Any business operating in the competitive environment of the UK needs to consider the best way of reaching potential customers.
Marketing is no longer a matter of considering which newspaper your next customer is likely to be reading and coming up with a memorable slogan. Increasingly sophisticated technology allows advertisers to monitor people's online behavior, predict individual behavior, and send personalized communications to millions of people at the click of a button.
These new marketing methods come with privacy considerations. The Privacy and Electronic Communications Regulations (PECR) sets the rules for how businesses communicate with UK consumers. We're going to look at what the law requires, and consider some practical ways you can fulfill your obligations.
What are the PECR?
The PECR represents the UK's law on how businesses are allowed to market to UK consumers using electronic technology. This covers:
- Online tracking technologies such as cookies
- Instant messaging
- Electronic communications networks
In this article we're going to focus on those first two marketing methods - email and cookies. The rules around email also apply to SMS and instant messaging (eg via WhatsApp and Facebook Messenger).
The PECR derives from an EU law known as the ePrivacy Directive (sometimes called the Cookies Directive).
EU directives are like a set of objectives for EU countries. A directive sets out the sorts of laws that EU countries should adopt. The PECR is the UK's way of implementing the ePrivacy Directive.
Are the PECR Part of the GDPR?
The EU General Data Protection Regulation (GDPR) is an important EU data protection law. The GDPR was implemented in UK law by the Data Protection Act 2018 (DPA). We'll be referring to the GDPR rather than the DPA throughout this article.
The PECR is not part of the GDPR as such. But the interaction between the rules on privacy (under the PECR) and the rules on data protection (under the GDPR) is very important.
The GDPR provides a broad framework covering the processing of personal data. This means the use of people's identifying information, such as their name, email address, or cookie ID.
Electronic marketing and communications involve the processing of personal data, and so the GDPR applies to these activities.
The PECR provides detailed rules in this specific area. The PECR and the GDPR complement one another and you need to comply with both laws.
Who Needs to Comply With the PECR?
If you're a non-UK or non-EU business operating in the UK, you may be wondering whether you're actually required to comply with the UK's privacy law. The short answer is that the PECR applies to non-UK and non-EU businesses if they are engaged in commercial activity in the UK.
If you're targeting people in the UK with your products, services, or advertising, you should obey the PECR and the GDPR.
This applies even if your company has no presence in the UK or the EU. It's part of the rules around data protection set out under Article 3 of the GDPR.
If you're based outside of the UK, you might also need to appoint an EU Representative.
What are the Penalties for Violating the PECR?
The Information Commissioner's Office (ICO) can issue warnings, reprimands, and fines under the PECR. Breaching the PECR can also be a criminal offense.
The maximum fine for breaching the PECR is £500,000. However, it's important to remember that taking action that violates the PECR might also violate the GDPR. The fines under the GDPR are much higher - up to 2 percent of annual turnover or €20 million (whichever is higher).
Will Brexit Affect the PECR?
At the time of writing, the likely impact of Brexit (on anything) remains very unclear.
However, the PECR is part of UK law. There's no suggestion that the PECR (or the GDPR) will be changed or repealed because of Brexit.
Therefore, you should continue to comply with the PECR regardless of Brexit.
Consent and the PECR
The first thing to understand when trying to comply with any privacy law is how to deal with consent.
People's intolerance of intrusive advertising is often what prompts the creation of privacy laws like the PECR. It makes sense that you would need to ask someone for consent before sending them marketing communications. The question is how you ask for consent.
Different laws have different definitions of what constitutes "consent." The definition that applies to the PECR comes from the GDPR.
Valid consent under the GDPR is:
- Freely-given - the person must not suffer any detriment if they refuse consent
- Specific - consent must be requested for one specific thing at a time
- Informed - clear information must be provided about what the person is consenting to
- Unambiguous - the person must not be confused or tricked into consenting
- Affirmative - the person must actively agree rather than failing to disagree
- Easy to withdraw - the person must have a clear way to change their mind
This sets a high standard. It's easy to get consent wrong. Throughout the article, we'll look at how this model of consent applies in different contexts relevant to the PECR.
Regulations 22 and 23 of the PECR cover the rules on email marketing. These rules also apply when sending marketing communications via SMS and instant messaging.
Here are some of the rules about email marketing under the PECR:
- You can't normally send a person marketing emails without their consent
- You can send your existing customers marketing emails without their consent under certain conditions
- You can't conceal your email address when sending marketing emails
- You must provide a way for anyone who receives a marketing email from you to unsubscribe
- You can't encourage someone else to send marketing emails in a way that violates the PECR
Consent for Email Marketing
You can't normally send someone marketing emails without their consent. There's an exception to this rule about consent for existing customers. We'll look at this below
Because consent must be affirmative, it's not appropriate to use pre-checked boxes when requesting consent.
Here's an example from the Sea Life Aquarium. This is just an illustration - this request not aimed at UK users and so Sea Life is not necessarily required to comply with the PECR.
Under the PECR and the GDPR, you can't claim to have a person's consent simply because they failed to uncheck a box.
Here's how charity World Animal Protection does this:
Specificconsent means giving people control over what they're agreeing to. Consenting to contact by email doesn't mean consenting to contact by phone.
Here's an example of how charity Turn2Us requests consent:
Note that consent for postal correspondence is earned via an opt-out. Marketing via regular mail is not covered by the PECR, and so the rules are different.
