The Privacy and Electronic Communications (EC Directive) Regulation 2003 (PECR) sits alongside the Data Protection Act 2018 (UK GDPR). These laws give people specific rights over how their personal data is used by others.
PECR contains specific rules which businesses must comply with when making marketing calls, and sending marketing communications via email, text and fax. The UK GDPR contains rules about sending marketing via post, as well as what constitutes “consent” and how personal data collected via direct marketing must be processed.
This article only focuses on the PECR rules on direct marketing. There are also a wide range of other regulatory and conduct issues that apply to direct marketing, but these will not be considered in this article.
What does PECR currently say about sending unsolicited e-marketing communications?
If you are sending unsolicited e-marketing communications, you must comply with the following rules:
Sending unsolicited e-marketing communications to individuals (including sole traders and certain partnerships):
- Unsolicited email, text, picture, video, voicemail, answerphone and some social networking messages: these can’t be sent to individuals without their specific (opt-in) UK GDPR compliant consent. Indirect consent is unlikely to be enough. You can’t disguise or conceal your identity in such marketing communications, and you must provide a valid contact email address (or freephone number) for individuals to opt out or unsubscribe.
- Unsolicited recorded marketing calls: these can’t be made to individuals without their specific (opt-in) UK GDPR compliant consent. Indirect consent (i.e. consent originally given to a third party) is unlikely to be enough. You can’t disguise or conceal your identity in such marketing calls and your telephone number, or an alternative contact number must be displayed to the person receiving the call.
- Unsolicited faxes: these can’t be sent without the individual’s specific (opt-in)
UK GDPR compliant consent. Indirect consent is unlikely to be enough. You must identify yourself and provide contact details (address or freephone number). - Unsolicited live marketing calls: these can’t be made to numbers which are registered on the Telephone Preference Service (unless the individual who receives the telephone bill has specifically said that they don’t object to receiving such calls from you), or to anyone who has told you that they don’t want to receive such calls. Your telephone number or an alternative contact number must be displayed to the person receiving the call.
The exception to this rule and so what is allowed under PECR is where the individual has previously given their details to the company. In this case, the company (but no one else) is permitted to contact the individual by email to offer similar products and/or services (which would be determined on a case-by-case basis) provided that the individual is given the opportunity to opt out of receiving such communications at the time that the details were initially collected and in every subsequent e-marketing communication. This consent must be freely given, specific, informed, and involve a positive indication (e.g. ticking a box) from the individual. This is known as the ‘soft opt-in’ rule.
Sending unsolicited e-marketing communications to corporates (companies and other corporate bodies e.g. limited liability partnerships):
- Unsolicited email, text, picture, video, voicemail, answerphone and some social networking messages: there are no restrictions about using these methods, but it is good practice to offer the ability to opt-out. However, as most employees have personal corporate email addresses, they have a right under the UK GDPR to stop any marketing being sent to that type of email address. You must identify yourself and provide contact details (email address or freephone number).
- Unsolicited recorded marketing calls: these can’t be made to corporates’ without their specific (opt-in) UK GDPR compliant consent. Indirect consent is unlikely to be enough. You must identify yourself and provide contact details (address or freephone number).
- Unsolicited faxes: these can be sent without consent but not to numbers which are registered on the Fax Preference Service (unless the company has specifically said that they don’t object to receiving faxes from you), nor to corporates who have told you that they don’t want to receive such faxes. You must identify yourself and provide contact details (address or freephone number).
- Unsolicited live marketing calls: these can be made without consent but not to numbers which are registered on the Corporate Telephone Preference Service (unless the company has specifically said that they don’t object to receiving calls from you), nor to corporates who have told you that they don’t want to receive such calls. You must identify yourself and provide contact details (address or freephone number).
In addition, where a company is processing personal data for the purposes of such marketing communications (which is highly likely) it must also comply with the UK GDPR, in particular it must have a lawful basis to processing any additional personal data that arises from the direct marketing (e.g., legitimate interests or consent).
What are the fines for breaching PECR?
If you breach any of these PECR rules, the Information Commissioner’s Office (ICO) can impose a fine of up to £500,000 for serious breaches.
What do businesses need to do?
Unwanted marketing calls and texts are two areas where the ICO receives the most complaints, and hence takes the most enforcement action. You therefore need to ensure that your current marketing strategies/campaigns comply with PECR and the UK GDPR.
If you are carrying out direct e-marketing, a typical example of an opt-in box might look like this:
‘Tick if you would like to receive information about our products and any special offers by post □ / by email □ / by telephone □ / by text message □ / by fax □ / by recorded call □.’
If you would like any further information or advice on any aspect of your direct marketing strategy, or PECR and the UK GDPR generally, please contact us.
Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.
