In brief…

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.

There are specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations, starting with those that generate the most complaints.

In more detail…

The basics

PECR are the Privacy and Electronic Communications Regulations. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003.

They are derived from European law. They implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.

The e-privacy Directive complements the existing data protection regime and sets out more-specific privacy rights on electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.

PECR have been amended four times. The more recent changes were made in 2015, to allow emergency text alerts and to make it easier to take action for breaches of the marketing rules; and in 2016, to require anyone making a marketing call to display their number. This guide covers the latest version of PECR, which came into effect on 16 May 2016.

You can find a link to the full text of the original PECR - and to the exact changes made in the 2004, 2011, 2015 and 2016 amendment regulations - on the ‘what we do’ section of our website.

What kind of areas do PECR cover?

PECR cover several areas:

  • Marketing by electronic means, including marketing calls, texts, emails and faxes. See the Electronic and telephone marketing section of this guide for more information.
  • The use of cookies or similar technologies that track information about people accessing a website or other electronic service. See the Cookies and similar technologies section of this guide for more information.
  • Security of public electronic communications services. See the Security of services and Security breaches sections of this guide for more information.
  • Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg caller ID and call return), and directory listings. See the Communications networks and services section of this guide for more information.

Do PECR apply to me?

Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website; or
  • compile a telephone directory (or a similar public directory).

How does this fit with the Data Protection Act?

The Data Protection Act still applies if you are processing personal data. PECR just set out some extra rules for electronic communications. You must still comply with the Data Protection Act as well. In fact, regulation 4 explicitly says:

“Nothing in these Regulations shall relieve a person of his obligations under the Data Protection Act in relation to the processing of personal data.”

Naturally, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the Data Protection Act, and vice versa – but there are some differences and you must make sure you comply with both.

In particular, it’s important to realise that PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.

For more information on your other obligations under the Data Protection Act, see our separate Guide to data protection.

Are there any exemptions?

Yes. Some of the rules have built-in exemptions. These specific exemptions are explained in the relevant section of this guide.

There are also a few more-general exemptions that can apply to any of the rules – in brief, exemptions for national security, law enforcement, or compliance with other laws (see the Exemptions section of this guide).

How can the ICO help us comply?

If you are a service provider (eg a telecoms provider or an internet service provider), we can also conduct an audit of your security measures. The audit will look at whether you have effective policies and procedures in place, and whether you are following them. It includes our recommendations on how you could improve. We believe that audits play a key role in helping organisations understand and meet their obligations.

We select service providers for audit based on the level of risk. If we select you for audit, we will write a letter of invitation, asking you to participate voluntarily. If you decide not to respond, then we have the power to undertake a compulsory audit. We agree a scope of work with you, and set this out in a letter of engagement. We will then carry out both an off-site check of your security policies and procedures, and an on-site review of your procedures in practice.

After completing the audit, we provide a comprehensive report and an executive summary. The report allows you to respond to our audit team’s observations and recommendations. We publish the outcomes of PECR audits on our website.

What action can the ICO take to enforce PECR?

The ICO has several ways of taking action to change the behaviour of anyone who breaches PECR. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner can also serve a monetary penalty notice imposing a fine of up to £500,000.

These powers are not mutually exclusive. We will use them in combination where justified by the circumstances.

We also publish a quarterly update on action we have taken to enforce PECR.