The ICO exists to empower you through information.

In brief…

You can only process traffic data (eg information about the routing, duration or timing of a message) for limited purposes with the authority of the network or service provider.

You must tell customers if you keep their traffic data, and get their consent before using it for marketing or value-added services. You must erase or anonymise it as soon as you have finished with it (unless another law requires you to keep it).

In more detail…

What is traffic data?

Traffic data is defined as:

“any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication”.

This includes information about the routing or timing of any phone call, text or email, whether it relates to an individual or a company.

The focus here is on data collected and processed by a public communications provider. It is not likely to include data collected by another party via another route (eg data collected directly from nearby mobile devices by an organisation’s wi-fi equipment).

What are the rules on traffic data?

The rules on traffic data are in regulations 7 and 8. Only public communications providers, or those acting under their authority, can process traffic data. In summary, if you are processing traffic data, you must:

  • only use it for permitted purposes;
  • give your customers information about the processing;
  • get their consent for certain uses of the data; and
  • erase or anonymise it as soon as you have finished with it (unless another law requires you to keep it).

There is an exemption for emergency alerts where a relevant public authority needs to warn, advise or inform users or subscribers of an emergency in their location (regulation 16A).

Who needs to comply?

The relevant public communications provider has ultimate responsibility for complying with these rules. If you are a network or service provider and are using a third-party data processor to process traffic data on your behalf, you need to take steps to ensure they comply with PECR. In particular, you should have a written contract setting out what the data processor is allowed to do.

This is similar to UK GDPR contract obligations – but remember that to comply with PECR the contract needs to cover the traffic data of corporate subscribers as well as the personal data of individuals. See our separate Guide to UK GDPR for more information on general contract obligations.

However, anyone else processing traffic data without proper authority would also be in breach of PECR.

What can we use traffic data for?

Network providers can only process traffic data:

  • to manage billing or traffic;
  • to handle customer enquiries;
  • to prevent or detect fraud.

Service providers can also process traffic data:

  • to market electronic communication services (with consent);
  • to provide a ‘value-added service’ (with consent).

The processing must be restricted to what is necessary for these activities. However, PECR do not prevent you providing traffic data to Ofcom or any other authority that has statutory authority to resolve disputes.

What information must we give customers?

You must give the relevant subscriber or user information about the type of traffic data you will be processing for billing, marketing or value-added services, and how long you will keep it.

PECR do not specify how to provide this information. However, the information should be clear and easily available – and remember that if you need to get consent for your processing, the consent won’t be valid if the information is buried in a privacy policy. (See below for more on what counts as consent.)

This ties in with the transparency requirements of the UK GDPR. Although the UK GDPR won’t apply to traffic data where the PECR rules apply, following the approach in our UK GDPR guidance on transparency can also help you comply with the PECR transparency requirements.

When do we need consent?

You need consent if you want to use or store someone’s traffic data for marketing purposes, or to provide any value-added service.

‘Marketing’ in this context is not limited to direct marketing by phone, text or email. For example, it may also include using traffic data to analyse a customer’s usage patterns to offer alternative tariffs.

A ‘value-added service’ is defined as:

“any service which requires the processing of traffic data or location data beyond that which is necessary for the transmission of a communication or the billing in respect of that communication”.

This may, for example, include an email content-filtering service offered by an internet service provider, which monitors traffic data to scan incoming emails. It may also include a mobile network operator using their customers’ traffic data to target advertising.

What counts as consent?

To be valid, consent must be freely given, specific and informed. It must involve some form of clear positive action – for example, ticking a box, clicking a link, sending an email, or subscribing to a service – and the person must fully understand that they are giving you consent to use traffic data. You cannot show consent if you only provide information about the use of traffic data as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

You will not be able to rely on a blanket ‘catch-all’ statement on a bill or website, and should get separate consent for marketing and for each value-added service requested. The clearest way to obtain consent is to use specific opt-in boxes.

PECR also specify that you must get consent from the person who the data is actually about – who might be a subscriber or a user. For this reason it may not always be enough to rely on consent given by the subscriber in advance when they signed up to a contract, if someone else will actually be using the connection.

In the case of companies and other corporate subscribers (limited liability partnerships, Scottish partnerships and government bodies), you can accept assurances from a representative giving consent on behalf of the organisation, unless you have reasonable grounds to question their authority.

PECR specify that consent must be given to the provider. If the relevant value-added service is offered by a third party (with your authority), you should make it very clear that the traffic data will be passed to that third party. If the customer gives consent to a provider for a particular service, they should not then be surprised when they are contacted by a third party about that service.

Remember that the customer is entitled to withdraw their consent at any time, in which case you should immediately stop using the traffic data for marketing or value-added services. You should make it easy to withdraw consent, and tell people how.

How long can we keep traffic data?

The general rule is that you must erase or anonymise the data when it is no longer needed to transmit a communication – in other words, as soon as the message has been sent or the phone call has ended.

Of course, if the traffic data is still required for billing purposes, you will need to keep it longer in order to calculate charges. PECR say you can keep this billing data until the end of the period in which proceedings can be brought to challenge the bill or chase payment (including the period for appealing any decisions). In terms of contract law, this would usually mean a limitation period of six years (plus appeals time). However, in our view it will not usually be necessary to keep the data for this long. You should only keep it when the circumstances require this – for example, if the bill remains unpaid or has been challenged before being paid. You also need to have told the customer how long you plan to keep this data.

If you have consent to keep the traffic data for marketing or value-added services, you can only keep it for as long as is necessary for those purposes. Again, you also need to have told the customer how long you plan to keep it.

There is an exemption if another law requires you to keep the data for longer than this – for example, for national security or crime prevention reasons. You need to set up procedures for allowing access to the data in such cases. See the exemptions section of this guide for more information.