How to guide: Email and cookies legislation


From 26 May 2011 additional measures came into effect in the UK as part of an update of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (“the Regulations”). The revised law covers any technology that stores data on or uses data from a person’s “terminal device”, such as a computer, laptop, smartphone, web-enabled TV, etc. This includes technology that is used to track the activity of a user’s terminal online.

This paper provides guidance and good practice in relation to email tracking. Virtually all the comment, analysis and guidance so far published about the Regulations in the UK has focused on the use of cookies and similar technology by websites. Although the use of such technology by emails is not in any way exempted, very little, if anything, has been said about it.

The revised law – implementing the revised EU ePrivacy Directive – replaces the existing ‘notice and opt out’ provisions with a requirement to obtain consent for the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user… having been provided with clear and comprehensive information.

The new regulations do not mention “blank gifs” or “web beacons”, and whether or not open tracking in emails falls under the regulations is still unclear at this point. Regardless of whether a type of tracking is affected by the regulations, best practice is to make information about all types of tracking used in your email campaigns and on your website informative and easily accessible to consumers, regardless of why you are communicating with them.

Email is often different from a user visiting a website. With email, the user has agreed to receive the marketing email they are being sent. If at the point of recruiting a customer to email communications the marketer gives clear and concise information about the kind of data and how it will be used to serve emails, then it is likely that the recipient will have some expectation of measurement and tracking of their actions. This is known as “implied consent”.

If, however, the data is being used for more intrusive purposes, such as being combined with other data and used in a way that the recipient is unlikely to know about, understand or expect, then it will be affected by the new Regulations.

This guidance from the DMA and the IAB seeks to provide clear and transparent communications with consumers about the use of cookies and similar technology by email marketing. It also identifies potential approaches to good practice in obtaining informed consent to the use of such technology, as the law now requires. As the email marketing industry is still very much in learning mode on these issues and the Information Commissioner’s Office (“ICO”) has not yet published any guidance in this area, this How to Guide is not set in stone and will evolve over time.

This document does not constitute legal advice, but is informed guidance. This document was revised and re-issued in July 2013.
