The New Privacy and E-Commerce Regulations

November 1, 2003

On 11 December 2003 the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) will come into force. They will implement European Directive 2002/58/EC on the processing of personal data and the protection of privacy (the Directive), and follow an extensive consultation exercise by the DTI. As well as dealing with marketing by e-mail and with cookies, the draft regulations expand previous regulations applicable only to telecoms, and adapt many of the provisions to reflect the growing use of new technology. However, I deal only with spam and cookies here.

Unsolicited commercial emails (aka Spam)

The E-commerce Directive (implemented in the UK as the Electronic Commerce (EC Directive) Regulations 2002) also dealt with spam (by providing in Regulation 8 that an “unsolicited commercial communication ... is clearly and unambiguously identified as such”) and, hot on its heels, spam is being tackled again. There is no denying that genuine spam is a growing problem. It is estimated by the DTI that spam accounts for as much as 40% of global e-mail traffic. They also recognise that unsolicited SMS (text) messages sent to mobile phones are a potential and growing problem as businesses begin to use them for marketing purposes.

The Regulations (as required by the Directive) attempt to address this issue by introducing an ‘opt in’ requirement for “individual subscribers”.

Opt-in

Regulation 22(2) provides that (with an exception for existing customers, dealt with below) “a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.” The definition of “electronic mail” expressly covers SMS.

The requirement that the recipient has “previously notified” the sender of their consent is taken to mean that passive consent (ie not complaining by means of, say, a tick in a box to a notice which states that e-mails will be sent) is not enough. Rather, a positive tick in a box (or some equivalent device) needs to be given to indicate that the individual agrees to allow the marketer to send them direct marketing communications electronically.

Existing customer relationship exception

Regulation 22(3) provides an important exception to the basic opt-in rule. Limited direct marketing by e-mail is permissible without an express opt-in, subject to compliance with three requirements. First the marketer must have obtained the electronic mail address in the course of the “sale or negotiations for the sale of a product or service to that recipient”. It should be noted that this applies only to the person who obtained the e-mail address and sold the product.

There was much lobbying on this issue during the DTI consultation. The requirement for a sale or negotiation with an individual would appear to exclude marketing to individuals who voluntarily provided details during, say, a Web site registration process. Ultimately, however, the DTI was constrained by the wording in the Directive (although it has, perhaps justifiably, widened the Directive’s terms “in the context of a sale” (Article 13(2)) and “existing customer relationships” (Recital 41) to encompass also negotiations for a sale).

More positively, the DTI is taking the view that the Information Commissioner, who has responsibility for enforcing the legislation, will take a reasonable and pragmatic approach in doing so.

Secondly, the direct marketing which is permitted is only in respect of the marketer’s “similar products and services”. This formulation lends itself to fine distinctions but is very similar to the position under existing data protection law. Under this, it was always arguable that there was an implied consent to the marketing of similar products to existing customers without a specific notice having to be given to that effect (which was consistent with the Information Commissioner’s guidance on direct marketing, albeit that was issued under the Data Protection Act 1984). For example, buying groceries from an online retailer allows the retailer to send e-mail marketing materials in respect of other groceries, but not in respect of financial services.

The last requirement of this exception is that the recipient must be given a simple means of refusing the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. Notwithstanding that this also needs to be done “at the time the details were initially collected”, this is to be distinguished from the opt-out required generally. Here a tick box is likely to be sufficient. Indeed, as there is a requirement that the means should be free of cost other than “the costs of the transmission of the refusal”, an instruction at the bottom of subsequent marketing communications to send an e-mail refusing further use of the details (to “unsubscribe”) should be sufficient.

Legacy Mailing Lists

Another issue under the new Regulations is that legacy mailing lists (of e-mail address only), put together before these rules had effect, may become legally unusable. If a person appears on that mailing list other than because that person bought or negotiated for the sale of goods or services (eg because they registered on the Web site subscribing for a newsletter or they simply feature on a bought-in list) and that person has not given a proper “opt-in” (even if they rejected an “opt-out” at the time of data submission) then unsolicited commercial communications should not be sent to those persons. The DTI recognised this difficulty but felt constrained by the words of the Directive. Again, the DTI is hoping that a pragmatic approach for enforcement will be taken by the Information Commissioner. Indeed, the Information Commissioner, who will enforce the Regulations, has said that discretion will be exercised here. Provided that data was collected in accordance with the Data Protection Act 1998 and had in fact been used prior to these Regulations then no action is likely to be taken. The Information Commissioner will also want to see swift compliance with the requirement to include a “simple means of refusing” further e-mails on each such communication.

Individual subscribers

Regulation 22(1) provides however that the relevant rules apply only to “individual subscribers”, but this expression presents a problem. A subscriber is defined as a person who is a party to a contract with a provider of “public electronic communications services” for the supply of such services.

In respect of any use of e-mail there are a number of services which are relevant. First, there is the contract with a Web service providing the e-mail address (for example, Hotmail or AOL). Secondly, there is a contract with the ISP which provides Internet access (not necessarily, but often the same contract) (for example, Freeserve). Lastly, unless this second provider also supplies a link (broadband, say) the user will need a BT (or other) telephone line for a modem dial-up. “Public electronic communications services” is defined sufficiently widely (with reference to the Communications Act 2003) to encompass all these services. Regulation 22(1) does not say to which of the two (or three) services an individual (as opposed to a corporate entity) must be subscribed for the rules to apply.

