What is PECR?

Although the following information is factually correct, please don’t use the points outlined in this blog as a basis for making a business decision without first consulting one of our qualified consultants. Here at Compliance Direct Solutions Ltd, we have recently observed a growing number of businesses approaching us regarding PECR compliance. In response, this blog provides guidance for organisations that wish to understand more about the ePrivacy regulations, or that currently send electronic marketing messages (by phone, fax, email or text), use cookies, or provide electronic communication services to members of the public.

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act 2018 and the GDPR. They give people specific privacy rights in relation to electronic communications they receive from businesses. We help organisations comply with PECR and promote best practice internally by offering advice and guidance, in addition to consultancy and hands-on support. With the regulations now statutory law, it’s increasingly understandable why the ICO (Information Commissioner’s Office) will take enforcement action against organisations that fail to comply with, or ignore, their obligations, starting with those that generate the most complaints.

This specifically applies to:

  1. Marketing calls, emails, texts and faxes
  2. Cookies (and similar technologies)
  3. Keeping communications services secure
  4. Customer privacy, location data, itemised billing, line identification, and directory listings

How does ePrivacy work with the GDPR? 

As you would expect, there is some overlap, given that both regulations aim to protect people’s privacy. In essence, it’s relatively straightforward: complying with PECR will help you comply with the GDPR, and vice versa. Many businesses fail to realise that the PECR regulations apply even if you’re not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting. For more information on how to implement data protection compliance, please read our previous blogs.

Telephone Marketing? 

You must not make marketing calls to any number listed on the Telephone Preference Service (TPS) or Corporate TPS (CTPS), unless that person has specifically consented to your calls. So, you need to screen call lists against the TPS and CTPS. The rules on live marketing calls are in regulations 21, 21A and 21B. In short, you must not make unsolicited live calls to:

  1. Anyone who has told you they don’t want your calls.
  2. Any number registered with the TPS or CTPS, unless the person has specifically consented to your calls. 

You must always say who is calling, allow your number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked.

Fax Marketing?

You must not send marketing faxes to individuals, or to any number listed on the Fax Preference Service (FPS), unless they have specifically consented to your faxes. You can send marketing faxes to companies that are not listed on the FPS. So, you need to screen business fax lists against the FPS. The rules on marketing faxes are in regulation 20. In short, you must not send marketing faxes to:

  1. Individuals, including sole traders and some partnerships, unless they have specifically consented to your faxes.
  2. A company or other corporate body that has told you they don’t want your faxes; or
  3. Any number registered with the FPS, unless the person has specifically consented to your faxes.

All marketing faxes must include your name and a contact address or freephone number.

Electronic mail marketing? 

You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’. You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object. The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:

  1. They have specifically consented to electronic mail from you; or
  2. They are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

You also must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe. 

Using marketing lists?

When marketing, check the origin and accuracy of bought-in lists. You should screen call lists against the TPS, and only use bought-in lists for email, text or recorded calls with very specific consent. For in-house marketing lists, use opt-in boxes wherever possible. Specify consent to marketing by email, by text, by fax, by phone or by recorded call. Ask for specific consent also if you want to pass details to other companies, and make sure you name or describe those companies. Keep clear records of consent and keep a ‘do not contact’ list of anyone who objects or opts out.

Cookies and similar technologies? 

The rules on cookies are in regulation 6. The basic rule is that you must: 

  1. Tell people the cookies are there. 
  2. Explain what the cookies are doing and why.
  3. Get the person’s consent to store a cookie on their device. 

As long as you gain consent the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals. You may also need to obtain fresh consent if your use of cookies changes over time. 

Security breaches? 

A personal data breach may mean that someone other than the data controller gets unauthorised access to personal data. But a personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data. Service providers are required to notify the ICO if a ‘personal data breach’ occurs. They must also notify customers if the breach is likely to adversely affect customers’ privacy and keep a breach log.

Exemptions?

There are only two general exemptions from PECR: a national security exemption, and a law and crime exemption (for compliance with other laws, law enforcement, or legal advice or proceedings). You should consider these exemptions on a case-by-case basis. There is no exemption for contractual obligations. 

Complaints?

If someone complains about your electronic marketing (e.g. spam calls or texts), cookies or other privacy issues regarding electronic communications, the Information Commissioner’s Office will record and review the concerns raised and may investigate your compliance with PECR. If they decide it is likely you have failed to comply with PECR or other data protection legislation, they may ask you to take steps to remedy this and avoid similar complaints in future. If appropriate, they may decide to take enforcement action and fine businesses. If you have any questions or concerns around ePrivacy or data protection compliance, feel free to contact us today for a free consultation.

https://compliancedirectsolutions.com/data-protection/eprivacy/ – Contact us for more information.  

https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/what-are-pecr/ – ICO Guidance