UK ICO Privacy and Electronic Communications Regulations FAQ

Frequently Asked Questions

If you've ever wondered about the UK's regulations around privacy and electronic communication, here's an FAQ.

What are the UK Privacy and Electronic Communications Regulations (PECR)?

PECR are a set of laws that regulate the use of electronic communication methods, such as email, SMS, and phone calls, for the purpose of marketing and advertising.

What types of electronic communication are covered under PECR?

PECR covers electronic communication methods such as email, SMS, automated calls, and fax. It also covers the use of cookies and other online tracking technologies.

Can businesses send marketing emails or SMS messages to customers without their consent?

No, businesses must obtain the consent of the recipient before sending any marketing emails or SMS messages. This consent must be specific and explicit, and must be obtained through a clear and concise opt-in process.

Can businesses use cookies or other online tracking technologies without the consent of the user?

Yes, but only if the use of these technologies is necessary for the functionality of the website or service being offered. If the use of these technologies is for the purpose of tracking or targeting users for marketing purposes, the user must be notified and given the option to opt out.

How can businesses ensure compliance with PECR?

Businesses can ensure compliance with PECR by implementing clear and concise opt-in processes for electronic communication, using cookies and online tracking technologies only when necessary, and respecting the rights of users to opt out of marketing communication and tracking. It is also important to keep accurate records of all opt-in and opt-out requests.

What penalties are there for violating PECR?

Violating PECR can result in various penalties, including fines of up to £500,000 for companies and up to £50,000 for individuals. In addition to financial penalties, businesses may also face damage to their reputation and loss of customer trust. It is important for businesses to ensure compliance with PECR to avoid these consequences.

Is there case law for PECR violations?

Yes, there are several cases that have resulted in penalties for violating PECR. For example, in 2017, a marketing company was fined £200,000 for making over 3.3 million nuisance calls to individuals who had not given consent to receive such calls. In 2018, another marketing company was fined £70,000 for sending over 2.2 million spam emails to individuals who had not given consent to receive marketing emails. These cases demonstrate the importance of obtaining explicit consent before engaging in electronic communication for marketing purposes.

Are directors liable for PECR violations?

Yes, directors of a company can be held personally liable for PECR violations committed by the company. In addition to financial penalties, directors may also face disqualification from serving as directors of a company for up to 15 years. It is important for directors to ensure compliance with PECR to avoid these consequences.

Which government body enforces PECR?

PECR is enforced by the Information Commissioner's Office (ICO). The ICO is an independent authority that is responsible for protecting the privacy rights of individuals and enforcing data protection laws in the UK. If a business is found to be in violation of PECR, the ICO can issue fines and other penalties, as well as provide guidance on how to comply with the regulations.

How will Brexit affect PECR?

It is expected that PECR will continue to apply in the UK now that it has left the EU, as it is based on European Union (EU) law. However, the UK is no longer bound by EU decisions or subject to the jurisdiction of the European Court of Justice. It is possible that the UK may make changes to PECR in the future, but it is unclear at this time what those changes may be.