How do the PECR rules relate to the UK GDPR?
At a glance
- Where you are using storage and access technologies, you must consider PECR compliance before you look to the UK GDPR.
- If you have to obtain consent for your use of storage and access technologies, and the information is personal data, then you should use consent as your lawful basis under the UK GDPR for subsequent processing.
- If your use of the storage and access technologies does meet an exemption and the information is personal data, any of the lawful bases in the UK GDPR may apply — depending on your specific circumstances.
- You must not retrospectively use the legitimate interests lawful basis to justify processing in cases where you encounter problems with the validity of consent.
In detail
- What is the relationship between PECR and the UK GDPR?
- What does the UK GDPR say about storage and access technologies?
- How does PECR consent fit with the lawful basis requirements of the UK GDPR?
- What does PECR say about subsequent processing?
What is the relationship between PECR and the UK GDPR?
PECR sits alongside the Data Protection Act 2018 (DPA) and the UK GDPR, and provides specific rules about privacy and electronic communications. Where these rules apply, they take precedence over the DPA and the UK GDPR. This means that where you are using storage and access technologies, you must consider PECR compliance before you look to the UK GDPR.
Additionally, PECR depends on data protection law for some of its definitions. For example, PECR takes the UK GDPR’s standard of consent.
If you operate an online service, then the easiest way to look at the two laws is:
- if you store information, or access information stored, on user devices then you must comply with PECR first; and
- the UK GDPR applies to any processing of personal data outside this storage or access.
Regulation 4 of PECR is also clear about the relationship with data protection law. It says:
‘Nothing in these Regulations shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data.’
Although PECR does not just apply where personal data is being processed, activities involving the processing of personal data generally have greater privacy and security implications.
Where the use of storage and access technologies does involve the processing of personal data, you must ensure you comply with the additional requirements of the UK GDPR.
What does the UK GDPR say about storage and access technologies?
It is important to note that Regulation 6 of PECR is about ‘information’, not ‘personal data’. This means the rules apply whether or not your use of storage and access technologies involves processing personal data.
The UK GDPR doesn’t specifically refer to storage and access technologies in the way that PECR does. This is because PECR contains specific rules on their use. However, it:
- includes ‘online identifiers’ in the definition of personal data; and
- refers to cookies and IP addresses as types of these identifiers.
This means that where information like an online identifier relates to a person, it is personal data. For example, a user authentication cookie is a type of online identifier that involves processing of personal data, as it is used to enable someone to log in to their account with an online service provider.
Alongside cookies and IP addresses, online identifiers can include (but are not limited to):
- MAC addresses;
- advertising IDs;
- pixel tags;
- account handles; and
- device fingerprints.
The use of these may leave traces which, when combined with unique identifiers and other information, may be used to create profiles of people and identify them.
When you assess if a person is identifiable, you must consider whether online identifiers can be used to distinguish one user from another, whether on their own or in combination with other information that may be available to those processing the data.
For example, this is likely to be the case where identifiers are used or combined to create profiles of people. This may be either as a named person or simply as a unique user of electronic communications and other internet services who may be distinguished from other users.
While a single information element may not be personal data on its own, the combination of multiple elements makes it more likely that the information will constitute personal data. This is particularly the case when the information enables you to single out and take specific actions in relation to users (such as identifying them over time or across multiple devices and websites, even if you don't know the name of those users). Where this is the case, your processing must comply with the UK GDPR.
If you collect information that either:
- builds up a picture about a person, allowing them to be identified; or
- may be combined with other data to identify a person at a later date;
you must inform people about what information is being collected, as well as how and for what purpose.
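The point above, that traits which are not unique on their own can still single a user out once combined, can be checked mechanically before you decide whether data is personal data. The Python below is an added example and is not part of the ICO guidance. It runs a uniqueness check (a k-anonymity count) over a constructed set of six device records that carry no name or account handle, only a time zone, language, screen size and browser string; all values are made up for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: six records of the kind a site might read from device
# storage and request headers. None carries a name or account handle; the
# values are invented for this example.
FIELDS = ("tz", "lang", "screen", "ua")
RECORDS = [
    {"tz": "Europe/London", "lang": "en-GB", "screen": "1920x1080", "ua": "Firefox/128"},
    {"tz": "Europe/London", "lang": "en-GB", "screen": "1920x1080", "ua": "Chrome/126"},
    {"tz": "Europe/London", "lang": "en-GB", "screen": "1366x768",  "ua": "Firefox/128"},
    {"tz": "Europe/London", "lang": "fr-FR", "screen": "1920x1080", "ua": "Firefox/128"},
    {"tz": "Europe/Paris",  "lang": "fr-FR", "screen": "1920x1080", "ua": "Firefox/128"},
    {"tz": "Europe/Paris",  "lang": "en-GB", "screen": "1366x768",  "ua": "Chrome/126"},
]


def _group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest number of records sharing one value-combination of `fields`.

    A result of 1 means at least one user can be singled out by these fields.
    """
    sizes = _group_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def singled_out(records, fields):
    """Number of records whose value-combination for `fields` is unique."""
    sizes = _group_sizes(records, fields)
    return sum(1 for r in records if sizes[tuple(r[f] for f in fields)] == 1)


def smallest_identifying_combination(records, fields):
    """Return the fewest fields (in the order given) whose combination singles
    out every record, or None if no combination does."""
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            if singled_out(records, combo) == len(records):
                return combo
    return None


def uniqueness_report(records, fields):
    """Map every field combination to the number of users it singles out."""
    report = {}
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            report[combo] = singled_out(records, combo)
    return report


if __name__ == "__main__":
    for combo, n in uniqueness_report(RECORDS, FIELDS).items():
        print(f"{'+'.join(combo):24s} singles out {n} of {len(RECORDS)}")
    print("all records singled out by:", smallest_identifying_combination(RECORDS, FIELDS))
```

In this constructed set no single field singles anyone out, a pair such as time zone plus language already singles out three of the six, and all four together distinguish every record. That is the situation the guidance describes: you can act on a specific user over time without knowing their name, so the data should be treated as personal data and the UK GDPR applied.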
How does PECR consent fit with the lawful basis requirements of the UK GDPR?
The UK GDPR has six lawful bases for processing personal data. One of these is consent. No lawful basis is more important than any other. The most appropriate one depends on the specifics of your processing activities.
However, Regulation 6 of PECR prohibits the storage and access of information on a device unless an exemption applies or you obtain consent.
This means if Regulation 6 applies, the full range of lawful bases under the UK GDPR will not always be available to you.
If your use of the storage and access technologies does meet an exemption and the information is personal data, any of the lawful bases in the UK GDPR may apply — depending on your specific circumstances.
You can use this flowchart to understand where the consent requirements apply for storage and access technologies.
What does PECR say about subsequent processing?
Regulation 6 is specifically about the processing involved in storing information, or accessing information stored, in user devices. It does not apply to, or contain any specific rule about, subsequent processing operations involving this information.
However, if you have to obtain consent for your use of storage and access technologies, and the information is personal data, then you should use consent as your lawful basis under the UK GDPR for subsequent processing. You can rely on this consent for the subsequent processing provided the consent sought under PECR was appropriate for the subsequent processing purpose(s).
Trying to apply another lawful basis such as legitimate interests is entirely unnecessary. It may also render your original consent request invalid. This is because it is likely the original consent will not have been freely given, informed, specific and unambiguous.
There may also be an element of unfairness. For example, where people understand that their personal data is processed on the basis of consent, yet once they withdraw consent you continue to process it under legitimate interests.
Also, seeking to rely on legitimate interests creates more work for you. Legitimate interests means that you take on extra responsibility for ensuring that people’s interests, rights and freedoms are fully considered and protected.
You must not retrospectively use the legitimate interests lawful basis to justify processing in cases where you encounter problems with the validity of consent. This is because the use of storage and access technologies for non-essential purposes requires consent in order to be lawful.