The Privacy & Electronic Communications (EC Directive) Regulations 2003


The Privacy & E-comms regulations - a legal FAQ


The Privacy & Electronic Communications regulations came into force on 11th December 2003.  The Government was required to make these regulations in order to comply with an EC Directive on the subject.  These regulations add to and do not replace existing legal requirements.

The full text of the regulations can be found at http://www.legislation.hmso.gov.uk/si/si2003/20032426.htm

These regulations may be regarded as sweeping up a variety of points which many would regard as necessary, to take account of relatively recent technological developments.  I intend in this FAQ to summarise the key points relating to email and the internet;  there are other provisions relating to phone and fax, which are outside the scope of this FAQ.

Definitions (reg 2):

"location data" means any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to - 
(a) the latitude, longitude or altitude of the terminal equipment;
(b) the direction of travel of the user; or
(c) the time the location information was recorded

‘public electronic communications network’ means an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public – in this FAQ I refer to this as a PECN – the internet may generally be thought of as a PECN

‘public electronic communications service’ means any electronic communications service that is provided so as to be available for use by members of the public - in this FAQ I refer to this as a PECS – a website may generally be thought of as a PECS

‘subscriber’ means a party to a contract with a provider of a PECS

"traffic data" means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication

‘user’ means an individual using a PECS

Security (reg 5):

A service provider (ie a provider of a PECS) must take appropriate measures to safeguard the security of that service, if necessary in conjunction with the provider of the PECN.

‘appropriate’ means having regard to cost, and the state of technological developments

If, notwithstanding such measures, there remains a significant risk to the security of the PECS, subscribers must be told (without charge):

•       The nature of the risk

•       The appropriate measures that the subscriber may take to safeguard against that risk

•       The likely costs to the subscriber of taking such measures

Confidentiality and cookies (reg 6)

Information (‘cookies’) must not be stored on the terminal of a subscriber or user unless that subscriber or user has first been given (the first time, not on every occasion):

•       Clear and comprehensive information about the purposes of storage of / access to that information

•       The opportunity to refuse such storage / access

This restriction does not apply where the storage / access is for the sole purpose of carrying out or facilitating the transmission of a communication, or where the storage / access is strictly necessary for the provision of a service requested by the subscriber or user.

Traffic data (reg 7 & 8)

Traffic data must be erased (or modified so that they cannot identify the subscriber or user) when no longer required for the purposes of transmitting a communication

Such data required for billing purposes may be retained for so long as required for that purpose, provided that the subscriber or user has been provided with information regarding the types of traffic data that are to be processed and the duration of processing

Such data may be processed and stored if:

•       Required for marketing or value added services in relation to that subscriber / user, AND

•       that subscriber / user has consented, AND

•       the processing and storage is for no longer than necessary for the purpose of marketing or value added services in relation to that subscriber / user, AND

•       the subscriber or user has been provided with information regarding the types of traffic data that are to be processed and the duration of processing BEFORE consent was obtained.

Such data may only be processed for:

•       management or billing of traffic

•       customer enquiries

•       fraud prevention or detection

•       marketing of electronic communications services

•       provision of a value added service

Location Data (reg 14)

[Location data may be considered to include reference to tracking of IP addresses.]

Location data (excluding traffic data) may only be processed:

•       where the user or subscriber cannot be identified, or

•       where necessary for the provision of a value added service AND with the consent of that user or subscriber

Before giving consent a user or subscriber must be told:

•       types of location data that will be processed

•       purpose and duration of processing

•       whether the data will be transmitted to a third party for the purpose of providing the value added service

Consent can be withdrawn at any time, and the user or subscriber must be given a simple and free of charge means of doing so every time (s)he connects.

Processing may only be carried out by or on behalf of the service provider or value added service provider, and (where for providing a value added service) must be restricted to that purpose.

Spam (regs 22 & 23)

[Spam for direct marketing allowable if ‘opt in’ only]

Unsolicited email for the purposes of direct marketing is prohibited unless the recipient has previously notified the sender that he consents to such communications being sent by the sender.

Direct marketing email may be sent where:

•       sender has obtained contact details in the course of negotiations for a sale to the recipient, AND

•       the direct marketing is in respect of that or similar products / services, AND

•       the recipient is given a simple and free means of refusing when the details were first collected, and (if (s)he consented then) at the time of each subsequent communication.

Email for the purposes of direct marketing is prohibited:

•       where the sender’s identity is disguised or concealed, or

•       where a valid address to which the recipient may send a request that communications cease is not provided


I'd really appreciate your feedback on this FAQ - so mail me and tell me what you think of it, if it's been useful to you, or let me know of any specific problem you have where I may be able to help.



This page was last updated on 2nd December 2003

No liability is accepted for any inaccuracy in the information in these pages - see full disclaimer

Copyright © 2003 Roger Sinclair & Egos Ltd – roger@egos.co.uk   All rights reserved - see full copyright details


Disclaimer of liability:

The information on these pages is provided free and for information only, and is provided 'as is'. Whilst believed to be correct, it is in no way comprehensive. It is provided for your interest only and is not intended to be relied on as formal legal advice. The posting of information on these pages is not intended to create a lawyer-client relationship, and you should not act or rely on this information without seeking professional advice. No liability is accepted therefore for any errors, or for any losses that may be incurred if it is relied on.



Copyright details:

You may read these pages on-line, and download them to read later, for your own personal use.
This copyright notice must appear on every page that you print from here.
You must not redistribute these pages or any part of them in any form or medium without first obtaining my consent.
You are welcome to set up links to this website from others.
