By Ruth Boardman


On 25th June 2002, the Council of the European Union formally adopted the Electronic Communications Privacy Directive[1] (“Directive”). The Directive updates and extends the scope of the Telecommunications Privacy Directive[2], introduces restrictions on the use of cookies and direct marketing by e-mail and SMS, and introduces new standards of privacy for communication by e-mail, SMS messaging and other electronic formats (“electronic communication”).

Direct marketing by e-mail

The Directive makes it unlawful to send unsolicited e-mails and SMS messages for direct marketing purposes (so-called “spam”) without the recipient’s prior consent (“opt-in”). This covers not just sales messages from unknown third parties, but also broader promotional messages from organisations to known contacts/customers. This will put direct marketing by e-mail on the same footing as direct marketing by fax or automated calling machines. It will also harmonise the current discrepancy in regulation between Member States of the European Union, some of whom already require direct marketeers to obtain an “opt-in” for these communications and others (notably the UK) who regard an “opt-out” approach as sufficient.

This is likely to be the most significant aspect of the Directive for companies – especially those who rely on direct marketing as a key means by which to develop their customer base and sell new service offerings. To comply with the new regulation, such companies may need to make fundamental changes to the way in which they use electronic messaging as a marketing tool. This will be particularly difficult if that marketing is reliant on addresses gathered by, or mailings hosted by, third parties, as obtaining an “opt-in” consent in that situation is likely to be much more difficult than where there is a direct relationship with the recipient of the message.

The Directive does permit some use of direct marketing by e-mail / SMS messaging without an opt-in, provided that the sender:

  • limits the marketing to its own actual customer base (not contacts);
  • limits the marketing to its own range of products and services (not unconnected products or services and not those of group companies);
  • has obtained the relevant e-mail address / SMS number direct from the recipient;
  • has explained that messages may be sent to the address / number for direct marketing purposes; and
  • has provided (both at the time of collecting the address / number and on an ongoing basis) a simple means by which the recipient can “opt-out” from receiving further messages.

Direct marketeers will also need to pay heed to specific provisions in the Directive that make it unlawful to disguise or conceal the identity of the sender of a direct marketing e-mail. Any e-mail must include the sender’s name and return address. It must also include details of how the recipient may opt out of further e-mail communications.

Other forms of unsolicited electronic communication are not subject to the same degree of regulation as e-mail / SMS. Member States will be entitled to retain their preferred approach to regulation in relation to direct marketing by such means.

Use of cookies

“Cookies” are pieces of software that download from the internet onto a computer terminal. Once resident, the cookie can access and store information about the way in which the computer is used (e.g. keeping a log of websites visited). The cookie then passes this information, over the internet, to a central database. The user will often be unaware of the cookie’s existence or the way in which it is operating.

The Directive includes a provision making it unlawful to use the internet as a means of obtaining information in this way. In particular, the user must be told, in advance, about the existence of any cookie and the purposes for which it will gather any information, and have the opportunity to reject the cookie.

There remain both technical and legal concerns about the way in which this provision will be implemented. The Direct Marketing Association have been vocal in pointing out the adverse effect the regulations will have on e-commerce, disabling many of the user-friendly features which make websites a welcoming place to do business. Lawyers too have their reservations, not least because most cookies, like e-mail spam, derive from countries located outside the EU; it is hard to see how the Directive will be enforced in such countries.

In this regard the Directive is likely to achieve more in setting a standard of privacy within Europe than in putting in place the safeguards that will ensure that privacy is upheld. In truth, that is more likely to be achieved through the development of privacy enhancing tools in common software applications - an approach that the European Commission both acknowledge and support.

Electronic communications services

Providers of voice telephony services are currently required to comply with certain privacy standards under the Telecommunications Privacy Directive. These include obligations to keep transmission data secure and confidential and to erase data relating to the transmission ("traffic data") after it has taken place.

The Directive extends these requirements to providers of all types of electronic communication service over a public network (including providers of e-mail, SMS messaging and data packet transmission services) (“service provider”). As a result, an ISP will be under a legal duty to keep e-mail transmissions secure and not to store or intercept those transmissions unless expressly authorised by the relevant subscriber or as permitted by law.

The Directive also creates obligations (applicable to all types of service provider):

  • to inform subscribers about the circumstances in which traffic data will be retained;
  • to inform subscribers about the existence of any specific security risks relevant to the service (e.g. susceptibility to attack by hacking or a virus); and
  • to collect, use, store or process information that may be used to locate the geographical position of an individual user (“location data”) only with their prior informed consent to provide a specific service to them (e.g. a mapping service). Where location data are collected, the service provider must provide a simple means by which the user can disengage that function.

In light of these provisions all service providers and, in particular, non-voice telephony providers, will need to reassess their privacy compliance programs and, if relevant, change the way in which they are handling electronic communications and associated traffic and / or location data.


Member States are required to implement the Directive into national law within fifteen months of the date on which the Directive is formally published. Although publication has yet to take place, it is expected in early autumn 2002. Assuming this timetable is followed, the provisions of the Directive can be anticipated to take effect at the end of 2003 or early in 2004.

Written by Ruth Boardman and Andrew Dyson. Also published in the October 2002 issue of MIS UK.


[1] Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector 2002/[ ]/EC
[2] Directive concerning the processing of personal data and the protection of privacy in the telecommunications sector 97/66/EC