Internet Newsletter for Lawyers
January/February 2004, by Delia Venables

Privacy and Electronic Communications - Ten Tricky Questions Answered
by Eduardo Ustaran

The Privacy and Electronic Communications (EC Directive) Regulations came into force in the UK on 11 December 2003. These Regulations represent a complete U-turn in the law applicable to direct marketing by electronic means and regulate the use of cookies and location-based services for the first time. Here are some of the tricky questions answered.

1. What is the distinction between B2B and B2C marketing e-mails?

"B2B" and "B2C" are the commonly used abbreviations for "Business to Business" and "Business to Consumer" respectively. This is an important distinction because the bulk of the new regime dealing with direct marketing by e-mail only applies where the recipient of the e-mail is an "individual subscriber" i.e. essentially when that individual pays for the use of the electronic communications services.

Therefore, e-mail marketers can distinguish between communications sent to individual subscribers and communications sent to corporate subscribers (i.e. limited companies in the UK, limited liability partnerships in England, Wales and Northern Ireland and partnerships in Scotland). The latter can be lawfully targeted provided that those sending marketing e-mails do not conceal their identities and provide a valid address to which the recipients can send their opt-out requests. No matter how personal a corporate address is (e.g. it will still be regarded as a corporate subscriber.

2. What is the difference between opt in, soft opt in and opt out?

The Regulations do not refer to opt in or opt out. They simply require – as a general rule – the prior consent of the recipients of promotional e-mails. Such consent may be obtained by means of a so-called opt in box (i.e. a mechanism that requires ticking a box to indicate someone's consent to receiving marketing e-mails) but it can also be obtained by other means as long as the individual takes some positive action to express his or her willingness to receive marketing materials.

The Regulations do permit the sending of unsolicited e-mails about similar products or services to those individuals with whom you have a commercial relationship, provided that they have not opted out in the past and are given the opportunity to opt out in future e-mails. This exception is often known as "soft opt in", since it is not strictly regarded as obtaining consent, but allows individuals to exercise an element of control over the direct marketing they receive.

3. Can you lawfully buy or rent e-mail addresses from third parties?

The way the Regulations are drafted means that an individual can only notify his or her consent regarding marketing e-mails to the sender of such e-mails. Therefore, the only lawful way in which a list of e-mail addresses can be compiled by one party and used by another is if the individuals actually solicit the information.

If you wish to use e-mail addresses compiled by a third party for your direct marketing campaigns, you must ensure that the individuals to whom the addresses relate have specifically requested the information that you wish to send.

4. Legacy mailing lists – can you continue to use them?

The Regulations do not establish any transitional period to bring existing e-mail lists in line with the new regime – so after 11 December 2003, it will be in breach to use e-mail lists which were not originally compiled in accordance with the new requirements. However, the Information Commissioner has said that he is prepared to take a pragmatic view on pre-existing lists for the time being, as long as opt out requests are acted upon promptly.

5. Will the new regime make any difference to the flood of spam reaching our mailboxes?

The new regime will apply throughout the European Union, so marketing e-mails sent from any EU Member State will be subject to the law of each country (e.g. the Regulations in the UK). E-mails sent from non-EU Member States will not be covered and as a result, much of the spam flooding the Internet will be unaffected. Nevertheless, the Regulations and the equivalent laws being adopted across Europe will prevent the development of spam havens within the EU and are likely to be a model that will be followed in other countries as part of the international fight against spam.

6. Cookies – how are they regulated?

The Regulations require that web site operators provide clear and comprehensive information about the use of cookies on their sites. According to the guidance provided by the Information Commissioner, such information should be included in a clearly signposted privacy policy or cookie statement. In addition, web site users must be told how to reject cookies.

7. Location based services – how will they affect individuals?

From 11 December, the use of information about the geographical location of an individual as pinpointed by mobile equipment is subject to strict information and consent requirements. Whilst using location data for direct marketing purposes is still a while off, providers of services that rely on this information (such as child and employee location services) must come up with practical ways of making individuals understand the implications of this technology and facilitating their acceptance.

8. How do you obtain consent from children?

UK data protection law does not distinguish between adults and children – all have the same rights under the law. However, given the increasing use of electronic communications by children and the number of instances where the new regime requires the consent of individuals before processing their data, e-businesses and mobile services providers must ensure that they take the right steps to allow minors to decide whether to give their consent or not.

This means that the wording of statements seeking consent to e-mail and SMS marketing or allowing others to locate a mobile phone user must be particularly clear and simple. In most cases, parental consent will not actually be required, given that when it comes down to privacy, it will be up to the real users of the technology (even if they are children).

As a parent (rather than a lawyer), my advice is that we should all take an interest in what our kids are up to when using electronic communications.

9. How is the Information Commissioner going to police compliance?

Practice will show where the regulator's priorities lie. At this stage, organisations relying on electronic means to collect personal data and promote their products, services or causes must make a special effort to respect individuals' wishes, as the Information Commissioner has openly stated that he will be paying particular attention to those businesses that fail to honour opt out requests.

10. How do you comply with the new law on an international basis?

It is quite obvious that global data protection law is far from being harmonised. Even on a pan-European basis it is virtually impossible to adopt a "one size fits all" approach. Business with EU-wide operations must therefore identify the key privacy issues affecting their operations and assess how the law of each country where they operate affects them.

Eduardo Ustaran is the Head of the Data Protection and E-privacy Unit at Berwin Leighton Paisner ( and is responsible for the firm's data protection mini-portal ( He is chairman of the Society for Computers & Law Internet Interest Group.

Eduardo was one of the speakers in the recent conference on "Successful E-Marketing" put on by Privacy Law & Business ( which took place on 11th December - the date that the new regulations came into force. This is where Delia asked him to write this article!

The new regulations can be found as Statutory Instrument 2003 No. 2426 at

Guidance from the Information Commissioner can be found in pdf form at

Back to Contents.