New EU Directive on Electronic Privacy Targets Cookies and Spam


Privacy protections are about to be expanded still further in the European Union. The new requirements will affect a wide range of businesses involved in network service provision, Internet services, subscriber directories, mobile telephone services and direct marketing, and must be implemented by October 31, 2003. Companies with EU operations are planning now to prepare for the new rules. All EU Member States will need to enact implementing legislation by that date.

The Directive on Privacy and Electronic Communications (2002/58/EC) (DEPC) goes beyond the EU's Directive on Data Protection, which was discussed in our June 24, 1999, April 18, 2000 and December 27, 2001 Internet Alerts. While the Directive on Data Protection focuses on the processing of personal data, the DEPC targets specific technical methods of collection and the sort of data that can be obtained by such devices.

A key change is a new restriction on the use of cookies and similar tracking devices on websites. Article 5 of the DEPC requires that, when personal information stored on the user's terminal is accessed, or when personal information about users is stored on a network (other than purely for technical reasons or under strict necessity to provide a requested service), the user must be clearly and fully informed about the purposes of such access or storage of his personal information, and then be allowed to prevent it by opting out.

The user's terminal includes not only personal computers, but also other devices used to access public telecommunications networks.

The DEPC specifically refers to and covers the use of cookies, as well as "spyware, web bugs, hidden identifiers" and "other similar devices" that can enter the user's terminal without the user's knowledge to access information, store hidden information or trace the user's activities (Recital 24).

Users must be provided with "clear and precise information" about the purpose of such devices and the information being placed on their terminals. This notice and opportunity to opt out may be offered once during a connection for the various devices to be installed and any future use of those devices during subsequent connections (Recital 25).

When information is stored automatically or on an intermediate or transient basis solely to permit the network transmission, the information may be retained only so long as is necessary for that purpose and only to the extent that confidentiality remains guaranteed (Recital 22).

Apart from the rule on tracking devices, the DEPC contains some other changes:

  1. Except in the case of existing customer relationships (where opt-outs will prevail), prior consent will be needed before sending unsolicited commercial email, or "spam," and unsolicited short message service (SMS) texts. This spam restriction was previously discussed in our August 12, 2002 Internet Alert;

  2. Subscribers will have increased rights to control the inclusion of their data in directories and to acquire information about the purposes to which such directory-listed data may be put; and

  3. There is a clearer freedom for service providers to use location-based information to provide value-added services. Location data may only be processed either if it is anonymous, or with the permission of the data subject. In the U.S., consumers must affirmatively opt in before their wireless location data may be used for most services. For a further discussion of the U.S. requirements with respect to use of wireless location data, see our April 26, 2001 Internet Alert.

The Directive also requires that penalties be set and imposed on those who do not comply with Member States' requirements.

These changes are part of the European Union's continuing effort to establish a common set of laws and regulations with respect to electronic communications and the commercial use of personal information.

Mark Haftke