More boxes to tick (possibly quite literally)


Data protection is big news right now. There's been plenty of media coverage over the new EU/US Privacy Shield and numerous column inches filled by the forthcoming General Data Protection Regulation (due to replace the UK Data Protection Act 1998 in May 2018). But there's even more to come.

The European Commission is now looking at reforming the ePrivacy Directive (implemented in the UK as the Privacy and Electronic Communications Regulations, known affectionately as "PECR"). PECR covers a number of topics. It sets out the rules which require those annoying (sorry "informative") cookie pop-ups, rules on the use of location data and special rules for telecoms companies regarding billing etc. But the thing it's most famous for is its rules on direct marketing by electronic means. PECR is essentially our anti-spam law. So if PECR is reformed and those direct marketing rules are changed, businesses will have to sit up and take notice.

Currently PECR establishes a general rule for electronic direct marketing to individuals: their prior consent is required unless (and this is crucial) you can rely on the "soft opt-in". The soft opt-in allows businesses to send marketing emails to their customers, without getting their express permission, provided that certain conditions are met, an important one being that customers must be given the opportunity to opt out of direct marketing at the point at which the data is collected and in every marketing email.

Although the European Commission has not yet said how the ePrivacy Directive is to be reformed, it's possible that the soft opt-in may go or be restricted. The latter is the recommendation of the Article 29 Working Party and European Data Protection Supervisor. That opinion (linked below) recommends that the exception for existing customers should "be limited to a reasonable level of marketing communication. Parties should not be allowed to bombard users with an excessive number of marketing calls or messages". But who is to say what the threshold is?

They also recommend that the opt-in consent regime should be extended to apply to all types of unsolicited electronic communications, whatever the means of communication (EG electronic mail, behavioural advertising, voice or video calls, fax, text and direct-messaging).

It remains to be seen whether the European Commission will follow these recommendations and the effect on PECR is not yet clear- especially in light of the UK recently ticking the EU "OPT OUT" box.

Quote mark icon

Opinion 03/2016 on the evaluation and review of the ePrivacy Directive