In this article, we’ll take you through everything you need to know about the UK’s PECR (Privacy and Electronic Communications Regulations).
The Privacy and Electronic Communications Regulations (PECR) is a set of regulations in the UK that gives individuals specific privacy rights in relation to electronic marketing communications. The regulation governs the use of cookies and similar technologies, unsolicited electronic communications (such as spam), and the processing of personal data in the context of electronic communications services.
The regulation is implemented by the Information Commissioner’s Office (ICO) and is designed to complement the data protection principles set out in the General Data Protection Regulation (GDPR).
PECR (Privacy and Electronic Communications Regulations) is a UK-specific regulation that covers electronic marketing communications and the use of cookies. On the other hand, GDPR (General Data Protection Regulation) is a regulation from the European Union that governs the protection and privacy of personal data for all individuals within the EU. The GDPR sets a higher standard for data protection and privacy, and applies to all organizations operating within the EU, while PECR applies only to organizations operating in the UK.
PECR complements the GDPR by providing additional protections for specific processing activities that are particularly relevant to electronic communications services, such as the use of cookies and similar technologies, direct marketing, and the privacy of communications.
Overall, PECR and GDPR work together to provide a comprehensive framework for the protection of personal data in the UK, with PECR filling in any gaps and providing additional protections where necessary in the context of electronic communications services.
How does PECR fit with the UK GDPR?
The PECR and the GDPR both regulate the processing of personal data in the UK. However, while the GDPR provides a general framework for the protection of personal data, PECR specifically addresses the processing of personal data in the context of electronic communications services.
👉 See here for more on the UK’s GDPR.
PECR covers the following 5 areas related to electronic communications:
🔎 For further information on this, see the ICO website →
PECR applies to businesses, organizations, and individuals that process personal data in the context of electronic communications services, including but not limited to:
👉 If you operate in any of these areas, or process personal data in the context of electronic communications services, it is likely that PECR applies to you.
Are you a non-UK company that operates in the UK? Or do you offer electronic communications services to individuals in the UK? If you answered YES to either of these questions, you must comply with PECR in relation to the processing of personal data in the context of those services. Similarly, a UK-based company that offers electronic communications services to individuals outside the UK must still comply with PECR, even if its target users are located outside the UK.
The ICO has a range of enforcement powers to ensure that businesses and organizations comply with PECR, including:
The ICO takes a risk-based approach to enforcement, and will generally focus its efforts on the areas of highest risk to privacy and where there is evidence of significant harm to individuals.
👉 The ICO published a quarterly update on the action they have taken to enforce PECR.
| What you need | How to do it |
|---|---|
| Obtain valid consent (with a cookie banner!) | 👉 Get set up with a fully customizable banner |
| Have a clear privacy and cookie policy about your data processing practices | 👉 Generate your privacy and cookie policy |
| Respect individuals’ rights to opt-out of direct marketing | 👉 See our step-by-step breakdown |
*Please note: Organizations must also appoint a Data Protection Officer and implement appropriate technical and organizational measures to secure personal data processed for electronic communications. They may also need to carry out regular privacy impact assessments (PIAs) and keep detailed records of their data processing activities.