
ePrivacy: Directories of Subscribers

Directories of Subscribers [Art 12]

Rule: Subscribers must give informed consent before their personal data is included in public directories, and they must be able to verify, correct, or withdraw their data.

Core Requirements

| Requirement | Details | Citation |
|---|---|---|
| Informed consent | Subscribers informed of directory purposes before inclusion | Art 12(1) |
| Opt-in control | Subscribers determine whether data is included | Art 12(1) |
| Category control | Subscribers can choose which categories of data to include | Art 12(2) |
| Verification rights | Check, correct, or delete directory entries | Art 12(2) |
| Non-discrimination | Charges not dependent on directory listing status | Art 12(3) |

Article 12(1): Informed Consent for Inclusion

Member States shall ensure that subscribers are informed, free of charge and before they are included in the directory, about the purposes of the directory… and of any further usage possibilities.

Before inclusion, subscribers must be told:

  • What the directory is for (e.g., “public phone book”)
  • Who will have access (e.g., “available to general public online”)
  • How data may be used (e.g., “for direct marketing”, “for research”)
  • Whether sold or licensed to third parties

Consent requirements:

  • Must be freely given
  • Must be specific (know what you’re agreeing to)
  • Must be informed (understand the purposes)
  • Must be given before inclusion

Article 12(2): Control Over Personal Data

Subscribers must be able to determine:

What data to include:

  • Full name vs initials
  • Full address vs partial address
  • Whether to include additional contact details
  • Whether to mark as “unlisted” (directory assistance only) vs “ex-directory” (no listing at all)

Verification and correction rights:

  • Check what data is listed
  • Correct inaccuracies
  • Update changed information
  • Remove their entry entirely

Free of charge:

Subscribers shall be given the right to verify, correct or withdraw such data

Categories of Personal Data

Typical directory information:

  • Name (surname, forename, initials)
  • Address (full or partial)
  • Telephone number
  • Email address (in electronic directories)
  • Business name and category
  • Professional qualifications

Control per category:

  • Subscriber can choose to include name but not address
  • Can list number but mark “no direct marketing”
  • Can include business details but not personal residence

Article 12(3): Non-Discrimination

Member States shall take the necessary measures to ensure that subscribers who have chosen not to have their personal data included in the directory are not subject to any discrimination in relation to the terms and conditions of the subscriber relationship.

What this means:

  • Cannot charge extra for being unlisted
  • Cannot reduce service quality for unlisted subscribers
  • Cannot make directory listing mandatory for service
  • Pricing must be independent of directory status

Exceptions:

  • May charge for special directory services (e.g., premium listing, bold print) - these are optional extras

Types of Directories Covered

Printed directories:

  • Traditional phone books
  • Yellow Pages (business directories)
  • Specialized professional directories

Electronic directories:

  • Online phone directories
  • Directory assistance (411, 118, etc.)
  • Reverse lookup services
  • Mobile app directories

Quasi-directories:

  • Search engine indexing of phone numbers
  • Social media contact discovery
  • Business review sites with contact info

Purposes of Directories

Must be disclosed to subscribers:

Common purposes:

  • Enable people to find and contact you
  • Directory assistance services
  • Reverse lookup (find name from number)
  • Direct marketing
  • Market research
  • Sale or licensing to third parties

“Further Usage Possibilities”

Article 12(1) requires informing subscribers of any further usage.

Examples:

  • Directory data sold to marketing companies
  • Used for market research or profiling
  • Included in aggregated datasets
  • Made available through APIs
  • Scraped by search engines

If the directory operator learns of new uses later:

  • Must inform subscribers
  • Must obtain consent for new uses
  • Cannot rely on original consent

Subscribers can withdraw at any time:

  • Contact directory operator
  • Must be free of charge
  • Must be a simple process
  • Entry removed within reasonable time

After withdrawal:

  • Data removed from next directory edition
  • Removed from electronic directories promptly
  • No longer available for directory assistance
  • Third parties notified if data was shared

Relationship with GDPR

Article 12 predates GDPR but works alongside it:

GDPR applies:

  • Article 6 (lawful basis - consent)
  • Article 7 (conditions for consent)
  • Article 13/14 (information requirements)
  • Article 15-22 (data subject rights)

ePrivacy Article 12 is more specific:

  • Sector-specific rules for directories
  • Additional requirements beyond GDPR
  • Both must be complied with

Practical Compliance

For directory operators:

  1. Obtain informed consent before inclusion
  2. Explain all purposes and uses clearly
  3. Provide granular choices (per category of data)
  4. Offer free verification and correction
  5. Remove entries on request
  6. Don’t discriminate against unlisted subscribers
  7. Track consent and withdrawal requests

For subscribers:

  • Right to know what’s listed about you
  • Right to control what’s included
  • Right to be unlisted entirely
  • Right to correct errors
  • No penalty for being unlisted

Examples

Scenario 1: New phone subscriber

  • Signs up for landline service
  • Operator asks: “Include in phone directory?”
  • Requirement: Must explain directory is public, may be used for marketing, sold to third parties
  • Subscriber chooses: Name and number yes, address no

Scenario 2: Business listing

  • Business wants premium directory listing
  • Allowed: Can charge for enhanced visibility
  • Not allowed: Cannot charge extra just for basic listing vs being unlisted

Scenario 3: Directory assistance update

  • Directory used to be print-only
  • Now launching reverse-lookup service
  • Requirement: Must inform existing listed subscribers of new use, get consent

Scenario 4: Subscriber wants removal

  • Previously listed subscriber requests removal
  • Requirement: Free of charge, remove from next edition
  • Cannot penalize subscriber for request

Member State Implementation

National laws typically specify:

  • Consent mechanisms (opt-in vs opt-out)
  • Default settings (unlisted by default in some states)
  • Timeframes for removal
  • Penalties for non-compliance

Penalties

Non-compliance by directory operators:

  • Including subscribers without consent
  • Not informing of purposes
  • Discriminating against unlisted subscribers
  • Refusing to remove entries
  • Result: GDPR fines, national penalties, regulatory action

Citation

Article 12, ePrivacy Directive

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.
