PECR stands for Privacy and Electronic Communications Regulations. Its complete title is the “Privacy and Electronic Communications (EC Directive) Regulations 2003.
It was promulgated by the UK Parliament; they implemented European Directive 2002/58/EC, which is also known as the “ePrivacy Directive”.
More-specifically privacy rights for electronic communications are settled by the ePrivacy Directive. It also complements the General Data Protection Regulation (GDPR).
Opportunities for businesses and users are great. But, at the same time, it has also increased privacy risk and cybercrime.
Alterations and clarifications
PECR has been altered many times in previous years. In 2018, it changed to ban cold calling of claims management services and to halt the violation of marketing rules.
In 2019, the sole purpose of alteration in ePrivacy was to ban cold-calling of pension schemes in certain circumstances. The latest version of PECR was launched on 9th January 2019, to cover up the flaws within the GDPR that were enforced on 25th May 2018.The current status of PECR: EU is endeavoring to generate a new ePrivacy Regulation. This is to replace the old one to sit alongside the GDPR.
Areas which PECR covers
These technologies track information. Public electronic communications services’ security also comes under the PECR.
“Customers’ privacy by using communication networks or services known as traffic and location data, itemised billing, line identification services, and directory listings also falls under the PECR.”
There are certain rules of PECR which apply to specific organizations. They apply especially to those who provide electronic communications networks or services. But the terms and conditions vary if you are not on a network.
How PECR fits with the GDPR
They both perform their functions; however, there is no way PECR has been replaced by GDPR, but it changes the underlying definition of consent. The rules within PECR are applied after the GDPR’s standard approval.
They both work for the same means, which is to protect the privacy of a person. If your standards comply with GDPR then they must also comply with the PECR. Nevertheless, there are specific differences that need to be adhered to under both these regulations.
“No matter how you are processing your data, PECR will still apply to this processing. For example, companies are protected under multiple rules so are individuals. Whereas, marketing rules apply whether you can identify the person (you are in contact with) or not.”
GDPR and PECR for service providers
Being a service or a network provider, you should know the rules and regulations associated with the GDPR and the PECR. Article 95 of the GDPR stipulates that GDPR does not apply where the PECR regime already exists.
It is to shun duplication/replication, and further indicates that being a service or network provider you have to adhere to PECR rules. These rules will apply to security and security breaches, traffic data, location data, itemised billing, and line identification services.
The question that arises here is, are there any exemptions that exist? Some of the rules have built-in exceptions, so yes.
Moreover, some other general exemptions can be applied to national security, law enforcement or compliance with other laws.
PECR “privacy” refers to the privacy laws and regulations under the PECR.
Whereby, the PECR itself stands for the “Privacy and Electronic Communications Regulations”. The Privacy and Electronic Communications Regulations are the short forms to the Privacy and Electronic Communications (EC Directive) Regulations 2003.
European law derived these. ‘ePrivacy Directive’ is implemented.
The PECR “privacy” entails privacy provisions for data subjects and the organisations collecting data to enhance the privacy of individuals online through the use of better cookie policies, web banners and more. Privacy and Electronic Communications Regulations include:
- PECR policies regarding marketing communication,
- Some PECR regulations on the use of information for market research,
- PECR guidelines for the providers of electronic communication services,
- Ensuring customer privacy online wherever possible.
The table below provides some key advantages & disadvantages of the PECR regulation:
|Allows a better assurance of the privacy of individuals.||Does not apply to individuals outside of the EU’s jurisdiction|
|Helps in the provision of a basic guideline to marketers and businesses on what can and cannot be done under the law||Needs understanding and policy enforcement in each organisation|
|Limits the scope of unwanted communication|
|Allows restriction of communication that an individual chooses not to adhere to|
Does a PECR compliance audit help?
If you are facilitating your customers with a service whether it is telecom or internet, then you must conduct an inspection of your current security measures.
This PECR audit will identify any gaps within your organization in terms of your security policies by examining your effective policies and procedures and to what extent you are pursuing them.
