What is the PECR? And why you should be informed about it?

PECR stands for Privacy and Electronic Communications Regulations. Its complete title is the “Privacy and Electronic Communications (EC Directive) Regulations 2003.

It was promulgated by the UK Parliament; they implemented European Directive 2002/58/EC, which is also known as the “ePrivacy Directive”.

More-specifically privacy rights for electronic communications are settled by the ePrivacy Directive. It also complements the General Data Protection Regulation (GDPR).

It has been observed that broad access to digital mobile networks and the internet have brought about a myriad of possibilities. These opportunities for businesses and users are great. But, at the same time, it has also increased privacy risk and cybercrime.

Alterations and clarifications

PECR has been altered many times in previous years. In 2018, it changed to ban cold calling of claims management services and to halt the violation of marketing rules.

PECR infographic

In 2019, the sole purpose of alteration in ePrivacy was to ban cold-calling of pension schemes in certain circumstances. The latest version of PECR was launched on 9th January 2019, to cover up the flaws within the GDPR that were enforced on 25th May 2018.The current status of PECR: EU is endeavouring to generate a new ePrivacy Regulation. This is to replace the old one to sit alongside the GDPR. But the new regulation is not yet agreed.

Areas which PECR covers

PECR encourages marketing through an electronic mechanism such as calls, texts, emails, and faxes. EPrivacy also sheaths technologies like cookies and the use of cookies.

These technologies track information that has been accessed on an electronic service or a website. Public electronic communications services’ security also comes under the PECR.

“Customers’ privacy by using communication networks or services known as traffic and location data, itemised billing, line identification services, and directory listings also falls under the PECR.”

There are certain rules of PECR which apply to specific organisations. They apply especially to those who provide electronic communications networks or services. But the terms and conditions vary if you are not on a network.

PECR

How PECR fits with the GDPR

They both perform their functions; however, there is no way PECR has been replaced by GDPR, but it changes the underlying definition of consent. The rules which exist within PECR are being applied but by the GDPR’s standard of approval.

It indicates that if you are involved in any use of cookies, electronic marketing or similar technologies from 25 May 2018 onwards, you must comply with both the PECR and the GDPR.

They both work for the same means, which is to protect the privacy of a person. If your standards comply with GDPR then they must also comply with the PECR. Nevertheless, there are specific differences that need to be adhered to under both these regulations.

“No matter how you are processing your data, PECR will still apply to this processing. For example, companies are protected under multiple rules so are individuals. Whereas, marketing rules apply whether you can identify the person (you are in contact with) or not.”

GDPR and PECR for service providers

Being a service or a network provider, you should know the rules and regulations associated with the GDPR and the PECR. Article 95 of the GDPR stipulates that GDPR does not apply where the PECR regime already exists.

It is to shun duplication/replication, and further indicates that being a service or network provider you have to adhere to PECR rules. These rules will apply to security and security breaches, traffic data, location data, itemised billing, and line identification services.

The question that arises here is, are there any exemptions that exist? Some of the rules have built-in exceptions, so yes.

Moreover, some other general exemptions can be applied to national security, law enforcement or compliance with other laws.

PECR “privacy” refers to the privacy laws and regulations under the PECR. 

Whereby, the PECR itself stands for the “Privacy and Electronic Communications Regulations”. The Privacy and Electronic Communications Regulations are the short forms to the Privacy and Electronic Communications (EC Directive) Regulations 2003.

They are derived from European law. They implement European Directive 2002/58/EC, which is also known as the ‘ePrivacy Directive’.

The PECR “privacy” entails privacy provisions for data subjects and the organisations collecting data to enhance the privacy of individuals online through the use of better cookie policies, web banners and more. Privacy and Electronic Communications Regulations include:

  • PECR policies regarding marketing communication,
  • Some PECR regulations on the use of information for market research,
  • PECR guidelines for the providers of electronic communication services,
  • Ensuring customer privacy online wherever possible.

The table below provides some key advantages & disadvantages of the PECR regulation:

ProsCons
Allows a better assurance of the privacy of individuals.Does not apply to individuals outside of the EU’s jurisdiction
Helps in the provision of a basic guideline to marketers and businesses on what can and cannot be done under the lawNeeds understanding and policy enforcement in each organisation
Limits the scope of unwanted communication
Allows restriction of communication that an individual chooses not to adhere to

Does a PECR compliance audit help?

If you are facilitating your customers with a service whether it is telecom or internet, then you must conduct an inspection of your current security measures.

This PECR audit will identify any gaps within your organisation in terms of your security policies by examining your effective policies and procedures and to what extent you are pursuing them.

The audit refers to a general view, plays a vital role for many organisations and lastly enhances their understanding and meets their obligations. Inspections are needed when the level of risk increases. As a service provider, if a company selects you and sends you an invitation for audit.

