to direct marketing by electronic means and regulate the use of cookies
and location-based services for the first time. Here are some of the tricky questions
answered.
1. What is the distinction between B2B and B2C marketing e-mails?
"B2B" and "B2C" are the commonly used abbreviations for "Business to Business" and
"Business to Consumer" respectively. This is an important distinction because the bulk
of the new regime dealing with direct marketing by e-mail only applies where the recipient
of the e-mail is an "individual subscriber" i.e. essentially when that individual pays for the
use of the electronic communications services.
Therefore, e-mail marketers can distinguish between communications sent to individual
subscribers and communications sent to corporate subscribers (i.e. limited companies
in the UK, limited liability partnerships in England, Wales and Northern Ireland and
partnerships in Scotland). The latter can be lawfully targeted provided that those sending
marketing e-mails do not conceal their identities and provide a valid address to which the
recipients can send their opt-out requests. No matter how personal a corporate address
is (e.g. bill@microsoft.com) it will still be regarded as a corporate subscriber.
2. What is the difference between opt in, soft opt in and opt out?
The Regulations do not refer to opt in or opt out. They simply require – as a general rule
– the prior consent of the recipients of promotional e-mails. Such consent may be
obtained by means of a so-called opt in box (i.e. a mechanism that requires ticking a box
to indicate someone's consent to receiving marketing e-mails) but it can also be obtained
by other means as long as the individual takes some positive action to express his or her
willingness to receive marketing materials.
The Regulations do permit the sending of unsolicited e-mails about similar products or
services to those individuals with whom you have a commercial relationship, provided
that they have not opted out in the past and are given the opportunity to opt out in future
e-mails. This exception is often known as "soft opt in", since it is not strictly regarded as
obtaining consent, but allows individuals to exercise an element of control over the direct
marketing they receive.
3. Can you lawfully buy or rent e-mail addresses from third parties?
The way the Regulations are drafted means that an individual can only notify his or her
consent regarding marketing e-mails to the sender of such e-mails. Therefore, the only
lawful way in which a list of e-mail addresses can be compiled by one party and used by
another is if the individuals actually solicit the information.
If you wish to use e-mail addresses compiled by a third party for your direct marketing
campaigns, you must ensure that the individuals to whom the addresses relate have
specifically requested the information that you wish to send.
4. Legacy mailing lists – can you continue to use them?
The Regulations do not establish any transitional period to bring existing e-mail lists in
line with the new regime – so after 11 December 2003, it will be a breach to use e-mail
lists which were not originally compiled in accordance with the new requirements.
However, the Information Commissioner has said that he is prepared to take a pragmatic
view on pre-existing lists for the time being, as long as opt out requests are acted upon
promptly.
5. Will the new regime make any difference to the flood of spam reaching our mailboxes?
The new regime will apply throughout the European Union, so marketing e-mails sent
from any EU Member State will be subject to the law of each country (e.g. the
Regulations in the UK). E-mails sent from non-EU Member States will not be covered and
as a result, much of the spam flooding the Internet will be unaffected.
Nevertheless, the Regulations and the equivalent laws being adopted across Europe will
prevent the development of spam havens within the EU and are likely to be a model that
will be followed in other countries as part of the international fight against spam.
6. Cookies – how are they regulated?
The Regulations require that web site operators provide clear and comprehensive
information about the use of cookies on their sites. According to the guidance provided
by the Information Commissioner, such information should be included in a clearly
signposted privacy policy or cookie statement. In addition, web site users must be told
how to reject cookies.
7. Location-based services – how will they affect individuals?
From 11 December, the use of information about the geographical location of an
individual as pinpointed by mobile equipment is subject to strict information and consent
requirements. Whilst using location data for direct marketing purposes is still a while off,
providers of services that rely on this information (such as child and employee location
services) must come up with practical ways of making individuals understand the
implications of this technology and facilitating their acceptance.
8. How do you obtain consent from children?
UK data protection law does not distinguish between adults and children – all have the
same rights under the law. However, given the increasing use of electronic
communications by children and the number of instances where the new regime requires
the consent of individuals before processing their data, e-businesses and mobile services
providers must ensure that they take the right steps to allow minors to decide whether
to give their consent or not.
This means that the wording of statements seeking consent to e-mail and SMS
marketing or allowing others to locate a mobile phone user must be particularly clear and
simple. In most cases, parental consent will not actually be required, given that when it
comes down to privacy, it will be up to the real users of the technology (even if they are
children).
As a parent (rather than a lawyer), my advice is that we should all take an interest in what
our kids are up to when using electronic communications.
9. How is the Information Commissioner going to police compliance?
Practice will show where the regulator's priorities lie. At this stage, organisations relying
on electronic means to collect personal data and promote their products, services or
causes must make a special effort to respect individuals' wishes, as the Information
Commissioner has openly stated that he will be paying particular attention to those
businesses that fail to honour opt out requests.
10. How do you comply with the new law on an international basis?
It is quite obvious that global data protection law is far from being harmonised. Even on
a pan-European basis it is virtually impossible to adopt a "one size fits all" approach.
Businesses with EU-wide operations must therefore identify the key privacy issues affecting
their operations and assess how the law of each country where they operate affects
them.
Eduardo Ustaran is the Head of the Data Protection and E-privacy Unit at Berwin Leighton
Paisner (www.blplaw.com) and is responsible for the firm's data protection mini-portal
(www.blp-dataprotection.com). He is chairman of the Society for Computers & Law Internet
Interest Group. Email eduardo.ustaran@blplaw.com.
Eduardo was one of the speakers in the recent conference on "Successful E-Marketing"
put on by Privacy Law & Business (www.privacylaws.com) which took place on 11th
December - the date that the new regulations came into force. This is where Delia asked
him to write this article!
The new regulations can be found as Statutory Instrument 2003 No. 2426 at
www.hmso.gov.uk/si/si2003/20032426.htm.
Guidance from the Information Commissioner can be found in pdf form at
www.informationcommissioner.gov.uk/eventual.aspx?id=96