New Privacy Regulations

25 September 2003

Ruth Boardman

On 18th September 2003, the DTI published the new Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "E-Privacy Regulations"). These will be relevant to anyone who carries out direct marketing by e-mail, SMS, fax or phone or who operates a website that uses cookies, web bugs or similar devices. The new Regulations come into force on 11th December 2003.

The E-Privacy Regulations introduce new rules for anyone who carries out direct marketing by e-mail or SMS. The Regulations effectively introduce an opt-in scheme for anyone who sends spam to individual subscribers. Under the Regulations, "individuals" does not just mean consumers, but also sole traders and partnerships. Organisations sending business-to-business marketing e-mails will, therefore, have to comply with the Regulations if they have any sole traders or partnerships in their marketing databases. There is a limited exception for direct marketing to contacts whose details were obtained in the course of a sale or negotiations for a sale. However, an opt-out must have been offered at the time the person's details were collected and this must be included in each new direct marketing contact. Further, only similar products or services may be marketed.

The E-Privacy Regulations also restate the current (often overlooked) rules on direct marketing by phone, fax and automated calling systems. These rules:

  • provide everyone (individuals and corporates) with a right to object/opt-out of direct marketing by phone
  • require opt-in consent from individuals for fax marketing
  • require opt-in consent from everyone for marketing by automated calling systems
  • establish the telephone and fax preference services as central registers of persons to whom direct marketing material may not be sent

The Regulations also require specific information to be provided in direct marketing material.

The Regulations are retrospective and will apply to data collected before December 2003. Organisations will, therefore, need to check their current and historic data collection methods and obtain actual consent to continue some forms of marketing.

The Regulations also introduce restrictions on organisations who use cookies or similar devices. Anyone whose website uses cookies must inform users of this (e.g. via a cookie statement in a privacy policy) and provide a right to refuse the cookie. There are exceptions for cookies that are solely used to facilitate a communication or that are strictly necessary to provide an e-commerce service at the request of the end user/subscriber.

There are additional provisions in the Regulations affecting telecoms service providers and ISPs. In large measure these restate existing legislation, although new provisions have been introduced relating to the use of location data and reverse searchable directories of subscribers.

We are preparing a detailed briefing note on the Regulations. To obtain this, or for other information on the Regulations or data protection, please contact Ruth Boardman or Hazel Grant.