What on earth are PECR?!

PECR - regulating electronic communications

PECR are the Privacy and Electronic Communications Regulations. The regulations were written up in 2003 and exist to support the GDPR and DPA. But it’s possible that you’ve not heard much about these regulations, considering the amount of noise GDPR caused.

 

What do PECR do?

The regulations sit alongside the DPA 2018 and GDPR as part of the UK’s group of growing data protection laws.

The regulations are intended to cover direct marketing communications made to individuals through electronic means like email and text. Even though they may not be as widely known as the GDPR or DPA, they are just as important for businesses.

The regulations cover:

  • Marketing calls, emails, texts, faxes (yes, they do still exist)
  • Cookies (and other similar technologies)
  • Ensuring communications service providers are secure (like internet services)
  • Customer privacy such as traffic and location data, itemised billing, line identifications and directory listings

 

Why do the regulations exist?

PECR’s main purpose is to support the GDPR and DPA in achieving their purposes. The GDPR doesn’t replace the Privacy and Electronic Communications Regulations. The rules outlined by the regulations still apply but must meet the standards of GDPR when it comes to consent.

Like the GDPR and DPA, the ICO governs the regulations and give individuals very specific privacy rights when it comes to electronic communications. This is mainly because public access to digital mobile networks and the internet poses increased risks to user privacy.

PECR are in place to restrict the amount of unsolicited electronic marketing communications people receive from businesses.

As a rule of thumb, the regulations are stricter for B2C marketing than B2B marketing.

 

What does this mean for businesses?

If your business uses electronic methods for marketing or uses cookies, you must comply with the Privacy and Electronic Communications Regulations and GDPR.

If your marketing practices already meet GDPR expectations, then this will make adhering to the regulations easier. And this goes the other way too – if you comply with PECR, then that will help you comply with GDPR.

The most important consideration is that no matter whether you process personal data or not, PECR will still apply.

But bear in mind that the regulations will eventually be replaced by the ePrivacy Regulation when it comes into force in 2019.

 

What happens if I am not PECR compliant?

If you experience a breach of data and fail to submit a breach notification to the ICO, you may incur a fine of £1,000.

£1,000 may not seem much but it’s not actually the maximum fine that the ICO can incur on businesses.

According to the ICO, they have the power to serve a fine of up to £500,000 under PECR for a breach.

Flybe was fined £70,000 for a breach of the regulations by sending 3.3 million emails to people that had already opted-out of receiving marketing emails from the airline.

This is a clear reminder that you cannot break one regulation (PECR) in attemps to comply with another (GDPR)!

Honda also received a fine amounting to £13,000 for sending 289,790 unsolicited marketing emails in 2017.

 

PECR fines Flybe for 3.3 million emails

Further reading:

The full PECR 2003 – http://www.legislation.gov.uk/uksi/2003/2426/contents/made

PECR overview – https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/

 

The other UK data protection laws:

DPA – https://supporttree.co.uk/data/data-protection-act/

GDPR – https://supporttree.co.uk/gdpr/smes-know-gdpr/