Did you know that in addition to having to comply with the GDPR, businesses may also need to comply with the ‘PECR’ (the Privacy and Electronic Communications Regulations)? A lot of businesses miss this and open themselves up to risk.
The PECR implemented the European ‘ePrivacy Directive’ in the UK and sets out privacy rules around using electronic communications, which sit alongside the GDPR rules.
The PECR is extremely important, as it sets out several mandatory rules to comply with – for example, around marketing, calls, emails, texts, cookies, the use of web traffic and location data, and ensuring communications services are secure.
In this article, we’ll explain the key issues around PECR, the rules that apply to most businesses and possible changes to the rules in the future.
Jump to:
What’s the difference between GDPR and PECR?
- The GDPR (and in the UK, the UK GDPR and Data Protection Act 2018) sets out the rules on processing personal information about living individuals.
- PECR sets out rules for using electronic communications.
GDPR applies only to personal data.
PECR, however, must be complied with even if you are not processing personal data. The two laws complement one another and stipulate that when a business engages in electronic communications, it must guarantee certain privacy and security rights to both individuals and companies.
If you use electronic marketing or employ cookies or similar technology you need to comply with both GDPR and PECR. These are the most common examples of where the PECR rules kick in.
What rules do PECR cover?
PECR aims to protect specific privacy rights of individuals and businesses in receipt of electronic communications.
The rules strengthen the EU’s Digital Market Strategy, intended to boost technology-based businesses, protect consumers and upgrade the communications infrastructure across the region.
The PECR rules covers several areas that are relevant to businesses, including:
- Electronic, unsolicited direct marketing by phone, email, text and fax.
- The use of cookies and other technology tracking user behaviour (e.g. rules around how you’re able to track individuals and store information around their behaviour).
- Keeping communications services secure.
- Ensuring customer privacy in traffic and location data, itemised billing, line identification and directory listings.
Why does PECR matter to your business?
Electronic communications are fundamental to the way most of us now do business. If you use email, web chat or text to engage with customers or other businesses, you need to be familiar with PECR and what rules to follow.
PECR is actually broader than the GDPR, as it doesn’t just protect individuals as PECR is not just about personal data. It is wider and can cover businesses too. The rules under PECR apply to ‘subscribers’, so as well as individuals, it also protects corporates and affords different rights to ‘individual’ and ‘corporate subscribers’.
Your business will be caught by the rules in various circumstances, for example (most commonly) if you:
- Market to customers using phone, email, or text.
- Use cookies or similar technologies on your website to track user behaviour.
- Compose a telephone directory.
Certain rules under PECR apply only to businesses that provide a public electronic communications network or service, but a number of businesses use cookies and electronic marketing in their day-to-day activities. Therefore, the PECR rules should not be ignored. PECR is a vast and complicated topic, so please contact our team if you’d like specific advice on how the rules apply to your business.
What challenges do businesses face when complying with PECR and what happens if they get this wrong?
The rules around PECR have already changed several times and there are more changes in the pipeline. This can be difficult for businesses to stay on top of. In December of 2022, the ICO published brand new guidance and checklists around PECR compliance. Therefore, it’s vital that businesses stay up to date with the latest advice from the regulator and continue to monitor their compliance.
Businesses also sometimes struggle to understand how the rules under PECR work alongside the GDPR rules, particularly around the issue of ‘consent’ and sending out email marketing. This topic has caused a lot of confusion for businesses since the GDPR came into force. For example, we expect that a lot of businesses would have deleted their marketing databases for fear of not having appropriate ‘consent’, when this may not have been strictly necessary (as there are certain exemptions under the PECR, allowing marketing communications to be sent out).
There have been several enforcement actions from the ICO for breaches of PECR and it’s expected that the ICO will continue to take a strict approach with those businesses who fail to comply, in particular businesses who engage in spam email and marketing calls. Businesses should therefore take the time to fully understand the rules which apply to them and make sure they comply.
As a recent example, the UK ICO fined two companies (Crown Glazing Ltd and Maxen Power Supply Ltd) £250,000 in June 2023 for carrying out unsolicited direct marketing calls, in breach of the PECR rules. The ICO cited in its blog post that through their enforcement of PECR, they have issued over £2.4 million in fines since 2022, for breaches concerning nuisance calls, texts and emails. Most companies engage in some form of direct marketing activities, so PECR compliance is vital.
The ICO can take several types of enforcement actions against businesses who breach the PECR rules, including criminal prosecution and non-criminal enforcement action, audits and of course fines of up to £500,000 (which can be issued to either a company itself, or its directors).
What about the future?
The EU is in the process of replacing the current ePrivacy Directive with a new ‘ePrivacy Regulation’, however we’ve been waiting a long time for this and its uncertain as to how the UK will handle this, since due to Brexit, the new rules won’t automatically apply in the UK. However, given the UK’s ‘adequacy status’, it is expected that the UK will want to align with any new rules issued by the EU.
This new ePrivacy Regulation intends to bring financial penalties for breaching its rules to the same level as prescribed by the GDPR, meaning businesses breaking the rules could be finedup to 4% of annual global turnover for the preceding financial year or 20 million euros, whichever is the greater, for the most serious breaches. The new regulation would also bring with it several changes to the rules – there have been a number of discussions around the potential changes in rules and this is a complicated topic, so please contact us if you’d like further advice on the possible changes and implications for businesses.
As covered in our article the proposed ‘Data Protection and Digital Information Bill’ intended to reform UK data protection laws is also in the pipeline. This new bill would change the rules around direct marketing and cookies, including increasing the fines for breaches of PECR to the same level as the GDPR.
We are following developments around these updates in law closely and will report further when there is more news around them.
In conclusion, compliance with the PECR is vital and all businesses should assess the PECR rules and how they apply to them to ensure compliance.
If you have any further questions about the PECR rules or any data protection law issues , please contact one of our expert data protection lawyers.
