The PECR (Privacy and Electronic Communications Regulations) and EU ePrivacy Directive

What are the PECR?

The PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) are a UK law that implements the EU’s ePrivacy Directive (Directive 2002/58/EC) and set out privacy rights relating to electronic communications.

The PECR are affected by the consent rules of the GDPR (General Data Protection Regulation), so organisations that send electronic marketing messages, use cookies or provide electronic communications services to the public must ensure they comply with both laws.

Since Brexit, there are two versions of the GDPR that UK organisations might need to comply with:

  • The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and
  • The EU GDPR, which continues to apply to the processing of EU residents’ personal data.

The PECR have been amended six times – in 2004, 2011, 2015, 2016 and twice in 2018. The latest amendment came into effect on 17 December 2018, introducing director liability for non-compliance caused by director connivance or negligence.

They were due to be replaced by the ePR (ePrivacy Regulation) in 2018, but this regulation is now expected to come into force in 2022 at the earliest. It is not yet known whether the UK will implement the ePR’s requirements in full.

What do the PECR cover?

The PECR apply to:

  • Electronic marketing, including telephone calls, SMS messages, emails and faxes;
  • The use of website cookies to track visitors;
  • The security of public electronic communications services; and
  • The privacy of users of electronic communications services.

The second 2018 amendment to the PECR enabled the ICO (Information Commissioner’s Office) to fine organisations’ directors personally for infringements.

How do the PECR relate to the UK GDPR?

The UK GDPR’s standard of consent applies under the PECR. (The UK GDPR matches the EU GDPR’s standard of consent, which is much higher than that under the Data Protection Act 1998, which it replaced.)

To complicate matters, the PECR require the use of consent much more frequently than the UK GDPR does.

Consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.

The PECR apply even if you are not processing personal data and therefore do not have to comply with the UK GDPR. For example, the PECR’s marketing rules apply even if the person you are contacting cannot be identified.

For network and service providers, the UK GDPR does not apply where the PECR already provide rules. In practice, this means providers need only comply with the PECR’s requirements relating to:

  • Security and security breaches;
  • Traffic data;
  • Location data;
  • Itemised billing; and
  • Line identification services.

However, some service providers, such as Internet service providers, might also be obliged to comply with the NIS Regulations (Network and Information Systems Regulations 2018), so they should check their compliance obligations carefully.

Both the UK GDPR and PECR are enforced by the ICO, which also regulates the NIS Regulations for DSPs (digital service providers).

What are the penalties for not complying with the PECR?

The ICO has the power to take action against organisations and, as of 17 December 2018, their officers for PECR violations. Actions include criminal prosecution, non-criminal enforcement, audit and the imposition of monetary penalties of up to £500,000.

An ‘officer’ is defined by The Privacy and Electronic Communications (Amendment) Regulations 2018 as “a director, manager, secretary or other similar officer of the body [corporate] or any person purporting to act in such capacity” or, “where the affairs of the body are managed by its members, a member”. In relation to a Scottish partnership, an officer is “a partner or any person purporting to act as a partner”.

How IT Governance can help you comply

Understand your level of PECR compliance with our independent PECR Audit service, which assesses:

  • Organisation-wide awareness of the PECR;
  • How risks are managed and the accompanying documentation;
  • The security procedures in place such as access limitation;
  • Handling of data subjects’ rights and privacy notices;
  • Staff training;
  • Data transfer mechanisms and third-party processors;
  • Your ISMS (information security management system), including testing and frameworks; and
  • Your breach response processes.

We will identify areas of non-compliance and deliver a report to help you take remedial action.
