Have you ever received a pesky marketing email that made you cringe and hit delete faster than you could say “spam”? Or maybe you’ve been bombarded with text messages promoting products you have zero interest in, and you’re left wondering how they even got your number. Well, that’s where PECR regulations come in.
Most of us have experienced the frustration of receiving unwanted electronic communications from businesses. But did you know there are rules and regulations to protect us from these intrusions? If you’re a business owner or marketer, understanding PECR is crucial to avoiding hefty fines and building a trusting relationship with your customers. So, let’s dive in.
What is PECR?
PECR stands for the Privacy and Electronic Communications Regulations. It sets out how businesses are allowed to market to UK consumers using electronic technology. PECR covers several areas, including:
- Electronic marketing communications, including marketing calls, emails, texts, and faxes
- Security of public electronic communications services
- Privacy of customers of communications networks or services, covering traffic and location data, line identification services, itemized billing, and directory listings
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) are a UK law that works alongside the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) to set strict rules on privacy rights and electronic communications. They are designed to strengthen the privacy and security of electronic communications in the UK.
The goal of PECR is to give consumers the same level of protection whichever of these services they use. For instance, it forbids companies from collecting data about their customers without their consent and requires that users be told whenever their data is disclosed to a third party.
PECR governs how companies handle data when they use electronic communications to interact with consumers. The regulations provide a range of protections for individuals using these services, covering:
- How much information is to be collected
- Who gets access
- Where it can be stored, whether in a digital or a physical location
Notably, PECR has been amended several times. In 2018 the rules were changed to restrict cold-calling for management services and to hold directors accountable for severe violations of the communication rules. In 2019, they were updated to include the UK GDPR definition of permission and to prohibit certain kinds of cold calling for pension schemes.
Are the PECR Part of the GDPR?
The PECR is not part of the GDPR as such. However, the two interact closely: the data protection rules under the GDPR and the privacy rules under the PECR have to be read together.
GDPR (General Data Protection Regulation) is a European Union regulation that controls the protection and privacy of personal data for all EU citizens. The GDPR establishes a higher data protection and privacy standard and applies to all businesses inside the EU. In contrast, the PECR only applies to organizations operating in the UK.
PECR complements GDPR by offering extra protections for specific processing activities relevant to electronic communications services.
The GDPR provides a broad framework covering the processing of personal data, meaning any use of people’s personal information such as their name, address, or cookie ID.
Both communications and electronic marketing involve processing personal data, so the GDPR applies to these activities. The PECR adds detailed rules for this specific area. The two complement each other, and you must comply with both.
What are the Requirements of PECR?
PECR’s requirements include rules on marketing communications, rules on web cookies, updated consent thresholds, and information security standards for service and network providers.
a) Marketing, Cookies, and Consent
The PECR restricts unsolicited marketing communications by phone, fax, email, text, and other electronic means. There are various rules for different types of communication. Generally, these rules are stricter for marketing to individuals than for marketing to businesses.
Organizations will often need specific consent to send unsolicited direct marketing. The best way to gain valid consent is to ask consumers to tick opt-in boxes confirming their desire to receive marketing calls, SMS, or emails.
Organizations that use web cookies must:
- State the cookies to be set
- Explain what cookies do
- Obtain consent to store cookies on devices
PECR also applies to ‘similar technologies,’ such as fingerprinting techniques. Unless an exemption applies, the use of such technologies requires clear and comprehensive information and the consent of the user or subscriber.
b) Communications Networks and Services
Service providers must take appropriate measures to safeguard the security of their services. The nature of the risk, the technology available, and the cost determine what counts as “appropriate.”
Service providers must also inform their customers of any significant security risks.
At a minimum, the measures should:
- Ensure personal data is accessible only by authorized personnel, and only for lawful purposes
- Ensure security policies are implemented for the processing of personal data
- Protect stored or transmitted personal data against unlawful or accidental destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access, or disclosure
Who Does the PECR Apply to?
If you are a non-UK or non-EU company operating in the UK, you may wonder whether you must comply with UK privacy rules. The PECR applies to non-UK and non-EU businesses that engage in commercial activity in the UK. Therefore, if you target UK consumers with your advertising, products, and services, you must comply with the PECR and the GDPR.
This applies even if your company has no presence in the EU or UK, because it follows from the territorial scope rules in Article 3 of the GDPR. Notably, you might have to appoint an EU Representative if you are outside the UK.
Some PECR rules apply only to organizations providing a public electronic communications network or service. Even if you are not a network or service provider, PECR rules still apply to you if you:
- Market your business by email, phone, fax, or text
- Compile a telephone directory
- Own a company that offers location-based services such as GPS and Wi-Fi positioning services
What are the Pros and Cons of PECR Regulations?
The privacy and electronic communications regulations have some pros and cons.
Pros:
- PECR compliance gives individuals better assurance of their privacy
- Limits the scope of unwanted communication
- Gives businesses and marketers a basic guideline on what the law does and does not permit
- Lets individuals restrict the communications they choose to receive
Cons:
- It doesn’t apply to individuals outside the EU’s jurisdiction
- Each organization needs to understand how the policy is enforced
What Are The Rules Under PECR?
PECR forbids businesses from sending unsolicited direct marketing to individuals by electronic mail unless the intended recipient has previously told the sender that they consent to receiving such communications. The standard of consent is the same as that which applies under the GDPR.
However, PECR Regulation 22(3) contains an exception to the general prohibition, commonly called the “soft opt-in.” This allows a business to send electronic direct marketing to individuals where:
- The business obtained the recipient’s contact details in the course of a sale, or negotiations for a sale, of a product or service to that recipient
- The direct marketing relates only to similar products and services that the business offers
- When the details were first collected, the recipient was given a simple way to refuse the use of their contact details for such direct marketing, and, if they did not refuse at that point, they are given the same opportunity with each subsequent communication
Many businesses rely on the soft opt-in to send electronic direct marketing as a more accessible alternative to obtaining GDPR-compliant consent from individuals. In either case, you must offer an unsubscribe method with each marketing communication.
Are there Penalties for Violating the PECR?
Under the PECR, the Information Commissioner’s Office (ICO) can issue warnings, reprimands, and fines. Breaching the PECR rules can also result in a criminal offense.
The maximum penalty for violating the PECR is £500,000. However, it is vital to remember that conduct which violates the PECR may also violate the GDPR. The GDPR penalty is substantially greater: up to 2% of annual turnover or €20 million, whichever is higher.
Conclusion on PECR Regulations
PECR regulations are crucial to protecting our privacy and digital rights as consumers. With the constant bombardment of electronic communications from businesses, it’s comforting to know there are rules to keep unwanted messages from cluttering our inboxes and phones.
The PECR rules also cover location data, security breaches, traffic data, and line identification services. For businesses, adhering to PECR regulations ensures compliance with the law and builds customer trust and credibility.