Online Marketing UK - The Privacy and Electronic Communications (EC Directive) Regulations, 2003

The Regulations, Statutory Instrument 2003 No. 2426, were laid before Parliament on 18 September 2003. The final text of the Regulations is available on the HMSO Website. The Regulations have a coming into force date of 11 December 2003.

These notes are taken directly from the Guidance to The Privacy and Electronic Communications (EC Directive) Regulations, 2003

LiaiseOnline Limited have extracted a number of the points and FAQs which we feel are particularily significant... You can access the full document at www.dti.gov.uk/industry_files/pdf/ico_guidance_dpec_part1.pdf

For a Summary of Changes to the EC Privacy and Electronic Communications Regulations, click here...

The new Directive:

replaces existing definitions for telecommunications services and networks with new definitions for electronic communications and services to ensure technological neutrality and clarify the position of e-mail and use of the internet;

enables the provision of value added services based on location and traffic data, subject to the consent of subscribers (for example, location based advertising to mobile phone users);

removes the possibility for a subscriber to be charged for exercising the right not to appear in public directories;

introduces new information and consent requirements on entries in publicly available directories, including a requirement that subscribers are informed of all the usage possibilities of publicly available directories - e.g. a reverse searching from a telephone number in order to obtain a name and address;

extends controls on unsolicited direct marketing to all forms of electronic communications including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones; UCE and SMS will be subject to a prior consent requirement, so the receiver is required to agree to it in advance, except in the context of an existing customer relationship, where companies may continue to email or SMS to market their own similar products on an 'opt-out' basis;

specifies that Member States may introduce provisions on the retention of traffic and location data for law enforcement purposes;

introduces controls on the use of cookies on websites. Cookies and similar tracking devices will be subject to a new transparency requirement - anyone that employs these kinds of devices must provide information on them and allow subscribers or users to refuse to accept them if they wish.

This is what the law requires:

1. You cannot transmit, nor instigate the transmission of, unsolicited marketing material by electronic mail to an individual subscriber unless the recipient of the electronic mail has previously notified you, the sender, that he consents, for the time being, to receiving such communications. There is an exception to this rule which has been widely referred to as the "soft opt-in" (Regulation 22(2) refers).

2. A subscriber shall not permit their line to be used to contravene Regulation 22(2). (Regulation 22(4) refers)

3. You cannot transmit, nor instigate the transmission of any marketing by electronic mail (whether solicited or unsolicited) to any subscriber (whether corporate or individual) where a. the identity of the sender has been disguised or concealed; or b. a valid address to which the recipient can send an opt-out request has not been provided. (Regulation 23 refers)

What is the difference between a "solicited marketing message" and an "unsolicited marketing message that you consent to receiving"?
Put simply, a "solicited message" is one that you have actively invited. We accept that this invitation can be given via a third party (see below Third Party Electronic Mailing Lists). An "unsolicited marketing message that you have opted into receiving" is one that you have not invited but you have indicated that you do not, for the time being, object to receiving it. If challenged, marketers would need to demonstrate that you have positively opted into receiving further information from them.

What is "soft opt-in" (Regulation 22(3))?
This is what the law goes on to state: You may send or instigate the sending of electronic mail for marketing purposes to an individual subscriber where

1. you have obtained the contact details of the recipient in the course of a sale or negotiations for the sale of a product or service to that recipient;

2. the direct marketing material you are sending is in respect of your similar products and services only; and

3. the recipient has been given a simple means of refusing (free of charge except for the cost of transmission) the use of his contact details for marketing purposes at the time those details were initially collected and, where he did not refuse the use of those details, at the time of each subsequent communication.

We did a marketing exercise by sending unsolicited text/picture/video messages before these Regulations came into force and only received a few opt-outs. Does this mean that we have consent to contact those other members because the subscribers didn't opt-out first time round?
No, it does not mean you have consent to send further messages in this way. Provided you obtained the details in accordance with existing privacy law and used them recently, you can use them again. However, you must provide an opportunity for an opt-out with each subsequent message that is free of charge to exercise, except for the cost of transmission.

(See below Mailing Lists Compiled before 11 December 2003). For the avoidance of doubt, the use of premium or national rate lines for opt-out requests will not satisfy this requirement.

