PECR Cookie Consent – ICO's Guidance on Cookies & Consent
What is the Privacy and Electronic Communications Regulations (PECR)?
Put simply, the Privacy and Electronic Communications Regulations (PECR) are a set of rules governing how electronic communications may be used in the United Kingdom. This includes how companies may send marketing material to customers, as well as what types of cookies may be set on websites.
They implement in UK law an existing European law, the ePrivacy Directive, which was introduced in recognition of the increasingly high level of privacy risk consumers face on digital networks. While first introduced in 2003, the PECR have been revised on a number of occasions to keep pace with current technologies. The most recent changes include a 2018 amendment banning cold-calling by claims management services and a 2019 amendment banning the same practice for pension schemes.
As of now, the PECR cover the following broad categories of digital privacy:
- Marketing via electronic means such as call, text, email and fax
- The security of public electronic communications services
- Consumer safety regarding the use of communications networks for traffic and location data, itemised billing, line identification services and directory listings
What’s the Difference Between the PECR and GDPR?
If you’re already familiar with the world of cookie consent, you may be wondering where one of the UK’s other prominent pieces of privacy legislation, the General Data Protection Regulation (GDPR), fits into all of this.
The key difference between the two is the issues they address. While the GDPR was instituted in 2016 to create a broader, all-encompassing framework for the regulation of data privacy in the UK, the PECR were designed to focus specifically on electronic marketing communications.
How the Two Pieces of Law Work Together
The PECR are one of several privacy laws that sit alongside the GDPR in the UK. Because both address the same subject, there is inevitably some overlap between the two. The following points summarise the most important things to know about their relationship.
The PECR Follow the GDPR’s Interpretation of Consent
The definition of consent is a major element in any piece of privacy legislation, as it dictates how organisations should go about obtaining the permission of individuals before carrying out certain actions.
The PECR use the GDPR's standard of consent, which follows an opt-in model and requires:
- That individuals are given a genuine choice over whether they want to give their consent or not
- That they are provided with enough information to make an informed choice
- That they must take a deliberate action, such as ticking a box, in order to give their consent
The PECR Take Precedence Over the GDPR for Service Providers
Article 95 of the UK GDPR states that its provisions do not apply to service providers where the PECR already set rules on the matter. This means that, where the two conflict, the PECR take precedence.
The PECR Can Apply to Contexts in Which Personal Data Is Not Involved
While the GDPR only applies when personal data is being processed, the PECR also cover situations where this is not necessarily the case. This is because the PECR cover electronic marketing communications, which can be sent without any personal data being involved.
How the PECR Are Enforced
The Privacy and Electronic Communications Regulations are enforced by the UK's Information Commissioner's Office (ICO), which has several powers to enforce the law. These include compliance audits, non-criminal enforcement and criminal prosecution. The ICO can also fine organisations, or their directors, up to £500,000 for breaches of the PECR.
Best Practices for Remaining Compliant With the UK’s PECR
Considering the above, it's not hard to see why it's in organisations' best interests to remain compliant with the PECR and related laws. After all, fines, penalties and even investigations alone can spell disaster for a business, using up its time and resources while also damaging its reputation.
To help you stay on the right side of the law, we’ve put together some best practices for PECR compliance. By following these tips, you can ensure that you’re taking the necessary steps to protect the personal data of your customers and website visitors, while also minimising the risk of being fined or penalised by the ICO.
Audit Your Cookies
Build an Opt-in Consent Mechanism
There are a few ways to do this, but one of the simplest and most effective is to build a consent mechanism into your website. This can take the form of a pop-up or banner that appears when someone visits your site, explains which cookies are used and why, and gives visitors the option to opt in or out.
Keep Records of Consents Received
Another important best practice is to keep records of the consents you've received from individuals. This matters for two reasons. Firstly, it demonstrates that you're complying with the law by proactively obtaining consent from users. Secondly, it can act as a defence against any claim of non-compliance should the ICO investigate your organisation.
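As an added example (not code from the original article), the JavaScript consent manager below shows the opt-in mechanism and record-keeping described above together: non-essential cookie categories stay blocked until a deliberate user action, only explicitly ticked categories are granted, and every decision, including withdrawal, is appended to an audit record. The class name, category names and policy-version field are assumptions.

```javascript
// Added example: minimal PECR-style opt-in consent manager (assumed names).
// Cookie categories that need consent; "essential" cookies never do.
const CATEGORIES = ['analytics', 'marketing'];

class ConsentManager {
  // policyVersion: which cookie notice the visitor saw; now: injectable clock.
  constructor(policyVersion, now = () => new Date()) {
    this.policyVersion = policyVersion;
    this.now = now;
    this.records = [];        // append-only record of every consent decision
    this.granted = new Set(); // categories the visitor has opted in to
  }

  // Default state: nothing non-essential is allowed until the visitor acts.
  isAllowed(category) {
    return category === 'essential' || this.granted.has(category);
  }

  // Record a decision made via a deliberate action (e.g. ticking a box and
  // clicking Save). Calls without a user action are rejected, and only
  // categories set to exactly `true` are granted, so pre-ticked or implied
  // values such as 'on' or 1 do not count as consent.
  recordDecision(choices, { userAction } = {}) {
    if (!userAction) throw new Error('consent requires a deliberate user action');
    const accepted = CATEGORIES.filter((c) => choices[c] === true);
    this.granted = new Set(accepted);
    const record = {
      timestamp: this.now().toISOString(),
      policyVersion: this.policyVersion,
      accepted,
      rejected: CATEGORIES.filter((c) => !accepted.includes(c)),
      userAction,
    };
    this.records.push(record); // kept as evidence of how consent was obtained
    return record;
  }

  // Withdrawal must be as easy as giving consent, and is recorded too.
  withdrawAll(userAction = 'clicked-withdraw') {
    return this.recordDecision({}, { userAction });
  }

  // Gate a script loader (e.g. an analytics tag) on the visitor's choice.
  loadIfAllowed(category, loader) {
    if (!this.isAllowed(category)) return false;
    loader();
    return true;
  }
}
```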
While the digital world is always changing, one thing remains constant: the importance of protecting people’s personal data. By learning more about and working to comply with the PECR, organisations can help to ensure that they’re doing just that.