27 May 2011

ePrivacy Regulations: Key changes and new penalties


Kenneth Mullen
Partner | UK

Marketing teams, website owners and communications businesses should be taking immediate action to comply with the new UK Privacy and Electronic Communications (EC Directive) Amendment Regulations 2011, which came into force on 26 May 2011.

These new UK Regulations amend the 2003 ‘e-Privacy’ Regulations and set out specific data privacy rules for communications businesses collecting ‘personal’ or location-based data as well as rules for all organisations using personal information for email, text, phone or fax marketing.

Key points to note are as follows:

  • Mandatory Data Breach Notice for Communications Providers: Telecoms and internet service providers (ISPs) are now under a positive duty to notify the UK Information Commissioner (ICO), and in serious cases, affected subscribers/users where personal data has been lost or subscriber/user data security has been compromised;
  • Use of Cookies: the rules governing use of ‘cookies’ on websites have been amended to require positive ‘consent’ from a website user before a cookie can be sent to that user's computer. Cookies are used by most publicly available websites. A cookie is a small text file which is sent to a user's computer to, for example, track a user's browsing pattern on the website or to remember that user when they return to the site. There are no rules on how consent is to be legally achieved, although we note that the ICO on its own website is using a pop-up box to notify and ask users to ‘accept’ cookies. Despite the rules coming into force, the UK Government and ICO have said they will allow organisations a grace period of 12 months to get their ‘house in order’ to comply with this particular requirement but have also warned against organisations taking a ‘wait and see’ approach;
  • New Powers to Fine up to £500,000: Perhaps even more significantly, the ICO has been given new powers to penalise organisations up to £500,000 (GBP) for a serious breach of the ePrivacy Regulations. This extends the powers granted last year under the Data Protection Act and in particular means that restrictions on the sending of unsolicited email, phone and text marketing to individuals need to be given much greater scrutiny.

While telecommunications businesses and ISPs are hardest hit by the new ePrivacy Regulations, all organisations need to take note. Specifically, sales and marketing teams, fundraisers and any business engaged in public communication need to be aware that the consequences of playing fast and loose with privacy rules on email and phone marketing are now much more serious.

The new ePrivacy Regulations only apply to UK organisations, although, since they are based on an EU Directive, equivalent rules should be coming into force through national law in other parts of the European Union.