You can also offer choices about the type of correspondence people receive. For example, a person might want to sign up to hear news about your company but not receive special offers.
Here's an example from Cambridge City Council:
If you can provide this sort of "granular" consent, you should do so.
Email Marketing Without Consent
You can send your existing customers marketing emails without their consent under certain conditions. This is sometimes called a "soft opt-in." It could apply if you feel a person would be happy to receive marketing emails from you but they haven't specifically consented to this.
The soft opt-in is not considered consent. EU law is very proud of its high standard of consent, and the soft opt-in doesn't meet that standard.
However, if you're familiar with any other privacy laws, the soft opt-in might remind you of the concept of "implied" consent.
Sometimes it is reasonable to assume that a customer wouldn't object to receiving marketing emails from a company they've made a purchase from. Under some privacy laws, companies can infer that their existing customers have given implied consent for email marketing.
The soft opt-in is, for all intents and purposes, the same thing as implied consent. That's strictly off-the-record.
You might be able to send someone email marketing correspondence without their consent if:
- You sold them something recently
- They gave you their email address
- They were offered a chance to opt out and they declined
- The marketing emails are about similar products and services to the one they bought
You can read our article about the 3-Part Test for Legitimate Interests Under the GDPR for more information about this.
Cookies and the PECR
A cookie is a piece of data that communicates information about a person's online activities.
Cookies can be used to remember whether a person has visited a website before and save information in web forms. They can also track a person's activities on the website, or even after they have left the website as they move around the web.
The PECR regulates how companies "store information" and "gain access to information stored" on a person's device. This is what cookies do, along with other tools such as web beacons and pixels.
Before your website or app can set cookies of a person's device, you must:
- Provide clear information about what cookies are and why you use them
- Get the person's consent
Cookies can be considered personal data under the GDPR. But that's not the issue here.
The PECR deals with placing data on a person's device or collecting data from their device. In the context of the PECR, it doesn't actually matter whether this is "personal" data.
Cookies that Don't Require Consent
The rules don't apply to all types of cookies.
Some cookies don't present any real privacy issues. They are simply used to make a website work properly or make the user's experience better. Such cookies don't require consent.
The types of cookies that don't require consent are given in Regulation 6.
Cookies don't require consent if:
- They are used solely for the purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or
- The storage or access is strictly necessary for the provision of an information society service requested by the user
Here are some specific examples of cookies that don't require consent, provided by the European Commission:
- User input cookies that last the duration of a session
- Authentication cookies that last the duration of a session
- User centric security cookies that detect authentication abuses
- Multimedia content player cookies that last the duration of a session
- Load balancing session cookies that last the duration of a session
- Cookies used for user interface customization of a browser session or for only a few hours, with exceptions
Try to think about why you're using a given cookie. Is it to benefit your company, or to benefit visitors to your website? Be honest with yourself about this.
If using a cookie mainly benefits your company, it's likely that you should be asking for consent. This includes the cookies used for website analytics.
Consent for Cookies
This doesn't mean that people can choose whether or not they see ads on your website or app. It just means that they can choose whether those ads are targeted at them based on their online activity.
Many websites get cookie consent using a solution known as a "cookie banner." This is a strip of text that appears at the bottom or top of a webpage requesting the user's consent for cookies.
Sometimes, however, a cookie banner is used as a means of retrospectively telling the visitor that cookies have already been set. This isn't getting consent. You shouldn't set cookies until the visitor has consented.
Consent for cookies must be affirmative and unambiguous. So-called "browsewrap," where a person is deemed to have consented by virtue of using your site, is not valid consent under the GDPR.
Here's an example of a browsewrap-style cookie banner from O2:
O2 states that the user can "carrying on browsing" if they consent to something that has already occurred.
This could be seen as ambiguous. The user hasn't indicated that they have read and understood the cookie banner. The user also hasn't taken any affirmative action to agree to this request.
Cookie consent must be freely given. If a person can't access or use your site properly without agreeing to targeted ads, they might consent without really wanting to.
Here's a somewhat problematic example from Polygon.
The cookie banner takes up nearly half of the page, and there's no option to refuse.
Remember you must also provide a way for people to withdraw their consent.
Here's how The Guardian's cookie settings page explains its users' choices:
The rules about cookies also apply to mobile apps. Google's EU User Consent Policy and Apple's App Store Review Guidelines require developers to implement a cookie consent solution in any app that involves personalised advertising.
Here's part of Android app Joey's consent solution:
The Privacy and Electronic Communications Regulations (PECR) is the UK's version of the EU ePrivacy Directive.
The PECR regulates how businesses use:
- Instant messaging
We've looked mostly at email and cookies.
The PECR requires that you earn consent in certain contexts. The model of consent used for the PECR derives from the GDPR.
Valid consent under the GDPR must be:
- Freely given
- Easy to withdraw
Here are some of the main rules around how businesses use email, SMS and instant messaging for marketing purposes:
- You must normally get consent to send electronic marketing communications
- You might not need consent from an existing customer
- You must give them a clear opt-out at the time you collect their contact details
- You must provide an unsubscribe method with each marketing communication
Here are some of the main rules around cookies:
- You must get normally get consent for cookies
- You might not need consent for certain cookies that are necessary or primarily benefit your users
- You must provide a way to withdraw consent