The audit refers to a general view, plays a vital role for many organizations and lastly enhances their understanding and meets their obligations. As a service provider, you give an immediate response.
Your immediate response will create a good impression. But if you will not respond or delay your response then this tardiness will encourage them to have an enforced mandatory examination. And then they will have an off-site inspection of your security procedures, policies, and practices.
Later on, a comprehensive report and executive summary is given. If in case, you find any incomprehensible action of the team or their recommendation.
When anyone tries to breach PECR, the ICO immediately takes action. These actions include criminal prosecution, non-criminal enforcement, and audit.
PECR and Information Commissioner’s Office (ICO)’s action of enforcement
For example ICO will issue a monetary penalty notice. Organizations will face penalties and financial legalities.
PECR does not define “electronic communications”; however, with the help of specific concepts and definitions, specific rules are being applied in different ways.
There are rules for everyone and everything, whether it is marketing messages, service providers and at last, communication providers. Every law has different application and work accordingly.
Although, the single concept of electronic communications strengthens the regulation.
In other words, it includes the sharing of information between particular parties by using a phone line or internet connection, including phone calls, faxes, text messages, video messages, emails, and internet messaging.
The public electronic communications network
The idea of a public electronic communications network was first discussed in section 151 of the Communication Act 2003.
It was defined as “an electronic communications network provided wholly or mainly to make electronic communications services available to members of the public”.
Section 32 states several points
- “a transmission system for the conveyance, by the use of electrical, magnetic or electromagnetic energy, of signals of any description; and”
- Apparatus comprised in the system;
- Apparatus used for the switching or routing of the signals;
- Software and stored data; and
- (Except for sections 125 to 127) other resources, including network elements which are not active.”
In section 122(5) of the Data Protection Act 2018, Direct Marketing refers to, “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.
Direct marketing deals with all the aspects of marketing or promotional material. It is noteworthy that it also promotes the aims of non-profit organizations, such as supporting or funding a political party campaign or charities.
Genuine marketing research is not direct marketing. But here is a condition, if the survey accumulates the details for future marketing campaigns then it comes under direct marketing.
Types of electronic marketing
Phone, fax, email, or electronic mail of any kind comes under the category of PECR marketing. On the contrary, there are different rules of live calls, automated calls, faxes, and electronic mail.
PECR marketing provisions are not applied to mailshots.
It is crucial for you to meet your standards with the Data Protection Act 2018 and GDPR. For instance, if you are using cookies or other technologies relevant to that, for advertisement, cookies’ provisions can still apply.
Solicited and unsolicited marketing
Solicited messages are highly requested; if a person requires some information, you can pass that information to that individual without fretting about PECR.
You must inquire about the identity of that individual, by asking for his name, contact number or contact address.
Unsolicited messages are not requested ones. If a customer yearns to receive messages, then it’s a different scenario!
If a customer chooses to “opt-in”, it reflects that he has agreed to receive future messages.
Paying someone else to do our marketing
Staying alert and responsible is imperative, so no matter if someone else sends information on your behalf, then you are both responsible for complying with PECR.
Consequently, there should be a written contract representing your contractor’s responsibilities, which you can exhibit in times of need. Your contractor will reimburse you for your loss in PECR breaches.
Breach of PECR means a great deal, for instance, despite being innocent your contractor puts you in enforcement action, through this contract you will be able to seek legal advice regarding such an unethical act. Repayment will not help because this will put your name in danger.
Having a written contract with your contractor ties in with your contractual obligations under the GDPR.
Rules for business to business (B2B) marketing
Business-to-business marketing contains different rules. Individual marketing including sole traders and partnerships and company marketing encompasses different rules and regulations.
However, marketing with companies is not that strict. For international marketing campaigns, you should be aware that the regulatory regime across the EU is similar to the UK, based on PECR directives.
On the other hand, if you are messaging countries located outside of the UK or EU, then you must adhere to their laws.
