The Privacy and Electronic Communications Regulations 2003

13 October 2003

Ruth Boardman

In July 2002 the EC’s Directive on Privacy and Electronic Communications [1] (the "Directive") was adopted for transposition into the laws of Community Member States by 31 October 2003. The new Directive replaced the Telecommunications Data Protection Directive [2], principally to apply the new Directive’s rules to all forms of electronic communications and not just to telephone calls and services. The new Directive has also added specific new rules and controls over the use of cookies (small data files stored on a user’s hard disk by a website controller when that user visits and browses the website) and on unsolicited electronic communications (SPAM or UCE).

The new Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Regulations") transpose the Directive into UK law and will replace the existing Telecommunications (Data Protection and Privacy) Regulations [3] which transposed the Telecoms Data Protection Directive into UK law. The new Regulations will come into force on 11 December 2003.

2 Principal Changes Introduced by the New Directive

The principal differences between the new Directive/Regulations (the new "Legislation") and the earlier Telecoms Data Protection Directive/Regulations are:

(a) the new Legislation regulates all forms of electronic communication, including messaging through the internet, SMS and mobile telecommunications and not just telephone calls over fixed line networks (Articles 1, 2 and 3; Regulation 2(1));

(b) the new Legislation is not limited to processing of personal data related to living individuals but allows Member States to redefine the split between individual and corporate subscribers to communications services, so giving corporate subscribers the possibility of protection which may vary from Member State to Member State (see particularly Article 12 & Regulation 18 in relation to directories and Article 13 & Regulation 21 in relation to unsolicited communications);

(c) the new Legislation does not apply to broadcasting or broadcasting services unless the identity of the subscriber or user of the service can be traced;

(d) the new Legislation introduces controls over the use of cookies, which may be used by a website controller to identify a user’s preferences (Article 5(3); Regulation 6)(see further paragraph 6 below);

(e) the new Legislation sets new or re-stated controls over traffic data, value added services, itemised billing, calling line identification, location data services and call tracing and forwarding (Articles 6 to 10; Regulations 10 to 17);

(f) the new Legislation includes changed rules on subscriber directories (Article 12; Regulation 18); and

(g) the new Legislation sets extended controls over unsolicited communications, whether by telephone, fax or e-mail (Article 13; Regulations 19 to 23).

This note looks at the restrictions relating to unsolicited communications and on the use of cookies.

The obligation on the UK under the new Directive to restrict unsolicited electronic communications (SPAM and UCE) in accordance with the new Directive’s terms extends and reflects the provisions of Article 14(b) of the Framework Data Protection Directive [4]. This latter Article requires Member States to grant to the data subject the right to object, on request and free of charge, to the processing for the purposes of direct marketing of personal data relating to him. These rights are in addition to the obligations on Member States to require that personal data be processed fairly and lawfully, collected for specified explicit and legitimate purposes and not further processed in a way incompatible with those purposes. These provisions are already given effect in the UK under Section 11 of the Data Protection Act 1998 (the "Data Protection Act") (right to prevent processing for purposes of direct marketing) and Schedule 1 (the first and second data protection principles).

3 Individual Subscribers

The Regulations give most protection to individual subscribers. However, this does not mean that the focus of the Regulations is on direct marketing to consumers. The Regulations define "individual" as either a living individual or an unincorporated body.

Accordingly, individual subscribers will include private individuals, but will also include sole traders (living individuals) and partnerships (which are, in England and Wales, unincorporated bodies of individuals). The provisions in the Regulations relating to corporate subscribers only apply to subscribers who are:

"a. a company within the meaning of Section 735 (1) of the Companies Act 1985;

b. a company incorporated in pursuance of a royal charter or letters patent;

c. a partnership in Scotland;

d. a corporation sole; or

e. any other body corporate or entity which has a legal person distinct from its members".

The effect of this is that organisations that solely carry out B2B marketing will still have to consider the impact of the Regulations if their marketing databases contain details of sole traders or partnerships. As there are quite substantial organisations that trade through partnerships (e.g. professional services firms) it is likely that the Regulations will apply to many organisations that only conduct B2B marketing.

4 Opt-in and Opt-out

Under an opt-out requirement, it is sufficient that an individual has not ticked a box to show that they object to receiving direct marketing. However, under the opt-in approach, the individual must tick a box to signify their agreement to receiving the relevant material.

Use of e-mail for direct marketing purposes (Regulation 22)

The biggest change to direct marketing practices introduced by the Regulations is the restriction on e-mail marketing set out at Regulation 22. The Regulation also applies to direct marketing communications sent by SMS.

The Regulation only applies to unsolicited commercial communications sent to individual subscribers (see paragraph 3). Consideration had been given to extending the provisions of this Regulation to corporates and this area is being kept under review by the DTI.

Regulation 22 (2) provides that direct marketing material may not be sent by e-mail unless the recipient has previously notified their consent. In other words, the regulation introduces an opt-in regime.

