Guidance on e-mail marketing and cookies law

The Privacy and Electronic Communications Regulations implement an EU Directive of last year. By the Directive's timetable, they should have been in force across the EU by 31st October, but most Member States missed the deadline.

In summary, the Regulations:

• Require businesses to gain prior consent before sending unsolicited advertising e-mail to individuals.
• Require that the use of cookies or other tracking devices is clearly indicated and that people are given the opportunity to reject them. Cookies are small text files used on most commercial web sites. The files are sent from a web server to a web site user's computer and are stored on the hard drive, so that when the user visits the web site again, the site will remember him.
• Network operators and their partners will be able to provide subscription and advertising services based on location and traffic data to their customers. There is no restriction on the type of services that may be provided as long as subscribers give their consent and are informed of the data processing implications.
• Ensure stronger rights for individuals to decide if they wish to be listed in subscriber directories. Clear information about the directory must also be given, e.g. whether further contact details can be obtained from just a telephone number or a name and address.

The Office of the Information Commissioner will enforce the regulations by issuing enforcement orders to those who do not comply with the new rules. A breach of these orders will be a criminal offence carrying a fine of up to £5,000 in a lower court, or an unlimited fine if the trial takes place before a jury.

In addition, anyone who has suffered damages because the regulations have been breached has the right to sue the person responsible for compensation.

The Information Commissioner's new guidelines are intended to clarify the Regulations. Because there was insufficient time for proper consultation on the guidelines, these will be subject to review.

William Malcolm, a data protection expert with Masons, the law firm behind OUT-LAW.COM, commented:

"Organisations using electronic contact details need to assess their existing processes and procedures against this new guidance. They may need to re-think their strategy on marketing by e-mail – do they have the permissions they need to continue their marketing practices?"

"Fortunately, the Regulations and the new guidance are not as restrictive on e-mail marketing as many commentators have suggested, and provide a number of routes by which organisations can comply."

The guidance currently appears in two parts. The first part deals with marketing by electronic means. The second part covers the security and confidentiality of services, the processing of traffic and location data, CLI, directories and the enforcement mechanism. Comments are invited.