In December 2022, the Information Commissioner’s Office (“ICO”) updated its guidance on direct marketing. This was welcome, bearing in mind the ICO’s draft Code of Practice on Direct Marketing was issued back in 2020 and has yet to be finalised. In addition to this, the ICO has issued numerous related publications including:
- A guide to PECR
- A guide for SMEs
- Business-to-business marketing
- Public sector marketing
- Using personal data in political campaigning
- Using data brokers for marketing
- Choosing a lawful basis when marketing
To complement the above, the ICO has also published useful tools to assist organisations in applying the rules in practice. These tools include:
- Marketing checklists
- Frequently asked questions
- Quick guides
- Self-assessments and
- Training resources.
For full details, see the ICO's Direct marketing guidance and resources page (ico.org.uk).
Background of the PECR
The PECR implement Directive 2002/58/EC (the ePrivacy Directive). This is European law introduced in 2002 and, as the UK was a member of the EU at the time, it was required to transpose the Directive into domestic law. The PECR were therefore enacted in 2003.
Since that date, the PECR have been amended several times as follows:
- In 2004 a provision was introduced to enable companies and other corporate bodies to register with the Corporate Telephone Preference Service.
- In 2011 the rules on cookies were changed, as well as the rules on breach notification and the Information Commissioner’s powers.
- In 2015 a provision was made to allow emergency alert texts to be sent and to make it easier for appropriate action to be taken for serious breaches of the marketing rules.
- In 2016 a provision was made requiring anyone making any kind of marketing call to display their number.
- In 2018 two changes were made, namely, a ban on cold calling by claims management services and director liability for serious breaches of the marketing rules.
- In 2019 the ban on cold calling was extended to cover calls relating to pension schemes (in some situations).
The UK government has recently introduced the Data Protection and Digital Information (No. 2) Bill (see the Bill's European Convention on Human Rights Memorandum on GOV.UK) which, if enacted, will further amend the PECR. In particular, it will expand the list of cookies and similar technologies for which consent is not required and will increase the maximum fine for non-compliance from £500,000 to the greater of £17.5 million or 4% of global annual turnover, bringing it in line with the maximum fine under the UK GDPR.
What do the PECR cover?
The PECR cover four key areas:
- Marketing by electronic means, which includes marketing phone calls, emails, texts, in-app messages, voicemail messages, picture or video messages, direct messages on social media and faxes.
- Cookies and similar technologies that store information on, or gain access to information stored on, a user's device (see the cookie section of this guide).
- Security of public electronic communications services.
- The privacy of customers using communications networks or services, insofar as this relates to traffic and location data, itemised billing, caller ID and call return services, and directory listings.
Who do the PECR apply to?
The PECR apply to organisations that:
- Provide a public electronic communications network (such as a mobile phone network) or
- Carry out electronic marketing (such as sending marketing emails or texts) or
- Compile a telephone directory (or similar).
At this stage, it is worth highlighting that, whilst the PECR apply to the organisations and situations explained above, it is important to also remember that, if the business activities involve processing personal data, the UK GDPR will apply as well as the PECR. This means that the UK GDPR needs to be read alongside the PECR and both pieces of legislation need to be adhered to. For example, when processing personal data for marketing purposes, it is a legal requirement that, for each case, a lawful basis is identified under Article 6 of the UK GDPR and that it is documented to satisfy the accountability principle under Article 5 of the UK GDPR. Further detail on this will be provided later in this guide when we focus on electronic marketing.
We would also highlight that, although we have mentioned above that the UK government has proposed changes to the UK data protection law, those proposals do not affect the requirement to identify a lawful basis and satisfy the accountability principle. These obligations will remain.
When conducting direct marketing by electronic means, whether in a business-to-consumer (“B2C”) or a business-to-business (“B2B”) scenario, it is important to ensure that the applicable legislation is adhered to. In particular, the Privacy and Electronic Communications Regulations (“PECR”) need to be complied with and, if the marketing also involves processing personal data, the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”) also need to be observed.
Direct marketing code of practice
To assist organisations in complying with the rules on direct marketing, the Information Commissioner’s Office (“ICO”) prepared a draft Direct Marketing Code (“the Code”) and ran a public consultation on it from 8 January 2020 to 4 March 2020 (Direct marketing code of practice: draft code for consultation, ico.org.uk). The responses to the consultation are now available to view online (Responses to the 2020 consultation on a draft direct marketing code of practice, ICO).
Once the Code is finalised it will become a statutory code, issued under section 122 of the DPA 2018 and the ICO will take into account whether or not an organisation has complied with the Code when considering any enforcement action for breach of the marketing rules. This means that, whilst the Code will not become law, organisations would be wise to adhere to it because, if they do, it is likely that they will also comply with the law.
What is “direct marketing”?
To understand how the legislation applies to marketing activities, it is first necessary to understand exactly what constitutes “direct marketing”. This term is defined in section 122 (5) of the DPA 2018 as:
“…the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.”
The above definition also applies to PECR, as any undefined terms within PECR take their meaning from DPA 2018.
As you can see, the definition of “direct marketing” is very broad. Below, we break it down into sections to fully understand it.
The phrase “by whatever means” includes marketing sent by post as well as by electronic means and therefore, includes marketing sent by:
- In-app message
- Push notifications
- Social networking
However, as the PECR marketing rules apply only to electronic means (calls, faxes and electronic mail) and not to hard-copy post, we focus on electronic marketing in this part of the guide.
What is advertising or marketing material?
There is no definition of what marketing material is in the legislation but the ICO interprets this very widely. According to the ICO, it includes promoting aims and ideals and any activities that promote political parties, the use of public services and charities. In assessing whether a message is marketing or not the tone, content and context should be taken into consideration. Importantly, if any part of the message is promotional in nature, it will constitute marketing, whereas if it has a neutral tone and is simply informative in nature, it will not be classed as marketing.
Directed to particular individuals
If the marketing message is addressed to a specific named person, for example, Jo.Bloggs@gmail.com, it will be regarded as “directed to a particular individual” and will fall within the definition.
Therefore, providing the electronic communication constitutes “advertising or marketing material” and it is “directed to particular individuals”, it will be classed as direct marketing.
Lawful basis – Legitimate interests or consent
As mentioned above, if the processing activity also involves processing personal data, it is important to ensure that a lawful basis for the processing is identified. The most appropriate lawful bases for marketing are consent or legitimate interests.
If legitimate interests is relied upon as a lawful basis, a legitimate interests assessment should be carried out to document why you have determined you can rely on legitimate interests as your lawful basis for processing. This is a three-part test including:
- The purpose test (Identify the purpose for which the personal data will be processed)
- The necessity test (Is it really necessary to process the personal data in this way?)
- The balancing test (Balance the interests of the individual against the interests of the organisation)
When documenting your assessment you should ensure that you adopt a balanced, holistic approach to ensure your assessment is not weighted unfairly to justify a commercial interest but instead considers data subjects’ rights and your commercial interests equally.
If consent is relied upon as a lawful basis, it must satisfy all the elements of the definition set out in Article 4(11) of the UK GDPR, i.e. it must be freely given, specific, informed and unambiguous, and it must be given by a statement or a clear affirmative action. The consent must also satisfy the conditions specified in Article 7 of the UK GDPR. This means that the request for consent must be:
- Presented in a manner that is clearly distinguishable from other matters. For example, it should not be ‘hidden’ within the small print or within lengthy terms or conditions or privacy notices.
- Written in an intelligible and easily accessible form. For example, a link to the consent statement should be displayed in a prominent place.
- Written in clear and plain language (that is suitable for the intended audience).
In addition to the above, individuals should be able to withdraw their consent at any time and it should be as easy to withdraw it as to provide it. Finally, the consent should not constitute a condition of a contract if it is not necessary to obtain the consent for the performance of that contract. For example, it would not be valid consent if an individual had to provide their consent to receive marketing material from numerous third parties before they were permitted to purchase a product from an organisation.
Solicited and unsolicited marketing
At this stage, it is worth noting that the PECR only applies to unsolicited electronic marketing i.e. marketing that was not requested by the individual receiving it. If it was requested, it will be classed as solicited and it will not fall within the scope of the PECR.
Methods of communication
Direct marketing communications may be sent in various ways including all of those mentioned above and the rules vary depending on how the message is sent and in what context, as explained below.
Direct Marketing by phone
In terms of marketing by phone, the position differs depending on whether the calls are automated (pre-recorded) calls or live calls. The PECR require the prior consent of the subscriber of the called line before automated marketing calls are made, and this rule is the same whether the calls are made to individuals or to organisations. The definition of consent under the PECR is the same as under the UK GDPR, so all the criteria listed above need to be satisfied for the consent to be valid.
However, in most circumstances, when making live calls no such consent is required and, again, the position is the same whether the calls are made to individuals or organisations.
That said, it is necessary to screen against the Telephone Preference Service (“TPS”) and the Corporate Telephone Preference Service (“CTPS”) before making any live marketing calls. The TPS is a register on which individuals can record that they do not wish to receive marketing calls, and the CTPS provides the same service for organisations. If a number is registered with the TPS or CTPS, no marketing calls should be made to it unless the subscriber has specifically told you that they wish to hear from you. The separate bans on cold calling about claims management services and pension schemes (see the amendments listed above) apply regardless of whether a number is registered.
It is worth noting that some sole traders and partnerships register with the TPS rather than the CTPS, so it is advisable to check both registers when proposing to contact these smaller organisations. Screening should be carried out at least once every 28 days (see tpsonline.org.uk).
Direct marketing by electronic mail
One of the most common ways of conducting a marketing campaign is via electronic mail. In this context, electronic mail has a very broad definition and includes not only traditional email but texts, picture messages, video messages, direct messages on social media and any similar message that is stored electronically.
The rules regarding electronic marketing differ depending on whether the activity is B2B or B2C. Further details are set out below.
B2B electronic marketing
No consent is required when sending marketing material by electronic mail to corporate subscribers (companies, limited liability partnerships and other corporate bodies). Note, however, that sole traders and partnerships other than LLPs are individual subscribers for PECR purposes (except in Scotland, where partnerships are legal persons), so the B2C rules below apply to them. Where an organisation wishes to use a named personal corporate email address, such as Jo.email@example.com, that address is personal data and the data protection implications must be considered. For example, if the individual objects to receiving the email and asks to be removed from the marketing list, the request must be honoured in accordance with Article 21 of the UK GDPR.
B2C electronic marketing
The position is more complicated for B2C scenarios. In this case, prior consent is required to send electronic mail to individuals, unless the “soft opt-in” can be relied upon. The following criteria need to be satisfied in order to rely on the soft opt-in:
- You obtained the individual’s contact details yourself (not from a third party) as a result of a sale or negotiations for a sale of the same or similar products or services;
- You gave the individual the opportunity to opt out when you first collected their personal data; and
- You give the individual the opportunity to opt out every time you contact them.
The soft opt-in does not presently apply to non-commercial promotions such as charity fundraising or political campaigning, although this may change under the UK data protection reforms, as it has been proposed that the soft opt-in rule be broadened to encompass non-commercial organisations and purposes.
Marketing by fax
These days, organisations rarely use faxes, and individuals even less so. If an organisation does plan to send marketing material by fax to an individual, it must obtain prior consent. If it wishes to send a marketing fax to an organisation, prior consent is not required, but businesses can opt out by registering with the Fax Preference Service (“FPS”). Organisations should therefore screen the fax numbers they intend to use against the FPS, at least once every 28 days, and refrain from sending marketing material to any registered number (see fpsonline.org.uk).
Managing a marketing list
It is important for organisations to be familiar with the rules relating to electronic marketing under the PECR and to adhere to these alongside the provisions for processing personal data under the UK GDPR, where applicable. Both pieces of legislation should be complied with across the entire lifecycle of an organisation’s marketing list, from beginning to end, including:
- Creating the list and buying in new leads, being careful to only collect and process the personal data that is required for marketing and ensuring that it is only used for this purpose;
- Ensuring individuals are informed that their personal data is being processed for marketing purposes;
- Collecting consent, where necessary, or conducting a legitimate interests assessment;
- Sharing the list with third parties (where appropriate and lawful);
- Keeping the personal data secure;
- Regularly checking that the marketing list is accurate and up to date;
- Providing an unsubscribe function so that individuals can opt-out and exercise their right to object to their personal data being used for marketing purposes;
- Supporting an individual’s right to be forgotten (request for erasure) and other data subjects’ rights;
- Ensuring the secure and permanent deletion of personal data when it is no longer necessary for the purpose for which it was collected i.e. marketing.
What are cookies and similar technologies?
Before we analyse the rules, it is important to understand exactly what we mean by cookies and ‘similar technologies’.
A cookie is a small text file (i.e. just letters and numbers) that is downloaded onto your device when you visit a website, app or other online service that is using this technology. Cookies enable the online service to recognise your device and, as a result, store information about you, such as your preferences. Cookies can be broken down into several different categories including:
First-party cookies – These are set directly by the website you are visiting.
Third-party cookies – These are set by a domain other than the website you are visiting. This can happen if, for example, the website you are visiting uses social media plug-ins or sells advertising space on its website and third parties market their goods and services in that space. Those third parties can set cookies.
Session cookies (also known as transient, non-persistent or temporary cookies) – Only last for as long as your browsing session on that website lasts. Once your session ends, so does the cookie. For example, these cookies are used in e-commerce, as they enable the website to remember the items you have in your shopping bag as you browse through their website.
Persistent cookies – Remain on your device after a session has ended. These cookies are used to remember things like settings, preferences and signed-in state (a session token, not the password itself) so that you do not have to re-enter these each time you visit the website. That said, persistent cookies will not usually last forever and will have an expiry date.
Each of the above cookies will also fall into one of the following categories:
Essential cookies – Also known as strictly necessary cookies, are, as the name suggests, vital for a particular function or to comply with other legislation. For example, banking websites will use essential cookies to perform security-related functions on their website or app.
Performance cookies – Monitor the performance of a website as someone uses it and the information collected is used to improve the site. For example, performance cookies count page visits, idle time of a user on a particular page and bounce rates.
Functional cookies – Used to improve the functionality of a website. For example, functionality cookies can be used to allow video playback or remember a user’s region.
Marketing cookies – Used for targeted advertising. For example, these cookies create user profiles and track users on a website or across numerous websites for marketing purposes, such as to show them adverts that fit their profile.
Unclassified cookies – Cookies that have not yet been categorised.
It is important to categorise the cookies being used on a website for two main reasons. Firstly, users must be able to choose which cookies to accept and which to reject and it is more user-friendly to present the options according to the category of cookie, rather than a long list that may be confusing or even meaningless to the average user. Secondly, one type of cookie, namely the essential cookie, is exempt from the cookie rules. See below for further details on the exemptions.
Similar Technologies – For example, fingerprinting, tracking pixels and plugins, have a similar purpose and end result to cookies but work in slightly different ways. We explain some of the most commonly used ones below.
Tracking pixels – Also known as marketing pixels, are tiny (typically 1x1) transparent images embedded in web pages, banner adverts and emails. Each time the image is fetched from the tracker's server, the request reveals the viewer's IP address, browser and the page or email being viewed, which allows businesses to follow previous website visitors as they browse the web and continue to show them their adverts.
Plug-ins – Such as social media plug-ins (e.g. Facebook, Instagram, LinkedIn), allow a website owner to display a social media icon on its website so that users can click on it and post information about the website to their social media pages, thereby providing further publicity for the website owner's product or service. Because the plug-in is loaded from the social network's own domain, it can also set third-party cookies and report the visit to that network whether or not the user clicks on it.
Similar technologies are also used in emails to gather information on open and click rates. For example, to assess how a particular email campaign has performed, organisations insert a tracking pixel (a tiny, uniquely addressed image hosted on the sender's server) into each email. When the recipient's mail client loads the image, the request reports back to the sender who opened the email and when, and tracked links reveal whether the recipient clicked on any links within it. A cookie cannot be placed in an email itself; cookies are only set once the recipient follows a link to the sender's website. Read our blog on Email Marketing.
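Building the cookie inventory from the headers a site actually sends is a useful first step before categorising anything. The following JavaScript is an added example written for this guide, not code from the ICO or from any product: it parses Set-Cookie response headers, decides whether each cookie is first- or third-party relative to the site host and whether it is a session or persistent cookie, and leaves the purpose column for a human to complete. The host names, cookie names and header values are constructed, and the first-party test is a simplification that ignores the Public Suffix List.

```javascript
// Added example: build the per-cookie inventory (name, first/third party,
// session/persistent, lifetime, flags) that the transparency requirement in
// regulation 6 calls for, straight from Set-Cookie response headers.
// Host names and header values below are constructed for illustration.

const SITE_HOST = "www.shop.example"; // assumed first-party site

// Strip the optional leading dot that RFC 6265 allows in a Domain attribute.
function normaliseDomain(d) {
  return d.trim().toLowerCase().replace(/^\./, "");
}

// A cookie counts as first-party if its domain is the site host or a parent
// (or child) of it. This ignores the Public Suffix List, so a Domain of
// "co.uk" would wrongly look first-party; real browsers reject such cookies.
function isFirstParty(cookieDomain, siteHost) {
  const a = normaliseDomain(cookieDomain);
  const b = normaliseDomain(siteHost);
  return a === b || b.endsWith("." + a) || a.endsWith("." + b);
}

// Parse one Set-Cookie header value sent by `responseHost`. `now` (ms since
// epoch) is injectable so Expires-based lifetimes are reproducible.
function parseSetCookie(headerValue, responseHost, siteHost = SITE_HOST, now = Date.now()) {
  const [pair, ...attrs] = headerValue.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const value = eq === -1 ? "" : pair.slice(eq + 1).trim();

  const cookie = {
    name, value, domain: normaliseDomain(responseHost), path: "/",
    secure: false, httpOnly: false, sameSite: "not-stated",
    lifetime: "session", maxAgeSeconds: null,
  };

  let expiresAt = null;
  for (const raw of attrs) {
    const [k, ...rest] = raw.trim().split("=");
    const key = k.trim().toLowerCase();
    const val = rest.join("=").trim();
    switch (key) {
      case "domain": cookie.domain = normaliseDomain(val); break;
      case "path": cookie.path = val || "/"; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = val.toLowerCase(); break;
      case "max-age": { const n = parseInt(val, 10); if (!Number.isNaN(n)) cookie.maxAgeSeconds = n; break; }
      case "expires": { const t = Date.parse(val); if (!Number.isNaN(t)) expiresAt = t; break; }
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  if (cookie.maxAgeSeconds !== null) {
    cookie.lifetime = cookie.maxAgeSeconds <= 0 ? "deleted" : "persistent";
  } else if (expiresAt !== null) {
    cookie.lifetime = expiresAt <= now ? "deleted" : "persistent";
    cookie.maxAgeSeconds = Math.max(0, Math.round((expiresAt - now) / 1000));
  }
  cookie.party = isFirstParty(cookie.domain, siteHost) ? "first" : "third";
  cookie.lifetimeDays = cookie.maxAgeSeconds === null ? 0 : Math.round(cookie.maxAgeSeconds / 86400);
  return cookie;
}

// Turn {host, header} pairs captured from a page load into inventory rows.
// The purpose and category columns are left for a human: no header says
// what a cookie is for.
function buildInventory(captured, siteHost = SITE_HOST, now = Date.now()) {
  return captured.map(({ host, header }) => {
    const c = parseSetCookie(header, host, siteHost, now);
    return {
      name: c.name, domain: c.domain, party: c.party, lifetime: c.lifetime,
      lifetimeDays: c.lifetimeDays, secure: c.secure, httpOnly: c.httpOnly,
      sameSite: c.sameSite, purpose: "TODO: document", category: "unclassified",
    };
  });
}

// Constructed sample of what one page load might return (not real traffic).
const SAMPLE = [
  { host: "www.shop.example", header: "sid=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.shop.example", header: "basket=3; Domain=.shop.example; Max-Age=2592000; Secure" },
  { host: "ads.tracker.example", header: "uid=91c2; Domain=.tracker.example; Max-Age=31536000; SameSite=None; Secure" },
  { host: "www.shop.example", header: "old=1; Max-Age=0" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(buildInventory(SAMPLE));
}
```

In a real audit the host/header pairs would come from the browser's network log or a HAR file rather than the constructed sample; the purpose and category columns still have to be completed by someone who knows what each cookie does, because nothing in the header says so.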
What are the rules for using cookies and similar technologies?
Now that we understand what cookies and similar technologies are, we will explain what the rules are. (For ease of reference we will refer to cookies and similar technologies simply as “cookies” throughout the remainder of this guide). The rules are set out within Regulation 6 of the PECR and they apply whether or not the cookies collect any personal data. In plain English, regulation 6 of PECR provides that:
You must tell the user that your website, app etc. is using cookies;
- Most of us in the UK will be familiar with the cookie banners that pop up when we first land on a website. To be compliant, the banner should clearly state that cookies are being used.
You must clearly and comprehensively explain what the cookies will do (what they are for);
- As the number of cookies used on a typical website can be large, and it is not user-friendly to present a very long list as soon as someone lands on the site, most organisations do not give great detail in the banner itself but display a link for users to click for more information. This link takes users to another page on which the cookies are listed and where they can choose which to accept and which to reject. To make the experience less arduous, organisations commonly group the cookies into the categories mentioned above (essential, functional, performance, marketing and unclassified) and offer the option to accept or reject each category.
- However, to fully comply with the requirement for the cookie information to be ‘comprehensive’, further details of each cookie should be available should the user wish to view them: the name of the cookie, its type, what it is used for, what information it collects and how long it lasts. This is also needed to ensure that consent to the cookies is informed. See further details on consent below.
You must obtain consent before using the cookies;
- As mentioned in the second part of this series, the definition of consent in the PECR is the same as in the UK GDPR. This means that, for the consent to be valid, it must be freely given, specific, informed and given by an unambiguous indication of the individual’s wishes, by a statement or a clear affirmative action.
- For the consent to be valid, the cookie banner should link to a page where users are given everything they need to know about the cookies in use, and the explanations should satisfy the requirements for consent to be specific and informed. As consent must be freely given, there should be no pre-ticked boxes for accepting cookies, and every non-essential category should default to rejected. Users should be given clear options to accept or reject the cookies. Cookie walls that force users to consent to cookies before they can access the content will not satisfy the ‘freely given’ element of consent.
It is also important to note that consent must be collected before any non-essential cookies are set; a script that drops a marketing cookie on page load and asks afterwards is non-compliant however well the banner is worded. Organisations should make this clear to the employees and developers who manage their websites to avoid falling foul of the regulations.
Another condition of consent is that it must be as easy to reject as it is to accept. With this in mind, organisations commonly present buttons at the top of their cookie notices giving users the options to “reject all” or “accept all”.
In both exemptions referred to above, prior consent is not needed to use the cookies.
Therefore, as explained above, under the present legislation, prior consent is required for all cookies and similar technologies, unless an exemption applies. Under the UK data protection reforms it is proposed that the exemption list will be expanded and is likely to include analytics cookies, provided they fit the definition set out in the legislation and certain criteria are met. However, until then we need to comply with regulation 6 of the PECR.
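The requirements above (nothing non-essential set before a choice, default to reject, reject as easy as accept, consent withdrawable) translate into a small piece of front-end logic. The following JavaScript is an added example written for this guide, not code from the ICO or from any consent-management product: it gates cookie setting on a recorded decision, with the cookie jar injected so the same logic can be exercised outside a browser. Category names, cookie names and values are constructed for illustration.

```javascript
// Added example: a consent gate that refuses to set non-essential cookies
// until the user has made a choice, defaults everything except "essential"
// to rejected, offers accept-all and reject-all as single equal actions, and
// expires the cookies of a category when consent for it is withdrawn.
// The cookie jar is injected so the same logic runs against document.cookie
// in a browser and against an in-memory jar elsewhere. Names are constructed.

const CATEGORIES = ["essential", "functional", "performance", "marketing"];

// Minimal in-memory stand-in for document.cookie (default when no jar given).
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    expire: (name) => store.delete(name),
    names: () => [...store.keys()],
  };
}

// Jar backed by document.cookie for use in a real page (not exercised here).
function documentJar(doc) {
  return {
    set: (name, value) => { doc.cookie = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`; },
    expire: (name) => { doc.cookie = `${name}=; Path=/; Max-Age=0`; },
    names: () => doc.cookie.split(";").map(s => s.trim().split("=")[0]).filter(Boolean),
  };
}

function createConsentGate(jar = memoryJar()) {
  const allowed = new Set(["essential"]); // default: only the exempt category
  let decided = false;
  const registry = [];                      // cookies the site has declared
  const setByCategory = new Map(CATEGORIES.map(c => [c, new Set()]));

  function place(c) {
    jar.set(c.name, c.value);
    setByCategory.get(c.category).add(c.name);
  }

  // Declare a cookie the site wants to set. It is only placed now if its
  // category is already allowed; otherwise it waits for a decision.
  function declare(name, category, value) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    registry.push({ name, category, value });
    if (allowed.has(category)) place({ name, category, value });
  }

  // Apply a decision. Newly allowed categories get their deferred cookies;
  // newly refused categories have their cookies expired (withdrawal).
  function decide(categories) {
    decided = true;
    const chosen = new Set(["essential", ...categories.filter(c => c !== "essential")]);
    for (const c of CATEGORIES) {
      if (chosen.has(c) && !allowed.has(c)) {
        allowed.add(c);
        registry.filter(r => r.category === c).forEach(place);
      } else if (!chosen.has(c) && allowed.has(c)) {
        allowed.delete(c);
        for (const name of setByCategory.get(c)) jar.expire(name);
        setByCategory.get(c).clear();
      }
    }
    return record();
  }
  const acceptAll = () => decide(CATEGORIES); // one click each, equal prominence
  const rejectAll = () => decide([]);

  // What would be persisted (in an essential cookie) as evidence of the choice.
  function record() {
    return { decided, allowed: CATEGORIES.filter(c => allowed.has(c)), at: new Date().toISOString() };
  }

  return { declare, decide, acceptAll, rejectAll, record, jar };
}

if (typeof require !== "undefined" && require.main === module) {
  const gate = createConsentGate();
  gate.declare("sid", "essential", "7f3a");
  gate.declare("_ga", "performance", "GA1.2");
  gate.declare("ad_uid", "marketing", "91c2");
  console.log("before choice:", gate.jar.names());   // only "sid"
  console.log("after accept all:", gate.acceptAll(), gate.jar.names());
  console.log("after reject all:", gate.rejectAll(), gate.jar.names());
}
```

The `record()` object is what you would store (in an essential cookie or server-side) so that the consent can be evidenced and so the banner is not shown again on every page; the same gate should be consulted by every script that wants to set a cookie, not only by the banner.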
What are communications and network services?
Before explaining the requirements that the above services are subject to under the PECR, it is important to first understand the following key concepts:
- ‘Electronic communications’ is a term that is not defined by the PECR but is interpreted by the Information Commissioner’s Office (“ICO”) to mean any information sent over a telephone or internet connection. It therefore includes emails, phone calls, text messages, video messages, in-app messages, direct messages on social media and faxes.
- ‘Public electronic communications service’ (“service provider”) is defined in the Communications Act 2003 and simply means the service that people can sign up to send and receive electronic messages i.e. the organisation that provides telephone or internet services.
- ‘Public electronic communications network’ (“network provider”) is also defined in the Communications Act 2003 and means any transmitter or transmission system (including the associated equipment, software etc) over which electronic messages are sent i.e. the underlying network equipment used to convey the communication.
The obligations that the network providers and service providers must comply with under the PECR fall into six main categories, as set out below.
Security
Both network providers and service providers have legal obligations in relation to security. In particular, they must take appropriate technical and organisational measures to protect the security of the service. Exactly what this means in practice is not spelled out in the regulation and, much as under the UK GDPR, the measures implemented should be proportionate to the nature of the risk, the state of available technology and the cost of implementation. Network providers are also required to implement any security measures a service provider asks of them, provided the request is reasonable.
In addition to the above, providers are required to inform their customers, without charge, if, despite the measures they have taken to try to ensure their services are secure, they are still subject to a substantial security risk. In such circumstances, the providers need to tell their customers, the nature of the risk, what they can do to protect themselves from the risk and how much this is likely to cost them.
Personal data breaches
The obligations under the PECR relating to personal data breaches relate to service providers (not network providers) and state that service providers must report such incidents to the ICO, maintain a log of all their breaches and, in some circumstances, inform their customers.
In terms of what constitutes a personal data breach under the PECR, this is very similar to the definition of a personal data breach under the UK GDPR with only a slight variation so that it applies directly to service providers. Regulation 2(1) of the PECR provides that a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
Once a service provider becomes aware of a personal data breach, it is required to act quickly, as it must notify the ICO within 24 hours and failure to do so can result in a fine of up to £1,000.
The reporting requirements under the PECR are similar in many respects to the reporting requirements under the UK GDPR and the ICO has a breach reporting form available on their website for this purpose. The report to the ICO must include:
- The service provider’s name and contact information;
- The date and time of the breach;
- The date and time the breach was detected;
- Basic information about the type of breach and;
- Basic information about the personal data concerned.
In their report to the ICO, service providers should also explain as many details about the event as possible, including how many people have been affected and how likely it is to impact them, any mitigating steps the service provider has taken and details about how and when they have informed their customers (if applicable). If it is not possible to provide all of this information within 24 hours, the service provider can submit a second notification with additional details three days later. Once a personal data breach has been reported under the PECR, there is no need to report it under the UK GDPR.
In addition to notifying the ICO, service providers are also required to notify their customers, without undue delay, if a breach is likely to adversely affect their personal data or privacy. If such notification is needed, it must include similar information as the notification to the ICO but also, most importantly, information on how individuals are likely to be affected, what the service provider has done to mitigate the situation and what individuals can do to reduce any adverse effects on them.
Having completed the notification requirements, service providers must then record details of all the incidents in a breach log (for which there is a template on the ICO website) and submit this to the ICO once a month.
As a practical point, policies and procedures for service providers must draw out the difference between a breach that is reportable under PECR and one that is reportable under the UK GDPR due to the different notification timescales.
Traffic data
The PECR also make provision for traffic data, which is information about the routing, duration or timing of a communication: for example, when an email was sent and the route it took, or how long a phone call lasted.
The rules on processing traffic data are strict and provide that providers may only use this data to manage billing or traffic, handle customer enquiries and prevent or detect fraud. In line with the transparency principle under the UK GDPR, providers must tell their customers that they are processing traffic data. Further, in accordance with the storage limitation principle, the data should be kept only for as long as is necessary, which suggests that once the data has been used to calculate an individual’s bill it should be deleted. However, since bills can be disputed and/or left unpaid, it is arguable that the data should be kept in line with the limitation period for breach of contract, which is six years. The ICO takes the view that the data should be kept for this long only where a bill remains outstanding or has been challenged.
If service providers wish to use traffic data for marketing purposes or any value-added service (such as an email content filtering service), prior consent must be obtained from the customer. The criteria for valid consent is the same as under the UK GDPR, namely that it needs to be freely given, specific, informed, unambiguous and be given by a clear affirmative action.
Location data
Location data is information about the whereabouts of a phone or other device that is being used for communication. For example, the location of a mobile phone can be ascertained using information collected by mobile phone masts. The rules relating to this type of data are, as with traffic data, very strict. They provide that location data can only be processed if it is anonymous or the customer has given their consent to a value-added service and the processing of location data is necessary for that purpose. An example of the latter would be where an individual consents to a ‘find my phone’ service so that they can be found if they call for help when the vehicle they are travelling in has broken down.
The only exemptions to the rules on location data are emergency calls from the customer or emergency alerts from a public authority that need to warn people of an emergency in a particular area.
The rules under the PECR in relation to itemised bills are very straightforward and simply provide that customers are entitled to ask service providers for bills that are NOT itemised. The thinking here is that it is recognised that itemised bills can reveal private information about an individual and, as such, can potentially give rise to privacy risks whereas, if the information is not collated in the first place, there can be no such risks.
Under the PECR, if an organisation wishes to compile a directory containing telephone numbers (landlines and/or mobiles), fax numbers or email addresses, or to provide a service whereby such directories can be searched, it must ensure that the individuals it proposes to include are informed and given the opportunity to opt out. For example, it is common knowledge that individuals can choose to be “ex-directory”, i.e. excluded from the BT phone book. In addition, express consent is required from individuals for their data to be used in ‘reverse searches’, which is when a phone number is used to look up a name.
The ICO’s view is that this rule only applies to comprehensive lists of subscribers that aim to include everyone within particular areas rather than more specialised lists that constitute trade directories, and church or club memberships.
Calling line identification and connected line identification
Regulations 10 to 13 of the PECR set out the rules relating to calling line identification and connected line identification. Before explaining those rules, we first need to be clear on what these terms mean.
Calling line identification is a service whereby the number of the caller is shown to the person receiving the call.
Connected line identification is the opposite of the above: the service allows the caller to see the number of the person receiving the call. This may not be the number they dialled if a call redirection has been set up.
Whilst the above services may be considered useful by some, others may consider them privacy intrusive. As a result, service providers are required to inform their customers of these services and provide them with simple ways to opt out effectively. For example, service providers are obliged to:
- Allow callers to choose to withhold their number from the person receiving the call
- Allow the person receiving the call to choose not to see the number of the person calling them
- Allow the person receiving the call to choose to withhold their number from the caller
Service providers are also required to provide a service whereby anonymous calls are rejected.
Once a customer confirms their choices, their wishes need to be observed, although they can change their mind at any time. For the most part, the customer has control over these choices but there are a few instances in which a customer’s wishes can be overridden such as when it is necessary to trace malicious calls or to facilitate calls to emergency services.
Exemptions to the PECR
Only in very limited circumstances can the rules under the PECR be avoided. For example, when it is necessary to safeguard national security or if complying with PECR would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders.
That said, some of the rules have exemptions built into the provisions themselves: for example, the ‘strictly necessary’ exemption from the consent requirement for cookies, and the soft opt-in for electronic mail marketing to existing customers.
Non-compliance with the PECR
Above, we have explained what the PECR cover and how they apply to the various organisations that are subject to them. In this section, we explain what happens when the PECR are not complied with and, in particular, how the Information Commissioner’s Office (“ICO”) deals with complaints, the offences and breaches for which formal action can be taken, and the maximum fines that can be imposed. We also highlight some of the recent enforcement actions taken by the ICO and identify relevant trends.
How the ICO deals with complaints
If an individual considers that an organisation has failed to comply with the requirements of the PECR they can submit a complaint to the ICO. For example, if an individual continues to receive marketing emails from a particular company, even though they have previously objected to this, they may submit a complaint to the ICO for breach of regulation 22 of the PECR.
However, not every complaint goes to the ICO. Silent or abandoned calls are dealt with by Ofcom, and the ICO’s complaint page directs individuals to Ofcom’s “Abandoned and silent calls” page. Complaints relating to scams are directed to Action Fraud (“Reporting fraud and cyber crime”) for England, Wales and Northern Ireland, and to Consumer Advice Scotland for Scotland.
An important point to note is that the ICO does not usually respond to individual PECR-related complaints. It is still important that all valid complaints are registered, however, because the more complaints that are made about a particular organisation, the more likely it is that the ICO will conduct a full investigation and take formal action; the complaints submitted help the ICO understand the extent of the problem.
If the ICO does proceed with a full investigation, it will consider all the information it has gathered from the complainant(s) and ask the organisation for their side of the story. The ICO will take into account all of this information when deciding on whether or not to take formal action. Such action may include issuing:
- Assessment Notices (compulsory audits)
- Enforcement Notices
- Penalty Notices (administrative fines – see below for the maximum fine)
In deciding whether to exercise its enforcement powers, and which of the above measures to apply in any given situation, the ICO will take into account all the relevant circumstances of the case. In particular, the ICO describes its approach to enforcement as risk-based, effective and proportionate. This means that the ICO focuses on organisations it considers to be high-risk because they cause the most harm to individuals, and/or on organisations that are recklessly or deliberately flouting the law. The ICO is less likely to take formal action against businesses that can demonstrate that they are attempting to comply with the legislation. Indeed, the ICO states that it aims to help organisations adhere to the PECR, as this ensures that people are protected. Organisations therefore need to be able to show the ICO that they take the PECR provisions seriously.
Offences and breaches under the PECR
To enforce the PECR, the ICO can bring a criminal prosecution, take non-criminal enforcement action or carry out an audit of the offending organisation.
In 2018, the PECR were amended so that directors and other company officers can be made personally liable for breaches of the PECR and can, therefore, face fines of up to £500,000. This applies only where the breach occurred with the consent or connivance of the director or officer, or was attributable to their neglect. The thinking behind this change in the law was to prevent companies from avoiding a fine by simply going into liquidation and then setting up another company run by the same directors.
Maximum fines under the PECR
Presently, the maximum fine under the PECR is £500,000. However, the proposal under the UK data protection reforms is for the maximum to be increased to match that under the UK GDPR (the higher of £17.5 million or 4% of annual global turnover). Time will tell whether this proposal comes to fruition. If it does, organisations may be less willing to risk breaching the PECR, as the financial gains from non-compliant marketing are likely to be far smaller than any potential fine.
Recent enforcement action and trends
As explained above, the ICO has wide powers to take enforcement action against organisations that fail to comply with the PECR, and the ICO website shows just how willing it is to use them. The ICO publishes details of all the enforcement action it takes, including prosecutions, and copies of penalty notices, enforcement notices and reprimands are available to view.
The ICO also collates information about the data security incidents that organisations have reported to it and presents this in a dashboard that allows interested parties to view trends over time. The “Data security incident trends” page on the ICO website provides a dashboard containing:
- Narrative – description of high-level trends.
- Time Series – a chart showing incident trends over time.
- Breakdown – a chart showing the distribution of each category of data.
- Cross-Tabs – a chart allowing cross-tabulation of categories.
Of particular interest is the “Time Series” page, which shows information about security incidents reported to the ICO from 2019 to 2023. This page enables the user to make selections from drop-down menus and so obtain more specific information about a particular sector, incident type, data type and so on.
As we’ve mentioned in our previous blogs, organisations need to comply with the PECR when sending marketing material and, if they don’t, individuals may complain to the ICO. When “Marketing” is selected as the sector on the “Time Series” page, the chart shows a spike in reported incidents in 2019, a drop in 2020 and a rise again in 2023. This suggests that the marketing sector continues to generate a steady flow of reports to the ICO.
The ICO’s “Action we’ve taken” (Enforcement action) page makes clear that the ICO is very active when it comes to enforcing the PECR. It has taken formal action against a long list of organisations for sending unsolicited direct marketing communications in breach of regulations 22 and 23 of the PECR, and there is no suggestion that this activity is slowing. Readers may already be aware that the ICO recently issued a penalty notice against the well-known food delivery company HelloFresh for breach of the PECR. On 12 January 2024, the company was fined £140,000 for sending 79 million spam emails and 1 million spam texts over a seven-month period. If the maximum fine under the PECR is increased as proposed under the UK data protection reforms, penalties for breaches on this scale are likely to increase dramatically.
It therefore appears that the ICO continues to address complaints relating to breaches of the PECR and to take formal action where appropriate.