Privacy and Electronic Communications Regulations

Introduction

The Privacy and Electronic Communications Regulations 2003 regulate direct marketing activities by electronic means (by telephone, fax, email or other electronic methods). They also regulate the security and confidentiality of such communications, with rules governing the use of cookies and 'spyware'.

Consent and direct marketing

Under the Regulations you need to have a positive indication of consent before sending direct marketing materials and must provide suitable means of opting out in your marketing communications.

Direct marketing is defined as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals". This covers a wide range of activities: not only the offer for sale of goods or services, but also to the promotion of an organisation's aims and ideals. This would, for example, include a charity or a political party making an appeal for funds or support.

Relationship to Data Protection

The Regulations complement the Data Protection Act and General Data Protection Regulation in the regulation of organisations' use of personal data and in ensuring appropriate safeguards for individuals' rights and privacy.

Where personal data are being processed (e.g. mailing lists of named individuals, cookies containing personal data) the University must also comply with Data Protection legislation and have lawful bases for processing. The Regulations do not override Data Protection law, which covers the collection of personal data and its use for direct marketing more generally (section 11). For instance, Data Protection governs direct marketing by postal mailings.

Marketing by email

Rule 1

Applies to all marketing messages sent by electronic mail, regardless of who the recipient is (i.e. corporate or individual)

(a) the sender must not conceal or disguise their identity, and (b) must provide a valid address for opt-out requests

Rule 2

Only applies to unsolicited marketing messages sent by email to individual subscribers.

(a) Senders cannot send such messages unless they have the recipient's prior consent to receive such communications. This rule is relaxed if three exemption criteria are met:

The recipient's email address was obtained in the course of a sale or negotiations for the sale of a product or service to that recipient
The sender only sends promotional messages relating to their own similar products and services, and
When the address was collected, the recipient was given the opportunity to opt out, which they didn't take

(b) The opportunity to opt-out must be given with every subsequent message/communication.

N.B. The above exemption, which allows a 'soft opt-in', only applies where you are you are promoting commercial goods and services. It would not apply to charities, political parties or organisations promoting their aims as opposed to a product. If you do satisfy the criteria, you would not need prior consent to send marketing by electronic mail to individual subscribers (which would otherwise be required).

Marketing by fax

Do not send, or instigate the sending of, an unsolicited marketing fax to the line of an individual subscriber without that individual subscriber's prior consent.
Do not send, or instigate the sending of, an unsolicited marketing fax to the line of a corporate subscriber where that subscriber has asked you not to fax on that line.
Do not send, or instigate the sending of, an unsolicited marketing fax to any number listed on the Fax Preference Service register.
Provide your identity (i.e., the name of the business being promoted) and a valid business address or freephone telephone number at which you can be contacted on each fax you send.

Security and confidentiality of communications

The Regulations also govern issues of security, the confidentiality of electronic communications (including the taking of cookies and personal data), and the collection, retention and processing of traffic, location and billing data.

Electronic communications service providers must take appropriate technological and organisational measures to safeguard the security of their services. An "appropriate" measure is one which having regard to the state of technological development and the cost of their implementation, is proportionate to the risks against which it would safeguard. (These provisions compare with the obligations on a data controller under the seventh data protection principle).

The Regulations are also concerned with the use of electronic communications networks to store information or gain access to information stored in the terminal equipment of a subscriber or user. The use of devices such as cookies, for example, has for some time been commonplace and cookies are important to the provision of many online services. The use of such devices is not, therefore, prohibited by the Regulations but they do require that subscribers and users should, to some extent, be given the choice as to which of their online activities are monitored in this way.

Cookies

Where the use of a cookie type device does involve the processing of personal data, service providers will be required to ensure that they comply with the additional requirements of the Data Protection Act 1998. This includes the requirements of the third data protection principle which states that data controllers shall not process personal data that is excessive.

Systems providers should always consider the extent to which data can be processed anonymously. Where cookies or similar devices are needed, they should only be used where the subscriber, visitor or user of the website/terminal:

a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

b) is given the opportunity to refuse the storage of, or access to, that information.

The Regulations are not prescriptive about the sort of information that should be provided but the text should be sufficiently full and intelligible to enable individuals to gain a clear appreciation of the potential consequences of allowing storage and access to the information collected by the device should they wish to do so. This is comparable with the transparency requirements of the first data protection principle.

The mechanism by which a subscriber/user may exercise their right to refuse continued storage should be prominent, intelligible and readily available to all - not just the most computer literate or technically aware. Where the relevant information is to be included in a privacy policy, for example, the policy should be clearly signposted at least on those pages where a user may enter a website. The relevant information should be appear in the policy in a way that is suitably prominent and accessible and it should be worded so that all users and subscribers are capable of understanding, and acting upon it, without difficulty.

There are exemptions from the right to refuse a cookie where that device is to be used

a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or

b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Users/subscribers include staff, and the regulation of cookies would apply equally to cookies within internal systems that collected data on employees as users, as it would to external facing systems collecting data on visitors/subscribers.