Anti-Spam Legislation: EUROPE
[NOTE: The information below should not be considered legal advice; contact your own legal counsel for specific direction.]
E-Privacy Directive

The Electronic Privacy Directive has been drafted specifically to address the requirements of new digital technologies and ease the advance of electronic communications services. The Directive complements the Data Protection Directive and applies to all matters which are not specifically covered by that Directive. In particular, the subject of the Directive is the “right to privacy in the electronic communication sector” and free movement of data, communication equipment and services.
Data retention and other issues
The directive obliges the providers of services to erase or anonymize the traffic data processed when no longer needed, unless the conditions from Article 15 have been fulfilled. Retention is allowed for billing purposes but only as long as the statute of limitations allows the payment to be lawfully pursued. Data may be retained upon a user’s consent for marketing and value-added services. For both previous uses, the data subject must be informed why and for how long the data is being processed.
Subscribers have the right to non-itemised billing. Likewise, the users must be able to opt out of calling-line identification.
Where data relating to location of users or other traffic can be processed, Article 9 provides that this will only be permitted if such data is anonymized, where users have given consent, or for provision of value-added services. Like in the previous case, users must be informed beforehand of the character of information collected and have the option to opt out.
Data retention and other issues
The directive obliges the providers of services to erase or anonymize the traffic data processed when no longer needed, unless the conditions from Article 15 have been fulfilled. Retention is allowed for billing purposes but only as long as the statute of limitations allows the payment to be lawfully pursued. Data may be retained upon a user’s consent for marketing and value-added services. For both previous uses, the data subject must be informed why and for how long the data is being processed.
Subscribers have the right to non-itemised billing. Likewise, the users must be able to opt out of calling-line identification.
Where data relating to location of users or other traffic can be processed, Article 9 provides that this will only be permitted if such data is anonymized, where users have given consent, or for provision of value-added services. Like in the previous case, users must be informed beforehand of the character of information collected and have the option to opt out.

Unsolicited e-mail and other messages
Article 13 prohibits the use of email addresses for marketing purposes. The Directive establishes the opt-in regime, where unsolicited emails may be sent only with prior agreement of the recipient. A natural or legal person who initially collects address data in the context of the sale of a product or service, has the right to use it for commercial purposes provided the customers have a prior opportunity to reject such communication where it was initially collected and subsequently. Member States have the obligation to ensure that unsolicited communication will be prohibited, except in circumstances given in Article 13.
Two categories of emails (or communication in general) will also be excluded from the scope of the prohibition. The first is the exception for existing customer relationships and the second for marketing of similar products and services. The sending of unsolicited text messages, either in the form of SMS messages, push mail messages or any similar format designed for consumer portable devices (mobile phones, PDAs) also falls under the prohibition of Article 13.
Cookies
The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognizes the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies. For cookies that are deemed to be ‘strictly necessary for the delivery of a service requested by the user’ the consent of the user is not needed. An example of a ‘strictly necessary’ cookie is when you press ‘add to basket’ or ‘continue to checkout’ when shopping online. It is important that the browser remembers information from a previous web page in order to complete a successful transaction.
The article is technology neutral, not naming any specific technological means which may be used to store data, but applies to any information that a website causes to stored in a user's browser. This reflects the EU legislator’s desire to leave the regime of the directive open to future technological developments.
The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information in a visitor's browser is only allowed if the user is provided with “clear and comprehensive information”, in accordance with Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given his or her consent.
The regime so set-up can be described as opt-in, effectively meaning that the consumer must give his or her consent before cookies or any other form of data is stored in their browser. The UK Regulations allow for consent to be signified by future browser settings, which have yet to be introduced but which must be capable of presenting enough information so that a user can give their informed consent and indicating to a target website that consent has been obtained. Initial consent can be carried over into repeated content requests to a website. The Directive does not give any guidelines as to what may constitute an opt-out, but requires that cookies, other than those "strictly necessary for the delivery of a service requested by the user" are not to be placed without user consent.
Source: Wikipedia
Article 13 prohibits the use of email addresses for marketing purposes. The Directive establishes the opt-in regime, where unsolicited emails may be sent only with prior agreement of the recipient. A natural or legal person who initially collects address data in the context of the sale of a product or service, has the right to use it for commercial purposes provided the customers have a prior opportunity to reject such communication where it was initially collected and subsequently. Member States have the obligation to ensure that unsolicited communication will be prohibited, except in circumstances given in Article 13.
Two categories of emails (or communication in general) will also be excluded from the scope of the prohibition. The first is the exception for existing customer relationships and the second for marketing of similar products and services. The sending of unsolicited text messages, either in the form of SMS messages, push mail messages or any similar format designed for consumer portable devices (mobile phones, PDAs) also falls under the prohibition of Article 13.
Cookies
The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognizes the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies. For cookies that are deemed to be ‘strictly necessary for the delivery of a service requested by the user’ the consent of the user is not needed. An example of a ‘strictly necessary’ cookie is when you press ‘add to basket’ or ‘continue to checkout’ when shopping online. It is important that the browser remembers information from a previous web page in order to complete a successful transaction.
The article is technology neutral, not naming any specific technological means which may be used to store data, but applies to any information that a website causes to stored in a user's browser. This reflects the EU legislator’s desire to leave the regime of the directive open to future technological developments.
The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information in a visitor's browser is only allowed if the user is provided with “clear and comprehensive information”, in accordance with Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given his or her consent.
The regime so set-up can be described as opt-in, effectively meaning that the consumer must give his or her consent before cookies or any other form of data is stored in their browser. The UK Regulations allow for consent to be signified by future browser settings, which have yet to be introduced but which must be capable of presenting enough information so that a user can give their informed consent and indicating to a target website that consent has been obtained. Initial consent can be carried over into repeated content requests to a website. The Directive does not give any guidelines as to what may constitute an opt-out, but requires that cookies, other than those "strictly necessary for the delivery of a service requested by the user" are not to be placed without user consent.
Source: Wikipedia