The Department of Trade and Industry on 27 March published its consultation paper and draft Regulations concerning the EU's Directive 2002/58/EC on Privacy and Electronic Communications (the "Directive") under the press release "Red Light for Spam".
The Directive will replace the existing Telecommunications (Data Protection and Privacy) Regulations 1999 and is planned to be implemented by 31 October 2003. Businesses have until 19 June 2003 to submit their views to the DTI.
Please view our analysis below.
What do the new rules mean for e-mail and SMS/MMS marketing campaigns?
The Regulations introduce new controls on unsolicited email and SMS/MMS marketing which will mean that, except in limited circumstances (where businesses have a pre-existing relationship with recipients) marketing communications may only be sent with the prior consent of the individual concerned.
The practice of disguising or concealing the identity of the sender of unsolicited communications, or failing to provide an address to request that such communications cease, will also be prohibited.
A key problem remains unresolved regarding the prevention of non-EU originated spam, and certain loopholes present themselves in the drafting of the Regulations as regards matters of jurisdiction and, in particular, which party should and can be held to account in relation to spamming.
Businesses using electronic marketing methods will wish to:
- consider pushing for as broad a definition in the Regulations as possible of the concepts of "customer relationship" and "similar products" to provide flexibility for future cross-selling campaigns;
- consider carefully the consultation's proposals for sanctions (see below) to ensure a sensible balance between tough deterrents against persistent offenders and protecting the legitimate interests of reputable marketers;
- use the time before planned implementation of the Regulations (31 October 2003) as effectively as possible:
  - to review and redraft privacy policies and online collection notices;
  - to audit existing customer databases with a view to purging certain customer data or limiting its future use; and
  - to plan ahead to ensure compliance of future product and marketing strategies.
How will marketing by telesales, voicemail, fax, and automated calling systems be affected?
The Directive gives the UK a choice as to whether to regulate direct marketing using the telephone by way of the Telephone Preference Service (as it is currently regulated under the Telecommunications (Data Protection and Privacy) Regulations 1999) or whether to give individual subscribers stronger statutory protection, in the form of an opt-in consent requirement.
The position with regard to marketing by fax and automated calling system remains unchanged. This means that: fax may only be used to send messages to an individual or company where they are not registered with the Fax Preference Service or have exercised a right to opt out of receiving fax marketing; automated calling systems may only be used with their prior consent.
The definition of automated calling system has been clarified, however, and the consultation states that the use of power dialling will now be dealt with under the new proposals in the Communications Bill to be regulated by Ofcom.
Businesses wishing to preserve the status quo will wish to respond to the consultation to:
- resist the body of opinion (supported by Oftel) that supports stronger statutory rights for individual subscribers.
Will the new rules prevent marketing calls and e-mails to individuals in the workplace?
The draft Regulations propose to give corporate subscribers the right to register on the Telephone Preference Service, and to opt out on a case by case basis from receiving telesales calls. This would bring calls in line with corporate subscribers' existing rights in relation to fax marketing under the 1999 Regulations.
The approach in the draft Regulation is very much the middle ground and the consultation recognises that there are, broadly, two alternative options open for discussion:
- A more radical solution to grant corporate subscribers the same rights as individuals (including prohibiting fax, email and SMS/MMS marketing without prior consent). If implemented in its entirety such a regime would have the effect of barring businesses from making unsolicited contact with individuals at other businesses by telephone, and prior consent would be needed to contact them by fax, email or SMS/MMS. A restriction on business-to-business marketing in this way would have a substantial impact on the cost for any business (irrespective of sector) which currently uses such marketing methods.
- To leave the rights of corporate subscribers as they currently are.
Businesses will therefore wish to review and respond to this proposal with particular consideration to:
- lobbying to enable a continuing right to cold-call companies without specific consent;
- the potential for loss of a significant resource and means of generating business;
- the co-ordination (or lack of it) in the approach of other Member States to the issue of spam sent to employees, and the particular impact this could have on multinational companies;
and (on the other hand)
- the internal impact in terms of reduced efficiency of employees receiving increasing volumes of unsolicited marketing materials at work.
(a) provided with clear and comprehensive information about the purposes of storage and access to such information; and
(b) given the opportunity to review such storage or access.
The draft Regulations provide that these requirements need be met only in respect of the first use by a marketer of such devices, thus adopting the position in the recitals in the Directive.
The draft Regulations stop short of prescribing the practical means by which website operators and other users of cookies may meet their requirements. The consultation paper ventures the opinion that information about cookies could be provided in "clearly sign-posted privacy or cookie statements on the service provider's website".
Website operators should now also begin to consider the circumstances in which they may refuse cookie-free access to their services, under the proposed Regulation 5(4)(b), which imposes a test of "strict necessity".
Consultees will wish to consider the merits of lobbying the Information Commissioner at the earliest opportunity for more specific guidance on how to meet these information and refusal requirements, or whether to focus their efforts on the nature of the sanctions that would apply (see below) and adopt a wait and see approach to best practice in meeting these requirements.
