Spam & Cookies
Unsolicited Communications to (Persons) I
A person may not use or cause to be used any publicly available electronic communications service to send to a subscriber or user who is a natural person an unsolicited communication for the purpose of direct marketing by means of
- an automated calling machine,
- a facsimile machine, or
- electronic mail,
unless the person has been notified by that subscriber or user that he or she consents to the receipt of such a communication.
“Consent” by a user or subscriber means a data subject’s consent in accordance with the Data Protection Acts and the Regulations. An “unsolicited communication” means a communication that is not requested by the contacted party. “Electronic mail” means any text, voice, sound or image message including an SMS message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
Unsolicited Communications to (Persons) II
“Communication” means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service, but does not include any information conveyed as part of a broadcasting service to the public over the electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information.
The use of electronic mail to send an unsolicited communication for the purpose of direct marketing to a natural person does not include an electronic mail to an email address that reasonably appears to the sender to be an email address used mainly by the subscriber or user in the context of their commercial or official activity and the unsolicited communication relates solely to that commercial or official activity.
Identifying Sender
The E-Commerce Directive requires EU States to ensure that any unsolicited commercial communication by e-mail clearly and unambiguously identifies the sender. The Irish Regulations require an unsolicited commercial communication by a “relevant service” provider established within the State to be clearly and unambiguously identified as such, by stating that it is an unsolicited commercial communication.
A “relevant service” is a service provided for remuneration at a distance by electronic means at the individual request of the recipient. The communication must be identified as being part of a relevant service. The persons on whose behalf they are sent must be clearly identifiable.
The provider must display prominently on its website, and in other places such as on key documents and registration forms, details of how natural persons can register their choice regarding unsolicited commercial communications.
Particulars to be Given in Direct Marketing Communications
A person who uses, or causes to be used, any publicly available electronic communications service to make a call or send a communication for the purpose of direct marketing shall—
- in the case of a call, include the name of the person making the call and, if applicable, the name of the person on whose behalf the call is made,
- in the case of a communication by means of an automated calling machine or a facsimile machine include the name, address and telephone number of the person making the communication and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made, or
- in the case of a communication by electronic mail, include a valid address at which that person may be contacted.
A person shall not send or cause to be sent electronic mail for the purposes of direct marketing, which—
- disguises or conceals the identity of the sender on whose behalf the communication was made,
- encourages recipients to visit websites or otherwise contravenes Regulation 8 of the European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), or
- does not have a valid address to which the recipient may send a request that such communication shall cease.
Direct Marketing of own Products or Services to Customers
A person who, in accordance with the Data Protection Acts, obtains from a customer the customer’s contact details for electronic mail, in the context of the sale of a product or service, shall not use those details for direct marketing unless
- the product or service being marketed is the person’s own product or service,
- the product or service being marketed is of a kind similar to that supplied to the customer in the context of the sale by the person,
- the customer is clearly and distinctly given the opportunity to object, in an easy manner and without charge, to the use of those details at the time the details are collected, and if the customer has not initially refused that use, each time the person sends a message to the customer, and
- the sale of the product or service occurred not more than 12 months prior to the sending of the direct marketing communication or, where applicable, the contact details were used for the sending of electronic mail for the purposes of direct marketing within that 12-month period.
Requirements for Marketing Mail (Details and Opt-Out)
An information society service is any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service.
An unsolicited commercial communication by an information service provider established within the State shall be identified clearly and unambiguously as such as soon as it is received by the recipient by stating that it is an unsolicited commercial communication. The natural or legal person on whose behalf the commercial communication is made shall be clearly identifiable.
Details of how natural persons can register their choice regarding unsolicited commercial communications shall be provided; these should be prominently displayed on the relevant service provider’s website and at every point where natural persons are asked to provide information at the provider’s website (for example a registration form).
Promotional offers, such as discounts, premiums and gifts shall be clearly identifiable as such, shall comply with any enactment for the time being in force relating to such activities and the conditions which must be satisfied in order to qualify for them shall be easily accessible and be presented clearly and unambiguously, and
Promotional competitions or games, where permitted under the law of the State, shall be clearly identifiable as such, and the conditions for participation shall be easily accessible and be presented clearly and unambiguously.