It has been suggested that the concept of “individual subscriber” is to distinguish between work and personal e-mail addresses: in my case, between renzo.marchini@dechert.com and renzomarchini@hotmail.com. If this is the intention then it is only the first of the services just mentioned (that for the e-mail address itself) which is relevant. E-mails sent to “work” addresses (provided by a corporate employer) will always be outside reg 22 even if the recipient is a homeworker, accesses e-mail (at their work server) from their own PCs, does so over their own BT line and uses that e-mail address for private use. On the other hand, if a Hotmail address is only accessed from work, it would nonetheless always be within reg 22.

Clearly, it will be impossible for e-mail marketers to make any determination as to where a recipient is when accessing e-mail (home or work), or indeed to determine whether an e-mail address is personal or not. (Is thomas@smith.co.uk a private email address of a Mr Thomas Smith – individual subscriber – or the work address of Mr Thomas at Smith Limited?) The reality therefore is that all e-mail addresses featuring names will probably need to be treated in the same way.

On the other hand, “individual subscriber” may in fact be wider in this context than the distinction between home and work address. Perhaps the distinction to be made is between an individual’s e-mail address and one generally sent to a corporate address; for example, between Thomas@business.co.uk and marketing@business.co.uk. However, as a business could be a sole trader or partnership (which falls within the definition of “individual”), that isn’t safe either!

The Directive sheds a little light on this but is not conclusive. Article 13(1) gives “subscribers” the right to opt-out, with no distinction between individuals and corporates. However, Article 13(2) (the exception to opt-in for existing customers) avoids the term “subscriber” and refers instead to “electronic contact details for electronic mail” obtained in accordance with the data protection Directive. This suggests that that exception (and perhaps all the rules) applies to any personal data (which would include an individual’s work address).

Cookies

The Regulations also address worries that have arisen from the surreptitious use of cookies.

Regulation 6 (tracking the Directive) attempts to address this by imposing a transparency requirement on Web servers that use cookies and other Internet tracking devices. The use of cookies and similar devices is now prohibited unless subscribers and users are clearly told that they are being used and are given the chance to refuse their use.

The Regulations do not set out when, where or how this information and switch off opportunity should be communicated to the user, but the DTI is currently envisaging a clearly signposted “cookie statement”, perhaps as part of a privacy policy, being adequate.

As for the means for a user to refuse cookies, the DTI envisages two broad options: service providers could provide their own switch-off options, or could inform users how to use facilities commonly available in standard Internet “browsers” (such as Explorer), but in the draft regulations none is specified.

A limited exception to these rules will arise if the cookie is used only to facilitate the transmission of a Web site, or other online content, or is a “strictly necessary” part of an online service (for example, to enable the processing of a financial transaction). In those circumstances, acceptance of the cookie can be made a condition of access without adherence to these rules.

Enforcement

Enforcement has two main aspects. Regulation 30 provides for a civil action for damages against any person who contravenes any of the requirements in the Regulations (and not just the Regulations on spam and cookies). It will be a defence for the defendant to show that such care had been taken in all the circumstances as was reasonably required to comply with the relevant requirement.

Given the inevitable difficulty of proving damages for the contravention of regs 22 and 6, the most important enforcement regime, for the time being, will be under the Data Protection Act 1998. Regulation 31 extends the enforcement provisions of the Data Protection Act 1998 to contravention of these Regulations, but with some amendments tailored to the specific circumstances of the Regulations.

To summarise the main points: the Information Commissioner can serve an “enforcement notice” when he considers there to be a contravention of the Regulations. Ignoring an enforcement notice will be a criminal offence with a possible maximum penalty of a fine on summary conviction not exceeding £5,000 and, on indictment, an unlimited fine. However, on being served with an enforcement notice, there is a right of appeal (to the Information Tribunal). To support that function, the Information Commissioner can also serve “information notices” requesting information from a person believed to be in contravention. Again, ignoring the information notice, or knowingly or recklessly giving false information, will be an offence.

Conclusion

UK businesses should already be starting to change their practices. Data gathering screens on websites which collect e-mail addresses for direct marketing purposes should be adopting an “opt-in” mechanism. Decisions need to be made as to whether or not to clean up legacy lists. Direct marketing e-mails, especially those addressed to recipients on legacy lists or to existing customers, need to contain simple opt-out mechanisms. Cookie statements need to be included. All of this will cause effort and cost to UK businesses.

In a number of areas there is uncertainty. In reality, there was little that the DTI could have done about the uncertainties given the constraints of the Directive. Formal guidance is promised soon; but that will not of course be legally binding. Also to be welcomed is the likely pragmatic approach of the Information Commissioner, who is to produce what should be helpful guidance soon (expected this autumn). However, it is not ideal that businesses, as often happens in this area, are having to breach legal requirements to carry out legitimate business practices (such as will have to happen with legacy lists, at least) on the basis of non-binding assurances of a benign enforcement policy.

As frequently noted, however, much spam originates from outside of Europe, and that of course is not even touched upon by the Directive and Regulations.

Renzo Marchini is a solicitor in the London office of Dechert, the international law firm, specialising in IT and e-commerce law. He can be contacted at +44 (0)20 7775 7563 (Renzo.Marchini@dechert.com).