In brief…
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations, starting with those that generate the most complaints.
In more detail…
- The basics
- What kind of areas do PECR cover?
- Do PECR apply to me?
- How does this fit with the UK GDPR?
- Are there any exemptions?
- How can the ICO help us comply?
- What action can the ICO take to enforce PECR?
The basics
PECR are the Privacy and Electronic Communications Regulations. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003.
They are derived from European law. PECR implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.
The e-privacy Directive complements the general data protection regime and sets out more specific privacy rights on electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.
PECR have been amended a number of times. The more recent changes were made in 2018, to ban cold-calling of claims management services and to introduce director liability for serious breaches of the marketing rules; and in 2019 to ban cold-calling of pensions schemes in certain circumstances and to incorporate the UK GDPR definition of consent.
This guide covers the latest version of PECR, which came into effect on 29 March 2019.
The EU is in the process of replacing the current e-privacy law with a new e-privacy Regulation (ePR), to sit alongside the EU version of the GDPR. However, the ePR will not automatically form part of UK law - or sit alongside the UK GDPR - as the UK has left the EU.
PECR continues to apply alongside the UK GDPR but we will continue to keep our guidance under review and update it where necessary
What kind of areas do PECR cover?
PECR cover several areas:
- Marketing by electronic means, including marketing calls, texts, emails and faxes. See the Electronic and telephone marketing section of this guide for more information.
- The use of cookies or similar technologies that track information about people accessing a website or other electronic service. See the Cookies and similar technologies section of this guide for more information.
- Security of public electronic communications services. See the Security of services and Security breaches sections of this guide for more information.
- Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg caller ID and call return), and directory listings. See the Communications networks and services section of this guide for more information.
Do PECR apply to me?
Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:
- market by phone, email, text or fax;
- use cookies or a similar technology on your website; or
- compile a telephone directory (or a similar public directory)
How does this fit with the UK GDPR?
The UK GDPR sits alongside PECR. PECR rules apply and use the UK GDPR standard of consent.
This means that if you send electronic marketing or use cookies or similar technologies you must comply with both PECR and the UK GDPR.
Naturally, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the UK GDPR, and vice versa – but there are some differences and you must make sure you comply with both.
In particular, it’s important to realise that PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.
For more information on your other data protection obligations, see our separate Guide to the UK GDPR.
If you are a network or service provider, Article 95 of the UK GDPR says the UK GDPR does not apply where there are already specific PECR rules. This is to avoid duplication, and means that if you are a network or service provider, you only need to comply with PECR rules (and not the UK GDPR) on:
- security and security breaches;
- traffic data;
- location data;
- itemised billing; and
- line identification services.
Are there any exemptions?
Yes. Some of the rules have built-in exemptions. These specific exemptions are explained in the relevant section of this guide.
There are also a few more-general exemptions that can apply to any of the rules – in brief, exemptions for national security, law enforcement, or compliance with other laws (see the Exemptions section of this guide).
How can the ICO help us comply?
If you are a service provider (eg a telecoms provider or an internet service provider), we can also conduct an audit of your security measures. The audit will look at whether you have effective policies and procedures in place, and whether you are following them. It includes our recommendations on how you could improve. We believe that audits play a key role in helping organisations understand and meet their obligations.
We select service providers for audit based on the level of risk. If we select you for audit, we will write a letter of invitation, asking you to participate voluntarily. If you decide not to respond, then we have the power to undertake a compulsory audit. We agree a scope of work with you, and set this out in a letter of engagement. We will then carry out both an off-site check of your security policies and procedures, and an on-site review of your procedures in practice.
After completing the audit, we provide a comprehensive report and an executive summary. The report allows you to respond to our audit team’s observations and recommendations. We publish the outcomes of PECR audits on our website.
What action can the ICO take to enforce PECR?
ICO has several ways of taking action to change the behaviour of anyone who breaches PECR. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner can also serve a monetary penalty notice imposing a fine of up to £500,000 which can be issued against the organisation or its directors.
These powers are not mutually exclusive. We will use them in combination where justified by the circumstances.
We also publish a quarterly update on action we have taken to enforce PECR.