GDPR and PECR go hand in hand
A short guide to understanding how the two laws work together
Everyone’s heard of GDPR. But let’s not forget data protection law existed way before this new kid arrived on the block. And let’s also not forget it has an equally important cousin in the UK, called PECR.
I still get blank faces when I mention the UK’s Privacy and Electronic Communications Regulations. PECR’s been around for a couple of decades and is still very much in play.
Why marketers need to pay attention
It might surprise you that the ICO issues more fines for breaches of the PECR marketing rules than it does under UK GDPR. Under the UK data reform plans, the maximum amount the Regulator can fine under PECR is set to increase substantially. So it's worth taking notice.
What’s the difference between UK GDPR and PECR?
In a nutshell:
UK GDPR tells us how we should handle personal data: information which could directly or indirectly identify someone. It sets out the requirements we need to meet and our obligations, including having a lawful basis for our activities (such as consent, contract or legitimate interests). It also gives individuals certain privacy rights in relation to their personal data.
PECR sits alongside UK GDPR. It sets specific rules for electronic marketing (marketing calls, emails and texts) and for cookies and similar technologies, and those rules apply whether or not the activity involves personal data.
PECR is the UK's implementation of the EU ePrivacy Directive. Each EU member state has its own national implementation which, whilst covering similar areas, can have different requirements. Sadly there's very little harmonisation of ePrivacy requirements across the UK and the EU.
How do UK GDPR and PECR work together?
Marketers need to consider the core principles of UK GDPR when handling people's personal information, and they need a lawful basis for each processing activity. Of the six lawful bases, two are appropriate for direct marketing: Consent and Legitimate Interests.
Consent: PECR tells us, for certain electronic marketing activity, we have to get people’s prior Consent. UK GDPR tells us the standards we need to meet for this Consent to be valid. See Consent – Getting it right
Legitimate interests: If the types of marketing we conduct don’t need Consent under PECR, we may choose to request Consent anyway, or we could rely on Legitimate Interests. Under GDPR, we need to be sure to balance our legitimate interests with the rights and interests of the people whose personal information we are using – i.e. the people we want to market to. See the ICO’s Legitimate Interests Guidance.
What about cookies?
Again, PECR gives us specific rules when we’re using cookies and similar targeting or tracking technologies. Plus we also need to consider UK / EU GDPR.
PECR requires opt-in Consent for most cookies or similar tech, regardless of whether they collect personal data or not. And we’re told this Consent must meet the GDPR standards.
In a nutshell, the rules are:
- Tell your website/app users about the cookies or similar technologies you use, and provide adequate, transparent information about the purposes they serve.
- Give users the ability to accept or decline Consent before any non-essential cookies are set on their device. The only exemption is for cookies strictly necessary to provide the service the user has asked for (a session or security cookie, for example); those can be set without Consent.
Also see the ICO’s Cookie Guidance.
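The practical consequence of the two rules above is that a site must not write non-essential cookies, or load the tags that set them, until the user has opted in, and must remove them if consent is withdrawn. The following is an added example to show one way of gating that in client-side code; it is not code from the original post or from the ICO. A plain object stands in for the browser cookie jar so it runs outside a browser (in a real page the same two places would read and write `document.cookie`), and the category names, the `createConsentGate` API and the `simulateVisit` walkthrough are assumptions made for the example.

```javascript
// Consent-gated cookie handling (illustrative example, not the original
// post's code). A plain object stands in for the browser cookie jar; in a
// page, setCookie/withdraw would write document.cookie in the same places.

// "necessary" models the strictly-necessary exemption; everything else needs
// prior opt-in. Which cookies are necessary is a per-site decision.
const CATEGORIES = {
  necessary: { requiresConsent: false }, // e.g. session, CSRF, the consent record itself
  analytics: { requiresConsent: true },
  marketing: { requiresConsent: true },
};

function createConsentGate(jar = {}) {
  // Default state is "no consent": silence, pre-ticked boxes or scrolling
  // do not count as consent under the UK GDPR standard.
  const consent = { analytics: false, marketing: false };
  // Non-essential cookies we have set, so withdrawal can remove them.
  const setByCategory = { analytics: new Set(), marketing: new Set() };
  // Work (e.g. loading a tag) deferred until the user opts in.
  const pendingLoaders = { analytics: [], marketing: [] };

  function requireCategory(category) {
    if (!CATEGORIES[category]) throw new Error(`unknown cookie category: ${category}`);
  }

  // Returns true if the cookie was written, false if refused for lack of consent.
  function setCookie(name, value, category) {
    requireCategory(category);
    if (CATEGORIES[category].requiresConsent && !consent[category]) return false;
    jar[name] = value;
    if (CATEGORIES[category].requiresConsent) setByCategory[category].add(name);
    return true;
  }

  // Run loader now if the category needs no consent or already has it,
  // otherwise hold it until grant(category) is called.
  function whenConsented(category, loader) {
    requireCategory(category);
    if (!CATEGORIES[category].requiresConsent || consent[category]) {
      loader();
      return;
    }
    pendingLoaders[category].push(loader);
  }

  function grant(category) {
    requireCategory(category);
    if (!CATEGORIES[category].requiresConsent) return;
    consent[category] = true;
    pendingLoaders[category].splice(0).forEach((fn) => fn());
  }

  function withdraw(category) {
    requireCategory(category);
    if (!CATEGORIES[category].requiresConsent) return;
    consent[category] = false;
    for (const name of setByCategory[category]) delete jar[name];
    setByCategory[category].clear();
  }

  const hasConsent = (category) => consent[category] === true;
  return { setCookie, whenConsented, grant, withdraw, hasConsent, jar };
}

// A simulated visit: the session cookie is set at once, the analytics tag
// waits for opt-in, a marketing cookie set too early is refused, and
// withdrawing consent removes the analytics cookie again.
function simulateVisit() {
  const gate = createConsentGate();
  const log = [];
  gate.setCookie('sessionid', 'abc123', 'necessary');
  gate.whenConsented('analytics', () => {
    log.push('analytics tag loaded');
    gate.setCookie('_ga', 'GA1.2.1', 'analytics');
  });
  const refusedEarly = gate.setCookie('_fbp', 'fb.1', 'marketing');
  const beforeOptIn = Object.keys(gate.jar);
  gate.grant('analytics');
  const afterOptIn = Object.keys(gate.jar);
  gate.withdraw('analytics');
  const afterWithdraw = Object.keys(gate.jar);
  return { refusedEarly, beforeOptIn, afterOptIn, afterWithdraw, log };
}

console.log(simulateVisit());
```

The point of `whenConsented` is that third-party tags usually set their own cookies the moment their script runs, so the gate has to sit in front of the script load, not just in front of your own `setCookie` calls. The consent record itself is a strictly necessary cookie, which is why it belongs in the `necessary` category.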
Changes are on the cards
The new Data Protection and Digital Information Bill is currently progressing through Parliament. This is the Government’s move to shake up data laws post Brexit. It will usher in some changes to both UK GDPR and PECR.
The core data protection principles aren’t going away, nor are the lawful bases under UK GDPR. And there will still be a requirement under PECR, in many circumstances, to collect Consent.
We’ll be sure to keep you up to date with developments in our regular email updates.