Areas Covered by PECR
PECR covers several areas of interest:
- Marketing by electronic means, which includes marketing calls, texts, emails, and faxes.
- Security of public electronic communications services.
- Privacy of customers using communications networks or services, such as traffic and location data, itemized billing, line identification services, and directory listings.
To Whom Does PECR Apply?
PECR applies to any business or organization, including non-UK and non-EU businesses, if they are engaged in commercial activity in the UK. If you're targeting people in the UK with your products, services, or advertising, you must follow the rules of PECR and the GDPR.
PECR applies to companies or organizations which:
- Market by phone, email, text, or fax.
- Compile a telephone directory or a similar public directory.
In addition, some of the PECR rules apply to organizations that provide a public electronic communications network or service.
PECR regulates “direct marketing”, which is defined as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. The ICO considers “direct marketing” to cover a wide range of activities: not just offering goods or services for sale, but also promoting an organization's aims and ideals. For example, it covers a charity or other not-for-profit organization campaigning for support or funds, and a university communicating electronically with prospective students or alumni (e.g. for fundraising). If your communication could affect consumers' behavior, it is likely to be considered marketing or promotional material.
PECR also covers mobile apps, which communicate with websites and web services and can set cookies. Mobile apps developed with specific frameworks can store or access users' information on the device for various purposes.
Furthermore, when you run any other kind of service that could store or access information on a user's device, you are responsible for complying with PECR. This is especially relevant when you use third-party code or other software components, since they may store or access information on your behalf.
PECR does not apply in the same way to intranets, since an intranet is not meant to be a public electronic communications service. However, the requirements of data protection law still apply if cookies or similar technologies are used to monitor users, for example to monitor performance at work. Wherever you collect personal data with the help of cookies, PECR and the other requirements of data protection law will apply.
What Does PECR Say About Cookies?
PECR does not specifically mention cookies, but Regulation 6 of PECR states:
- “ … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
- The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.”
To meet these requirements, you must:
- Say what cookies will be set.
- Explain the purpose of these cookies.
- Identify any third parties who may also process users' information.
- State the duration of the cookies you intend to set.
- Give users the ability to choose which types of cookies will be used on their device.
- Allow users access to your website even if they do not consent to non-essential cookies.
- Not place any non-essential cookies, scripts or other technologies until the user has given their consent.
PECR also regulates “similar technologies” to cookies, such as device fingerprinting. The use of device fingerprinting therefore requires the same provision of information and the same user consent as cookies.
How Does PECR Fit With the UK GDPR?
Naturally, many requirements overlap, since both aim to protect consumers' privacy, but there are some differences and you have to be sure you comply with both.
Most importantly, unlike the UK GDPR, PECR applies to you even if you are not processing personal data. The marketing rules apply even if you do not process personal data and do not identify the person you are contacting.
There are also specific PECR rules for network or service providers, which are not covered by the UK GDPR.
Article 4(11) of the UK GDPR states that “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Valid consent under the GDPR is:
- Freely given. The person must not suffer any consequences if they refuse consent.
- Unambiguous. It is not allowed to confuse or trick the user into consenting.
- Affirmative. The consent must include an affirmative action rather than the absence of disagreement.
- Easy to withdraw. The user must have an easy way to withdraw their consent at any time.
Subscribers and Users
The cookie rules apply to the “terminal equipment” of the “subscriber or user”. The “subscriber” is the person who pays the bill for the internet connection. The “user” is the person who uses a computer or other device to access an online service.
In most cases, the subscriber and the user will be the same person, for example when someone uses their own internet connection to access a website on their computer or mobile device. However, this is not always the case. For instance, if another person, such as a friend or a family member, uses your internet connection to access a service from their own device, they are a user but not a subscriber.
PECR uses the term “terminal equipment” to refer to the device a cookie is placed on. Typically this is a computer or mobile device, but it also includes other equipment such as wearables, smart TVs, and other connected Internet of Things (IoT) devices.
Enforcement of PECR
The Privacy and Electronic Communications Regulations are enforced by the UK Information Commissioner's Office (ICO), which may impose a civil monetary penalty of up to £500,000 for a very serious breach of the Regulations. For less serious cases, an Enforcement Notice may be issued, and a fine may be imposed for breach of an Enforcement Notice. The ICO's enforcement actions can also include criminal prosecution, non-criminal enforcement, and audits.
Frequently Asked Questions
Does PECR require consent?
PECR requires consent for electronic marketing to UK customers. Marketing emails, calls, or texts to corporate subscribers, which include limited companies and limited liability partnerships, do not require consent under PECR.