On June 25 2002, the Council of the European Union formally adopted the Electronic Communications Privacy Directive, which concerns the processing of personal data and the protection of privacy in the electronic communications sector. The directive updates and extends the scope of the Telecommunications Privacy directive, introduces restrictions on the use of cookies and direct marketing by email and SMS and introduces new standards of privacy for communication by email, SMS and other electronic formats.

Goodbye Spam?

The directive makes it unlawful to send unsolicited emails and SMS messages – known as spam – for direct marketing purposes without the recipient’s prior consent (opt-in). This covers not only sales messages from unknown third parties but also broader promotional messages from organisations to known contacts and customers. This will put direct marketing by email on the same footing as direct marketing by fax or automated calling machines. It will also harmonise the current discrepancy in regulation between member states of the European Union, some of whom already require direct marketers to obtain an opt-in for these communications and others (notably the UK) who regard an opt-out approach as sufficient.

This is likely to be the most significant aspect of the directive for companies – especially those who rely on direct marketing as a key means by which to develop their customer base and sell new service offerings. To comply with the new regulation, such companies may need to make fundamental changes to the way they use electronic messaging as a marketing tool. This will be particularly difficult if that marketing is reliant on addresses gathered or mailings hosted by third parties, as obtaining an opt-in consent in that situation is likely to be much more difficult than where there is a direct relationship with the recipient of their message.

The directive does permit some use of direct marketing by email and SMS without an opt-in, provided the sender:

  • Limits the marketing to its own actual customer base (not contacts);
  • Limits the marketing to its own range of products and services (not unconnected products or services and not those of group companies);
  • Has obtained the relevant email address/SMS number direct from the recipient;
  • Has explained that messages may be sent to the address/number for direct marketing purposes; and
  • Has provided (both at the time of collecting the address/number and on an ongoing basis) a simple means by which the recipient can opt out of receiving further messages.

Direct marketers will also need to pay heed to specific provisions in the directive that make it unlawful to disguise or conceal the identity of the sender of a direct marketing email. Any email must include the sender's name and return address. It must also include details of how the recipient may opt out of further email communications.

Other forms of unsolicited electronic communication are not subject to the same degree of regulation as email and SMS. Member States will be entitled to retain their preferred approach to regulation in relation to direct marketing by such means.

Cookie Cutters

A cookie is a piece of software that downloads from the internet onto a computer terminal that, once resident, can access and store information about the way the computer is used (e.g. keeping a log of websites visited). The cookie then passes this information over the internet to a central database. The user will often be unaware of the cookie's existence or the way it operates.

The directive includes a provision making it unlawful to use the internet as a means of obtaining information in this way. In particular, the user must be told in advance about the existence of any cookie and the purposes for which it will gather any information and have the opportunity to reject it.

There remain both technical and legal concerns about how this provision will be implemented. The Direct Marketing Association has been vocal in pointing out the adverse effect the regulations will have on e-commerce, disabling many of the user-friendly features that make websites an attractive place to do business. Lawyers also have their reservations, not least because most cookies, like email spam, come from countries outside the EU. It is hard to see how the directive will be enforced in such countries.

In this regard, the directive is more likely to achieve an EU privacy standard than put in place safeguards capable of ensuring privacy is upheld. That is more likely to be achieved through the development of privacy-enhancing tools in common software applications - an approach the European Commission both acknowledges and supports.

Providers of voice telephony services are currently required to comply with certain privacy standards under the Telecommunications Privacy Directive. These include obligations to keep transmission data secure and confidential and to erase data relating to the transmission (traffic data) after it has taken place.

The new directive extends these requirements to providers of all types of electronic communication services over a public network, including providers of email, SMS messaging and data-packet transmission services. As a result, an ISP will be under a legal duty to keep email transmissions secure and not to store or intercept those transmissions unless expressly authorised by the relevant subscriber or as permitted by law.

The directive creates obligations applicable to all types of service provider:

  • To inform subscribers about the circumstances in which traffic data will be retained;
  • To inform subscribers about the existence of any specific security risks relevant to the service (e.g. susceptibility to attack by hacking or a virus); and
  • To collect, use, store or process information that may be used to locate the geographical position of an individual user only with their prior informed consent to provide a specific service to them (e.g. a mapping service). Where location data is collected, the service provider must provide a simple means by which the user can disengage the function.

In light of these provisions all service providers and, in particular, non-voice telephony providers, will need to reassess their privacy-compliance programmes and if relevant change the way in which they are handling electronic communications and associated traffic and/or location data.

If and When...

Member States are required to implement the directive into national law within 15 months of the date on which it is formally published. Although publication has yet to take place, it is expected in early autumn 2002. Assuming this timetable is followed, the provisions of the directive can be anticipated to take effect at the end of 2003 or early in 2004.

Written by Ruth Boardman and Andrew Dyson. First published in the October 2002 issue of MIS UK.