The GDPR may have made a big splash in the headlines, but quietly ticking away in the background is the GDPR’s sister regulation, the ePrivacy Directive. The ePrivacy Directive has now been updated from the earlier version of 2002 (amended in 2009). You will probably know the regulation as the “cookie law”, aka that annoying regulation that is behind all of those pop-up boxes on websites.
In the UK, the ePrivacy Directive is the driving force behind our own Privacy and Electronic Communications Regulations (PECR). The PECR, unlike the GDPR, is highly specific, relating to the privacy of electronic communications and communication networks as well as the security of those services and networks. The PECR has had, to date, 9 amendments. The latest PECR update took effect on the 17th December 2018. This article will look at what the PECR is and how the regulation affects UK businesses.
What is the difference between the PECR and GDPR?
The GDPR is a wide-scope regulation covering the privacy of personal data. The GDPR sets consent to process data as a lawful basis for processing. It then grants a number of “data subject rights” under that umbrella, including the right to data erasure, the right to data access, and the right to data rectification. The GDPR was developed to reflect Article 8 of the European Charter of Human Rights, which is all about respecting personal data and affording privacy in life.
The PECR is specifically about the privacy of data processed using electronic communications and networks. You can view it as symbiotic with the GDPR – both working in concert to protect user data across the spectrum of personal data use.
One thing to note: where the GDPR is all about the personal data of an individual, the PECR covers that data and also corporate data. For example, “traffic data” is covered by the PECR. This is data that pertains to a communication, including the routing details and timing of a phone call, text, email, etc. Under the PECR, your compliance obligations extend to corporate subscribers as well as to individuals.
What does the PECR cover?
The PECR covers:
- Electronic marketing: this is any marketing that uses any type of electronic device, including emails, telephones/mobile devices, apps – e.g., WhatsApp, Messenger services, faxes, etc.
- Cookies: Tracking and cookies are a fundamental layer of the PECR’s remit. Cookies are held in the code of a website and are used to help make the use of a site more seamless. For example, a cookie might hold information about your preferences when you use a site regularly – each time you subsequently go to that site, those preferences are used to tailor your experience. However, cookies can also be used to track your online movements and are a way for data privacy to be breached. In 2009, the ePrivacy Directive (and thus the PECR) required consent to use “non-essential” cookies – hence those annoying cookie pop-up boxes.
- Security of public communication services: This is specifically applicable to organisations that supply communication services. For example, it covers the security provisions of companies that compile directories of email addresses or phone numbers.
- Privacy of communication networks: This part of the regulation covers areas such as location data, itemised billing, and directories. Network providers must provide “appropriate measures” for security as required by service providers. These measures are similar to those set out in the GDPR in protecting personal data. These measures include the use of security policies and controlling access to personal data.
What new amendments have been added to the PECR in 2019?
The most recent amendments made to the PECR include:
- Cold-call banning. Unsolicited calls from claim management services and some pension schemes are banned under the new powers of the regulation.
- Addition of director liability. The Information Commissioner’s Office (ICO) is empowered to apply fines to directors of companies that violate the privacy requirements of the PECR; fines can be as high as £500,000.
Are there any exemptions or exceptions in PECR compliance?
In general, no exemptions are made to the PECR except for law enforcement or national security purposes. Even in those circumstances, a certificate is required to prove that your organisation is exempt from the PECR. All other organisations, of all sizes, must comply with the requirements of the PECR. In addition, you cannot use a contract to remove your obligations to comply with the PECR. However, there are some derogations:
- Soft opt-in: This can be used with existing customers but does not apply to new customers or contacts. Soft opt-in applies where you have already made contact with an individual and they did not choose to opt out of marketing when giving you their details. You can’t use the soft opt-in rule for charitable or political campaigns.
- Cookies: Exemptions from the consent requirement apply if the cookie is used to carry out the transmission of a communication or is needed to provide a service over the Internet that the user has requested. In other words, you don’t need consent for cookies that are needed to keep track of goods in an online basket, or for load-balancing or session cookies.
Regulations like the PECR and GDPR have come into force to help protect our privacy in an era where we are always connected and our personal data is continually collected. The PECR is a specific regulation covering the communication of personal data by electronic means. However, if your communication methods fall outside of that remit, you can be sure that the GDPR will then kick in. To make sure that you cover all of your bases and meet the requirements of the umbrella of data privacy regulations across Europe, you need to stay aware of the reach and scope of these regulations.