The ICO has published new guidance to help organisations comply with Privacy and Electronic Communications Regulations 2003 (PECR).
PECR is a set of regulations that sit alongside the Data Protection Act and UK GDPR, targeting privacy rights in electronic communications including marketing calls, emails and texts. They aim to keep communications secure and allow users privacy when using electronic devices.
Prior to Brexit, the rather slow progress of the EU’s E-Privacy Regulation which was intended to update PECR. Currently it is expected to come into force in 2023 but possibly because it will not now apply in the UK, the ICO published, in October 2022, some new guidance which aimed to clarify how businesses should comply with PECR for direct marketing and live calls.
The ICO has introduced some essential terminology:
Electronic mail which means:
- Email and text (SMS) messages.
- Picture or video messages.
- Voicemail messages.
- In-app messages.
- Direct messaging on social media (ie where you send someone a private message).
Direct marketing: which means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals (taken from the Data Protection Act 2018).
Solicited: which means where someone specifically asks you to call them with marketing information.
Unsolicited: which means any marketing message that someone hasn’t specifically requested.
The ICO has confirmed that under PECR, a company can only send direct marketing by electronic mail if they have the recipient’s consent or if they meet all of the requirements of the ‘soft opt-in’.
Consent in the context of online activity is usually given by a pop-up which the user agrees to.
In contrast the ‘soft opt-in’ may be relied on where the following have been met:
- The recipient’s contact details have been obtained in the course of the sale or negotiation of products/services.
- The communication relates to products or services similar to those the recipient has purchased.
- The company plans to send the communication by electronic mail.
- The recipient’s details were collected directly from them.
- The recipient has a clear way to opt-out, e.g. by means of an unsubscribe link in the electronic mail communication.
- The recipient was given a clear way to opt-out when their details were originally collected.
These rules only apply to individual consumers, and it is the sender of the message who is responsible for complying with PECR.
The ICO has also released practical guidance on the PECR rules for performing direct marketing via live calls including an overview of essential terminology and rules for performing direct marketing via live calls.
Unlike electronic mail, consent to make most types of marketing calls is not usually needed if has not objected to receiving marketing calls and hasn’t registered with the Telephone Preference Service.
It is once again the sender of the message who is responsible for complying with PECR.
This update to PECR guidance is a useful reminder for organisations undertaking email and telephone marketing to consumers to help them comply with their legal obligations under PECR and data privacy laws. Organisations which fail to comply with the PECR could face action from the ICO including enforcement and a monetary penalty notice.
If you would like any assistance in making sure that your organisation properly complies with PECR and data protection law, please contact: [email protected]
Article contributor, Louise Tindall, Paralegal