What is e-privacy and how might it affect you?

Wednesday October 23, 2019 4:06pm by Tim Stevens

What is PECR?

The current Privacy and Electronic Communications Regulation (PECR) covers marketing emails, texts and calls, while also relating to the use of online cookies for tracking information about people online and regulating the use of location data by telecoms firms and others. PECR is the way the UK implements the EU’s current ePrivacy and Electronic Communications Directive.

PECR sits alongside the 2018 Data Protection Act (DPA) and GDPR. Where its rules apply, these take precedence over both the DPA and GDPR.

So, if an organisation carries out email marketing and uses cookies, they must comply with both GDPR, which became law across the EU in May 2018, and PECR.

PECR allows businesses communicating electronically to other UK businesses to do so on an ‘opt out’ basis, i.e. as long as you give the recipient the chance to opt out of future communications, you are compliant. HOWEVER, when sending electronic communications to businesses based in other EU countries (Germany, Netherlands, Spain, Italy etc.), under the CURRENT ePrivacy Directive you MUST OBTAIN CONSENT before doing so. You cannot communicate on an opt-out basis.

The EU has produced a new ePrivacy Regulation, so electronic communications that you are sending at the moment may not hold up to the new rules, and you should be prepared for the difference.

What do the new rules say?

The ePrivacy Regulation aims to protect user privacy while data is communicated between parties. It deals solely with electronic communications and is again designed to work in tandem with GDPR. But ePrivacy operates below GDPR, which applies broader protection; ePrivacy deals with more specific subjects.

The new regulation replaces the EU ePrivacy and Electronic Communications Directive, and the UK PECR. It aims to provide Europe-wide consistency and update previous law given how digital culture has become a bigger part of all our lives since the turn of the millennium.

As a regulation, like GDPR, it’s enforceable in full across the EU (whereas a directive means each member state can implement its own mechanisms if they meet the spirit of the original). However, the way it’s applied may vary between countries.

It applies to any business which provides an online communication service or uses online tracking technologies or electronic direct marketing.


What’s covered?

Here are some of the key aspects:

  • Direct marketing and spam

Unsolicited communication via email, MMS, SMS, instant messaging, Bluetooth and automated calling machines will be prohibited under the regulation.

Under PECR, in the UK, employees of corporates or public authorities can be sent direct marketing without consent, albeit on an opt-out basis. Under the new law, consent would be needed for B2B marketing to align it with B2C marketing, so there could be no contact without express prior consent.

The Direct Marketing Association says: “This would severely hamper the work of B2B marketers, who rely on prospecting to generate new business. It would also be anti-competitive as SMEs don’t have large amounts of customer data, so rely on third-party lists bought from a supplier. They then contact people, but offer them the chance to opt-out. SMEs would be at a disadvantage in comparison to large companies that already have large customer databases.”

  • OTT services plus metadata

‘Over-the-top’ or OTT services include WhatsApp, Skype, Facebook Messenger and some internet TV services. They will be bound by the same confidentiality of communication rules as traditional telecoms providers.

  • Cookies

This addresses ‘cookie fatigue’, under which people don’t know what they’re agreeing to when they tick boxes, or get too many consent requests, or where a lack of response is interpreted as consent.

Under the new regulation, consent should be positive, unambiguous and freely given.

  • Public Wi-Fi and the Internet of Things (IoT)

Communication of data across cutting-edge IoT networks and devices will also be covered by this regulation.

What happens after Brexit?

Little is likely to change, since the UK will want to follow the same rules as the EU in this area following departure from the European Union.

Penalties

The penalties for noncompliance are up to €20m or 4% of overall global annual turnover, whichever is greater (currently the maximum penalty for PECR breaches is £500,000).

When does this go live?

The regulation was intended to go live at the same time as GDPR, but EU members still disagree on the text of the final legislation, and lobbyists have consistently sought to block it. There is still no firm live date, but industry bodies suggest it’s unlikely to happen before 2020. Equally, there will probably be an implementation period as GDPR had.

Summary

Most, if not all, of the recent hype around data privacy has centred on GDPR. Many businesses we speak to aren’t aware of PECR or the ePrivacy Directive, let alone aware of the fact that you currently need opted-in data when communicating electronically to the majority of markets within the EU. You need to ensure you audit the data you use for electronic communications to certify that it is opted in. Anything that doesn’t meet this requirement should be removed or put through an opt-in process.

Also, it would be very wise to keep informed about updates to the new ePrivacy Regulation. Once this is live there will be significant focus on how you communicate electronically and the risk of fines will be much greater.


What we do

At i-4business, we only provide opted-in contact information and so will be fully compliant with the new regulation (as currently drafted) once implemented.

We offer a free trial and access to our specialist EMEA database so that you can evaluate our service for yourself. Try unlimited access and a transparent view of our systems for 2 weeks.

  • To book your trial, get in touch with one of the i-4business team
