Guide to the Privacy and Electronic Communications Regulations
The PECR, or Privacy and Electronic Communications (EC Directive) Regulations 2003, exist to protect the data privacy rights of individuals and businesses online, in response to the growth of online business and marketing activity.
Alongside the General Data Protection Regulation (GDPR), the PECR ensure organisations use data responsibly by requiring any organisation that uses electronic communications for marketing purposes to follow certain rules on how and when it can contact individuals or businesses.
The Privacy and Electronic Communications Regulations are complex, and it can be difficult to understand your particular obligations in order to be compliant. The PECR are read in conjunction with the GDPR and the penalties for non-compliance can be severe.
Who does PECR apply to?
PECR apply to all organisations within the European Union that use electronic communications such as email, calls and social media for marketing purposes. This includes such use by charities and political parties.
In the UK, the Data Protection Act 2018 defines marketing to include all of an organisation’s advertising and marketing materials. Contacting your existing client base for routine customer service messages or market research will not trigger PECR unless any of those messages also contain marketing content.
The regulations protect both individuals and businesses within the EU, although the rules that concern contacting businesses using electronic communications are less strict than those that concern individuals.
You cannot contract out of your obligations under PECR.
What activities are covered by PECR?
PECR restrict unsolicited electronic marketing by calls, texts, emails and faxes, and the use of cookies, unless the requirements of PECR are first met. The requirements differ depending on whether you are marketing business to business or business to individual.
The following will generally apply:
- You must obtain specific consent from an individual before contacting them.
- You may not need consent to contact companies except where they are sole traders, have specifically opted out or are listed on a preference list.
Types of marketing communications
- Electronic Mail Marketing
Regulation 22 of PECR prohibits you from contacting an individual via electronic messages without specific consent, except in relation to certain existing customers, for whom you can rely on a ‘soft opt-in’.
A ‘soft opt-in’ refers to a situation in which an existing customer has previously bought, or contracted to purchase, similar goods, gave you their details and did not opt out of marketing. It can therefore be presumed that they would be happy to receive similar messages even though they have not specifically consented to them. However, you must provide a clear way to opt out each time you contact them.
These rules relate to all forms of electronic messaging including email, text, direct social media messages and picture and video messaging. You must ensure your identity is clear and provide a valid opt-out address so that recipients can unsubscribe.
While you do not need explicit consent to contact businesses, you should exercise caution regarding sole traders and partnerships, as they may be treated as individuals in this context. Also be aware that emailing a business at a named individual’s email address will additionally require you to comply with GDPR principles.
- Telephone Calls
The general principle is that you cannot make unsolicited telephone calls to anyone except in specific circumstances.
You cannot contact any individual listed on the Telephone Preference Service (TPS), or any business listed on the Corporate Telephone Preference Service (CTPS) unless they have specifically consented.
Regulation 21 says you can only make a live call to individuals or businesses where:
- they have consented to you calling; or
- without consent, they are not listed on the TPS (or CTPS for businesses) and have not previously objected to you calling.
PECR have even stricter guidelines for automated calls. Regulation 19 requires that you obtain specific consent for automated calls, over and above any existing consent for live calls.
Therefore, if anyone you wish to contact has previously consented to live calls, this is not sufficient to authorise you to contact them via an automated call, and you will have to obtain specific consent.
These rules apply to existing customers as well, and in all cases you must also:
- make sure you state who is calling;
- ensure your telephone number is visible; and
- give a contact address or Freephone number if asked to.
- Marketing Lists
Any individual on a marketing list must have specifically consented to be listed. Using explicit opt-ins such as tick boxes will help you to demonstrate what was permitted in the event of a complaint.
If you have bought in a marketing list, you must be careful to ensure that the details listed were obtained in accordance with the Privacy and Electronic Communications Regulations, and that you are clear on how you can use the information. It is your responsibility to verify the origin and accuracy of bought-in lists, and that adequate consent was obtained from those listed for your specific marketing purposes. Therefore, if you wish to use recorded marketing calls, for example, you must ensure you have specific consent for that.
Your use of the marketing list is also restricted, and you must ensure you obtain specific consent from those listed for each purpose including:
- Selling the list
- Sharing within your group of companies
- Using the list to market a business with multiple trade names
- Cookies
According to Regulation 6, before placing a cookie on a user’s computer, smartphone or other device, you must:
- Tell them that you use them
- Explain what you use them for and why
- Get the user’s consent to use it on their device
Ensure that your explanations are clear enough that the user will understand what consenting to them will mean, in compliance with the transparency requirements of the GDPR.
- Faxes
The guidelines for faxing under Regulation 20 are similar to those for calling. In particular, you must ensure that individuals have not registered on the Fax Preference Service (FPS).
You can contact businesses without consent as long as they are not listed on the FPS and have not previously told you that they do not want to receive marketing faxes from you.
You must also include your name and a contact address or Freephone number in all marketing faxes.
What is Consent?
The GDPR has changed the requirements for consent, and businesses are now expected to ensure that consent is freely given, specific and informed, and in all cases (except soft opt-ins) involves a positive, unambiguous action such as ticking a box. The individual must also fully understand what they are consenting to.
Exemptions to PECR
Alongside the specific exemptions already discussed, there are two general exemptions to the regulations.
- National Security
As per Regulation 28, communications providers are exempt from the rules where the exemption is necessary for national security.
- Law and law enforcement
Regulation 29 exempts providers where complying with the rule in question would:
- breach another provision or court order;
- be likely to prejudice the prevention or detection of crime; or
- prejudice the apprehension or prosecution of offenders.
You may also be permitted to breach your obligation for or in connection with legal proceedings, to get legal advice or to establish, defend or exercise legal rights.
These exemptions are applied only on a case-by-case basis, and only to the specific conflicting provisions. Take legal advice if you are concerned about the application of PECR exemptions, to ensure you remain compliant.
Breaching the Regulations
Enforcement of PECR is controlled by the UK Information Commissioner’s Office (ICO), which can investigate any complaint and order you to remedy any failure so that you comply.
If you discover a breach within your organisation, you must take immediate steps to remedy this to ensure you comply with the regulations. You must also comply with your obligations under GDPR as they relate to breaches of personal data.
If there is a complaint against your organisation, the ICO may investigate and, if your organisation is found to be non-compliant with the regulations, will order you to take steps to comply. The ICO also has further enforcement powers, including criminal and civil enforcement and audits, and can issue a penalty notice of up to £500,000.
Regulation 30 also allows those who have been damaged by your breach to claim compensation through the courts independently of the ICO.
How Can Legal Advice Help?
Seeking the advice of a qualified solicitor can not only help in the event of a breach but can also prevent one occurring, by ensuring you have the correct systems in place to meet your duties under the regulations. These can include a do-not-contact list, checks against the appropriate preference service lists, and submitting a log to the ICO every month.