Some companies have robust regulations in terms of marketing. For further guidance, you have to obtain some legal advice if you desire to expand the marketing campaign globally.
You must avoid making unsolicited calls, regulations 21; 21A and 21B cover the stipulations of live marketing calls. Do not call less interested customers.
You should not choose any registered number with TPS or CTPS, until and unless an individual has sanctioned your calls specifically.
TPS (Telephone Preference Service) carries those named individuals who are willing to receive live marketing calls. Similarly, CTPS is corporate TPS, which works for companies and other corporate bodies.
When it comes to pension schemes, the condition demands you to be a trustee, manager of a pension scheme or a firm authorised by the financial conduct authority. And the person should have agreed to your call.
The regulation number 19 relates to rules on automated calls. It forbids automated marketing calls, mainly created by an automated calling system having a recorded message on it.
Consented general marketing also covers automated calls.
Regulation 20 states everything about fax marketing; according to it, one must not send faxes to individuals, sole traders and some partnerships without their permission.
If it is reluctant or not suitable, it is better to avoid faxes.
Your name, complete contact address, and number is mentioned in the faxes. FPS refers to Fax Preference Service, provided only to keen customers.
Display B2B fax lists against the FPS. And do not forget, you have your list of “do not fax” of any businesses. Especially those who have not agreed or have “opted-out” and also to screen it against FPS.
Online marketing and behavioral advertising
Electronic mail marketing regime applies when messaging directly via social media for marketing purposes. PECR sets no separate rules for display or banner ads marketing. On the contrary, cookies have some specific rules, implemented to profile users and target behavioral advertising. You need to comply with the Data Protection Act 2018 and the GDPR if using your personal data.
Other than marketing with electronic means, PECR contains the privacy of communications networks’ or services customers but also the provisions related to the security of public electronic communications services.
Service providers follow few rules. However, others apply to wider industry sectors. Such as, the directories provision impact only those organizations that desire to compile a telephone, fax or an email directory.
FAQs (Privacy and Electronic Communications Regulations)
What does PECR stand for?
The simple answer to this is that the PECR stands for the Privacy and Electronic Communications (EC Directive) Regulations 2003. This is a part of the law under the UK legislation. UK Parliament proposed it. European Directive 2002/58/EC, also known as the “ePrivacy Directive” implemented it. Seers offers AI-based PECR and GDPR audit tools to help companies become compliant with these regulations.
Who does Privacy and Electronic Communications Regulations apply to?
If you are a member of any EU country or operating in the UK, then the PECR law applies to you. If your visitors or the data subjects that you collect data on are from the UK or Europe, then the PECR law will apply to you.
Does PECR apply to B2B businesses?
Under the PECR law, the regulations apply to all business to business or B2B operations, as well as all B2C operations. More importantly, PECR applies to all marketing communication and activity.
Although businesses may show legitimate interest as their legal basis for electronic marketing. This is done where b2b is concerned. In this case, the law is flexible but not completely banished.
Are work emails personal data?
Work emails are not personal data. However, every employee is subject to their own privacy. This is in terms of their personal life, contact information, work history and performance.
What is not personal data?
The data which doesn’t contain personal details is not personal data. Things which aren’t relevant to person’s identity isn’t personal data. Thus, anonymous data is not personal.
What data is PII?
Under the GDPR, personally identifiable information, or PII, is the kind of data that could be helpful in any way to identify a particular person. This means that this data is unique and not true for everyone.
Your personal contact details, body measurements, blood group, bank details etc will not be the same as your brother and so on. The perfect and concise examples of a PII is a full name. It also includes options like someone’s social security number, driver’s license number, bank account number, passport number and email address.
What are three examples of personal information?
The personal information or data may be in a written form, visual form or a video form. For example, a person’s name, address, bank details, phone number or email address are all personal information.
Similarly, the photograph of a person is also personal information. The video recording of the person is also personal. Even when it is from a CCTV or phone or any recording of events in a public area are all their personal data.