The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations, starting with those that generate the most complaints.
In more detail…
- The basics
- What kind of areas do PECR cover?
- Do PECR apply to me?
- How does this fit with the Data Protection Act?
- How does this fit with the GDPR?
- Are there any exemptions?
- How can the ICO help us comply?
- What action can the ICO take to enforce PECR?
PECR are the Privacy and Electronic Communications Regulations. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003.
They are derived from European law. They implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.
The e-privacy Directive complements the general data protection regime and sets out more-specific privacy rights on electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.
PECR have been amended four times. The more recent changes were made in 2015, to allow emergency text alerts and to make it easier to take action for breaches of the marketing rules; and in 2016, to require anyone making a marketing call to display their number. This guide covers the latest version of PECR, which came into effect on 16 May 2016, with some updates to cover changes made by the GDPR from 25 May 2018.
The EU is in the process of replacing the e-privacy Directive with a new e-privacy Regulation to sit alongside the GDPR. However, the new Regulation is not yet agreed. For now, PECR continue to apply alongside the GDPR.
You can find a link to the full text of the original PECR - and to the exact changes made in the 2004, 2011, 2015 and 2016 amendment regulations - on the ‘what we do’ section of our website.
PECR cover several areas:
- Marketing by electronic means, including marketing calls, texts, emails and faxes. See the Electronic and telephone marketing section of this guide for more information.
- Security of public electronic communications services. See the Security of services and Security breaches sections of this guide for more information.
- Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg caller ID and call return), and directory listings. See the Communications networks and services section of this guide for more information.
Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:
- market by phone, email, text or fax; or
- compile a telephone directory (or a similar public directory).
The Data Protection Act still applies if you are processing personal data. PECR just set out some extra rules for electronic communications. You must still comply with the Data Protection Act as well. In fact, regulation 4 explicitly says:
“Nothing in these Regulations shall relieve a person of his obligations under the Data Protection Act in relation to the processing of personal data.”
Naturally, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the Data Protection Act, and vice versa – but there are some differences and you must make sure you comply with both.
In particular, it’s important to realise that PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.
For more information on your other obligations under the Data Protection Act, see our separate Guide to data protection.
The GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but using the new GDPR standard of consent.
If you are a network or service provider, Article 95 of the GDPR says the GDPR does not apply where there are already specific PECR rules. This is to avoid duplication, and means that if you are a network or service provider, you only need to comply with PECR rules (and not the GDPR) on:
- security and security breaches;
- traffic data;
- location data;
- itemised billing; and
- line identification services.
Yes. Some of the rules have built-in exemptions. These specific exemptions are explained in the relevant section of this guide.
There are also a few more-general exemptions that can apply to any of the rules – in brief, exemptions for national security, law enforcement, or compliance with other laws (see the Exemptions section of this guide).
If you are a service provider (eg a telecoms provider or an internet service provider), we can also conduct an audit of your security measures. The audit will look at whether you have effective policies and procedures in place, and whether you are following them. It includes our recommendations on how you could improve. We believe that audits play a key role in helping organisations understand and meet their obligations.
We select service providers for audit based on the level of risk. If we select you for audit, we will write a letter of invitation, asking you to participate voluntarily. If you decide not to respond, then we have the power to undertake a compulsory audit. We agree a scope of work with you, and set this out in a letter of engagement. We will then carry out both an off-site check of your security policies and procedures, and an on-site review of your procedures in practice.
After completing the audit, we provide a comprehensive report and an executive summary. The report allows you to respond to our audit team’s observations and recommendations. We publish the outcomes of PECR audits on our website.