In brief…
If you want to compile a telephone, fax or email directory or offer a directory enquiry service, you must tell individuals and give them the chance to opt out. You must also get express opt-in consent for reverse searches (eg using a phone number to look up a name).
In more detail…
- What kind of directories are covered?
- What do we need to do to comply?
- What information must we provide?
- Do we need consent to put people in our directory?
- Who should we leave out?
What kind of directories are covered?
There is no definition of directory, but the regulations refer to:
“a directory of subscribers, whether in printed or electronic form, which is made available to members of the public or a section of the public, including by means of a directory enquiry service”.
This means any directory or service whose main function is to allow someone with a minimum amount of information (such as name and approximate address) to look up phone, fax or email contact details (including mobile phone numbers).
In our view, this does not cover types of directory that are not solely or mainly to provide a comprehensive list of subscribers’ contact details, even if they include some contact details of a particular group of people. For example, trade directories whose main purpose is to provide detailed information about certain types of businesses would not be covered, nor would church or club membership contact lists. Similarly, we do not consider that WHOIS look-up services are covered. The main purpose of WHOIS is to search for information about the identity of the person who has registered a website, rather than to search for contact details of subscribers.
What do we need to do to comply?
The rules on directories are in regulation 18. In brief, if you want to compile a directory, you must:
- tell individual subscribers;
- give them the chance to choose whether to be included;
- get their express consent for reverse searches; and
- correct or withdraw entries on request.
You cannot charge for opt-outs or corrections.
What information must we provide?
Before you can include an individual in a directory, you must explain its purposes to them. In particular, your explanation should include:
- what the directory is and what information is included;
- that people who know their name and approximate address will be able to look up their phone number;
- whether people with their phone number will be able to look up their name and address (reverse searches); and
- how to opt out.
If you offer a range of ex-directory options, you must explain how each of them works. The individual must understand the consequences of choosing particular options.
There is an established competitive market in telephone directory information services and products. A core set of minimum information is needed for a directory to work, but you can decide what additional personal data is relevant to your particular directory. The more the information differs from what directories traditionally publish (name, address and phone number), the more information you will need to give people to ensure they understand what you are doing with their personal data.
This also ties in with the transparency requirements of the UK GDPR. See our separate Guide to UK GDPR for more information.
You do not have to provide this information to companies or other corporate subscribers (limited liability partnerships, Scottish partnerships and government bodies).
Do we need consent to put people in our directory?
You must give individuals the chance to decide whether they want to be included.
PECR do not say this needs to be opt-in consent. However, you must at least give individuals a clear chance to opt out. The person must fully understand they have made a choice and will be included in the directory unless they opt out, and it must be simple to opt out. You must have given clear and prominent information about how to opt out and specifically drawn the person’s attention to this – it is not enough to rely on ‘small print’ on your website or on a bill.
However, you will need express opt-in consent if your directory includes reverse searches that allow people to look up a name and address from a phone number. Consent must always be freely given, specific, and fully informed, and will not be valid if it is buried among terms and conditions. The clearest way to obtain consent for reverse searching will be to provide a specific opt-in box and a clear and concise explanation of how searches work.
This does not apply to companies or other corporate subscribers (limited liability partnerships, Scottish partnerships and government bodies) – although they still have the right to opt out.
Who should we leave out?
You cannot include any individual if you have not yet given them the relevant information or the chance to opt out.
You cannot include any individual or business who has told you they want to opt out.
You must also remove or correct someone’s details on request. This only applies to future editions of your directory. In other words, you do not need to recall existing editions of printed directories – but you must amend future printed editions, and you must update online versions as soon as possible.