In the era of digital communication and big data, it’s more important than ever to protect the rights and privacy of customers, whether these are individuals or other businesses. 

This is the purpose of the UK’s Privacy and Electronic Communications Regulations 2003 (PECR). In this article, we look at PECR regulations, how they apply and what you need to consider to be compliant.

What is PECR?

The Privacy and Electronic Communications Regulations (PECR) 2003 is the UK’s implementation of the EU ePrivacy Directive (Directive 2002/58/EC).

It covers the privacy rights of customers when using electronic communication for marketing. The PECR is about protecting consumers from misuse of their information and potential cybercrime.

Who does PECR affect?

The term ‘electronic communications’ may seem rather broad, but it can be narrowed down to the following types according to the PECR:

  • Telephone calls, SMS messages, email marketing and B2B direct marketing 
  • Website cookies used to track the behaviour of visitors
  • Security of public electronic communications services
  • The right to privacy when using electronic communications services

If you use any of the above methods of electronic communications for marketing, you must ensure that your business is compliant at all times.

Can you contact companies under the PECR?

Yes. However, when you send direct marketing messages to other businesses, you must follow the compliance steps outlined in this article.

The applicable compliance requirements will depend on whether the communication is between a company and an individual or B2B. 

The methods of communication used will also determine the safeguarding procedures you need to undertake.

How can I ensure my business is compliant with the PECR?

The steps you will need to take to comply with the PECR will depend on the type of communications, your personal data subject and prospective clients. Some of the actions you may need to take include the following:

  • Gaining the consent of customers to send them marketing electronic communications (EC)
  • When making marketing calls, it’s essential to explain who is calling and the reason for the call
  • Provide an address and freephone number if a customer you have contacted requests this information
  • Ensure that website visitors understand you use cookies, how these are used, and gain their consent to use them

Does PECR apply to sole traders?

Sole traders are classed as individual subscribers under PECR, in contrast to limited companies, which are classified as ‘corporate subscribers’.

Therefore, the applicable compliance rules can vary when sending direct marketing to a sole trader.

For example, you may be able to email or text corporate subscribers without gaining their prior consent. However, prior consent must be given before emailing or texting direct marketing material to individuals.

If you own a limited company and use a third-party marketing list to send direct marketing communications to individuals (remember, prior consent is required for this group), you must act cautiously. 

This is because, although consent may have been given to the third party, that consent alone may not be enough to cover your compliance requirements.

The ICO recommends that when using bought-in lists for texts, emails, or recorded calls, the buyer obtains proof that opt-in consent was given to the seller in the previous six months and that it specifically named the buyer. This will require a careful due diligence exercise by you as the purchaser.

What is PECR in relation to GDPR?

The PECR sits alongside the UK GDPR and the Data Protection Act 2018. The standards applied to consent under PECR are the same as those stipulated in the UK GDPR.

If you send electronic marketing or use cookies or similar technologies, you must comply with both PECR and the UK General Data Protection Regulation.

In some cases, PECR may apply when the UK GDPR does not. For example, the former protects the rights of both individuals and corporates.

What is the difference between PECR and the ePrivacy Directive?

PECR implemented the ePrivacy Directive into UK law. The EU is replacing the current ePrivacy law with a new ePrivacy Regulation (ePR).

This will sit alongside the EU GDPR. However, because the UK is no longer part of the EU, it is optional for the UK to implement the ePR. That said, to ensure it maintains its GDPR adequacy status, the UK may need to bring part or all of the new ePR into UK legislation.

Get legal assistance from LawBite

If you’re unsure whether the PECR affects your business and how to make the necessary changes to gain compliance, speak to one of the specialist data privacy lawyers at LawBite. 

They will be able to guide you through the process and help you protect the rights and privacy of your customers. To get started, book a free 15-minute consultation with one of our data protection lawyers or call us on 020 3808 8314 to find out more.


In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
