We don’t subscribe to the idea that it’s impossible to understand privacy law. But you do need to understand how terms are used, especially when they have more than one definition. Here we aim to clarify the meaning of ‘subscriber’ as it is used in the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
Ever subscribed to a magazine, or are you too millennial for paper nowadays? Perhaps you’ve agreed to receive updates from your favourite retailer, only to realise your inbox has become saturated with promotion after missing an important message from a friend or family member. Unsubscribe — click.
So in relation to the publishing and marketing worlds, we know what subscribing and unsubscribing are. We know that Adobe and Microsoft along with many others now offer their software on a monthly payment basis rather than up front purchase. They call this a “subscription model”.
The more tech-savvy amongst us may be aware of another use of the word “subscriber” that forms part of the abbreviation DSL. DSL stands for Digital Subscriber Line, and is used in the telecommunications industry to refer essentially to several types of internet connection over a telephone line. To a telco, their customer is the “subscriber”, as they’re renting a digital line.
PECR implements the EU’s Directive 2002/58/EC into UK law, and covers a number of electronic communication methods including internet connectivity, SMS and email. The vast majority of the legislation relates to telcos, but marketers — which could be just about anyone — have to pay particular attention to how digital direct marketing is regulated and what the restrictions are. Words like “consent” are redefined by new data protection law, and a raft of clarifications and guidance documents have been published by the Information Commissioner’s Office (ICO) to assist businesses and organisations in the private, public and third sectors to comply.
In our experience as data protection consultants however, nothing in PECR attracts more confusion than the word “subscriber”. Regulation 22 is partly to blame, regulating as it does the delivery of email marketing to individuals as distinct from corporations, or individuals within corporations. The terms “individual subscriber” and “corporate subscriber” are used to differentiate, and which category a recipient is in determines what lawful basis may be permitted under data protection law for processing their personal data. Not to be scoffed at in relation to compliance, of course.
But the problem is that as soon as you mention the word “subscriber” in the same breath as email marketing, you slam into all those associations marketers and even the general public have in relation to “subscribing” and “unsubscribing”. Even those less au fait with digital marketing may equate “subscriber” with “subscriptions” in publishing.
Thankfully, lawmakers did clarify the definition in Regulation 2 (Interpretation), so while it may not be easy, it is possible to understand:
“subscriber” means a person who is a party to a contract with a provider of public electronic communications services for the supply of such services
The distinction becomes even more important when we discuss “corporate subscribers,” defined even more explicitly in Regulation 2, but suffice to say it’s a subscriber per the above meaning that is incorporated, such as a public or private limited company, a Scottish partnership or a limited liability partnership, who are considered a “legal person”. The ICO have gone to great lengths to clarify that this doesn’t extend to sole traders or unincorporated partnerships.
The reason this is important, is that Regulation 22 doesn’t apply to corporate subscribers. So what if an “individual” has an email address at work with their name in it? Precisely why the word “subscriber” needs to be understood. The email service itself is contracted by and for the company that person is working at, so the individual is not the subscriber, even if they have “subscribed” to a mailing list, including for personal reasons. Unlike a generic corporate email address, however, a personal corporate email address featuring a name or distinctive job title will identify a “natural person” as well, and is considered personal data under the General Data Protection Regulation (“GDPR”). You therefore have two parallel compliance burdens in relation to a single act of marketing, and don’t expect the recipient to understand if you didn’t at first.
Getting it right requires an overview of how these terms and pieces of legislation mesh together — or don’t — to create the compliance landscape you fit into, whether you’re a data subject looking to exercise your rights or right a wrong, or a marketer looking to do things by the book.
If you’re stuck between subscriptions and subscribers and need a way out, Privada may be able to help.