What is Privacy and Electronic Communications Regulations?

Privacy and Electronic Communications Regulations (PECR) is a UK law that implements the European Union’s ePrivacy Directive (Directive 2002/58/EC). This law governs how companies send electronic marketing messages, use cookies, and handle customer data. 

PECR works alongside the General Data Protection Regulation (GDPR) to protect people’s privacy rights in the digital world, and it applies to:

  1. SMS, MMS, email, phone call, and fax marketing
  2. Cookies and similar technologies
  3. Security measures
  4. Customer privacy

PECR compliance requirements

If your brand is sending marketing messages to UK-based recipients, you must comply with PECR by following these key principles:

Obtain consent

Obtain explicit consent from your target audience before sending them marketing messages. State what type of messages they’ll receive and how often.

Here are two main ways to gain consent from your audience:

Remember that you must obtain consent for each marketing channel you’re using.

Provide sender identification

Clearly identify your business as the sender in all your marketing messages. Use virtual contact cards for email flows or provide accurate information about your brand by including:

Add an unsubscribe option

Include an easy unsubscribe option in all your marketing messages. This can be a link to an unsubscribe page in your emails, or a reply code for SMS messages. Once someone unsubscribes, stop sending them marketing messages.

Protect customer data

Protect your subscribers’ data, including their name, address, contact details, and purchasing history. Securely store this data and only use it for the purpose stated when obtaining consent. If a security breach occurs that compromises user data, you must notify the affected individuals and the Information Commissioner’s Office (ICO).

Inform website visitors about cookies and similar technologies

If your website uses cookies or similar tracking technologies, you must inform your website visitors and obtain their consent before placing these cookies on their devices. You can do this using a cookie banner or pop-up that clearly explains the types of cookies used and allows users to accept or reject them.

Penalties for non-compliance

The ICO enforces PECR and can issue fines of up to £500,000 for serious breaches like failing to obtain consent or sending unsolicited direct marketing messages. 

Other consequences of non-compliance include:

  • Enforcement notices: The ICO can issue an enforcement notice requiring you to stop sending marketing messages or using cookies without consent.
  • Criminal prosecution: In extreme cases, the ICO may take criminal action against you if you’re deliberately and seriously in breach of PECR. 
  • Compensation claims: Customers also have the right to take legal action against your business if they believe you misused their data or breached their privacy.
  • Audits and investigations: The ICO may conduct audits and investigations into businesses to ensure PECR compliance and may take enforcement action if they find any violations.

Staying compliant with PECR

To stay compliant with PECR and ensure successful digital marketing campaigns, follow these steps: 

  1. Review and update your privacy policy regularly to include information on handling customer data, using cookies, and processing opt-outs.
  2. Keep a record of consent, including when and how it was obtained.
  3. Inform your staff about PECR compliance and best practices for handling customer data.
  4. Seek legal advice if you need clarification about your PECR obligations or have experienced a data breach.
  5. Conduct regular audits to identify any potential non-compliance issues and address them promptly.

A marketing automation platform like Klaviyo can help you stay compliant with PECR. Sign up for Klaviyo to obtain and manage consent, automate targeted marketing messages, and centralize customer data.

Additional resources