PECR Cookie Consent – ICOs Guidance On Cookies & Consent

The UK’s Privacy and Electronic Communications Regulations are important laws that govern the use of cookies and other tracking technologies, as well as the processing of personal data. In this article, we’ll explore the basics of these regulations, what they mandate and the steps you can take to protect your business.

PECR Cookie Consent – ICOs Guidance On Cookies & Consent

What is the Privacy and Electronic Communications Regulations (PECR)?

Put simply, the Privacy and Electronic Communications Regulations, otherwise abbreviated as PECR, are a set of guidelines that govern how electronic communications should be used in the United Kingdom. This includes regulating how companies can send marketing material to customers, as well as what type of cookies can be used on websites.

They are a reiteration of an existing European law known as the ePrivacy Directive, which was implemented in recognition of the increasingly high level of privacy risk consumers face on digital networks. While initially introduced in 2003, the PECR have been revised on a number of occasions in order to maintain their relevancy to current technologies. The most recent changes include an amendment in 2018 to ban the cold-calling of claims management services and another in 2019 to ban the same act for pension schemes.

As of now, the PECR covers the following broad categories of digital privacy:

• Marketing via electronic means such as call, text, email and fax
• The use of cookies or similar tools that track users’ information when they visit a website
• The security of public electronic communications services
• Consumer safety regarding the use of communications networks for traffic and location data, itemised billing, line identification services and directory listings

What’s the Difference Between the PECR and GDPR?

If you’re already familiar with the world of cookie consent, you may be wondering where one of the UK’s other prominent pieces of privacy legislation, the General Data Protection Regulation (GDPR), fits into all of this.

The key difference to be aware of between the two is the sub issues they address. While the GDPR was instituted in 2016 to create a broader, all-encompassing framework for the regulation of data privacy in the UK, the PECR has been designed to specifically focus on electronic marketing communications.

Both sets of laws share provisions over some things, such as the use of cookies and obtaining consent from website visitors, but the PECR goes into much more detail when it comes to specifying what types of electronic communications may be considered marketing, and how consent should be obtained for them.

How the Two Pieces of Law Work Together

The PECR is one of many privacy laws to sit alongside the GDPR in the UK. Because they both address the same issue, there is inevitably some overlap between the two. To make things easier for you, we’ve listed the most important things to know about their relationship through the following points.

The PECR Follow the GDPR’s Interpretation of Consent

The definition of consent is a major element in any piece of privacy legislation, as it dictates how organisations should go about obtaining the permission of individuals before carrying out certain actions.
The PECR use the GPDR’s standard of consent, which follows an opt-in framework and requires:

• That individuals are given a genuine choice over whether they want to give their consent or not
• That they are provided with enough information to make an informed choice
• That they must take a deliberate action, such as ticking a box, in order to give their consent

The PECR Take Precedent Over the GDPR for Service Providers

Article 95 of the UK GDPR states that its provisions do not apply to service providers when there are existing PECR rules on the matter. This means that, in the case of a conflict between the two, the PECR will take precedence.

The PECR Can Apply to Contexts in Which Personal Data Is Not Involved

While the GDPR only applies when personal data is being processed, the PECR also covers situations where this is not necessarily the case. This is due to the fact that the PECR covers electronic marketing communications, which can be sent without involving any personal data.

How the PECR Are Enforced

The Privacy and Electronic Communications Regulations are governed by the UK’s Information Commissioner’s Office, which has several powers to enforce the law. These include audits of non-compliance, non-criminal enforcement and criminal prosecution. The ICO can also impose organisations or their directors in violation of the PECR with a fine of up to £500,000.

Best Practices for Remaining Compliant With the UK’s PECR

Considering the above, it’s not hard to see why it’s in organisations’ best interests to remain compliant with the PECR and its related laws. After all, fines, penalties and even investigations alone can spell disaster for a business, using up their time and resources while also damaging their reputation.

To help you stay on the right side of the law, we’ve put together some best practices for PECR compliance. By following these tips, you can ensure that you’re taking the necessary steps to protect the personal data of your customers and website visitors, while also minimising the risk of being fined or penalised by the ICO.

Audit Your Cookies

The first step in remaining compliant with the PECR, or any privacy regulations for that matter, is having tabs on your website’s use of cookies. Audit your website’s cookies to determine which ones are absolutely necessary, and which could be done without. Once you’ve got a list of the cookies that you need, you can then start working on obtaining consent for the use of non-essential ones.

Build an Opt-in Consent Mechanism

As we mentioned earlier, the PECR operates under an opt-in consent framework. This means that you cannot assume that website visitors or customers have consented to the use of cookies, or the processing of their personal data. Instead, you need to give them a way to actively opt-in to such things.

There are a few ways that you can go about doing this, but one of the simplest and most effective is to build a consent mechanism into your website. This can be in the form of a pop-up or banner that appears when someone visits your site, and which explains what cookies are being used and why, as well as giving visitors the option to opt-in or out.

Keep Records of Consents Received

Another important best practice is to keep records of the consents that you’ve received from individuals. This is important for a few reasons. Firstly, it helps to demonstrate that you’re complying with the law by proactively obtaining consent from users. Secondly, it can act as a defence against any claims of non-compliance, should the ICO ever investigate your organisation.

Conclusion

While the digital world is always changing, one thing remains constant: the importance of protecting people’s personal data. By learning more about and working to comply with the PECR, organisations can help to ensure that they’re doing just that.