EC Directive on Privacy and Electronic Communications 2002

The EC Directive on Privacy and Electronic Communications 2002 was brought into force in the UK on 11 December 2003 under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the Regulations”).

The Regulations set out requirements for EU Member States to introduce new laws regulating the use of:

• unsolicited commercial communications, which includes spam
• cookies
• location and traffic data, and
• publicly available directories.

Those affected by the Regulations are:

• providers of public communications networks and services
• businesses operating their own web sites
• pure e-commerce companies.

Breach of the Regulations can result in regulatory investigations, fines, civil damages actions and criminal liability. Criminal sanctions may be imposed on company directors, as well as the company.

The Areas of concern for companies and entities active in the UK market are:

1. Unsolicited Communications & the Opting In

The sending of unsolicited electronic commercial communications, such as email, SMS or MMS communications is prohibited under the Regulations if the recipient has not previously specifically “opted in” to receive such communications. Consent may be obtained by, for example, the ticking a box, clicking an icon during a registration process or by way of a specific email request for information.

However, if there is a pre-existing customer relationship, the “opt in” requirement may be disregarded, provided that three criteria are filled:

• The sender has obtained contact details of the recipient in the course of sale or negotiations for the sale of a product or service to the individual.
• The communication is made regarding the sender’s similar products and services only.
• The recipient has access to a simple means of declining the use of their contact details for the purposes of sending such communications, both at the time of the initial collection of the details, and at the time of each subsequent communication.

2. Opting Out

Individuals have a perpetual right to “opt out” of receiving further communications at any time. Senders of unsolicited commercial communications are under an obligation not to disguise their identity and to provide a valid contact address for the recipient to contact the sender. The process provided to do so must not be complicated.

3. Corporate Subscribers

The Regulations aim to protect individuals from direct marketing and also seeks to a lesser extent corporate subscribers. Sole traders and non-limited liability partnerships fall within the definition of corporate subscribers. It is unclear whether the Regulations apply to individuals at corporate entities; it may be difficult to know whether an email address is that of an individual or a corporate subscriber.

4. Cookies

The Regulations introduces controls on the use of cookies or similar devices on web sites and individuals must be:

• provided with clear information about the purposes of the specific information being collected; and
• is given the opportunity to refuse the storage of, to access to, that information.

A guide for business can be found on http://www.allaboutcookies.org/, and includes: a compliance statement template, a compliance checklist and a template to help web sites develop their statement on cookie policy.

5. Faxes

There is a distinction between faxes to businesses and those to private members of the public. The Regulations give private individuals the right to opt in, and businesses the right to opt out. Contact details should be attached to each fax sent out. Unsolicited faxes may not be sent to those registered with OFCOM.

6. Telephone calls

Private individuals and businesses are both given the option of opting-out. Caller details must be supplied each time a call is made; the name of the caller must be given and if the individual requests, the address of the caller of a free-phone telephone number. As with faxes, those registered with OFCOM cannot be contacted.

7. Automated calls and Dialling Machines

The Regulations provide that the only permitted use of such systems is when the person called has previously notified the caller for consent to being called. The individual must be given the option of opting-out of such communications.

Considerations for Business: Direct Marketing

Businesses which participate in direct marketing must take into account:

• What activities they are undertaking and how information is obtained from customers
• The content of their privacy or data protection notices
• What information is obtained from and given to customers and potential customers via online registration forms, or arising from telephone or fax contact. Furthermore, they must consider whether the information has been fairly obtained, in accordance with the Data Protection Act 1998. The provisions relating to the protection of personal data in the Data Protection Act have not been replaced by these Regulations, so direct marketing activities should be considered in light of both the Act and the Regulations.
• Whether the company are properly registered under the Data Protection Act 1998.
• Whether the individuals contact details have been obtained from list renters. This is primarily a concern for unsolicited emails, and businesses must check that the individuals opted in to contact thorough such means, to prevent any unlawfulness.
• Checks should be made with the Mailing Preference Service, Telephone Preference Service, or Fax Preference Service, in order to establish whether the customer has registered with any of these services.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 are one of the sets regulations introduced to accommodate the expansion of the so called "Information Society". These Regulations are fundamental to conducting business in the online environment and with the use of telecommunications networks.