Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

The position of the Communications (Personal Data and Privacy) Regulations 2006 on unsolicited electronic marketing is clear, as a party may not transmit such marketing material unless the individual receiving it has previously notified the sender that he or she consents to receiving it (for the time being). This is known as the ‘opt-in’ regime.

The regulations provide for a limited number of circumstances in which a service provider can send unsolicited electronic marketing communications to an individual where there has been deemed to be a kind of implied consent, also referred to as a ‘soft’ opt-in:

  • The direct marketer has obtained the contact details of the individual in the course of the negotiations or sale of good or services;
  • The direct marketing relates to similar goods or services to those purchased by the individual; or
  • The direct marketer gives an individual a simple means at the time the data is collected, free of charge, to opt-out of the use of his or her data for direct marketing purposes.

Whether the opt-in has been explicit or soft, in each subsequent direct marketing email to an individual, the service provider must provide an option to opt out of future marketing emails (eg, an unsubscribe link).


Are there rules governing the use of cookies?

Regulation 5 of the Communications (Personal Data and Privacy) Regulations 2006 was initially the law which specifically governed the use of cookies by Gibraltar-based service providers. It obliged service providers to tell individuals:

  • how they used cookies to collect and store information; and
  • how the individual could opt out if he or she did not wish the information to be collected and stored in this way.

The current rules in force in Gibraltar are now essentially that cookies can only be placed on computer equipment where the individual has given consent. Before giving consent, the individual must be provided with clear and comprehensive information about the purposes of the storage of, or access to, that information.

In addition to the Communications (Personal Data and Privacy) Regulations, service providers must comply with the requirements in the Data Protection Act 2004, paying particular attention to the third data protection principle that data controllers must not process personal data in such a way so as to be excessive.

Click here to view the full article.