Your immediate response will create a good impression. But if you will not respond or delay your response then this tardiness will encourage them to have an enforced mandatory examination. And then they will have an off-site inspection of your security procedures, policies, and practices.

Later on, you will be given a comprehensive report and executive summary. You will be allowed to ask any questions regarding the audit. If in case, you find any incomprehensible action of the team or their recommendation.

PECR and Information Commissioner’s Office (ICO)’s action of enforcement

When anyone tries to breach PECR, the ICO immediately takes action. These actions include criminal prosecution, non-criminal enforcement, and audit.

For example, if anybody gets caught, in that case, the ICO will issue a monetary penalty notice. It means enforcing a fine of up to £500,000, which can be issued against an organisation or its directors.

Electronic communications

PECR does not define “electronic communications”; however, with the help of specific concepts and definitions, specific rules are being applied in different ways.

There are rules for everyone and everything, whether it is marketing messages, service providers and at last, communication providers. Every law on each aspect is applied and hence working accordingly.

Although, the single concept of electronic communications strengthens the regulation.

In other words, it includes the sharing of information between particular parties by using a phone line or internet connection, including phone calls, faxes, text messages, video messages, emails, and internet messaging.

The general information such as the content of web pages or broadcast programming is excluded from this.

The public electronic communications network

The idea of a public electronic communications network was first discussed in section 151 of the Communication Act 2003.

It was defined as “an electronic communications network provided wholly or mainly to make electronic communications services available to members of the public”.

Whereas, in section 32, it was referred in several points,

  • “a transmission system for the conveyance, by the use of electrical, magnetic or electromagnetic energy, of signals of any description; and”
  • Much of the following as are used, by the person providing the system and in association with it, for the conveyance of the signals;
  • Apparatus comprised in the system;
  • Apparatus used for the switching or routing of the signals;
  • Software and stored data; and
  • (Except for sections 125 to 127) other resources, including network elements which are not active.”

Direct marketing

In section 122(5) of the Data Protection Act 2018, Direct Marketing refers to, “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.

Direct marketing deals with all the aspects of marketing or promotional material. It is noteworthy that it also promotes the aims of non-profit organisations, such as supporting or funding a political party campaign or charities.

Genuine marketing research cannot be regarded as direct marketing. But here is a condition, if the survey accumulates the details for future marketing campaigns then it comes under direct marketing. Basically, if it includes any promotional material, then this will be called direct marketing with all rules applied.

Types of electronic marketing

Phone, fax, email, or electronic mail of any kind comes under the category of PECR marketing. On the contrary, there are different rules of live calls, automated calls, faxes, and electronic mail.

PECR marketing provisions are not applied to other sorts of marketing, named as mailshots or online advertising.

It is crucial for you to meet your standards with the Data Protection Act 2018 and GDPR. For instance, if you are using cookies or other technologies relevant to that, for advertisement, cookies’ provisions can still apply.

Solicited and unsolicited marketing

Several rules of PECR are only exercised with unsolicited marketing messages; however, solicited marketing is not restricted.

Solicited messages are highly requested; if a person requires some information, you can pass that information to that individual without fretting about PECR.

You must inquire about the identity of that individual, by asking for his name, contact number or contact address.

Unlike solicited messages, unsolicited messages are those that are not requested. Conditionally, if a customer yearns to receive marketing from you, it will be regarded as unsolicited marketing.

If a customer chooses to “opt-in”, it reflects that he has agreed to receive future messages. As long as PECR is being complied with, unsolicited messages can be sent, which is not unlawful.

Paying someone else to do our marketing

Staying alert and responsible is imperative, so no matter if someone else sends information on your behalf, then you are both responsible for complying with PECR.

You are accountable in this act because those calls or messages have been instigated by you. In case of any adversity, you will be taken into enforcement action, along with a specialist subcontractor for deliberately ignoring the rules.

Consequently, there should be a written contract representing your contractor’s responsibilities, which you can exhibit in times of need. Your contractor will reimburse you for your loss in PECR breaches.

Breach of PECR means a great deal, for instance, despite being innocent your contractor puts you in enforcement action, through this contract you will be able to seek legal advice regarding such an unethical act. Repayment will not help because this will put your name in danger.

Having a written contract with your contractor ties in with your contractual obligations under the GDPR.

Rules for business to business (B2B) marketing

Business-to-business marketing contains different rules. Individual marketing including sole traders and partnerships and company marketing encompasses different rules and regulations.

However, marketing with companies is not that strict. For international marketing campaigns, you should be aware that the regulatory regime across the EU is similar to the UK, based on PECR directives.

On the other hand, if you are messaging countries located outside of the UK or EU, then you must adhere to their laws.

