Jun 2025

Note: This article is one of three included in the OneTrust DataGuidance: Bermuda – Direct Marketing Guidance Notes series.

1. Governing Texts

1.1. Legislation

The Personal Information Protection Act 2016 (as amended) (PIPA)

The Electronic Transactions Act 1999 (as amended) (ETA)

The Standard for Electronic Transactions (the ETA Standard)

The Electronic Communications Act 2011 (ECA)

Other relevant Bermuda legislation

Cross-border marketing of products or services by an overseas company (a body corporate incorporated outside of Bermuda) to customers in Bermuda could be construed as carrying on business in Bermuda and, if so, would be prohibited unless the overseas company holds the requisite permit issued under the Companies Act 1981. Whether such marketing activity would be deemed to constitute carrying on any trade or business in or from within Bermuda on a continuing basis will depend on the specific facts and circumstances of the case, including, but not limited to, the nature and frequency of the activity. In general, provided that an overseas company does not establish a presence or occupy premises in Bermuda, marketing communications (including telephone, SMS, email, and other electronic communications) or providing products or services will not breach this prohibition where conducted from outside of Bermuda to Bermuda persons and instigated by a Bermuda person (i.e., on a reverse inquiry basis).

The Investment Business Act 2003 includes a specific restriction on entering into an investment agreement in the course of or as a result of an unsolicited call.

1.2. Regulatory authority guidance

Guidance issued by the Office of the Privacy Commissioner for Bermuda (PrivCom) and the ETA Standard apply to emarketing activities.

The ECA allows the Regulatory Authority of Bermuda to make general determinations to establish requirements and procedures to govern the activities of certain licensed communications operators and providers when engaged in unsolicited direct marketing by means of electronic communications networks in order to minimize intrusion, annoyance, inconvenience, or anxiety to consumers. Activities include marketing by means of automated calling and communications systems or machines that do not involve human interaction; facsimile machines; and electronic mail.

2. Definitions

Email: Not legislatively defined, but the ETA broadly defines ‘electronic record’ as a record created, stored, generated, received, or communicated by electronic means.

Email marketing: Not legislatively defined.

Consent: Not defined in the ETA. Consent is a specified condition for the use of personal information under PIPA. In order for an organization to rely on consent as a condition for use, it must provide clear, prominent, easily understandable, and accessible mechanisms for an individual to give their consent in relation to the use of their personal information. Except in relation to sensitive personal information, organizations are not obliged to provide such mechanisms where it can be reasonably implied from the conduct of an individual that they consent to the use of their personal information for all intended purposes that have been notified to them. Where an individual consents to the disclosure of their personal information by an intermediary for a specified purpose, that individual will be deemed to have consented to the use of that personal information by the receiving organization for the specified purpose. PrivCom guidance on conditions under which organizations in Bermuda use personal information provides that consent should be clear and concise and means offering individuals real choice and control.

Spam: Not legislatively defined.

E-commerce service provider: The ETA defines an e-commerce service provider as a person who uses electronic means to provide goods, services, or information.

Intermediary: The ETA defines an intermediary with respect to an electronic record as a person who, on behalf of another person, sends, receives, or stores that electronic record or provides other services in respect of that electronic record.

3. Consent Requirements

3.1. B2C

PIPA applies to any organization that uses personal information in Bermuda for business-to-consumer (B2C) transactions.

PIPA provides individuals with a right to submit a written request to an organization to cease, or not begin, using their personal information:

  • for the purposes of advertising, marketing, or public relations; or
  • where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to the individual or another individual.

An organization on receiving a request shall either cease or not begin using the personal information that the individual has identified in their request or provide the individual with written reasons why such use is justified.

The ETA Standard, which entered into effect on 3 July 2000, applies to and must be complied with by intermediaries and e-commerce service providers who carry on a trade or business (carried out electronically) or conduct commercial transactions or services in or from within Bermuda.

Section 4(A) of the ETA Standard sets out the minimum standards for intermediaries and e-commerce service providers, including Section 4(A)(v), which provides that such service providers must ‘avoid abusive usage, and accordingly do not send bulk unsolicited emails, seek unauthorized access to other peoples’ systems or seek to interrupt other people’s use of electronic communications, or enable others to do so.’

Section 7 of the ETA Standard sets out certain ‘safe harbor guidelines.’ Where an intermediary or e-commerce service provider’s procedures and practices are substantially in accordance with these guidelines, and in the absence of special circumstances, such entity will be deemed compliant with the ETA Standard. Section 7(D) of the ETA Standard, on establishing systems to protect privacy (which does not apply to the extent inconsistent with any more onerous obligations of confidentiality of personal data or business records as required by any other law or equity), proposes a broad range of personal data principles, including limited collection, consent, purpose limitation, security safeguards, and transparency. If an intermediary or e-commerce service provider does not intend to observe these principles, they must notify the persons from whom they collect personal data or business records. These principles include that intermediaries and e-commerce service providers should use the personal data and business records of customers only for internal marketing, billing, or other purposes necessary for the provision of services; purposes made known to the customer prior to the time the personal data or business records are collected; or other purposes with the prior consent of the customer.

Further, intermediaries and e-commerce service providers may not sell or transfer personal data or business records of customers to another person for the purpose of sending bulk, unsolicited electronic records.

Section 7(E) of the ETA Standard – ‘Establish Practices to Avoid Abusive Usage’ – provides that intermediaries and e-commerce service providers should refrain from sending bulk, unsolicited electronic records to persons with whom they do not have a relationship (either contractual or personal) or to persons who have not otherwise consented to receive such records. Intermediaries should establish reasonable practices to prevent their services from being used for the sending of such bulk, unsolicited electronic records and should endeavor to cease providing services to persons who engage in such conduct.

Double Opt-In

Not applicable.

3.2. B2B

The restrictions under PIPA and the ETA Standard outlined in the section on B2C above also apply in business-to-business (B2B) relationships.

Double Opt-In

Not applicable.

3.3. Social media marketing

The restrictions under PIPA and the ETA Standard outlined in the section on B2C above also apply to social media marketing.

3.4. Viral marketing

The restrictions under PIPA and the ETA Standard outlined in the section on B2C above also apply to viral marketing.

3.5. Exceptions

Not applicable.

3.6. Additional requirements

Not applicable.

4. Marketing Lists

Any marketing list would be subject to the PIPA and ETA Standard restrictions.

5. National Opt-Out List

Not applicable.

6. Penalties

An intermediary or e-commerce service provider who fails to comply with the ETA Standard shall first be given a written warning by the Minister which may direct that person to cease and desist or otherwise correct their practices. If such a person fails to do so within the period specified in the direction, that person shall be guilty of an offense and liable on summary conviction to a fine of $5,000 for each day the contravention continues.

Where a person has committed an offense under PIPA, an individual may be liable on summary conviction to a fine of up to $25,000, up to two years’ imprisonment, or both, and an entity may be liable on conviction on indictment to a fine not exceeding $250,000. Further, an individual who suffers financial loss or emotional distress due to an organization’s failure to comply with any of the requirements of PIPA may be entitled to compensation from the organization.

1 This chapter was originally published by OneTrust DataGuidance in its Bermuda – Direct Marketing series.