SaleCycle’s Product Marketing Manager Katie Ash looks at the issues around PECR. Warning: a lot of legal and technical jargon follows…

With the news awash with information and advice about the imminent General Data Protection Regulations (GDPR), many marketers are considering how it impacts their marketing activities.

However Privacy and Electronic Communications Regulations (2003), with the more catchy acronym, PECR, should not be forgotten.


What is PECR?

PECR is a piece of legislation in the UK which implements the European Privacy and Electronic Communications Directive 2002 and has worked alongside the Data Protection Act 1998 (DPA).

GDPR is replacing the DPA and tightening the legislation relating to data privacy more generally. This tightening of the legislation inevitably impacts marketing activities, especially those via electronic communication to consumers in Europe and the UK.

GDPR and PECR legislation weave nicely together as GDPR provides a framework for specific marketing channels set out within PECR. These channels include SMS, email, unsolicited phone calls, automated phone calls and the use of website cookies.

The General Data Protection Regulations will apply to the processing of data and raises the threshold for  transparency in the way data is collected and used (such as the process for gathering compliant consent to market to an individual).The PECR outlines the requirements for compliant marketing activity within the channels it controls.


What’s Changing?

Changes to PECR are to align the requirements more closely with those under the GDPR. Currently, general consent, express consent, or soft opt-in to electronic communication is required.

Consent can be obtained a number of ways including through an opt-in checkbox, email sign-up, or subscribing to a service.

The ICO states:

“Consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action.”

This means that user data obtained may now only be used for the specific purpose for which it was collected.

Gone are the days of list building through gated content or competition entries. At the point of collection, people must be made aware of, and positively consent to, each individual intended use of their data.

One exception applies to sending e-communication in relation to similar goods and services to an individual who gave their data in the course of negotiation of a sale. If the individual was given the option to opt out of this communication at the point that they gave their data, then only soft-opt in is required.

Where affirmative consent is required and the soft opt-in exemption doesn’t apply then the use of pre-selected opt-in boxes are no longer considered to be a valid collection method. A positive action must affirm and not withdraw consent.

While these changes are yet to be finalised, the UK Regulator, the Information Commissioner Office (ICO), are continuing to release guidance and it’s worth staying on top of.

There may be a lot of work for companies to do to ensure they remain compliant and don’t fall foul of the enforcement action options open to the ICO, which include fines in line with the new GDPR enforcement regime.


What Does This Mean?

Come May 25th, you’ll need to know (and be able to demonstrate) exactly when and what each user on your list has consented to receive from you, and abide accordingly.

For marketers this may also mean a list clean is in order. If marketing permission was vague when originally collected then that consent may not be valid post GDPR.

If recollection is needed be aware of catch all re-permissioning exercises as the ICO has previously brought enforcement action against organisations who have tried to refresh permissions but got this wrong.

With email marketing, you will only be able to email people content that they have specifically opted in to receive.

This may mean providing multiple tick boxes when collecting consent, for example, separately collecting opt-in to send email newsletters, sale notifications, emails of products users have shown interest in, and emails from named third parties.

Only solicited messages, where a person requests specific contact (for example email my basket), will be exempt from most requirements under PECR.

Whether messages are solicited or not, every communication sent will be required to present the user with a clear path to opt-out of future messages.

Companies will also need to provide users with access to the personal data they have collected, and have processes in place to enable complete deletion of this data if it is requested.

These privacy laws come down to respecting your user base by ensuring that you’re being clear in your intention for collecting and using personal data and putting the control of personal data into the hands of the individual.

But rather than worrying about how these changes will negatively impact marketing strategy, focus on the credibility and trust you will gain from customers from being transparent about your use of their information.

Compliance with these laws can lead to having a truly engaged audience for your electronic communication and stronger results from these marketing channels.