The outcome of the vote is something of a mixed bag for online businesses: the draconian restrictions on cookies originally proposed have been tempered, but companies will still need to adapt to new constraints on the way they collect web users' data and use e-mail and SMS to target customers. The new legislation will be formally adopted at EU level over the next few months, and should be implemented by Member States by the end of 2003.
In brief, the implications of Thursday's vote are as follows:
Cookies: website operators will need to provide users with "clear and comprehensive information" about devices such as cookies used to collect their data, including the purpose of any processing, and must give users the opportunity to reject them. Earlier proposals that this information must be given "in advance" have been dropped, but it remains unclear at what point, and exactly how, businesses are expected to make this information available to users.

"Soft opt-in" for spam: an EU-wide "opt-in" approach is to be adopted, meaning that businesses will only be permitted to send marketing e-mails and SMS messages to individuals who have previously consented to the use of their details in this way. Existing customers may be targeted, provided certain conditions are met, although there is still some uncertainty about the precise scope of this carve-out.

Data retention: telcos and ISPs could be required under national legislation to retain traffic and billing data for fixed periods for national security and law enforcement purposes, but only where such measures are "necessary, appropriate and proportionate" and consistent with Community legislation, including human rights law.

The key issues in more detail
Spam e-mail and SMS: in relation to unsolicited marketing communications, the debate has centred on whether the approach should be "opt-in" (meaning that marketers may only target those individuals who have given express prior consent) or "opt-out" (whereby marketers would be free to target individuals unless they had registered their wish not to be contacted, e.g. by signing up to an opt-out register).
Thursday's vote means that all EU Member States must implement opt-in legislation. Different EU countries currently have a variety of regimes, the UK being opt-out. The opt-in approach is softened somewhat by a provision which allows companies to target customers who have bought products or services from them in the past. This is, however, subject to a number of provisos:
Firstly, the customer's details must have been collected in the context of a "sale" -- on a strict interpretation, this could rule out the use of contact details of potential customers who have merely registered an interest in a service or product. Just how much scope there is to lobby the UK government for a flexible approach on this issue remains to be seen.
Secondly, the customer must have been told about the possible use of his or her data for future marketing at the time it was collected -- i.e. at the time of the initial purchase -- and given the chance to object. The opportunity to opt-out must then be given with each subsequent marketing message.
Thirdly, the customer's details may only be used by the same entity to which they were given originally. This clearly has implications for transfers of customer lists between group companies and trading partners (although these restrictions already apply under the UK's existing data protection regime).

Finally, at the time of writing it was still not clear whether these provisions would be subject to a further requirement that the marketing be for a "similar product" to that in relation to which the customer's details were originally gathered. If this restriction is included, it will undoubtedly lead to uncertainty for businesses about just how "similar" the new product advertised needs to be to avoid breaching the legislation.

The practice of disguising or concealing the identity of the sender of unsolicited communications, or failing to provide an address to which a request that such communications cease can be sent, will also be prohibited.

Telesales, fax and automated calling systems: the status quo with regard to marketing by these methods remains unchanged, i.e., they may only be used to contact an individual with his or her prior consent.

Data retention: the Directive will allow Member States to pass national laws obliging service providers to retain communications data -- such as traffic and billing information -- for fixed time periods for law enforcement purposes. This aspect of the Directive also proved controversial, with both the privacy lobby and the telecoms industry pressing for restrictions on governmental powers in this regard. The compromise position means that any national data retention measures must be "necessary, appropriate and proportionate" to safeguard national security or combat crime.
In practical terms, service providers in the UK must wait for the draft Code of Conduct under the Anti-Terrorism, Crime and Security Act 2001, expected to be released for consultation this summer, to have a clear picture of exactly what data they will be required to hold on to, and for how long.

Other issues: the wide-ranging Directive also gives individuals the right to determine the extent to which their personal details appear in public directories.

Sanctions: at this stage, it remains to be seen what the deterrent for breaching these provisions will be. It will be left to Member States to set the sanctions for breaches of the new legislation.

Next steps for online businesses
Arguably, the new Directive represents a change of emphasis rather than a change in the substance of data protection obligations. The Directive still needs to be formally adopted by the European Council (this is expected to happen during the summer), and Member States will then have until the end of 2003 in which to implement the new measures. There may be some scope to lobby the UK government for a business-friendly interpretation of some of the detailed points in the Directive, and for any sanctions to be moderate. Nevertheless, businesses need to address the changes now, both to ensure their marketing channels are compliant and to ensure that valuable customer databases are not rendered worthless for future campaigns.

If you would like a more detailed analysis of how the new legislation will impact upon your business, please contact Marc Dautlich.

The information contained in this bulletin is intended as a general overview of the subjects featured, and detailed specialist advice should always be taken before taking or refraining from taking any action.