Unnoticed by the vast majority of digital law pundits, the potential impact of the 25 May 2011 website and email cookie law reforms on mobile Bluetooth and near-field communication applications could be significant. Nick Johnson reveals his find and the implications.
Topic: Mobile marketing
Who: European Commission, UK Department for Culture, Media and Sport
When: 25 May 2011
Law stated as at: 6 June 2011
A subtle change to the wording of Regulation 6(1) of the Privacy and Electronic Communications Regulations 2003 (the "PEC Regs") may have significant implications for Bluetooth and near-field communications ("NFC") activities.
Here is a mark-up showing how the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 – best known for its changes to the law on "cookies" – has changed that provision:
Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
The previous language did not catch Bluetooth and NFC activity as such: these technologies use radio waves to transmit and receive information locally on mobile devices, rather than routing the information via a telecoms network. But the new language is much broader and is not tied to storage or access via an electronic communications network.
(It is clear from other existing provisions in the Regulations that "terminal equipment" must for these purposes include phones and other mobile devices: see for instance the definition in the Regulations of "electronic mail", which "includes messages sent using a short message service".)
Why this matters:
The change means that those working with Bluetooth and NFC technologies now need to ensure they comply with the same disclosure and user choice rules that apply with online cookies. However, the guidance published to date by government and the Information Commissioner's Office does not give any indication as to how the Regulations (as amended) should be interpreted and applied in this context.
Does this mean that any Bluetooth or NFC communication with a user's device will require a "clear and comprehensive" prior disclosure and consent from the user? Until there is official guidance on this, the position remains somewhat unclear, but:
- It seems strongly arguable that the initial "handshake" with a user's device would not require any special disclosure or consent. The "handshake" is what happens when a service provider detects a Bluetooth/NFC-enabled device, and exchanges information with it to establish the device's identity and other basic information. The argument goes that, by putting their Bluetooth setting to "on", the user has requested the "information society service" of being visible to and identifiable by other Bluetooth devices. On that basis, the handshake may fall within the exception at Regulation 6(4).
- The new Regulations raise significant questions over whether the compliance requirements for unsolicited marketing messages sent by Bluetooth have changed. Does the user's "on" setting give adequate consent for these purposes under Regulation 6? Or are we now in a position where signage (or other prominent disclosure) and some affirmative step by the user (eg holding their device up to an identified transmitter) are required?
Those engaged in "push" marketing by Bluetooth or NFC may wish to review their practices in light of this change in the law.