The Privacy and Electronic Communications Regulations (PECR, or PECR 2003) are based on the European Directive 2002/58/EC, also known as the e-privacy Directive. PECR is not part of the GDPR as such, but it sits alongside the Data Protection Act and the UK GDPR. PECR was introduced in 2003 to regulate direct marketing by electronic means. It also regulates the use of cookies and similar technologies, the security of public electronic communications services, and the confidentiality of communications. The most recent changes were made in January 2019.
Areas Covered by PECR
PECR covers several areas of interest:
- Marketing by electronic means, including marketing calls, texts, emails, and faxes.
- The use of cookies and similar technologies that collect and process users' information regarding the use of a website or other electronic service.
- Security of public electronic communications services.
- Privacy of customers using communications networks or services, such as traffic and location data, itemized billing, line identification services, and directory listings.
To Whom Does PECR Apply?
PECR applies to any business or organization, including non-UK and non-EU businesses, if it is engaged in commercial activity in the UK. If you target people in the UK with your products, services, or advertising, you must follow the rules of both PECR and the UK GDPR.
PECR applies to companies or organizations which:
- Market by phone, email, text, or fax.
- Use cookies or similar technology on their website.
- Compile a telephone directory or a similar public directory.
In addition, some of the PECR rules apply to organizations that provide a public electronic communications network or service.
PECR regulates “direct marketing”, defined as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. The ICO reads “direct marketing” broadly: not just offers to sell goods or services, but also the promotion of an organization's aims and ideals. For example, it covers a charity campaigning for support or funds, or a university contacting prospective students or alumni by electronic means (e.g. for fundraising). If a message is intended to influence the recipient's behavior towards your organization, it is likely to count as marketing or promotional material.
The cookie rules are not limited to websites and web browsers. PECR applies to any technique that stores information on, or accesses information stored in, the terminal equipment of a subscriber or user.
That includes mobile apps, which communicate with websites and web services and can set cookies; depending on the framework they are built with, apps can also store or read identifiers and other user information on the device for various purposes.
More generally, whenever you run a service that stores or accesses information on a user's device, you are responsible for complying with PECR. This is especially relevant when you embed third-party code, SDKs or tag scripts, since those components can set cookies or read device information on your behalf.
PECR does not apply in the same way to intranets, since an intranet is not a public electronic communications service. However, data protection law still applies if cookies or similar technologies are used on an intranet, for example to monitor staff performance. Outside that intranet case, wherever cookies are used to collect personal data, both PECR and the other requirements of data protection law apply.
What Does PECR Say About Cookies?
PECR does not specifically mention cookies, but Regulation 6 of PECR states:
- “ … a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
- The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.”
This means that if you use cookies (or anything else that stores or reads information on the device) you must:
- Say what cookies will be set.
- Explain the purpose of each cookie.
- Name any third parties who may also process users' information through those cookies.
- State how long each cookie will persist.
- Obtain consent before any non-essential cookie is set or read.
Because consent under PECR means consent to the UK GDPR standard, the UK GDPR's requirements for valid consent also govern cookie consent, which means:
- You cannot rely on pre-ticked boxes, and you cannot treat continued browsing or scrolling as acceptance of cookies.
- You must let users choose which categories of non-essential cookies may be used on their device.
- You must still allow users to use your website if they decline non-essential cookies.
- You must not place any non-essential cookies, scripts or other technologies until the user has given consent, and you must stop using them if that consent is withdrawn.
PECR also covers “similar technologies” that read information from the device without setting a cookie, such as device fingerprinting. Using device fingerprinting therefore requires the same information to be provided, and the same prior consent, as cookies.
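The cookie requirements above, and the fingerprinting point, reduce to one engineering rule: nothing non-essential may touch the device until an explicit, per-category, revocable choice has been recorded. The following is an added example of a consent gate that enforces that rule in the browser; it is not code from the original page or from the ICO, and the category names, cookie names, the 180-day retention period and the two illustrative tags are assumptions. It runs in Node against an in-memory cookie jar and includes a document.cookie adapter for real pages.

```javascript
// Added example, not from the original page: a consent gate that loads non-essential
// cookies and scripts only after an explicit, per-category choice has been recorded.
// Category names, cookie names, retention period and the two "tags" are assumptions.
const NON_ESSENTIAL = ["analytics", "marketing"];   // strictly-necessary cookies need no consent
const CONSENT_COOKIE = "consent_prefs";             // the record of the choice is itself strictly necessary
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;         // seconds; re-ask after 6 months (assumed policy)

// In-memory cookie jar so the example runs outside a browser (e.g. in Node).
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value, _opts) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// The same interface over document.cookie for a real page.
function browserCookieJar() {
  return {
    get(name) {
      const m = document.cookie.match(new RegExp("(?:^|; )" + name + "=([^;]*)"));
      return m ? decodeURIComponent(m[1]) : null;
    },
    set(name, value, opts = {}) {
      const secure = location.protocol === "https:" ? "; Secure" : "";
      document.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax` +
        (opts.maxAge ? `; Max-Age=${opts.maxAge}` : "") + secure;
    },
    remove(name) { document.cookie = `${name}=; Path=/; Max-Age=0`; },
  };
}

class ConsentManager {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;
    this.now = now;
    this.handlers = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, []]));
    this.prefs = this.load();   // null until the user has made an explicit choice
  }
  // Read a previously recorded choice; anything malformed counts as "no decision yet".
  load() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try {
      const p = JSON.parse(raw);
      return p !== null && typeof p === "object" && typeof p.ts === "number" ? p : null;
    } catch (_e) { return null; }
  }
  hasDecided() { return this.prefs !== null; }
  granted(category) { return this.prefs !== null && this.prefs[category] === true; }
  // Register a non-essential action (loading a tag, setting a cookie, fingerprinting).
  // onConsent runs only once the category is granted; onWithdraw must undo its effects.
  register(category, onConsent, onWithdraw) {
    if (!(category in this.handlers)) throw new Error("unknown category: " + category);
    this.handlers[category].push({ onConsent, onWithdraw });
    if (this.granted(category)) onConsent();   // returning visitor who already consented
  }
  // Record an explicit choice from an unticked form. Only the literal boolean true counts:
  // undefined, "on", a pre-ticked default or a scroll event are all recorded as "not granted".
  record(choices) {
    const prefs = { ts: this.now() };
    for (const c of NON_ESSENTIAL) prefs[c] = choices[c] === true;
    const before = this.prefs || {};
    this.prefs = prefs;
    this.jar.set(CONSENT_COOKIE, JSON.stringify(prefs), { maxAge: CONSENT_MAX_AGE });
    for (const c of NON_ESSENTIAL) {
      for (const h of this.handlers[c]) {
        if (prefs[c] && !before[c]) h.onConsent();
        if (!prefs[c] && before[c]) h.onWithdraw();
      }
    }
    return prefs;
  }
  withdrawAll() { return this.record({}); }   // "easy to withdraw": one call, cookies removed
}

// Two illustrative non-essential tags (assumed). Each sets its cookie only inside onConsent.
function attachExampleTags(cm, jar) {
  cm.register("analytics",
    () => jar.set("site_analytics_id", "a1b2c3", { maxAge: 365 * 86400 }),
    () => jar.remove("site_analytics_id"));
  cm.register("marketing",
    () => jar.set("ad_device_fp", "fp-xyz", { maxAge: 365 * 86400 }),   // fingerprint-derived id
    () => jar.remove("ad_device_fp"));
}

// Stand-alone walk-through: no decision, then analytics only, then withdrawal.
function demo(jar = new MemoryCookieJar()) {
  const cm = new ConsentManager(jar, () => 1700000000000);
  attachExampleTags(cm, jar);
  const beforeChoice = jar.names();                  // []
  cm.record({ analytics: true, marketing: "on" });   // "on" is not an explicit true
  const afterChoice = jar.names();                   // ["consent_prefs", "site_analytics_id"]
  cm.withdrawAll();
  const afterWithdraw = jar.names();                 // ["consent_prefs"]
  return { beforeChoice, afterChoice, afterWithdraw };
}
```

The point to notice is where the tags are invoked: they are registered as callbacks and never run on page load, so a third-party script that is merely present on the page cannot set a cookie or fingerprint the device before the user has chosen. Anything other than a literal true from the form (a pre-ticked default, a scroll event) is recorded as a refusal, a returning visitor's stored choice is honoured without re-prompting, and withdrawing consent removes the cookies that were set, not just the preference record.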
How Does PECR Fit With the UK GDPR?
PECR sits alongside the UK GDPR. This means that if you send electronic marketing, newsletters, or use cookies or similar technologies, you must comply with both PECR and the UK GDPR.
Naturally, many requirements overlap, since both aim to protect consumers' privacy, but there are some differences and you have to be sure you comply with both.
Most importantly, unlike the UK GDPR, PECR applies to you even if you are not processing personal data. The marketing rules apply even if you do not process the data and cannot identify the person you are contacting.
There are also specific PECR rules for network or service providers, which are not covered by the UK GDPR.
Key definitions of PECR regarding marketing and the use of cookies
Consent
PECR requires users to consent to cookies being placed on their devices. PECR itself does not define consent, but the 2019 amendments to PECR clarify that consent by a user or subscriber under PECR means consent as defined in the UK GDPR.
Article 4(11) of the UK GDPR states that “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Valid consent under the GDPR is:
- Freely given. The person must not suffer any detriment if they refuse consent.
- Specific. Consent must be requested for a specific, clearly described purpose, for example the use of analytics cookies.
- Informed. You must provide clear information about the use of cookies or similar technologies.
- Unambiguous. You must not confuse or trick the user into consenting.
- Affirmative. Consent requires a positive action, not merely the absence of an objection.
- Easy to withdraw. The user must have an easy way to withdraw their consent at any time.
Subscribers and users
The cookie rules apply to the “terminal equipment” of the “subscriber or user”. The “subscriber” is the person who contracts and pays for the internet connection. The “user” is the person who uses a computer or other device to access an online service over it.
In most cases the subscriber and the user are the same person, for example when someone uses their own internet connection to access a website from their computer or mobile device. This is not always so: if a friend or family member uses your internet connection to access a service from their own device, they are a user but not a subscriber.
Terminal equipment
PECR uses the term “terminal equipment” for the device on which a cookie is placed. Typically this is a computer or mobile device, but it also includes other equipment such as wearables, smart TVs, and other connected Internet of Things devices.
Enforcement of PECR
The Privacy and Electronic Communications Regulations are enforced by the UK Information Commissioner's Office (ICO), which may impose a civil monetary penalty of up to a maximum of £500K for a very serious breach of the Regulations. For less serious cases, an Enforcement Notice could be issued and a fine may be imposed for breach of an Enforcement Notice. The ICO actions to enforce PECR could also include criminal prosecution, non-criminal enforcement, and audit.
Frequently Asked Questions
What are PECR?
The Privacy and Electronic Communications Regulations (PECR) are based on the European Directive 2002/58/EC, and regulate the security and confidentiality of marketing communications and the use of cookies and similar technologies for UK consumers. PECR is not part of the GDPR as such, but PECR sits alongside the Data Protection Act and the UK GDPR.
What is the difference between PECR and GDPR?
GDPR relates to the processing of personal data, while the PECR applies to you even if you are not processing personal data. PECR relates to electronic marketing and regulates marketing calls, emails, texts, faxes, and the use of cookies and similar technologies. The PECR marketing regulations apply even if you do not process the data and do not identify the person you are contacting.
Does PECR require consent?
PECR requires consent to electronic marketing for UK customers. If you want to send marketing emails or texts to corporate subscribers, which include limited companies and limited liability partnerships, you do not need consent under PECR, although live marketing calls must still be screened against the Corporate Telephone Preference Service and the individuals you contact retain their rights under data protection law.
Who does PECR apply to?
PECR applies to companies or organizations that either market by phone, email, text, or fax; use cookies or similar technology on their website; or compile a telephone directory or a similar public directory.
How does PECR regulate the use of cookies?
PECR does not mention cookies by name, but Regulation 6 covers any storage of, or access to, information on a user's device, which includes cookies and similar technologies such as device fingerprinting. To comply, you must: say what cookies will be set; explain the purpose of each cookie; name any third parties who may also process users' information; state how long each cookie will persist; and obtain consent, to the UK GDPR standard, before any non-essential cookie is set or read.