PECR: Everything you need to know

In this article, we’ll take you through everything you need to know about the UK’s PECR (Privacy and Electronic Communications Regulations).

What is PECR?

The Privacy and Electronic Communications Regulations (PECR) is a set of regulations in the UK that gives individuals specific privacy rights in relation to electronic marketing communications. The regulation governs the use of cookies and similar technologies, unsolicited electronic communications (such as spam), and the processing of personal data in the context of electronic communications services. 

The regulation is implemented by the Information Commissioner’s Office (ICO) and is designed to complement the data protection principles set out in the General Data Protection Regulation (GDPR).

What is the difference between PECR and GDPR?

PECR (Privacy and Electronic Communications Regulations) is a UK-specific regulation that covers electronic marketing communications and the use of cookies. GDPR (General Data Protection Regulation), on the other hand, is a regulation from the European Union that governs the protection and privacy of personal data for all individuals within the EU. The GDPR sets a higher standard for data protection and privacy, and applies to all organizations operating within the EU, while PECR applies only to organizations operating in the UK.

PECR complements the GDPR by providing additional protections for specific processing activities that are particularly relevant to electronic communications services, such as the use of cookies and similar technologies, direct marketing, and the privacy of communications.

Overall, PECR and GDPR work together to provide a comprehensive framework for the protection of personal data in the UK, with PECR filling in any gaps and providing additional protections where necessary in the context of electronic communications services.

How does PECR fit with the UK GDPR?

PECR and the GDPR both regulate the processing of personal data in the UK. However, while the GDPR provides a general framework for the protection of personal data, PECR specifically addresses the processing of personal data in the context of electronic communications services.

👉 See here for more on the UK’s GDPR.

What Areas Does PECR Cover?

PECR covers the following 5 areas related to electronic communications:

  1. Cookies and similar technologies – PECR requires websites to obtain informed consent from users before placing cookies or similar technologies on their devices.
  2. Marketing communications – PECR sets out specific rules for sending electronic marketing communications, including telemarketing calls, faxes, emails, and text messages.
  3. Location data – PECR regulates the use of location data, including GPS and Wi-Fi positioning data, collected through electronic communications services.
  4. Traffic and device data – PECR requires that traffic and device data collected in the course of providing electronic communications services is processed in accordance with data protection principles.
  5. Privacy of communications – PECR provides specific protections for the privacy of electronic communications, such as email and instant messaging, by requiring that such communications are intercepted only in accordance with the law.

🔎 For further information on this, see the ICO website →

Does PECR apply to me?

PECR applies to businesses, organizations, and individuals that process personal data in the context of electronic communications services, including but not limited to:

  • Websites and online services that use cookies or similar technologies.
  • Marketing companies that send electronic marketing communications, such as telemarketing calls, faxes, emails, and text messages.
  • Companies that offer location-based services, such as GPS and Wi-Fi positioning services.
  • Providers of electronic communications services, such as internet service providers and mobile network operators.
  • Businesses that use electronic communication systems, such as email and instant messaging, to process personal data.

👉 If you operate in any of these areas, or process personal data in the context of electronic communications services, it is likely that PECR applies to you.

Are you a non-UK company that operates in the UK? Or do you offer electronic communications services to individuals in the UK? If you answered YES to either of these questions, you must comply with PECR in relation to the processing of personal data in the context of those services. Similarly, a UK-based company that offers electronic communications services to individuals outside the UK must still comply with PECR, even if its target users are located outside the UK.

Non-compliance with PECR

The ICO has a range of enforcement powers to ensure that businesses and organizations comply with PECR, including:

  1. Monetary penalties: The ICO can impose monetary penalties of up to £500,000 for serious breaches of PECR, such as sending unsolicited direct marketing communications or failing to obtain consent for the use of cookies.
  2. Enforcement notices: The ICO can issue enforcement notices requiring businesses and organizations to take specific actions to comply with PECR, such as obtaining consent for the use of cookies or ceasing to send unsolicited direct marketing communications.
  3. Prosecution: In severe cases, the ICO can bring criminal proceedings against businesses and organizations for breaches of PECR, such as sending unsolicited direct marketing communications.
  4. Audits and investigations: The ICO can carry out audits and investigations to assess compliance with PECR, and can use this information to take enforcement action where necessary.

The ICO takes a risk-based approach to enforcement, and will generally focus its efforts on the areas of highest risk to privacy and where there is evidence of significant harm to individuals.

👉 The ICO publishes a quarterly update on the action it has taken to enforce PECR.

How to comply with PECR?

| What you need | How to do it |
| --- | --- |
| Obtain valid consent (with a cookie banner!) | 👉 Get set up with a fully customizable banner |
| Have a clear privacy and cookie policy about your data processing practices | 👉 Generate your privacy and cookie policy |
| Respect individuals’ rights to opt-out of direct marketing | 👉 See our step-by-step breakdown |

*Please note: Organizations must also appoint a Data Protection Officer and implement appropriate technical and organizational measures to secure personal data processed for electronic communications. They may also need to carry out regular privacy impact assessments (PIAs) and keep detailed records of their data processing activities.