Legislation update
Your guide to the latest
EU legislation on spam, cookies, location data and user
directories.
By David Naylor, partner, Technology Transactions Group at
global technology and finance law firm, Morrison
& Foerster.
The Directive on Privacy and Electronic Communications
2002 introduces new laws across Europe controlling the
use of:
- unsolicited commercial communications (spam)
- cookies and other tracking technology used on websites
- publicly available subscriber directories
- location-based data.
These laws were brought into force in the UK on 11
December 2003, under the Privacy and Electronic Communications
(EC Directive) Regulations 2003. Companies and other
data controllers that ignore these laws may be subject
to regulatory investigation and fines, civil liability
and, in some circumstances, criminal liability. In certain
circumstances, criminal sanctions may be imposed for
breaches of data protection laws not only against a
company that acts as a data controller, but also against
its directors.
The Electronic Commerce (EC Directive) Regulations 2002 include rules as to what information should be included in email footers.
Links to other relevant information are available on the Department
of Trade & Industry’s website.
Below are some of the questions which frequently come
up, along with some outline guidance.
Can we send unsolicited commercial
communications to potential / existing customers?
Generally speaking, you can now only send unsolicited
electronic commercial communications (for example, email
or SMS) to individuals, if the recipient has previously
specifically ‘opted-in’ to receive such
communications. It makes no difference whether the recipient
is an existing or a potential customer. The new regulations
only provide one exception to the requirement for specific
‘opt-in’: you may also send unsolicited
electronic commercial communications if:
- you have obtained the contact details of the recipient
in the course of the sale or negotiations for the
sale of a product or service to the recipient;
- the direct marketing is in respect of your similar
products and services only; and
- the recipient is given a simple means of refusing
(free of charge) the use of his / her contact details
for the purposes of such direct marketing, both at
the time of the initial collection of his details,
and, where he / she did not initially refuse the use
of the details, at the time of each subsequent communication.
As a result of the new laws, you should now be reviewing
your direct marketing activities and determining whether
you need to revise your operations to bring them into
line with the new regime. As a starting point, you should
be considering the question of whether your customer
databases include customer contact details gathered
only in the course of a sale or negotiations for a sale
of a product or service. If not, such contact details
may not be usable (without consent) for unsolicited
marketing purposes.
If we send unsolicited commercial
communications, do we need to provide a mechanism for
recipients to unsubscribe?
Yes, you do. The Regulations provide that you cannot
transmit, nor instigate the transmission of any marketing
by electronic mail to any subscriber where the identity
of the sender has been disguised or concealed, or a
valid address to which the recipient can send an opt-out
request has not been provided.
Can we use cookies?
In summary, cookies or similar devices may not be used
unless the subscriber or user:
- is provided with clear and comprehensive information
about the purposes of the storage of, or access to,
that information; and
- is given the opportunity to refuse the storage of,
or access to, that information.
You should note that the regulations apply to all cookies
and tracking devices, whether or not they are used to
store personally identifiable data.
We’re collecting personal
data through a ‘recommend a friend’ promotion.
Do the new laws permit this?
The new Regulations have very much tightened up the
law in this area, and it will generally be much less
easy to run these types of promotions and comply with
the law. As a rule of thumb, it may be possible to run
a non-incentivised program, as long as you have a legitimate
belief that the third party would have consented to
receiving the communication, you do not disguise your
identity, and you provide an opt-out mechanism. It may
also be possible to construct incentivised schemes which
are compliant with the Regulations, but you should seek
legal advice. This is an area on which the Information
Commissioner has not yet published any guidance.
We want to run an international
emarketing campaign. Which jurisdiction’s rules
do we need to comply with?
Unfortunately, the law in this area is complex. Your
ability to use personal data will generally be governed
by the laws of the jurisdiction in which you are based.
In addition, you may be subject to the laws and regulations
in the country of the recipient.
In addition, as the UK’s Information Commissioner
notes, you should bear in mind that when implementing
the EU Directive, each EU member state was given the
option to decide whether the rights given to individual
subscribers should extend to corporate subscribers.
Some jurisdictions have chosen to do so to a greater
extent than the UK has done. You may create a negative
impression about your business if you don’t respect
the laws of the country to which you are sending your
messages.
In addition, you should be aware that the contents
of any communication may be subject to the laws of the
countries in which the recipients are based. For example,
countries may prohibit certain forms of marketing to
children or prohibit or regulate the sale or marketing
of certain goods or services generally — for instance,
gambling services, financial services, and the sale
of alcohol, prescription medicines and tobacco are all
regulated in this country. If you wish to avoid legal
exposure, you should take legal advice.