New rules on electronic direct marketing finally introduced

The new Regulations contain a variety of new rules applying to a range of areas relating to electronic communications, including the use of such commmunications for marketing purposes. They also include rules regarding direct marketing by telephone and fax, use of traffic and location data, caller line identification and directories, which are not covered in this newsletter.

Opt-in

Regarding email and SMS, as anticipated in the draft rules, the default requirement is that unsolicited direct marketing e-mail and SMS must only be sent to an individual recipient who has previously notified the sender that they consent to the e-mail or SMS being sent (and that certain information about the sender - whose identity must be clear - has been provided to the recipient). This means that recipients must "opt in". The term "Individual" means here a natural person such as an individual, sole trader or partner rather than a legal person like a limited company, so the new rules do not cover direct marketing to limited companies. This somewhat arbitrary distinction does not however provide a blanket get-out as the general law (under the Data Protection Act 1998) will still apply and recipients within limited companies will generally be entitled to a right to "opt out".

There is an exception to the "opt in" requirement where there is an existing customer relationship with recipients, in which case a marketer may continue to market their own similar products and services to them on an "opt out" basis. For the exception to apply the following is required:

• a direct relationship must exist with the recipient arising from a previous sale or negotiations for a sale of a product or service to that recipient;
• the intended marketing is only for that business's own similar products or services; and
• the recipient has been given a valid, simple way to "opt out" at the point their details were collected and at each time they are subsequently used. This has to be free of charge except for the costs of transmission.

Prohibited acts

It is not permitted to send or instigate the sending of any marketing e-mail where:

• the identity of the person on whose behalf the e-mail has been sent has been disguised or concealed; or
• a valid address to which the recipient may send a request for such e-mails to stop has not been provided.

Effect on existing online recruitment and other databases

Although the new rules will also apply to e-mail marketing databases compiled before 11 December 2003, the regulator has stated that, for the time being, it is prepared to allow e-mail mailing lists compiled before 11 December to continue to be used, except where recipients have already "opted-out" and provided that:

• the list was complied in accordance with data protection law in force before 11 December 2003 (in other words their details were collected in accordance with the Data Protection Act generally including at the very least an "opt-out" facility);
• the list has been used recently;
• an opportunity to opt-out is included with every message; and
• any request to opt-out of further mailings is acted upon promptly.

However the above view is only guidance and does not yet have the backing of the courts. Also, it may only be temporary and may therefore only provide a grace period rather than a permanent exception. Those in the online recruitment sector should therefore consider the extent to which their databases include records about individuals who do not qualify for the "existing customer relationship" exception outlined above and look to obtain an "opt-in" from at least those individuals some time in the near future. It may be that the new Regulations accelerate the introduction of a general "opt in" culture and as such recruiters may decide to move to purely permission based marketing in the future anyway.

Cookies

The Regulations also include rules restricting the extent to which cookies (and equivalent technologies) can be used. In summary, the rules prevent either:

• storing any information in a user's computer;
• accessing any information stored in a users computer.

unless the user on whose computer it is intended to store a cookie is given:

• clear and comprehensive information about the purposes of the storage of, and access to, the information;
• and an opportunity to refuse the storage of, or access to, the information.

Where it is intended to store or access a cookie on a user's computer more than once, it is only necessary to comply with the above requirements, the first time. The Regulations do not set out how the information should be given or exactly when, but the regulator has stated that the explanation should be "prominent, intelligible and readily available to all." When using a privacy policy, this should be accessed by an easy to follow link to the relevant part of the privacy policy to explain everything that the user needs to know about it. As a minimum requirement the user should be given a clear choice as to whether to allow the continued storage of information in their computer on the first occasion that the cookie is used. This may mean that many online recruitment sites will need to examine and update their privacy policies, terms and conditions and other content.

The Regulations do allow the storage of cookies which are "strictly necessary" to provide the service requested by the user but, even then, the terms on which the user subscribes to the service ought to be clearly explained.

Enforcement

It is not permitted to contract out of the Regulations and any provision in a contract that is inconsistent with the requirements of the Regulations is automatically void. For example, it is not permitted to contract with someone to the effect that marketing e-mails will be sent, without including a simple means for the recipient to opt out. The regulator (the UK Information Commissioner) can issue enforcement notices against individuals or companies requiring compliance, and a breach of an enforcement notice is a criminal offence. In addition anyone who suffers loss or damage by reason of your breach of the Regulations can sue for compensation through the courts.

That said, most businesses will be most concerned about the potential damage to brand and reputation that could come with a public investigation and possible wrist slapping.

Further information

If you'd like to discuss any of these issues then please feel free to call Graham Hann of Taylor Wessing on 020 7300 4839 or email Graham
Information about Taylor Wessing's data protection services can be found by clicking here
A copy of the Regulations can be obtained by using this link
Copies of the Information Commissioner's guidance on the Regulations is available by clicking here