Posted by: Malcolm Jarvis CIPP/E
While the GDPR continues to grab all the headlines, another, more targeted piece of legislation is slowly making its way through the labyrinth of EU lawmakers. The new ePrivacy Regulation is just as relevant to cold calling as the GDPR itself, and while its target date of 25th May 2018 is looking increasingly unlikely, it’ll still be upon us within the next year or so.
Before we crack on, please bear in mind the usual disclaimer that I’m neither a solicitor nor a legal expert. All information below is from my own research and interpretation, and I’ve included links wherever possible so you can check my reasoning and form your own opinion.
What is the ePrivacy Regulation?
The ePrivacy Regulation is what’s known as a lex specialis to the GDPR. If you can’t be bothered looking up a legal terms dictionary, the gist is that it clarifies and extends parts of the GDPR in relation to a particular subject. In this case, the special subject is electronic communication, which includes email marketing, SMS messages, voice broadcasting and live direct marketing calls, amongst other things.
The ePrivacy Regulation is the new version of the 2002 ePrivacy Directive, which was last revised back in 2009. The change in name from “Directive” to “Regulation” is not a coincidence. Within the EU, a “directive” is effectively a set of end goals that are left to individual nations to decide how they’ll implement them within their borders. In the UK, the ePrivacy Directive was materialised in the Privacy and Electronic Communications Regulations 2003 (the PECR) which is where the current laws around the Telephone Preference Service (TPS) and consent for voice broadcasting and SMS marketing and so on currently reside.
A “regulation” on the other hand is a different beast. Like the General Data Protection Regulation, the ePrivacy Regulation, when enacted, immediately becomes law in all member states of the EU, without the need for any additional laws to be enacted within the states themselves. That doesn’t mean that there can’t be national enhancements or interpretations of a regulation. For example, the Data Protection Bill currently going through parliament in the UK will lead to a new Data Protection Act. While this will be largely based on the GDPR, it will also add additional rules and definitions just for application in the UK.
While the “Great Repeal Bill” means that the GDPR will be adopted into UK law in full when Britain leaves the EU, depending on when the new ePrivacy Regulation is finalised, it may or may not be automatically adopted in the UK in full on completion. It’s important to remember though that the ICO is deeply involved with the construction of the ePrivacy Regulation and the UK government seems set on following the majority of EU regulations after departure from the EU. If there are any changes in the UK’s adoption of the rules, they’ll likely be very minor variations.
And just so we’re all clear, “electronic communication” is just that - any means of communicating with an individual or company that doesn’t work without electricity. This means it applies to manually dialled phone calls, but not postal mailshots or carrier pigeons. Have a look at paragraph 14 on page 14 of the Regulation to see just how broad the scope of the definition is.
So, in short, the ePrivacy Regulation is an extension of the GDPR focused specifically on the rules about privacy that relate to all forms of electronic communication. While it covers a number of different aspects in this field, in this article we’re just going to look at it from the point of view of cold calling.
What Does the ePrivacy Regulation Say About Cold Calling?
Article 16 of the ePrivacy Regulation is where we find the section on “Unsolicited Communications”. There are seven paragraphs here, and the ones that are of most interest are the first, third and fourth. Let’s have a look:
- Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.
Pretty straight forward, and you can see the cause for concern among companies looking to promote their products and services through direct marketing. Essentially this says that individuals (natural persons) and companies/organisations (legal persons) may use electronic communication for the purposes of direct marketing provided they have the consent of the individual.
As you’ll no-doubt already know, the rules for consent are becoming much more strict under the GDPR (if you’re not fully up to speed, you can have a look at my earlier post for an overview). This means that if consent is required for all forms of marketing then that would indeed be an end to cold calling as we know it. This might seem like good news for Joe Public, but not so good when you consider the impact on businesses. Let’s move on.
- Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic communications services for the purposes of placing direct marketing calls shall:
(a) present the identity of a line on which they can be contacted; or
(b) present a specific code/or prefix identifying the fact that the call is a marketing call.
This is all about CLIs, the outbound numbers that companies doing direct marketing calls display when calling out. The opening of “without prejudice” just means that this rule applies in addition to the rules in paragraph 1 (legal dictionary at the ready).
