Websites – Privacy Rules Cookies and Spam

Over the last few years the question of how the Data Protection Act 1998 applies to new technologies and the online world has vexed lawyers and business alike.

New European laws

As a result the European Commission belatedly adopted a Directive on the protection of personal data in the electronic communication sector. On 27 March 2003 the Department of Trade and Industry issued draft regulations which implement the Directive and which are due to come into force in the UK by the end of October of this year. For the first time we will have laws specifically governing the use of cookies and spam.

Cookies

What are they?

In the context of the internet cookies are pieces of software sent by a service provider and stored on a user's terminal. The device then acts as a marker and can be recognised automatically by the service provider. Cookies can be used for a wide range of purposes, for example, to log how a user navigates around a website and to monitor repeat visits from the same terminal. The information captured can then be used in a number of ways, for example, to tailor banner adverts to the user.

Can they be used lawfully?

The Directive acknowledges that cookies can be used in a legitimate and useful way and recognises that some internet functions would be impossible or difficult to use without them. As a result, it permits service providers to use cookies provided that the user is given clear and precise prior information about the cookie's purpose and the opportunity to reject the cookie. The approach is essentially opt-out.

Does the law just apply to cookies?

The new requirements are not technology specific so they apply to any future developments which act as software tracking devices to access and store data, not just cookies.

Spam

What is it?

Spam is the practice of sending unsolicited emails and text messages. The European Commission has recognised that these forms of communication can cause annoyance and difficulties for networks and terminal equipment therefore they are now subject to specific legal requirements.

What does the law require?

For many months there has been heated debate in Europe about whether an opt-in or opt-out regime should apply. The general rule is to prohibit the use of spam for the purposes of direct marketing unless individuals have already given their prior consent to receiving such communications. This is an opt-in system. An exception applies to the situation where an individual already has a customer relationship with the entity wishing to send the spam, for example, if the individual has already purchased goods or services from the sender. In those circumstances an opt-out is sufficient provided that the opportunity to object to spam was given to the individual at the time his data was collected. Further, the individual must continue to be given the opportunity to opt-out free of charge on each occasion that an unsolicited message is sent, in case the individual changes his mind. The Directive prohibits the use of false identities or false return addresses when sending spam.

Traffic Data

What is traffic data?

By traffic data the Directive means the sort of data an online entity accumulates for the purpose of transmitting email messages or for billing its customers. Specific examples are cited in the draft regulations and these include data relating to routing and the duration or time of a communication.

How can this data be used?

The customer must always be told the purposes for which its data is being processed but there is no need to obtain consent if the data is only being used for billing purposes. If the data is going to be used for any other purpose then the data will have to be anonymised or the individual's consent must be sought.

Directories

One further important right is being bestowed on individuals in the new Directive; an individual now has the right to object to being included in an electronic directory of subscribers that is publicly available.

Security

Online businesses must ensure compliance with the general obligation to safeguard the security of their services having regard to the state of the art and the cost of implementation of such measures. For example, if you accept payments online, make sure that you (and any third parties you use to process data) have appropriate security in place to keep data confidential.

British Code of Advertising, Sales Promotion and Direct Marketing (‘CAP Code’)

On 4 March 2003 new provisions were introduced into the CAP Code so that new rules are already in place to regulate the use of unsolicited communications for direct marketing purposes. The provisions in the new section on Database Practice in the CAP Code reflect the opt-in and opt-out provisions of the Directive.

Does this mean immediate compliance is necessary?

The answer is ‘yes’. The Advertising Standards Authority (‘ASA’) oversees the CAP Code and although it operates a system of self-regulation, it can impose sanctions on noncompliant marketers. The bad publicity arising from an adverse ASA ruling is often good reason enough to comply with the Code.

Action plan to ensure compliance

1. Draft cookie statements to explain what they do and how they can be rejected.
2. Look at the data you hold and how you collect it on and off line; draft opt-outs and seek consent where necessary.
3. Redraft your privacy statements to take into account the new rules.
4. Comply with the principles in the Data Protection Act 1998 which will continue to apply and remember to notify your activities to the Information Commissioner. It is an offence not to do so.

If you require further information or assistance, please contact Gillian Akerman at Wedlake Bell on 020 7395 3024 or email her at [email protected]

This information has been reproduced with the kind permission of Wedlake Bell, 16 Bedford Street, Covent Garden, London WC2E 9HF, tel: 020 7395 3000, fax: 020 7836 9966, from its information sheet entitled ‘New privacy Rules: Cookies and Spam’. © Wedlake Bell 2003. All rights reserved.