Unwanted mail about competitions, credit cards and changing careers is no longer limited to just falling through your postbox, reports Marcus Turle.

Cookies - information planted by Web sites on visitors' computers for marketing purposes - has meant everyone at some time has suffered from a bombardment of junk e-mail, otherwise known as spam

Rules came into force on 11 December that add a further layer of regulation to the way companies use electronic communications in their marketing.

The use of cookies and location data will also be regulated.

The Data Protection Act 1998 already governs the way we use information that identifies people, but the new rules go further.

One fundamental change, intended to assuage consumers and privacy advocates, is that for some types of information, even non-personally identifying data will be caught.

This presents a significant challenge for companies which market to consumers, while the rules for cookies will affect even those who operate on an exclusively business-to-business basis.

The Privacy and Electronic Communications Regulations 2003 implement in the UK the directive of the same name.

The regulations apply to the sending of direct marketing messages by 'electronic means' - the term being deliberately technology-neutral so that it will cover new developments in electronic communications as and when they become established.

'Direct marketing' covers a wide range of activities, applying not just to the offer for sale of goods and services, but also to the promotion of an organisation's aims and ideals.

'Unsolicited' direct marketing should also be distinguished from solicited marketing.

The latter is marketing that you have actively invited, the former is not - it is marketing that you have positively indicated you do not mind receiving.

In essence, the regulations require that organisations must have advance consent for any kind of electronic marketing to individuals.

'Consent' means some positive indication, which must be freely given and informed - individuals must fully appreciate that they are consenting and fully appreciate what they are consenting to.

There is one exception to the rule about having advance consent, known as the 'soft opt-in'.

Under this, organisations are allowed to send direct marketing electronically to existing customers (or to recipients with whom the company has negotiated for a sale in the past), provided:

- The marketing in question is for similar products or services;

- The target was given a chance to refuse marketing material at the time the details were originally collected;

- The target has been given an opt-out in each subsequent marketing communication.

What are similar products and services? The Information Commissioner is taking a purposive approach to this, on the basis that the intention is to ensure that individuals do not receive promotional material about products and services that they would not reasonably expect to receive.

The regulations attempt to prevent the conventional practice by spammers of disguising junk mail with tempting and irrelevant subject headings, and of disguising their identity by including a dud e-mail address in the 'From' field.

You now have to make it clear that your unsolicited material is just that - without the recipient having to open the message to see it - and give a valid address and a simple means by which to unsubscribe.

How does this apply to text, picture and video messaging? The short answer is that it applies exactly as it does to e-mail.

The practical limitations of standard mobile screens do not mean that marketers can ignore the rules.

Assuming the recipient has clearly consented to the receiving of messages, each message must identify the sender and provide a valid suppression address.

For those relying on the soft opt-in exemption, then there is the additional obligation to provide a simple means of refusing further marketing with every message.

The Regulations sit next to the Data Protection Act 1998, with which everyone must continue to comply.

However, the important point to note is that whereas the Data Protection Act only applies to marketing using contact information that actually identifies the individual, for the purposes of the regulations, marketers do not need to know individuals' names to conduct a direct marketing exercise.

Regardless of whether the Act applies to the marketing in question, the regulations will apply if the organisation is using electronic means to send unsolicited direct marketing.

Importantly, the new rules do not extend to companies that receive electronic marketing, so business-to-business marketers are free to continue as they were, at least for now.

However, there is one striking anomaly in that companies are excluded but partnerships and sole traders are not (the same rules apply to these as to consumers).

This is something of a mystery, particularly since the government recognised the inconsistency (which was in the draft regulations) when it responded last September to the public consultation.

It left it in, saying it might point to further rights for corporates in the longer term.

On its face, it seems sensible that companies should be allowed to market to one another (and this includes sending e-mails to their employees) without everyone becoming obsessed with privacy concerns.

It is still open for companies to put up firewalls to block a good proportion of what they don't want, and to participate in the Direct Marketing Association's e-mail preference service, administered by the Direct Marketing Service in the US (see www.dma.org.uk).

Nevertheless, the all-party parliamentary internet group has already called for the Department of Trade and Industry to ban the sending of spam to business addresses when it changes the rules on business-to-business cold calling (probably next year).

It has made this recommendation in the light of it not being clear what constitutes business spam.

What is the position in relation to cookies? Regardless of whether a cookie collects data that identifies individuals, from 11 December it is mandatory before installing any cookie to tell the terminal user what its purpose will be, and allow the user to refuse it.

In fact, the rules extend to any kind of device or 'spyware' which may be installed on a user's terminal via a public telephone network with the object of collecting information about them.

This is a significant development and extends the arm of privacy considerably farther than the Data Protection Act.

There are exceptions for the storage of or access to information required merely to send or to enable a communication over a public network or where strictly necessary for providing a service at the user's request.

The regulations will present significant challenges to organisations that market to individuals or partnerships using e-mail or other electronic media.

Marketers clearly need to consider the implications for the future, but also whether mailing lists compiled before 11 December 2003 are still usable (in light of the new consent requirements) and how the new rules might affect the use for marketing of bought in and rented lists.

And every organisation with a Web site needs to consider the implications of the new rules for using cookies.

Marcus Turle is an assistant solicitor in the technology law group at City law firm Field Fisher Waterhouse