Point (a) is nothing new - that’s the law as it stands. Point (b), however, is new, certainly within the UK. This gives companies the choice to either present a number that they can be called back on, or present a number with a specific prefix that makes sure that the individual being called knows that it’s a marketing call. In other words, all marketing calls would go out with a prefix of, say, 0399. This would mean that individuals could either choose whether to accept calls knowing in advance that its a marketing call, or just block all 0399 calls completely.
Significantly. the Article 29 Working Party (the group of data protection experts drafting this legislation) have already commented (page 22, point 31) that they didn’t intend these two rules to be an either/or scenario, rather that both should apply.
Personally, I feel this somewhat misses the point. Companies that provide genuine, valuable goods and services who present a number identifying all their marketing calls as such will find their marketing efforts substantially less effective under this rule. Companies that provide poor goods and services, or those who are looking to scam people, will just ignore the rule. Sure, a world where no-one receives any interrupt-based marketing sounds great to a lot of people, but it’s also essential to a lot of businesses that directly or indirectly employ many of those same people.
Whether or not this paragraph is amended to remove the “or” remains to be seen, but it’s two letters that will be worth keeping an eye on in future versions as they have significant meaning for outbound call centres.
For the moment though, the way I’d interpret the two rules together is that companies carrying out direct marketing calls from a number identified as being for marketing purposes don’t need to use a number that allows the recipient to call back. If you do provide a number allowing the recipient to call back, then you won’t need to use a marketing-specific prefix.
Either way, this doesn’t do anything to address the blanket requirement for consent for any form of marketing by electronic means. Fortunately, we have paragraph 4:
- Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural persons shall only be allowed in respect of end-users who are natural persons who have not expressed their objection to receiving those communications.
This is perhaps the most difficult of the paragraphs to comprehend. Firstly, we need to look up “notwithstanding” in the context of legal jargon (or, as I did, check with your solicitor). “Notwithstanding” clauses can replace or overrule the clause that they refer to, under the given circumstances. So in this case, individual countries may decide to swap the need for consent for live direct marketing calls and instead use an opt-out system. Sound familiar?
Basically this means each country in the EU may choose not to require consent for live direct marketing calls (this doesn’t apply to voice broadcasting), and instead implement an opt-out system. In other words, the TPS will still apply should the government choose to keep it. It seems logical that the reason this flexibility needs to exist in the regulation is that different countries already have their own versions of the TPS in place. For example, France, Spain and Ireland have TPS for landlines, but not for mobiles, which already need consent. In Germany, Portugal and Austria, all marketing calls already require consent.
Whether the UK government decides to bin the TPS and instead move to a consent-only system for live marketing calls, we don’t know yet. There haven’t been any indications thus far, but that’s understandable when you recall that this legislation isn’t even finished yet.
One possible indication is contained in the recitals to the ePrivacy Regulation (page 20):
(36) Voice-to-voice direct marketing calls that do not involve the use of automated calling and communication systems, given that they are more costly for the sender and impose no financial costs on end-users. Member States should therefore be able to establish and or maintain national systems only allowing such calls to end-users who have not objected.
Note that the definitions listed in the regulation (Article 4) define “automated calling and communication systems” as "systems that automatically initiate calls then transfer sounds that aren’t live speech", so this excludes voice broadcast systems, but not diallers that immediately connect calls to live agents.
This seems to indicate that the authors of the ePrivacy Regulation acknowledge that employing people in a call centre and investing in those individuals’ training and development, paying for their taxes, holiday, sick pay, office space and management is very different to initiating bulk communication via email, SMS, voice broadcast or any other electronic communication mechanism. There’s a real cost to the company carrying out the direct marketing and a much more substantial and distributed benefit to the individuals employed. Hopefully this won’t be forgotten as the legislation moves through its final stages.
So far, it looks like the ePrivacy Regulation might just squeeze through without putting an end to all cold calling as we know it. In combination, the GDPR, ePrivacy and the many other regulations that call centres are subject to will provide substantial protection to EU citizens giving them swathes of new rights and protections. Provided these rules are properly enforced and companies ignoring them are reformed or removed, cold calling has a good chance of renewing its public image over the years to come. Let’s hope the baby doesn’t get thrown out with the bath water in the process.