PECR

The Privacy and Electronic Communications (EC Directive) Regulations 2003 are regulations in the United Kingdom which made it unlawful to, amongst other things, transmit an automated recorded message for direct marketing purposes via a telephone without the prior consent of the subscriber. They are derived from European law and implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.

One of the key points of this legislation is that it is unlawful to send direct marketing to someone who has not specifically granted permission (via an opt-in agreement) unless there is a previous relationship between the parties. Organisations cannot merely add people's details to their marketing database and offer an opt-out after they have started sending direct marketing. For this reason the regulations offer increased consumer protection from direct marketing.

The regulations can be enforced against an offending company or individual anywhere in the European Union. The Information Commissioner's Office is responsible for enforcement regarding unsolicited e-mails and considers complaints about breaches. A breach of an enforcement notice is a criminal offence subject to a fine of up to £500,000 depending on the circumstances.

Does PECR apply to me?

Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:

market by phone, email, text or fax;

use cookies or a similar technology on your website; or

compile a telephone directory (or a similar public directory).

How does this fit with the GDPR?

The GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but using the new GDPR standard of consent.

This means that if you send electronic marketing or use cookies or similar technologies, from 25 May 2018 you must comply with both PECR and the GDPR.

Naturally, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the GDPR, and vice versa – but there are some differences and you must make sure you comply with both.

In particular, it’s important to realise that PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.

For more information on your other data protection obligations, see our separate page on GDPR.

If you are a network or service provider, Article 95 of the GDPR states the GDPR does not apply where there are already specific PECR rules. This is to avoid duplication, and means that if you are a network or service provider, you only need to comply with PECR rules (and not the GDPR) on:

security and security breaches;

traffic data;

location data;

itemised billing; and

line identification services.