Unsolicited Marketing Offences
A person who contravenes the above requirements commits an offence. This applies to electronic communications, faxes and calling machines. It is an offence to use any publicly available electronic communication service to make an electronic unsolicited call for the purpose of direct marketing to corporations or State institutions, where the sender has been notified that the subscriber does not consent and this is recorded in a national directory database.
The sending of each unsolicited communication or electronic mail or the making of each unsolicited call constitutes a separate offence.
If, in proceedings for an offence under the Regulation, the question of whether or not a subscriber or user consented to receiving an unsolicited communication or call is in issue, the onus of establishing that the subscriber or user concerned unambiguously consented to receipt of the communication or call lies on the defendant.
A person who commits an offence under the Regulation is liable—
- on summary conviction, to a class A fine, or
- on conviction on indictment in the case of a body corporate, to a fine not exceeding €250,000, or in the case of a natural person, to a fine not exceeding €50,000.
Forfeiture of Data on Conviction
Where a person is convicted of an offence under the Regulation, the court may order any data material or data, which appears to the court to be connected with the offence, to be forfeited or destroyed and any relevant data to be erased.
The court shall not make the above order in relation to data material or data where it considers that some person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data material or data unless such steps as are reasonably practicable have been taken for notifying that person and giving him or her an opportunity to show cause why the order should not be made.
For the purpose of the Regulation, personal data shall be deemed to include a phone number or an e-mail address of a subscriber or user.
Right of Damages for Breach
A person who suffers loss and damage as a result of a contravention of any of the requirements of the Regulations by any other person shall be entitled to damages from that other person for that loss and damage.
In legal proceedings seeking damages against a person under the Regulations, it is a defence for a person to prove that he or she had taken all reasonable care in the circumstances to comply with the requirement concerned.
Unsolicited Telephone Call
A person shall not use or cause to be used any publicly available electronic communications service to make an unsolicited telephone call for the purpose of direct marketing to a subscriber or user, where—
- the subscriber or user has notified the person that the subscriber or user does not consent to the receipt of such a call, or
- the relevant information is recorded in the National Directory Database.
A person shall not use or cause to be used any publicly available electronic communications service to make an unsolicited communication for the purpose of direct marketing by means of a telephone call or automated calling machine to the mobile telephone of a subscriber or user unless—
- the person has been notified by that subscriber or user that he or she consents to the receipt of such communication on his or her mobile telephone, or
- the subscriber or user has consented to receiving such communication and such consent stands recorded on the date of such communication in the National Directory Database in respect of his or her mobile phone number.
Unsolicited SMS
A person shall not use or cause to be used any publicly available electronic communications service to send to a subscriber or user an SMS message for a non-marketing purpose which includes information intended for the purpose of direct marketing unless the person has been notified by that subscriber or user that he or she consents to the receipt of such a communication.
A subscriber or user shall be able to make a notification or make a request to record relevant information in the National Directory Database without charge. A person will not contravene the above requirement if the unsolicited communication concerned is made during the period of 28 days after a request or notification is received and recorded in the National Directory Database by the operator (now Eir) in respect of the subscriber or user concerned.
Data Protection and Marketing Communications
The Data Protection Act and GDPR have a profound impact on the lawfulness of marketing communications. Direct marketing includes direct mailing (including, in particular, e-mail), other than direct mailing carried out in the course of political activities by a political party or its elected members. They effectively prohibit unsolicited marketing communications to natural persons without consent in almost all cases. See the extensive sections on the regulation of personal data.
Both the E-Privacy Regulations and the EU wide General Data Protection Regulation must be complied with in relation to marketing communications. The fact that a particular communication is permissible under one of them only, is not sufficient.
Where a business collects personal e-mail addresses, the individuals concerned must be informed of, and consent to, how it is proposed to use their data. This includes e-mail addresses which contain the name of a living individual and refer to him, even if they relate to a non-personal use. The GDPR requires the consent to be specific, free, informed and explicit. The data subject must consent to the particular entity that uses the data. A general consent to unspecified third parties is insufficient.
Data Subject Right
Where personal data are processed for the purposes of direct marketing, the data subject has the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. This right must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
The collector / data controller must erase data kept for marketing, within 30 days of request from the data subject to whom it relates. If it is kept for other purposes, it may be retained, but may not be processed for direct marketing after that date. The controller must give the individual a notice in writing.
