The General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR) are two sets of rules that govern data protection and electronic marketing communications in the UK.
PECR was introduced in 2003 and updated in 2011, while GDPR came into effect in 2018, replacing the Data Protection Act 1998.
Their full title of PECR is The Privacy and Electronic Communications (EC Directive) Regulations 2003 which is derived from European law. PECR implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.
The Information Commissioner’s Office (ICO) publish a Guide to Privacy and Electronic Communications Regulations.
Consent and opt-in
One of the key principles of both GDPR and PECR is that marketers must obtain the consent of individuals before processing their personal data or sending them electronic marketing messages. This means that individuals must actively opt-in to receive marketing messages and must be given the opportunity to easily opt-out of receiving future messages. Examples of electronic marketing messages include emails, text messages, and direct messages on social media platforms.
Cookies and online tracking
Both GDPR and PECR govern the use of cookies and other tracking technologies on websites. Websites must obtain consent from users before placing cookies on their devices, except in cases where the cookies are strictly necessary for the functioning of the website. The regulations also require website owners to provide clear and comprehensive information about the types of cookies used on their sites and their purposes.
There are two exemptions which apply where:
- the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.
Direct marketing
Direct marketing is a type of marketing that involves sending messages directly to individuals, such as through email or direct mail. GDPR and PECR require that individuals are given the opportunity to opt-out of receiving direct marketing messages, and that marketers must stop sending messages to individuals who have opted-out. The regulations also prohibit the use of pre-ticked boxes or other forms of consent that are automatically applied to individuals.
Complaints
The concerns section of the ICO website contains more information on when and how individuals can report their concerns to the ICO.
If someone complains about your electronic marketing (eg spam calls or texts), cookies or other privacy issues regarding electronic communications, we will record and review their concerns, and we may investigate your compliance with PECR. If we decide it is likely you have failed to comply with PECR or other data protection legislation, we may ask you to take steps to remedy this and avoid similar complaints in future. If appropriate, we may decide to take enforcement action.
Guide to PECR ICO
Enforcement and penalties
Both GDPR and PECR are enforced in the UK by the Information Commissioner’s Office (ICO). The ICO has the power to investigate and take enforcement action against organisations that breach the regulations, including imposing fines and other penalties.
In 2021, the ICO fined British Airways and Marriott International for breaching GDPR, with fines of £20m and £18.4m respectively.
Conclusion
GDPR and PECR are important sets of regulations that govern data protection and electronic marketing communications in the UK.
Marketers must obtain the consent of individuals before processing their personal data or sending them marketing messages, provide clear and comprehensive information about the use of cookies on their websites, and give individuals the opportunity to opt-out of receiving direct marketing messages.
Failure to comply with GDPR and PECR can result in significant fines and other penalties, so it is essential for organizations to ensure they are following the regulations carefully.
We recommend you should always seek formal legal advice if required, from a qualified and reputable lawyer (solicitor or barrister).
We have a number of links to Free Legal Resources and Legal Organisations on our Free Legal Advice , Legal Aid and Pro Bono pages.
Read the reviews of Gavin Howe Barrister
“He is awful, underhanded and should not be practising law!”
Latest Articles
- Direct Access Barrister
A Direct Access Barrister, also known as a Public Access Barrister, enables members of the public to directly instruct a… Read more: Direct Access Barrister - What is a Public Spaces Protection Order (PSPO)?
A Public Spaces Protection Order (PSPO) is a powerful tool introduced in 2014 under the Anti-Social Behaviour, Crime and Policing… Read more: What is a Public Spaces Protection Order (PSPO)? - Transparency and Open Justice Board
The Lady Chief Justice of England and Wales, Dame Sue Carr, has created a new Transparency and Open Justice Board.… Read more: Transparency and Open Justice Board - What is a Paralegal ?
A paralegal is a legal professional who performs tasks that require knowledge of legal concepts but does not hold the… Read more: What is a Paralegal ?
