Privacy and Electronic Communications (Amendment) Regulations 2018
The PECR (Privacy and Electronic Communications Regulations), also known as the ePrivacy Regulations, have been amended to bring them in line with the GDPR (General Data Protection Regulation). The PECR implement EU Directive 2002/58/EC, also known as the ePrivacy Directive. They apply alongside the GDPR and must be read together accordingly.
The EU is in the process of replacing the ePrivacy Directive with the new ePrivacy Regulation to sit alongside the GDPR. However, while negotiations concerning the full text of the ePrivacy Regulation are ongoing, the PECR continue to apply.
How do the PECR apply to commercial organisations?
Some of the PECR’s rules only apply to organisations that provide a public electronic communications network or service. However, the PECR will apply to any organisation that:
- Sends direct marketing communications by phone, email or text;
- Uses cookies or a similar technology on its website to track user activity; or
- Compiles a telephone directory or similar.
The PECR also protect corporate subscribers, not only individuals, and many of the rules apply regardless of whether personal data is being processed. In other words, some of the marketing rules apply even if an organisation cannot identify the person it is contacting.
The issue of consent
Under the GDPR, organisations often rely on ‘legitimate interests’ as their lawful basis for processing data; it is a common misconception that the Regulation requires consent for the processing of data for direct marketing purposes. However, under the PECR, positive ‘opt-in’ consent must be obtained before an organisation can lawfully send direct marketing to individual subscribers by electronic means such as email or text, unless the ‘soft opt-in’ (sometimes called the ‘implied’ opt-in) applies: the contact details were obtained in the course of a sale, or negotiations for a sale, the marketing concerns the organisation’s own similar products or services, and a simple opportunity to opt out was given when the details were collected and is repeated in every message.
Although the GDPR does not replace the PECR, it does change the underlying definition of ‘consent’. When reading the two regulations together, this places an increased burden on an organisation to ensure that consent is:
- Sufficiently granular;
- Informed by way of a data privacy notice or otherwise;
- Easily withdrawn – the data subject must be given the opportunity to opt out and must be informed, in clear terms, of their right to do so; and
- Recorded – an audit trail must be retained of who consented, when, how they consented and what they were told at the time.
What has changed?
The PECR, as amended, broaden the scope of monetary penalties that may be imposed by the ICO (Information Commissioner’s Office) where an organisation is found to be in breach. The ICO now has the power to fine an ‘officer’ of an organisation (a director, manager, secretary or similar officer) in addition to the organisation itself, where there has been a serious breach of certain parts of the PECR, in particular the rules on automated calling and unsolicited direct marketing.
The ICO can impose a penalty of up to £500,000 on the officer personally where the breach took place with that officer’s consent or connivance, or is attributable to their neglect. As such, any organisation involved in direct marketing, including marketing driven by cookie-based tracking, must take note and should both look carefully at its direct marketing strategies and educate its employees and senior officers accordingly.
For more information please see: https://www.lexology.com/r.ashx?l=871VRUA