PECR is the Privacy and Electronic Communications Regulations. The full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003. The legislation derives from European law. It implements European Directive 2002/58/EC, also known as 'the e-privacy Directive'.1 It was anticipated that a new EU ePrivacy Regulation (governing electronic communications) would be enforced in line with the GDPR; however, the delay until 2019 has now been confirmed.2 For this reason, PECR and GDPR will continue to be implemented together until 2019.

PECR complements general data protection regulations and provides more specific protection in electronic communications. It gives marketers specific rules on sending marketing emails and text messages and on conducting telemarketing calls. However, marketers also need to consider the lawful basis they are relying on under the GDPR for processing personal data for marketing purposes. PECR covers several areas: electronic marketing and telemarketing; the use of cookies or similar technologies that track information about people who access a website or other electronic service; the security of public electronic telecommunications; and the privacy of customers using communications networks or services.

In these areas, PECR will continue to be implemented; the GDPR does not completely replace PECR, nor does it make radical changes to it. What the GDPR changes is the concept of 'consent' in PECR. In other words, when the PECR rules are applied, the GDPR provides a new standard for consent. Therefore, if you are a marketer who uses cookies or similar technologies, sends electronic marketing emails, makes calls etc., from 25 May 2018 you must comply with both PECR and the GDPR. According to Article 95 of the GDPR: "This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC." That means that, if you are a network or service provider, the GDPR does not apply where there are already specific PECR rules, so as to avoid duplication. But when you apply the rules of PECR, you must still comply with the GDPR's new standard of consent.

According to PECR, if you send marketing emails or texts to individual subscribers (sole traders and partnerships), you have to obtain their specific consent. If you do not have consent, you must not send marketing emails or texts. But marketers can send marketing emails or texts without consent in the situation known in PECR as the soft opt-in. For this, the contact details should have been obtained at the time of a product or service sale, and the emails or texts should be sent for the sale of similar products or services. Moreover, the right to opt out of or refuse marketing emails or texts should be given at the time these contact details are received (known as legitimate interests). Therefore, you can send marketing emails or texts to your own customers without consent, but not to prospective customers. With the GDPR, we have a more detailed standard for consent in respect of these consent conditions mentioned in PECR.

The GDPR sets a high standard for consent, but the biggest change is in what this means for your consent mechanisms in practice:

  • Consent must be separate from other terms and conditions. It should not be a general precondition of signing up to a service.
  • The GDPR specifically bans pre-ticked opt-in boxes.
  • It requires granular consent for distinct processing operations.
  • You must keep clear records to demonstrate consent.
  • The GDPR gives a specific right to withdraw consent. You are required to inform each person about their right to withdraw, and offer them easy ways to withdraw consent at any time.
  • Public authorities, employers and other organisations in a position of power are likely to find it more difficult to get valid consents.3

PECR also provides that you must not make marketing calls to any person who has clearly stated that they do not want to receive marketing calls. Additionally, you should not make calls to any number registered with the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS). In other words, you can make marketing calls to any individual who has specifically consented to receive marketing calls from you, or without consent to a number that is not listed on the TPS (but only if that person has not refused your calls).

On the other hand, marketers must not make calls through an automated system without the individual's specific consent to automated marketing calls. It is not sufficient to obtain a general consent for marketing calls or live calls. In particular, the consent given must specifically cover automated marketing calls.

Under PECR, marketing emails or texts are permissible in a business-to-business marketing environment (defined as limited and public limited companies and public bodies such as schools and hospitals) with no requirement for a prior opt-in, although there must be a clear opt-out option. This means that you do not need prior consent in order to send emails or SMS communications. Marketers may therefore be able to use legitimate interests for B2B campaigns. To rely on legitimate interests for digital marketing, organizations must ensure the following:

  • The email addresses and SMS numbers were collected during the sale of goods or services (even if the person has not yet completed the purchase).
  • The marketing communications must be about similar goods or services to those purchased or enquired about.
  • Most importantly, everyone must be given an opportunity to object to electronic marketing each time they are sent a marketing message, as well as at the time the data was collected.4

All this indicates that, when collecting contact details from people for email or text marketing or for marketing calls, marketers must indicate both the consent of the person and the legitimate interest for the information received. Therefore, when asking for consent, marketers will also explain that they will use personal data for analytics and targeting in order to create personalized direct marketing, and will offer an opportunity to opt out of this processing.

With the implementation of the GDPR, there has been some doubt as to whether the old regulations would be disregarded. In the field of electronic marketing, the former regulation, PECR, continues to apply, while the GDPR extends the concept of consent and establishes a different standard for it. Electronic marketing methods such as marketing calls and marketing emails or texts are required to comply with this standard of consent as well as with the other regulations on electronic marketing. Therefore, especially in electronic marketing, which is an area open to infringements, it is clear that the provisions of PECR and other existing regulations should be observed (in addition to adapting to the innovations of the GDPR) until the expected new regulation (the EU ePrivacy Regulation) enters into force.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.