The Privacy & Electronic Communications regulations came into force on 11th December 2003. The Government was required to make these regulations in order to comply with an EC Directive on the subject. These regulations add to and do not replace existing legal requirements.
Minor amendments were made to correct a couple of errors in 2004; and significant changes were made in 2011.
An annotated copy of the regulations showing them in their current amended state (as of 25-5-11) can be found here.
These regulations may be regarded as sweeping up a variety of points which many would regard as necessary, to take account of relatively recent technological developments. I intend in this FAQ to summarise the key points relating to email and the internet; there are other provisions relating to phone and fax, which are outside the scope of this FAQ.
Definitions (reg 2):
"location data" means any data processed in an
electronic communications network indicating the geographical position of the
terminal equipment of a user of a public electronic communications service,
including data relating to -
(a) the latitude, longitude or altitude of the terminal equipment;
(b) the direction of travel of the user; or
(c) the time the location information was recorded
‘public electronic communications network’ means an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public” – in this FAQ I refer to this as a PECN – the internet may generally be thought of as a PECN
‘public electronic communications service’ means any electronic communications service that is provided so as to be available for use by members of the public - in this FAQ I refer to this as a PECS – a website may generally be thought of as a PECS
‘subscriber’ means a party to a contract with a provider of a PECS
"traffic data" means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication
‘user’ means an individual using a PECS
Security (reg 5):
A service provider (ie a provider of a PECS) must take appropriate measures to safeguard the security of that service, if necessary in conjunction with the provider of the PECN. The 2011 regulations extend this and impose minimum requirements in the case of personal data, and give the Information Commissioner powers to audit and to impose penalties for breach.
‘appropriate’ means having regard to cost, and the state of technological developments
If notwithstanding such measures there remain significant risk to the security of the PECS, subscribers must be told (without charge)
Ø The nature of the risk
Ø The appropriate measures that the subscriber may take to safeguard against that risk
Ø The likely costs to the subscriber of taking such measures
Confidentiality and cookies (reg 6)
This regulation was substantially amended in 2011. The requirement now is:
Information (‘cookies’) must not be stored on the terminal of a subscriber or user without first obtaining consent from the subscriber or user which is prior, express, and informed,
Such consent only needs to be obtained once in respect of the same cookie used for the same purpose.
The ICO has issued guidance in connection with this regulation.
Whilst the regulation contains provision for consent to be obtained via browser settings, the guidance makes clear that at the present time, browser technology is not sufficient to rely on this provision.
This restriction does not apply where the storage / access is for the sole purpose of carrying out or facilitating the transmission of a communication, or where the storage / access is strictly necessary for the provision of a service requested by the subscriber or user; we suggest it would be advisable to interpret ‘strictly necessary’ objectively, perhaps as ‘strictly and technically necessary’.
Traffic data (reg 7 & 8)
Traffic data must be erased (or modified so that they cannot identify the subscriber or user) when no longer required for the purposes of transmitting a communication
Such data required for billing purposes may be retained for so long as required for that purpose, provided that the subscriber or user has been provided with information regarding the types of traffic data that are to be processed and the duration of processing
Such data may be processed and stored if
Ø Required for marketing or value added services in relation to that subscriber / user, AND
Ø that subscriber / user has consented, AND
Ø the processing an storage is for no longer than necessary for the purpose of marketing or value added services in relation to that subscriber / user, AND
Ø the subscriber or user has been provided with information regarding the types of traffic data that are to be processed and the duration of processing BEFORE consent was obtained.
Such data may only be processed for
Ø management or billing of traffic
Ø customer enquiries
Ø fraud prevention or detection
Ø marketing of electronic communications services
Ø provision of a value added servcie
Location Data (reg 14)
[Location data may be considered to include reference to tracking of IP addresses.]
Location data (excluding traffic data) may only be processed
Ø where the user or subscriber cannot be identified, or
Ø where necessary for the provision of a value added service AND with the consent of that user or subscriber
Before giving consent a user or subscriber must be told
Ø types of location data that will be processed
Ø purpose and duration of processing
Ø whether the data will be transmitted to a third party for the purpose of providing the value added service
Consent can be withdrawn at any time, and must be given a simple and free of charge means of doing so every time (s)he connects.
Processing may only be carried out by or on behalf of the service provider or value added service provider, and (where for providing a value added service) must be restricted to that purpose.
Spam (regs 22 & 23)
[Spam for direct marketing allowable if ‘opt in’ only]
Unsolicited email for the purposes of direct marketing is prohibited unless the recipient has previously notified the sender that he consents to such communications being sent by the sender.
Direct marketing email may be sent where
Ø sender has obtained contact details in the course of negotiations for a sale to the recipient, AND
Ø the direct marketing is in respect of that or similar products / services, AND
Ø the recipient is given a simple and free means of refusing when the details were first collected, and (if (s)he consented then) at the time of each subsequent communication.
Email for the purposes of direct marketing is prohibited
Ø where the sender’s identity is disguised or concealed, or
Ø where a valid address to which the recipient may send a request that communications cease is not provided
The 2011 regulations add to the above
Ø where the email (or a website to which the email encourages a visit) contravenes regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002 - which in essence provide
Commercial Communications (regs 7 & 8)
An SP must ensure that any form of commercial communication
Ø is clearly identifiable as such
Ø clearly identifies on whose behalf it is made
Ø clearly identifies as such any promotional offer and any conditions thereof
Ø clearly identifies as such any promotional competition or game and any conditions thereof
Where the commercial communication is unsolicited, it must also be ‘clearly and unambiguously identifiable as such as soon as it is received’.
I'd really appreciate your feedback on this FAQ - so mail me and tell me what you think of it, if it's been useful to you, or let me know of any specific problem you have where I may be able to help.
This page was last updated on 22nd August 2012
No liability is accepted for any inaccuracy in the information in these pages - see full disclaimer
The information on these pages is provided free and for information only, and is provided 'as is'. Whilst believed to be correct, it is in no way comprehensive. It is provided for your interest only and is not intended to be relied on as formal legal advice. The posting of information on these pages is not intended to create a lawyer-client relationship, and you should not act or rely on this information without seeking professional advice. No liability is accepted therefore for any errors, or for any losses that may be incurred if it is relied on.
You may read these pages
on-line, and download them to read later, for your own personal use.
This copyright notice must appear on every page that you print from here.
You must not redistribute these pages or any part of them in any form or medium without first obtaining my consent.
You are welcome to set up links to this website from others.