The PECR (Privacy and Electronic Communications Regulations) and EU ePrivacy Directive

What is the PECR?

The PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) implement the EU’s ePrivacy Directive (Directive 2002/58/EC) and set out privacy rights relating to electronic communications.

Although affected by the GDPR (General Data Protection Regulation)’s rules on consent, the PECR have not been superseded by the Regulation, so it is essential for organisations to ensure they comply with both laws if they send electronic marketing messages, use cookies or provide electronic communications services to the public.

The PECR have been amended six times – in 2004, 2011, 2015, 2016 and twice in 2018. The latest amendment came into effect on 17 December 2018, introducing director liability for non-compliance caused by director connivance or negligence.

They were due to be replaced by the ePR (ePrivacy Regulation) in 2018, but this regulation is now expected to come into force in 2020. It is not yet known whether this will be after the UK leaves the EU and, if so, whether the UK will implement the ePR in full.

What do the PECR cover?

The PECR apply to:

  • Electronic marketing, including telephone calls, SMS messages, emails and faxes;
  • The use of website cookies to track visitors;
  • The security of public electronic communications services; and
  • The privacy of users of electronic communications services.

The second 2018 amendment to the PECR enabled the ICO (Information Commissioner’s Office) to fine organisations’ directors personally for infringements.

How do the PECR relate to the GDPR?

The GDPR’s standard of consent is much higher than that of the Data Protection Act 1998 it replaced, and that higher standard also applies under the PECR. To complicate matters, the PECR require consent in many more situations than the GDPR does.

Consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.

The PECR apply even if you are not processing personal data and therefore do not have to comply with the GDPR. For example, the PECR’s marketing rules apply even if the person you are contacting cannot be identified.

For network and service providers, the GDPR does not apply where the PECR already provide rules. In practice, this means providers need only comply with the PECR’s requirements relating to:

  • Security and security breaches;
  • Traffic data;
  • Location data;
  • Itemised billing; and
  • Line identification services.

Some service providers, such as Internet service providers, might, however, be obliged to comply with the NIS Regulations (Network and Information Systems Regulations 2018) as well, so should check their compliance obligations carefully.

Both the GDPR and PECR are enforced by the ICO (Information Commissioner’s Office), which also regulates the NIS Regulations for DSPs (digital service providers).

What are the penalties for not complying with the PECR?

The ICO has the power to take action against organisations and, as of 17 December 2018, their officers for PECR violations. Actions include criminal prosecution, non-criminal enforcement, audit and the imposition of monetary penalties of up to £500,000.

An ‘officer’ is defined by The Privacy and Electronic Communications (Amendment) Regulations 2018 as “a director, manager, secretary or other similar officer of the body [corporate] or any person purporting to act in such capacity” or, “where the affairs of the body are managed by its members, a member”. In relation to a Scottish partnership, an officer is “a partner or any person purporting to act as a partner”.

How IT Governance can help you comply

Understand your level of PECR compliance with our independent PECR Audit service, which assesses:

  • Organisation-wide awareness of the PECR;
  • How risks are managed and the accompanying documentation;
  • The security procedures in place such as access limitation;
  • Handling of data subjects’ rights and privacy notices;
  • Staff training;
  • Data transfer mechanisms and third-party processors;
  • Your ISMS (information security management system), including testing and frameworks; and
  • Your breach response processes.

We will identify areas of non-compliance and deliver a report to help you take remedial action.