There is a limited exception to this, referred to by the DTI as the "soft opt-in". This is set out at Regulation 22 (3) and allows unsolicited e-mails to individual subscribers where:

(i) there has been a sale or negotiation for a sale with the individual (this therefore does not include pure contacts);

(ii) the direct marketing is to be carried out by the same person (i.e. legal entity) who obtained the original details;

(iii) the direct marketing relates to similar products and services; and

(iv) the individual was offered an opt-out when their details were first obtained.

In any event organisations should have been offering opt-outs for many years in order to comply with the provisions of the Data Protection Act 1998 and before that Act, the Data Protection Act 1984. It is, therefore, perhaps the other restrictions that may prove more limiting. Marketing departments will, understandably, wish to create value from their marketing lists by cross-marketing broader ranges of products and services, by marketing group company services and perhaps by host marketing third party products and services. None of these activities will be permitted on the basis of the soft opt-in. If this kind of marketing activity is of substantial significance to an organisation, then it may be forced into the hard opt-in approach, notwithstanding the exception.

The Regulations are significantly narrower on this point than they had been in earlier drafts. Previous wording had attempted to expand the rights of organisations to use the soft opt-in. However, concerns were raised that such drafting could result in an action being brought against the UK government for failing to properly implement the terms of the Directive. Therefore, the wording was tightened up so that it replicates that of the Directive.

Direct Marketing by Telephone (Regulation 21)

Regulation 21 (1) grants all subscribers, individuals and corporates, rights to object to unsolicited calls for direct marketing purposes. This is a change from the earlier Regulations, where rights to opt-out were only granted to individual subscribers.

Fax Marketing (Regulation 20)

Regulation 20 (1) (a) prohibits organisations from sending direct marketing faxes to individual subscribers unless the individual subscriber has opted in. Corporate subscribers are given a right to object to receiving direct marketing faxes (Regulation 21(b)) but their prior consent is not required. These provisions replicate those in the earlier Regulations.

Automated Calling Systems (Regulation 19)

Regulation 19 replicates provisions in the earlier Regulations in having an opt-in requirement for both individuals and corporates before automated calling systems may be used for direct marketing.

Under the previous Regulations there was some uncertainty as to what was meant by an automated calling system. This term has now been defined in the new Regulations in Regulation 19 (4). It is therefore now clear that the provisions relating to automated calling systems do not apply to faxes or SMS (as these do not transmit sounds, which is a requirement under the new definition). Nor would the regulation apply to voice transmissions over the internet as the regulation only applies to calls, which are defined as connections: "established by means of a telephone service available to the public allowing two-way communication in real time".

The Regulation will, however, continue to catch forms of technology which, so far, have been more prevalent in the US, whereby entirely pre-recorded direct marketing calls are made by telephone. These calls have caused a particular problem in the US because the person receiving the call cannot clear the line until the recorded message has ended: the line stays held open for as long as the calling system remains on it. This has led to some difficulties in the US when individuals have been unable to make calls to emergency services.

Preference Services

Regulations 25 and 26 continue the existence of the Telephone and Fax Preference Services. These allow subscribers who object to receiving direct marketing to register. Subsequent transmission of direct marketing material to these people is then a breach of the Regulations.

Whilst both individuals and corporates can register with the Fax Preference Service ("FPS"), the Telephone Preference Service ("TPS") is currently only available to individual subscribers (Regulation 26). However, this is an area that will change. The DTI has publicly committed to amending this so as to extend opt-out rights to corporates. However, before it does this, it needs to re-negotiate the contract with the TPS. This is anticipated to take place in April 2004.

As with the earlier Regulations, registration with the TPS or FPS does not immediately ban direct marketing to that person. Instead, organisations have a 28-day grace period, during which it is permitted to market directly to that person. The net effect of this provision is that organisations that conduct regular direct marketing campaigns need only screen their lists against the TPS and FPS on a monthly basis.

Regulation 20 (in relation to fax marketing) and Regulation 21 (in relation to telephone marketing) clarify that registration with the FPS and TPS does not override any opt-in or opt-out based permissions given to an organisation by a particular marketing prospect. For example, Mrs Smith has registered at home with the Telephone Preference Service. If Mrs Smith takes out insurance and does not tick the direct marketing opt-out box, then the insurance company will be entitled to telephone Mrs Smith at her home for direct marketing purposes notwithstanding that she has registered with the TPS. Mrs Smith is, however, entitled to give a subsequent opt-out to her insurance company under Regulation 21 (5).

Information Requirements (Regulation 24)

Regulation 24 requires specified information to be provided with direct marketing sent over a public electronic communications service. Where an organisation makes a direct marketing call by telephone, then it must provide its name. In addition, if the person called so requests, it must provide details either of its address or a freephone number at which the organisation can be reached free of charge. All of this information must be provided when direct marketing is sent by fax or via an automated calling system.

In the case of direct marketing by e-mail then there is a prohibition on disguising the identity of the sender in Regulation 23 (a). Organisations are also required to include a valid unsubscribe address.

5 Cookies

The Regulations state that organisations are not allowed to use cookies unless the subscriber or user of the relevant terminal equipment is:

(a) provided with clear and comprehensive information about the purposes for which the cookie is used; and

(b) given the opportunity to refuse the cookie (Regulations 6(1) and (2)).

