The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) are UK regulations which sit alongside the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) to enforce strict rules relating to privacy rights and electronic communications.
Any organisation that sends electronic marketing communications via phone, fax, email or text, uses web cookies, or provides communications services to the public falls under the scope of the PECR, and must be aware of its information security requirements.
What are PECR?
The Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR, are designed to strengthen the privacy and security of electronic communications across the UK.
Introduced in response to the EU e-privacy Directive (Directive 2002/58/EC), the PECR have been updated several times, most recently in October 2022. All organisations are subject to PECR restrictions on marketing communications, web cookies and location data. The PECR also introduce additional obligations for service and network providers to maintain robust cyber security and prevent breaches.
PECR and GDPR
The EU’s e-privacy Directive was devised before the enactment of the General Data Protection Regulation (GDPR), but despite the overlap, the PECR and GDPR apply in tandem.
While the GDPR does not replace the PECR, it does update the underlying standards for obtaining, recording and managing consent. Many of the controls that organisations need to implement to adhere to the requirements of the GDPR will also help to achieve PECR compliance. However, there are important differences to be aware of.
The main distinction is that the PECR apply even where the individuals being contacted cannot be personally identified. To avoid duplication, sections of the GDPR do not apply to network or service providers who already have additional obligations under the PECR.
The EU is in the process of replacing the current e-privacy law with a new e-privacy Regulation, the ePR, which will sit alongside the EU version of the GDPR. However, because the UK has left the EU, this will not automatically form part of UK law or sit alongside the UK GDPR.
The PECR continue to apply alongside the UK GDPR but will be updated when necessary.
The requirements of PECR
The PECR cover several key areas:
Electronic and telephone marketing
The PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message, with different rules for different types of communication. The rules are usually more rigorous for marketing to individuals than for marketing to companies.
You will often be required to have specific consent in order to send unsolicited direct marketing. The best way to obtain this is to provide opt-in boxes to enable your customers to confirm they are happy to receive marketing calls, texts or emails from you.
It is important to retain clear records of what a person has consented to, along with when and how you obtained this consent, so that you can demonstrate compliance in the event of a complaint.
Be vigilant about relying on consent that was obtained indirectly, i.e., consent originally given to a third party. Check that the consent is valid and specifically identifies you because generic consent that covers any third party is not enough.
As the customer is entitled to withdraw their consent at any time, you must ensure that it is easy for people to be able to do this.
The use of cookies or similar technologies
This covers the use of cookies or similar technologies that track information about people accessing a website or other electronic service. The basic rule about cookies is that you must:
- Tell people the cookies are there
- Explain what the cookies are doing and why
- Obtain the person’s consent to store a cookie on their device
As long as this is done the first time you set cookies, you do not have to repeat it each time the same person visits your website. Keep in mind that devices may be used by different people. If it is likely that there will be more than one user, it may be worth repeating this process at suitable intervals. Fresh consent may also be required if your use of cookies changes over time.
The same rules also apply to any other type of technology used to store or gain access to information on someone’s device.
Security of public electronic communications services
Service providers such as telecoms providers or internet service providers are required to take appropriate measures to safeguard the security of their service. The definition of ‘appropriate’ in this context depends on the nature of the risk, the available technology and the cost. Service providers are also required to inform their customers of any significant security risks.
Network providers, the organisations that operate and maintain the underlying network, must comply with any reasonable security requests made by the service provider.
Service providers must notify the ICO if a ‘personal data breach’ occurs. They are also required to notify customers if the breach is likely to adversely affect customers’ privacy. They must also keep a breach log.
A personal data breach may mean that someone other than the data controller gains unauthorised access to personal data. However, a personal data breach can also take place if there is unauthorised access within an organisation, or in the event of a data controller’s own employee accidentally alters or deletes personal data.
Service providers have certain obligations if a personal data breach occurs. They must:
- Notify the ICO
- Consider whether to notify customers
- Record details in their own breach log
Because this replaces UK GDPR breach reporting obligations, you don’t need to take any separate action to comply with the UK GDPR.
Communications networks and services
This covers the privacy of customers using communications networks or services in relation to traffic and location data, itemised billing, line identification services, such as caller ID and call return, and directory listings.
As well as being concerned with marketing by electronic means, the PECR also contain provisions that concern the security of public electronic communications services and the privacy of customers using communications networks or services.
While some of these provisions only apply to service providers, for example, the security provisions, others apply more widely.
Service providers must take appropriate measures to safeguard the security of their service. The definition of ‘appropriate’ in this context will depend on the nature of the risk, the technology available, and the cost.
Service providers must also inform their customers of any significant security risks.
How the ICO enforces PECR
The ICO offers advice and guidance to promote compliance best practice. It also has a range of enforcement powers to enable it to take action when organisations fail to comply. These include criminal prosecution, non-criminal enforcement and audit.
The Information Commissioner can also serve a monetary penalty notice imposing a fine of up to £500,000. Fines can be issued against organisations and directors, and sanctions between standards are not mutually exclusive, meaning the most serious offences can result in both GDPR and PECR fines.
While participation in an audit is voluntary, organisations failing to respond to a request could be subjected to a compulsory audit. Audits involve a combination of off-site checks and on-site reviews to identify whether service providers have taken appropriate technical and organisational measures to safeguard the security of the public electronic communications service they provide. The results of PECR audits are published online and include observations and recommendations for improvement.
How Kroll can help
Kroll is an award-winning provider of security services, helping organisations to better understand and minimise their cyber security risk in line with PECR, GDPR and other compliance requirements.
Our range of offensive security services, including penetration testing and red team operations, are designed to help organisations improve their security posture by identifying and addressing vulnerabilities before they be exploited maliciously.
Kroll Responder, our Managed Detection and Response service, combines world-class SOC expertise, the latest detection technologies and aggregated threat intelligence to help organisations hunt for, detect and promptly report breaches.