Other key areas where businesses may wish to respond to the consultation are as follows:
- whether the Regulations should apply to all cookies or only those which involve the processing of personal data; and
- whether a user should have the right to override a subscriber's consent to a cookie.
How will mobile location-based services be affected?
Mobile operators and providers of value-added services (such as in-car telematics and entertainment listings) will be subject to new rules on the use of traffic and location data of subscribers and users. The legislation distinguishes between:
(a) traffic data, i.e. data processed for the purpose of conveying or billing a communication, including information on the routing, time and duration of a communication; and
(b) location data which indicates the user's geographic position.
Broadly speaking, mobile phone users and subscribers will need to be given clear information about the type of data processed, the purposes and duration for which it is used, and will need to give prior consent to such use.
In addition, users and subscribers must be given the opportunity to withdraw consent free of charge at any time and, in the case of location data, must be able to temporarily disable use of location data at any time. There are restrictions on the purposes for which such data may be used, and the parties to whom it may be disclosed by the service provider, i.e. businesses may not "list sell" location data.
The new rules will clear up certain ambiguities in the existing 1999 Regulations but will have important practical compliance ramifications. Providers of mobile location-based services will need to:
- review their procedures for obtaining users' and subscribers' consent to the use of mobile data and their policies on erasure/anonymising such data;
- review the terms on which they share such information with others in the value chain; and
- consider responding to the DTI regarding the practical means by which consent can be obtained via a mobile phone.
What rules specifically apply for network and service providers?
In addition to the rules on the use of traffic and location data set out above, there are a number of other provisions which are only of relevance to network and service providers (and in some circumstances equipment manufacturers). These concern service providers' obligations with regard to:
- calling line identification ("CLI") services;
- itemised billing;
- call tracing and forwarding;
- erasing and anonymising of communications data once it is no longer required for network management or billing purposes; and
- network security.
To a large extent the draft Regulations simply copy across the requirements of the Directive. However, one particular issue on which the DTI is seeking views is the extent to which a service provider should be obliged to provide subscribers with a fuller range of network blocking services (the approach favoured by the Information Commissioner and Oftel) as opposed to leaving it to subscribers to use CLI options on their handsets as a means to avoid unwanted calls. This is an issue of particular importance for mobile networks.
Another point worth noting is that under the draft Regulations, OFCOM and the Secretary of State would be obliged to have regard to privacy issues when exercising their wider policy functions. In practice this could impact upon the conditions imposed by OFCOM on the providers of e-communications services.
What are the sanctions for breach?
The sanctions provided for in the draft Regulations are substantially similar to those in the existing Regulations.
The existing enforcement of sanctions against breaches of the rules on unsolicited direct marketing communications does not appear substantially to have deterred hardened spammers. In particular, as the consultation paper points out, no fines have yet been imposed on a company for breaching the terms of an enforcement notice issued by the Information Commissioner, nor does the current regime of enforcement notices offer speedy resolution or substantial publicity that increases subscribers' awareness of their rights.
This consultation is an important opportunity for businesses to influence the nature of the sanctions regime in significant respects.
Firstly, "stop now" orders (which may be issued by the Office of Fair Trading, Trading Standards Authorities and other nominated bodies) have been in operation for almost two years now and may offer a more direct, speedier and higher profile deterrent to protect the collective interests of consumers -- and at the same time also the interests of legitimate marketers -- against unscrupulous spammers.
Secondly, it is proposed under the draft Communications Act that Ofcom will have powers to impose direct administrative fines of up to £5,000 and/or seek injunctions to ensure that the terms of enforcement notices are complied with in respect of persistent misuse of electronic networks. Such a form of sanction could well be adapted for use in enforcing the Regulations.
Finally, there is an opportunity to close the significant loophole under which the principal remedy available to a person who suffers damage as a result of contravention of the Regulations is that of financial compensation. This has proved to provide very little practical deterrent to persistent offenders, given the disproportionate costs involved in a complainant bringing such an action as compared with the likely award of damages.
Consultees may wish to consider seeking:
- confirmation that the Regulations will include an express right to injunctive relief against spammers, as a more effective deterrent; and
- an express right for corporate as well as natural persons to pursue such relief as well as the existing remedy of financial compensation.
Is there anything else I should be aware of?
A further area of interest in particular regards the rights the rules will give to individuals to determine the extent to which their personal details appear in public directories.
This summary sets out the key areas of contention and change presented by the draft Regulations, but is not a comprehensive summary of its complete provisions. If you would like further information then you can contact us as indicated below.
Although the Government can, to a large extent, only "copy out" the Directive into the UK statute book, there is considerable scope for businesses to influence the shape of the Regulations. Interested parties must submit responses to the DTI by no later than 19 June 2003. In the meantime, businesses need to review their privacy policies, databases, CRM systems and websites to ensure compliance with the new rules and plan ahead in terms of their marketing strategies and data policies or risk finding that valuable customer information is rendered worthless later this year when the new rules come into force.
The consultation document is available on the DTI website.
If you are interested in responding to the DTI's consultation, or would like advice on compliance with the new e-communications regime, please contact Marc Dautlich, Elle Todd or another member of the Data Protection Team.