Home » Topics » Cybersecurity » Keep it private

Keep it private

Avatar photoby Ben Rossi

Back in the early days of email – and it was only in the mid-1990s – spam was not a problem. Unsolicited, unwanted email was rare, and any ‘spammers' were ‘flamed' (blasted with retaliatory hate mail) by the new, community-minded citizens of cyberspace.

But that was too good to last. Spammers not only learned tricks to prevent identification and retaliation, but they also benefited from the compelling economics of mass email marketing. Legitimate businesses could not ignore the opportunity, and added to the weight of email.

 
 

The e-Privacy Directive

The Directive on Privacy and Electronic Communications (e-Privacy Directive), was adopted by the European Parliament and the Council in July 2002. It sets EU-wide rules for the protection of privacy and personal data in mobile and fixed communications.

These rules were to be written into national law by October 2003; the UK implemented the Directive by statutory instrument within that deadline. The Directive says that service suppliers or businesses must:

  • Delete or ‘anonymise' personal traffic data after it is no longer needed; give users rights to keep details private
  • Obtain subscriber consent before marketing by email
  • Tell customers how their data is going to be processed
  • Obtain permission before using location data, and only use that data to provide an agreed service; allow users to block location data
  • Ensure security of user's behaviour and data
  • Inform customers of the use of cookies, of possible security risks, and advise how they can address these risks; give subscribers the right to deny the use of cookies

In the UK, the Information Commissioner enforces the law; failure to comply is criminal offence, and businesses can be fined or be forced to pay compensation if they do not comply.

 

 

By 2003, spam was ubiquitous, and was costing European businesses $2.5 billion a year to deal with, according to Ferris Research, a US-based research company.

With technology struggling to control spam, both the European Union and the US government banned the practice. In the US, the Can Spam Act is clearly targeted at cynical spammers and pornographers (see page 30), and scarcely affects legitimate businesses.

But in Europe, the Directive on Privacy and Electronic Communications is much broader, and affects all businesses that use electronic media for direct marketing – even those communicating to their own customers. The law covers phone calls as well as emails and interactions between web sites and their visitors.

The law, enforced in the UK from October 2003, requires service providers to secure personal and behavioural data (such as location, or caller IDs), and gives recipients the right to refuse cookies from being installed on their machines. Most controversially, however, it forces email senders to secure the permission (‘opt in') of the recipient before sending them unsolicited direct marketing email. This is the case even when the sender has a previous relationship with that individual.

The law is having a significant impact on the way legitimate businesses gather and record data on customers, and how they interact with them through email and the web. This has made it unpopular, and in some European states, there is clearly little inclination among governments to enforce the law.

In the UK, the Direct Marketing Association views the directive as an onerous law that will do more to restrict European businesses' marketing practices than reduce the flow of spam. It points out that 90% of spam comes from outside the EU region, the majority from the US.

Most of the controversy centres on the use of email data. Many businesses communicate to their customers and partners by email, but the law now makes it difficult for them to email these individuals and cross-sell them services from other parts of their business. According to law firm Eversheds, businesses can target customers who have bought products or services from them in the past, subject to a handful of provisos. For example, a customer's details must have been collected in the context of a ‘sale', and at that time, they must have been told about the possible use of their data for marketing.

In addition, there is also a legitimate direct marketing industry that sells customer data, including emails, that has effectively been outlawed. Researchers report that ‘opt in' rates for receiving promotional emails are below 10%. These businesses are now seeking ever more creative ways of circumnavigating the law – such as offering free goods or services in return for marketing permissions.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise