PECR stands for Privacy and Electronic Communications Regulations. Its complete title is “The Privacy and Electronic Communications (EC Directive) Regulations 2003. It was promulgated by the UK Parliament; they implement European Directive 2002/58/EC, which is also known as “the e-privacy Directive”. More-specific privacy rights on electronic communications are settled by e-privacy Directive. It also complements the General Data Protection Regulation.
It has been observed that broad access to digital mobile networks and the internet have brought umpteen possibilities and opportunities for business and users. On the same time, it has also enlarged the privacy risk and cybercrimes.
PECR has altered been many times in the previous years. In 2018, it changed to ban cold-calling of claims management services and to halt the violation of marketing rules. In 2019, the sole purpose of alteration in e-Privacy was to ban cold-calling of pension schemes in certain circumstances. The latest version of PECR launched on 9 January 2019, to cover up the flaws made by GDPR on 25 May 2018. The current status of PECR is, EU is endeavouring to generate a new-e-privacy regulation to replace the old one to sit alongside the GDPR. But the new Regulation is not yet agreed. Please find the link to overlook the amendments took place in 2004, 2011, 2015, 2016, 2019 and 2019 on the ‘what we do’ section of our website.
There are certain rules of PECR which are applied to specific organisations, especially to those who provide electronic communications network or service. But the terms and conditions get changed if you are not a network.
They both work for the same means, which is to protect the privacy of a person. If your standards are meeting with GDPR then they must meet standards of PECR. Nevertheless, there are specific differences which need to be followed with both of them. No matter you are processing your data, PECR will still apply to this. For example, companies get protected by multiple rules so as individuals. Whereas, marketing rules apply no matter you identify the person (you are in contact) with or not. Being a service or a network provider, you should know the rules and regulations associated with GDPR and PECR. Article 95 of the GDPR expounds, that GDPR does not apply where the PECR regime already exists. It is to shun duplication/replication, and further indicates that being a service or network provider you have to adhere with PECR rules. These rules will apply on, Security and security breaches, traffic data, location data, itemised billing and line identification services.
The question that arises here is, are there any exemptions exist? Some of the rules have built-in exemptions, so yes. Moreover, some other general exemptions can be applied to national security, law enforcement or compliance with other law.
Does compliance audit help?
If you are facilitating your customers with a service whether it is telecom or internet, conduct an inspection of your current security measures. This conduction of audit will remove doubts within you and your security policies by examining your effective policies and procedures and to what extent you are pursuing them. The audit refers to a general view, plays a vital role for many organisations and lastly enhances their understanding and meets their obligations. Inspections are needed when the level of risk increases. As a service provider, if a company selects you and sends you an invitation for audit. Your immediate response will create a good impression. But if you will not retort or any tardiness will encourage them to have an enforced mandatory examination. And then they will have an off-site inspection of your security procedures, policies and practices. Later on, you will be given a comprehensive report and executive summary. You will be allowed to ask any question regarding the audit. If in case you find any incomprehensible action of the team or their recommendation.
When anyone tries to breach PECR, ICO immediately takes effect and rescues PECR from an unauthorised person. Those actions include criminal prosecution, non-criminal enforcement and audit. For example, anybody gets caught, in that case, the Information Commissioner will issue a monetary penalty notice. It means enforcing a fine of £500,000, which can be issued against an organisation or its directors.
PECR does not define “electronic communications”; however, by the help of specific concepts and definitions rules are being applied in different ways. There are rules for everyone and everything, whether it is marketing messages, service providers and at last, communication providers. Every law on each aspect is applied and hence working accordingly. Although, the single concept of electronic communications strengthen the regulation. In other words, it can be said that the sharing of information between particular parties by using a phone line or internet connection, including phone calls, faxes, text messages, video messages, emails and internet messaging. The general information like the content of web pages or broadcast programming are excluded from this.
The idea of Public electronic communications network first discussed in the section of 151 of communication Act 2003. It was defined as “an electronic communications network provided wholly or mainly to make electronic communications services available to members of the public”. Whereas, in section 32, it was referred in several points,
In section 122(5) of the Data Protection Act 2018, Direct Marketing refers to, “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. Direct marketing deals with all the aspects of marketing or promotional material, plus it also promotes the aims of non-profit organisations, such as supporting or funding a political party campaigning or charities. Genuine Marketing research cannot be regarded as direct marketing. But here is a condition, if the survey accumulates the details for future marketing campaigns or any promotional material, then this will be called direct marketing with all rules applied.
Phone, fax, email, or electronic mail of any kind, comes under the category of PECR marketing. On the contrary, there are different rules of live calls, automated calls, faxes and electronic mail. PECR marketing provisions are not applied to other sorts of marketing, named as mailshots or online advertising. It is crucial for you to meet your standards with the Data Protection Act and GDPR. For instance, you are using cookies or other technologies relevant to that, for advertisement, cookies’ provisions can apply.
Several rules of PECR are only exercised with unsolicited marketing messages; however, solicited marketing is not restricted. Solicited messages are highly requested; if a person requires some information, you can pass that information to that individual without fretting about PECR. But you have to inquire that individual, by asking for his identity, contact number or contact address. Unlike solicited messages, unsolicited messages are those who are not requested. Conditionally, if a customer yearns to receive marketing from you, it will be regarded as unsolicited marketing. If a Customer chooses “opt-in”, that reflects he is agreed to the future messages not as he is asking for a piece of information. As long as PECR is being complied, unsolicited messages can be sent, that is not unlawful.
Staying alert and responsible is imperative, so no matter someone sends information on your behalf, you both are responsible for complying with PECR. You are accountable in this act because those calls or messages are instigating by you. In case of any adversity, you will be taken into enforcement action, along with a specialist subcontractor for deliberately ignoring the rules. Consequently, there should be a written contract representing your contractor’s responsibilities, which you can exhibit in time of need. And your contractor will reimburse you for your lose in PECR breaches. Breaching of PECR means a great deal, for instance, despite being innocent your contractor puts you in enforcement action, through this contract you will be able to seek legal advice regarding such an unethical act. Repayment will not help because this will put your name in danger. Having a written contract with your contractor ties in with your contractual obligations under the GDPR.
Business-to-business marketing contains different rules. Individual marketing including sole traders and partnerships and company marketing encompasses different rules and regulations. However, marketing with companies is not that strict. For international marketing campaigns, you should know that many European countries’ laws are mostly like ours, based on PECR directives.
On the other hand, if you are messaging countries located outskirts of the UK, then you must adhere to their laws. Some companies have robust regulations in terms of marketing. For further guidance, you have to look forward to some legal advice if you desire to expand marketing campaign globally.
You must avoid making unsolicited calls, regulations of 21; 21A and 21B have all the stipulations of live marketing calls. Do not call to less interested customers, or who is reluctant to attend your requests. Don’t go for any registered number with TPS or CTPS, until and unless an individual has sanctioned to your calls specifically. TPS (Telephone Preference Service) carries those named individuals who are willing to receive live marketing calls. Similarly, CTPS is corporate TPS, which works for companies and other corporate bodies.
When it comes to pension schemes, the condition demands you to be a trustee, manager of a pension scheme or a firm authorised by the financial conduct authority. And the person should be agreed with your call. The regulation number 19 says all about rules on automated calls. It forbids automated marketing calls, mainly created by automated dialling system having a recorded message in it. Consented General marketing must cover automated calls.
Regulation 20 states everything about Fax Marketing; according to it, one must not send faxes to individuals, sole traders and some partnerships without their permission. Faxes should not be sent to even a company, a corporate body and a number registered with the FPS if they sound reluctant. Make sure your name, complete contact address and number are mentioned in the faxes. FPS refers to Fax Preference Service, provided only too keen customers. Faxes should just be sent to those who manifest some interest. In spite of the fact, you are permitted to send a fax to corporate bodies, but here, the condition demands that particular corporate body’s number should not be registered on the FPS or your faxes haven’t been objected by them in the past. Display B2B fax lists against the FPS. And do not forget, you have your list of “do not fax” of any businesses, especially those who are not agreed or opt-out and also to screen it against FPS.
Electronic mail marketing regime applies when messaging directly via social media for marketing purpose. PECR sets no separate rules for display or banner ads marketing. On the contrary, Cookies have some specific rules, implemented to profile users and target behavioural advertising. You need to comply with the Data Protection Act and the GDPR if using your data. Moreover, PECR does not promote marketing by post, but in case you are targeting individuals, the Data Protection Act and GDPR should comply.
Other than marketing with electronic means, PECR contains the privacy of communications networks’ or services customers but also the provisions related to the security of public electronic communications services. A few rules are applied to service providers. However, others involve more widely. Such as, the directories provision implement only those organisations that desire to compile a telephone, fax or an email directory.
Getting hacked is a nightmare. This essential guide teaches you