Privacy and Electronic Communications (EC Directive) Regulations 2003, No. 2426 (as amended) (PECR)

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is a UK law that governs electronic communications. It works alongside the Data Protection Act 2018 (DPA 2018) to protect individuals' privacy and regulate the use of electronic communications for marketing purposes.

Purpose

The primary purpose of PECR is to ensure the privacy and security of electronic communications. This includes regulating marketing activities through electronic channels such as email, SMS, phone calls, and cookies, as well as ensuring the confidentiality of communications and providing specific protections for subscribers and users.

Requirements

PECR sets out several key requirements for organizations:

1. Marketing Consent: Organizations must obtain prior consent from individuals before sending marketing communications via email, SMS, or automated calls. Consent must be specific, informed, and freely given.
2. Opt-Out Mechanisms: All marketing communications must include a clear and easy way for individuals to opt out of future communications. This applies to emails, SMS, and phone calls.
3. Cookies and Similar Technologies: Organizations must inform users about the use of cookies and obtain their consent before placing cookies on their devices. Clear and comprehensive information about the purposes of cookies must be provided.
4. Telephone Marketing: Organizations making live marketing calls must not call individuals who have opted out via the Telephone Preference Service (TPS). Caller identification information must be provided during the call.
5. Confidentiality of Communications: PECR requires that the confidentiality of communications is protected, prohibiting unlawful interception and ensuring security measures are in place to safeguard data during transmission.
6. Traffic and Location Data: Traffic and location data collected by network providers must be anonymized or deleted when no longer needed for the purpose they were collected unless consent is given for other uses.

Applicability

PECR applies to:

• Organizations: All businesses, public authorities, and other entities that engage in electronic marketing, use cookies, or provide electronic communication services must comply with PECR.
• Service Providers: Telecommunications and internet service providers have specific obligations under PECR to ensure the confidentiality and security of their services.
• Individuals and Households: While PECR primarily targets organizations, individuals making marketing communications or using cookies in a business context must also comply.

PECR is enforced by the Information Commissioner's Office (ICO), which has the authority to investigate breaches and issue penalties for non-compliance. Organizations must be diligent in obtaining consent, providing opt-out options, and safeguarding electronic communications to comply with PECR requirements.

​The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) sets out specific requirements regarding the handling of electronic communications and data privacy. The key evidence requirements under PECR generally focus on proving compliance or non-compliance with its provisions, especially in relation to marketing, cookies, and the security of communications. Here’s a concise overview of the main evidence requirements:

1. Consent Records: Organizations must provide evidence of obtaining freely given, informed, and specific consent from individuals before sending electronic marketing messages or setting cookies on their devices. This includes maintaining detailed records of when and how consent was obtained, and the information provided to individuals at that point.
2. Marketing Lists: For email and SMS marketing, evidence must show that individuals on marketing lists have indeed opted in to receive such communications. This includes keeping accurate and up-to-date records of subscriptions and opt-ins.
3. Cookie Compliance: When using cookies, organizations need to demonstrate compliance with the requirement to inform users and obtain consent. This typically involves records of consent mechanisms and user acknowledgements.
4. Security Measures: Evidence of implementing adequate security measures to protect the processing of personal and communication data is required. This might include documentation of security policies, procedures, and any relevant audits.
5. Impact Assessments: For more intrusive technologies or new practices, evidence of conducted impact assessments on privacy can be necessary to demonstrate consideration of privacy implications and compliance with regulatory expectations.
6. Complaint Handling and Breach Notification: Records of any complaints received and how they were handled are essential. In cases of data breaches affecting personal data, evidence of timely breach notifications to authorities and affected individuals is required.

These requirements are crucial for demonstrating compliance during investigations or audits by regulatory authorities such as the Information Commissioner's Office (ICO) in the UK.