Legitimate Interest
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. The existence of a legitimate interest needs careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
Cookies (E-Privacy Directive)
The ePrivacy Directive provides that Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with the Data Protection Act / GDPR. The user must be offered the opportunity to refuse such use of his terminal equipment (computer, device, etc.).
This covers so-called cookies, which are data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing.
This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
Cookies (Irish Regulations)
The Irish Regulations provide that a person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless
- the subscriber or user has given his or her consent to that use and
- the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which is both prominently displayed and easily accessible, and includes, without limitation, the purposes of the processing of the information.
The methods of providing information and giving consent should be as user-friendly as possible. Where it is technically possible and effective, having regard to the relevant provisions of the Data Protection Acts, the user’s consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given his or her consent.
The above prohibition does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
Data Protection Commissioner Guidance on Cookies
In order to meet the legal requirements, the minimum requirement is clear communication to the user as to what he/she is being asked to consent to in terms of cookie usage, together with a means of giving or refusing consent. The Regulations do not prescribe how consent to drop cookies is to be obtained but envisage that, where it is technically possible and effective, such consent could be given by the use of appropriate browser settings, as long as reliance is not placed on the default browser settings.
It is particularly important that the requirements are met where so-called ‘third party’ or ‘tracking’ cookies are being deployed, such as when advertising networks collect information about websites visited by users in order to better target advertising. For cookie usage, this Office would be satisfied with a prominent notice on the homepage informing users about the website’s use of cookies with a link through to a Cookie Statement containing information sufficient to allow users to make informed choices and an option to manage and disable the cookies.
Not all cookies require consent to be used. These are cookies essential to delivering the service requested by the user – session cookies, authentication cookies (for the duration of the session) and user security cookies. This will generally be the case where the cookie is stored only for as long as the “session” is live and will be deleted at the end of the session.
Consent re Cookies
Practically, for Irish website operators the DPC suggests the following for minimum compliance with the regulations. The consent of the user must be captured. Consent may be obtained explicitly through the use of an opt-in check box which the user can tick if they agree to accept cookies.
Consent may also be obtained by implication where it is specifically notified that by continuing to use the site the user consents to the use of cookies in accordance with the cookies policy. As best practice, a positive action may be deployed to dismiss the notification. Many websites have addressed this issue by providing a ‘hide’ button which dismisses the notification.
Consent should be sought as part of a “prominent notification” displayed on entry to a web site (this might be the home page of the site but may also be via a ‘deep link’ to an inner page, which a user has found from a search result, for example).
Cookie Statement
The notification should contain a link to a Cookie Statement which will outline in greater detail how the site makes use of cookies. The Cookie Statement should contain clear and comprehensive information on
- how cookies are used,
- types of cookies used,
- details on how to remove them,
- description of their purpose,
- their expiry dates.
Clear and comprehensive information should be provided, including itemised cookie types and their purpose, e.g. preferences such as language or font, browsing and search history, tracking, session security and any third party cookies.
Third Party Cookies
Where third party cookies are being used, it is not sufficient to simply refer the user to third party websites. In such situations or where there are many cookies being created or read by the site (or its partners), the DPC recommends the inclusion in the Cookies Statement of a tabulated explanation of all cookies with the following details:
- type
- name
- a description of their purpose
- their expiry dates
- links to advertising networks’ opt-out mechanisms for third party cookies
In terms of who is the data controller when third party cookies are deployed, the website operator is regarded as a joint data controller alongside the advertising network because even though the cookies are created by the third party site, the website operator has chosen to host these 3rd party cookies on its website.
Unsolicited Communications by Automated Calls or Faxes (Corporate Opt-Out)
A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of an automated calling machine or a facsimile machine to a subscriber or user, other than a natural person, where—
- the subscriber or user has notified the person that the subscriber or user does not consent to the receipt of such a communication, or
- the relevant information is recorded in respect of the subscriber or user in the National Directory Database.
A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber or user other than a natural person, where the subscriber or user has notified the person that the subscriber or user does not consent to the receipt of such a communication.
Offences
A person who breaches the Regulations is guilty of an offence. Where a person is convicted of an offence, the court may order any data material which appears to the court to be connected with the offence to be forfeited or destroyed and any relevant data to be erased.
The court shall not make an order in relation to data material or data where it considers that some person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data unless such steps as are reasonably practicable have been taken for notifying that person and giving him or her an opportunity to show cause why the order should not be made.