We have reported previously that the new ePrivacy Regulation (to replace the ePrivacy Directive behind PECR) was working its way through the European legislative process. It had been intended to introduce it at the same time as GDPR but it was only published in January 2018 so that timetable was far too ambitious.

Nevertheless we have watched the draft work its way through the various stages of amendment and approval towards a final decision by the EU parliament. Earlier this year progress was being made and commentators were expecting the final version to be approved early in 2020 for implementation after a period of grace.

However there was a knockout blow in October 2019 as a committee rejected the draft ePrivacy Regulation. Commentators are now saying that it will require a major rewrite and will probably start the whole process again. The reason it was rejected is that there is no agreement across EU Member States about how we notify users about cookies, how the marketing consents should work etc.

So, to recap: PECR regulates the use of cookies and requires cookie notices to end users whose devices are used to store cookies and report information back. The form of cookie notices has changed with interpretation over the years and currently no consent is needed for essential cookies (shopping baskets and other basic functionality of the website) but GDPR standard consent (informed, specific, positive, unambiguous and evidenced) is required for non-essential cookies. For the avoidance of any doubt, Google Analytics has been classified as “non-essential” by the Information Commissioner’s Office.

PECR also rules that marketing by text or email is only permissible if:

• They have given positive or opt-in, time-limited, consent that can be evidenced or
• They are corporate subscribers, meaning that a company pays the broadband or mobile fees to receive the communication or
• They have bought or almost completed a purchase of the same or largely similar goods from the marketer previously (the “soft opt-in”).

These are the rules that currently apply in the UK. Note that other EU Member States will have implementd the ePrivacy Directive differently and so different rules will apply. If your business is using email to market internationally it will need to be up to date with current ePrivacy rules in each jurisdiction it trades with.

Direct marketing code of practice – Draft

The draft ePrivacy Regulation was rejected in the Autumn and will need a significant rewrite before it can be represented in the EU.  As such it will not be binding on the UK as we will no longer be part of the EU.  However it is likely to continue to influence our national direct marketing law.

The ePrivacy Directive is behind the Privacy and Electronic Communications Regulations 2003 (amended) which impacts on cookie notices and cookie consents and the rules around direct marketing by electronic means.

In the absence of an update from the EU, the Information Commissioner is reviewing the Code of Direct Marketing and has published a document for  public consultation here https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-the-draft-direct-marketing-code-of-practice/

Businesses are encouraged to provide feedback.

If you would like help understanding how personal data can be used for marketing, get in touch.