We will collect email address/mobile phone numbers as part of a competition, could this be considered as being "in the course of negotiations for the sale of a product and service"?
A great deal will depend on the context and on what you tell the person when you collect their details. Arguably, where a competition is part of an inducement to raise interest in a product or service, this constitutes part of the negotiations for a sale. However, where you are unclear about what you will do with a person's email address or mobile phone number when you collect those details or where this information is not readily accessible, you are less likely to be able to rely on the "soft opt-in". If you have collected a person's name with their email address and/or mobile phone number and you have not been clear about what you are going to do with that information, you may also be in breach of the First Data Principle. (See our leaflet "Be Open" which is available from our office or by clicking on www.dataprotection.gov.uk/dpr/dpdoc1.nsf and accessing our "Information Padlock/Signpost" page).

Mailing Lists Compiled before 11 December 2003 can we still use our own electronic mail mailing list that we compiled before 11 December 2003?
We recognise that this new legislation imposes upon marketers a higher standard for data collection than they were obliged to follow before 11 December 2003. For the time being, we take the view that where your own mailing lists were compiled in accordance with privacy legislation in force before 11 December 2003 and have been used recently, you can continue to use them unless the intended recipient has already opted out. You are reminded that it is our view that privacy legislation in force before 11 December 2003 did not permit the sending of unsolicited text/picture/video messages without prior consent.

When using our existing lists after 11 December 2003, do we need to provide and opt-out opportunity or do we just have to provide a valid address for opt outs?
If your existing lists were compiled on a clear prior consent basis, you only need provide a valid address with every message. In either case, you must always ensure that you do not conceal your identity.

However, if your existing lists were compiled in accordance with privacy legislation in force before 11 December but were not compiled on a clear prior consent basis, you must provide an opt-out opportunity with every message. This accords with the requirements of the "soft opt-in" criteria.

As best practice, companies may wish to provide an opportunity to opt-out in every message, even if they are not obliged to. This may alleviate any practical difficulties that may arise in using lists compiled both before and after 11 December 2003 for the same mailing exercise.
While we are prepared to take a pragmatic view on pre-existing lists for the time being, we will expect marketers to ensure that any opt-out requests received either before or after 11 December 2003 are acted upon promptly. Responding promptly to an opt-out request is not a new requirement and organisations should already have efficient systems in place to deal with such requests.
For the avoidance of doubt, contact details should be "suppressed" rather than deleted when an opt-out requests is received. This should ensure that a person's opt-out request is recorded, retained and respected until such time as that person provides consent which over-rides their previous opt-out request. It is our view that over-riding consent would only be valid where it is provided to the sender directly from the person concerned.

Must any consent or invitation to market by electronic mail always be provided directly to the sender? If so, does this mean that we can never use bought-in/rented lists after December 11 2003?
We are prepared to exercise some latitude in the use of mailing lists that were compiled before 11 December 2003 in acc with existing privacy legislation. However it is difficult to see how third party lists can be compiled and used legitimately after 11 December 2003 on any other basis than one where the individual subscriber expressly invites, i.e., solicits marketing by electronic mail.

How do the Regulations apply to business to business marketing by electronic mail?
Your obligations are as follows:

1. You must not conceal your identity when you send, or instigate the sending of a marketing message by electronic mail to anyone (including corporate subscribers) and

2. You must provide a valid address to which the recipient (including corporate subscribers) can send an opt-out request (Regulation_23 refers) Only individual_subscribers have an enforceable right of opt-out under these Regulations. This is where that individual withdraws the consent that they previously gave to receiving marketing by electronic mail (that consent only being valid "for_the_time_being " (Regulation 22(2) refers)). This right is not extended to corporate_subscribers. Although recipients who are corporate subscribers do not have an enforceable opt-out right under the Regulations, where the sending of marketing material to the employee of a company includes the processing of personal data (i.e. the marketer knows the name of the person they are contacting), that individual has a fundamental and enforceable right under DPA Section 11 to request that a company cease sending them marketing material (See www.dataprotection.gov.uk/dpr/dpdoc.nsf, Data Protection Act 1998: LegalGuidance, paragraph 4.3).

In our view, it makes no business sense to continue to send marketing material to a business contact who no longer wishes to hear from you. Arguably, by failing to respect a business to business opt-out request you may give the impression that you are unconcerned about your commercial reputation. You should note that persistent failure to comply with a Section 11 request, whether or not it relates to a business to business communication, may result in our taking enforcement action against you.