The DTI has deliberately not tried to be prescriptive as to how organisations comply with either of these requirements (see the Implementation of the Directive on Privacy and Electronic Communications, Government’s Response to Consultation, 18 September 2003. Available from www.dti.gov.uk).

There are some exceptions and limitations to the information and rejection provisions.

(i) If an organisation wishes to use cookies whenever an individual visits its site it must provide the visitor with the information and opportunity to reject a cookie only on the initial visit (Regulation 6(3)).

(ii) There is no need either to provide the information or the opportunity to reject a cookie where use of a cookie or similar technology is:

(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or

(b) strictly necessary for the provision of an information society service requested by the subscriber or user.

The exception at paragraph (b) would cover cookies that are required for the provision of website services, for example, where a cookie is required in order to run an online shopping basket (Regulation 6(4)).

6 Enforcement and Compensation

The Regulations are enforced by the Information Commissioner (Regulation 31, which extends the provisions of Part V and Schedules 6 and 9 of the Data Protection Act). The Commissioner has discretion under the Data Protection Act to use or not to use his enforcement powers under the Act. The Commissioner’s attention may be drawn to any particular wrongful act by a request for assessment made to the Commissioner under Regulation 32. A request may be made either by OFCOM or by a person directly affected by any processing of personal data, and may be for an assessment as to whether it is likely or unlikely that any particular processing has been or is being carried out in compliance with the provisions of the Regulations. A Service Provider who has carefully complied with obligations imposed under the Regulations may be a person directly affected by the provision of electronic communication services by a competitor in a way which disregards the Regulations’ provisions, so that requests for assessment may come from organisations as well as from subscribers. A request from a Service Provider may be motivated by commercial disadvantage suffered as a result of non-compliant behaviour by a competitor.

During the consultation process consideration was given to the possibility of strengthening the Commissioner’s enforcement powers. However, this suggested approach was not followed and the Regulations have not altered his enforcement powers.

In addition and without prejudice to the Commissioner’s enforcement powers, any person who suffers damage as a result of a breach of the Regulations is entitled to bring proceedings for compensation against the person who breached the Regulations. It is a defence against such a claim to show that such care had been taken as is reasonable in all the circumstances to comply with the Regulations (Regulation 30).

7 Industry Codes of Practice

The Committee of Advertising Practice (CAP) has introduced a new version of its Code of Conduct which sets out rules relating to unsolicited commercial e-mails. The Code is administered by the Advertising Standards Authority which investigates complaints against companies sending SPAM or UCE without permission from recipients.

The Code requires explicit consent before marketing by e-mail or SMS, except that marketers may market similar products to their existing customers without explicit consent so long as an opportunity to object is given on each occasion.

The Federation of European Direct Marketing Associations (FEDMA) has also adopted a European Code of Practice for the use of personal data in direct marketing. This latter Code has been considered by the Article 29 Data Protection Working Committee established by the European Union pursuant to Directive 95/46/EC. The Committee’s opinion, given in June 2003, approved the FEDMA Code as being in accordance with the Data Protection Directive and national legislation in place.

Contravention of either Code may result in extra-legal sanctions and may be treated by the Information Commissioner as unfair processing in contravention of the first data protection principle under the Data Protection Act 1998 in addition to potentially being a breach of the new Regulations. Both Codes stand distinct from the new Legislation.

8 What Should Direct Marketers Do Now?

Direct marketers should establish practices and policies within their businesses which comply with mandatory terms of the new Directive/Regulations and with the new CAP code.

Direct marketers should also review their current practices and marketing lists on the following points:

(a) avoid infecting existing databases by adding other data of doubtful provenance, for example where there is uncertainty as to the source of the data, the way in which the data were obtained, the purposes for which they were obtained, or any restrictions which may apply to their use; once dirty data have been added to a clean database it may be difficult or impossible to identify and remove them, and the dirty data may accordingly infect the whole database;

(b) establish procedures which comply with the fair processing code under Schedule 1 Part II paras 1 to 3 of the Data Protection Act 1998 and with the CAP code;

(c) analyse existing marketing lists so as to distinguish "individuals" from "corporates" and to identify existing individual customers and contacts;

(d) take appropriate warranties from list renters and others providing data to the effect that the data so provided has been fairly and lawfully obtained and may be fairly and lawfully used for the purposes for which the marketer intends them;

(e) impose contractual obligations and limitations on others to whom lists of customers are disclosed so as to restrict the purposes for which those data may be used by others and the extent to which they may be further disclosed;

(f) identify available and relevant preference lists and clean existing marketing databases regularly against them;

(g) include opt-out opportunities with all documents, including electronic documents, sent to customers and in particular documents which the customer is likely to return (invoices, order forms etc) and carefully exclude from future mailings customers who opt-out; and

(h) take all available opportunities to obtain and record opt-ins from new customers.

[1] Directive 2002/58/EC

[2] Directive 97/66/EC

[3] SI 1999/2093

[4] Directive 95/46/EC