With an increasingly global economy and progressive regulatory landscape, organizations doing transatlantic business are susceptible to not only the General Data Protection Regulation (GDPR) but the Privacy and Electronic Communications Regulations (PECR) as well.

The digitalization of business processes and operations will proceed but with an even greater focus on privacy. And to that point, these data privacy laws are being introduced and enforced at an impressive rate, all the while being subject to change. Businesses need to understand the outlined expectations of these regulations to avoid penalties, mitigate risk and build customer confidence.

The PECR is another UK data privacy law corresponding to the GDPR and the Data Protection Act (DPA), enforcing rules tailored explicitly to electronic communications. These rules and regulations apply to businesses targeting customers with marketing, advertising, products, or services. It is worth noting that over the last 11 years, the marketing technology landscape has experienced explosive growth, with an increase of 6,521%. So, suppose you are a business sending electronic marketing messages, using cookies (for now) or providing electronic communications services to the public. In that case, you are required to comply with both the GDPR and PECR. 

Like other privacy laws and regulations, the PECR has been amended — six times to date — since implementation of the rules in 2003, with the last amendment taking effect in 2018. It has never been more important to stay current with the GDPR, PECR, and DPA to better conduct business operations and effectively navigate the regulatory landscape. 

What is PECR? Understanding as a first step to Compliance

While the PECR is not new, it is crucial for businesses wishing to send electronic marketing messages to understand which aspects of the communications sector the rules cover. At Ground Labs, our understanding is that the PECR protects various channels of the digital communication landscape including electronic marketing, cookies or similar technologies used to track personal information and telecommunications or other communication networks that utilize location data. 

The latest update to PECR, shared in December 2021, outlined specifics for making marketing calls to individuals, including the following:

  • Telephone Marketing: Without consent, you are not allowed to make marketing calls to anyone listed on the Telephone Preference Service (TPS) or Corporate TPS (CTPS). To comply with this rule, you can compare your call lists to the TPS and CTPS.
  • Fax Marketing: Likewise, without consent, sending marketing faxes to any number listed on the Fax Preference Service (FPS) is unlawful. Similar to telephone marketing compliance, you can compare your business fax list against the FPS.
  • Email Marketing: Individuals must consent to receive marketing emails or texts, with the limited exception for your own previous customers, or otherwise known as the “soft opt-in.”

When comparing the GDPR and PECR, the standard for consent as outlined by the GDPR also applies to the PECR and is used more frequently. Consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement.” If you are sending electronic marketing messages or using cookies or similar technologies, it is your obligation to uphold the law and comply with both PECR and the GDPR. Lastly, the PECR applies even if you are not collecting personal data. 

What are the penalties for violating PECR? Expect to pay £500k

Violating the PECR can result in warnings, reprimands and fines, which are issued by the Information Commissioner's Office (ICO). Likewise, breaching the PECR can result in a criminal offense and the maximum fine is £500,000, slightly less than the maximum fine for the GDPR. 

One method to ensure your business is well-informed in PECR is to invest in sensitive data discovery technology. Ground Labs’ Enterprise Recon enables organizations to quickly and easily discover, remediate and report on more than 300 predefined and variant personal data types across multiple systems, and makes compliance with security regulations much easier to achieve. 

Want to get started on your path to PECR compliance? It has never been easier – arrange a workshop with us today.

Want to keep up with all our blog posts? Subscribe to our newsletter!

Subscribe