In this article, we’ll take you through everything you need to know about the UK’s PECR (Privacy and Electronic Communications Regulations).
PECR is an acronym for Privacy and Electronic Communications Regulations. They are part of the regulatory framework in the United Kingdom and are intended to complement the broader data protection legislation, such as the Data Protection Act and the UK GDPR. It governs the use of cookies and similar technologies, as well as electronic communications like marketing calls or emails.
The Privacy and Electronic Communications Regulations (PECR) is a set of regulations in the UK that gives individuals specific privacy rights in relation to electronic marketing communications. The regulation governs the use of cookies and similar technologies, unsolicited electronic communications (such as spam), and the processing of personal data in the context of electronic communications services.
The regulation is implemented by the Information Commissioner’s Office (ICO) and is designed to complement the data protection principles set out in the General Data Protection Regulation (GDPR).
PECR (Privacy and Electronic Communications Regulations) is a UK specific regulation that covers electronic marketing communications and the use of cookies. On the other hand, GDPR (General Data Protection Regulation) is a regulation from the European Union that governs the protection and privacy of personal data for all individuals within the EU. The GDPR sets a higher standard for data protection and privacy, and applies to all organizations operating within the EU, while the PECR applies only to organizations operating in the UK.
PECR complements the GDPR by providing additional protections for specific processing activities that are particularly relevant to electronic communications services, such as the use of cookies and similar technologies, direct marketing, and the privacy of communications.
Overall, PECR and GDPR work together to provide a comprehensive framework for the protection of personal data in the UK, with PECR regulations filling in any gaps and providing additional protections where necessary in the context of electronic communications services.
How does PECR fit with the UK GDPR? The PECR and the GDPR both regulate the processing of personal data in the UK. However, while the GDPR provides a general framework for the protection of personal data, PECR specifically addresses the processing of personal data in the context of electronic communications services.
👉 See here for more on the UK’s GDPR.
Yes, PECR still applies in the UK at the time of this writing. They were first created in 2003, and they have been amended a number of times. The more recent changes were made in 2018 and then in 2019 regarding cold-calling requirements. The latest version of the PECR came into effect on 29 March 2019.
Currently, PECR regulations continue to apply alongside the UK GDPR, and the ICO (Information Commissioner’s Office) will keep their guidance under review and update it where necessary, following the European ePrivacy regulation.
The PECR and the ePrivacy Regulation are closely related legislative frameworks, both focusing on privacy in electronic communications (i.e. marketing, cookies). The PECR is a national law in the UK, derived from a European legislation called the ePrivacy Directive 2002, which each EU member state has transposed into its national law.
The ePrivacy Regulation, on the other hand, is a proposed piece of legislation intended to replace the ePrivacy Directive. It aims to harmonize the privacy rules across the EU and ensure consistency with the GDPR. The ePrivacy Regulation, like the GDPR, is designed to be a regulation instead of a directive, meaning it would be directly applicable in all EU member states without needing transposition into national law.
In short, PECR regulations are the UK’s implementation of the EU’s ePrivacy Directive, and the ePrivacy Regulation is intended to replace this directive.
PECR regulations cover the following 5 areas related to electronic communications:
🔎 For further information on this, see the ICO website →
PECR applies to businesses, organizations, and individuals that process personal data in the context of electronic communications services, including but not limited to:
👉 If you operate in any of these areas, or process personal data in the context of electronic communications services, it is likely that the PECR applies to you.
Are you a non-UK company that operates in the UK? Or offer electronic communications services to individuals in the UK? If you answered YES to either of these questions — You must comply with PECR in relation to the processing of personal data in the context of those services. Similarly, if a UK-based company offers electronic communications services to individuals outside the UK, you must still comply with the PECR regulations even if your target users are located outside the UK.
The ICO has a range of enforcement powers to ensure that businesses and organizations comply with PECR, including:
The ICO takes a risk-based approach to enforcement, and will generally focus its efforts on the areas of highest risk to privacy and where there is evidence of significant harm to individuals.
👉 ICO published a quarterly update on the action they have taken to enforce PECR.
| What you need | How to do it |
|---|---|
| Obtain valid consent (with a cookie banner!) | 👉 Get set up with a fully customizable banner |
| Have a clear privacy and cookie policy about your data processing practices | 👉 Generate your privacy and cookie policy |
| Respect individuals’ rights to opt-out of direct marketing | 👉 See our step-by-step breakdown |
*Please note: Organizations must also appoint a Data Protection Officer and implement appropriate technical and organizational measures to secure personal data processed for electronic communications. They may also need to carry out regular privacy impact assessments (PIAs) and keep detailed records of their data processing activities.