Some companies have robust regulations in terms of marketing. For further guidance, you have to obtain some legal advice if you desire to expand the marketing campaign globally.

PECR

Live calls

You must avoid making unsolicited calls, regulations 21; 21A and 21B cover the stipulations of live marketing calls. Do not call less interested customers. Any customer who seems reluctant to attend your requests should not be called.

You should not choose any registered number with TPS or CTPS, until and unless an individual has sanctioned your calls specifically.

TPS (Telephone Preference Service) carries those named individuals who are willing to receive live marketing calls. Similarly, CTPS is corporate TPS, which works for companies and other corporate bodies.

When it comes to pension schemes, the condition demands you to be a trustee, manager of a pension scheme or a firm authorised by the financial conduct authority. And the person should have agreed to your call.

The regulation number 19 relates to rules on automated calls. It forbids automated marketing calls, mainly created by an automated calling system having a recorded message on it.

Consented general marketing also covers automated calls.

Fax rules

Regulation 20 states everything about fax marketing; according to it, one must not send faxes to individuals, sole traders and some partnerships without their permission.

Faxes should not be sent to even a company, a corporate body and a number registered with the FPS if they sound reluctant.

Make sure your name, complete contact address, and number are mentioned in the faxes. FPS refers to Fax Preference Service, provided only to keen customers.

Faxes should just be sent to those who manifest some interest. In spite of the fact, you are permitted to send a fax to corporate bodies. However, the condition demands that a particular corporate body’s number should not be registered on the FPS. This or your faxes haven’t been objected to or rejected by them in the past.

Display B2B fax lists against the FPS. And do not forget, you have your list of “do not fax” of any businesses. Especially those who have not agreed or have “opted-out” and also to screen it against FPS.

Online marketing and behavioural advertising

Electronic mail marketing regime applies when messaging directly via social media for marketing purposes. PECR sets no separate rules for display or banner ads marketing. On the contrary, cookies have some specific rules, implemented to profile users and target behavioural advertising. You need to comply with the Data Protection Act 2018 and the GDPR if using your personal data.

Moreover, PECR does not promote marketing by post, but in case you are targeting individuals, the Data Protection Act 2018 and GDPR should be complied with.

Other than marketing with electronic means, PECR contains the privacy of communications networks’ or services customers but also the provisions related to the security of public electronic communications services.

A few rules are applied to service providers. However, others apply to wider industry sectors. Such as, the directories provision impact only those organisations that desire to compile a telephone, fax or an email directory.

FAQs

What does PECR stand for?

The simple answer to this is that the PECR stands for the Privacy and Electronic Communications (EC Directive) Regulations 2003. This is a part of the law under the UK legislation. It was proposed by the UK Parliament and then implemented as the European Directive 2002/58/EC, which is also known as the “ePrivacy Directive”. Seers offers AI-based PECR and GDPR audit tools to help companies become compliant with these regulations.

Who does PECR apply to?

If you are a member of any EU country or operating in the UK, then the PECR law applies to you. If your visitors or the data subjects that you collect data on are from the UK or Europe, then the PECR law will apply to you.

Does PECR apply to B2B businesses?

Under the PECR law, the regulations apply to all business to business or B2B operations, as well as all B2C operations. More importantly, it can be assumed that the PECR applies to all marketing communication and activity.

This covers all that is undertaken with a sole trader, partnerships, unincorporated trusts, partnerships and foundations and their staff members.

Although businesses may show legitimate interest as their legal basis for electronic marketing. This can be done where b2b is concerned. In this case, the law is flexible but not completely banished.

Are work emails personal data?

Any work emails are not considered as personal information and neither are, they supposed to be treated as confidential. However, every employee is subject to their own privacy. This is in terms of their personal life, contact information, work history and performance.

The work correspondence, however, can be reviewed, tested and shared in a court of law and is thus not personal.

What is not personal data?

The data that cannot be used to distinguish the exact person or identify a person is not personal information. Anything that is not connected with the identity of a person will not be considered as personal data. Thus, anonymous data is not personal.

What data is PII?

Under the GDPR, personally identifiable information, or PII, is the kind of data that could be helpful in any way to identify a particular person. This means that this data is unique and not true for everyone.

Your personal contact details, body measurements, blood group, bank details etc will not be the same as your brother and so on. The perfect and concise examples of a PII is a full name. It also includes options like someone’s social security number, driver’s license number, bank account number, passport number and email address.

What are three examples of personal information?

The personal information or data may be in a written form, visual form or a video form. For example, a person’s name, address, bank details, phone number or email address are all personal information.

Similarly, the photograph of a person is also personal information. The video recording of the person is also personal. Even when it is from a CCTV or phone or any recording of events in a public area are all their personal data.