What is PECR?
In February of this year, the Information Commissioner’s Office (ICO), or UK’s Data Protection Regulator, published additional guidance on the Privacy and Electronic Communications Regulations (PECR), initially passed in 2003, on applying PECR to the DPA.
How does PECR apply?
There is frequently a lot of discussion around the e-Privacy Directive (Directive 2009/136/EC) and very little surrounding the UK. Although the UK is no longer part of the EU, it has adopted a GDPR national privacy law, The Data Protection Act (DPA). PECR applies in the context of UK residents specifically. The e-Privacy Directive applies to GDPR and EU residents. The chart below provides the similarities and distinctions between the two.
Differences from the E-Privacy Regulation
|
| PECR | E-Privacy Directive |
Scope | PECR applies to the transmission of unsolicited electronic messages to individuals in the UK. | ePD applies to the processing of personal data and security of the transmission of electronic Communications within the EU.
|
Application | PECR specifically covers the following areas:
Marketing communications marketing texts (sms), calls, faxes, and emails B2B and B2C; Website tracking technologies, such as cookies and beacons; Communications related to data breaches; Security requirements for ISP, telephone, and network providers and Businesses that create, manage, or maintain email, telephone, or fax directories.
| ePD the security of services and networks; the confidentiality of communications; access to stored data; processing of location and traffic data; caller identification (caller-id); public directories (name, Telephone, fax number, email); and unsolicited commercial Communications ("spam") notification of data breaches.
|
Exemption | Exceptions: Law enforcement, national security, and compliance with other laws. | Exceptions are narrow and apply to:
Compliance with law or judicial order processing carried out for journalistic purposes or academic, artistic, or literary expression.
|
Differences | PECR allows for soft opt-in (implied consent). Companies can send texts and emails to existing customers. Regulation 5A PECR requires communications service providers (CSPs) to notify the ICO within 24* hours of becoming aware of a personal data breach
| GDPR requires active opt-in for marketing consent. Soft-in is not allowed. Customers must opt-in to marketing emails. Art. 33 GDPR, Sec 1 Controllers have 72 hours to notify the Data Protection Authority of a data breach.
|
B2B Communications | PECR does not require consent for B2B marketing. Sender must identify their telephone/fax/email number and entity/business sending the message and provide the user with an option to unsubscribe or opt-out or unsubscribe of the messages.
| Depends on the country. Irish Data Protection Authority has said prior consent is not necessary in B2B communications. However, the French Data Protection Authority, CNIL, states that prior consent even in a B2B situation is required. |
Fines | The maximum fine for breaching the PECR is £500,000. | Fines are up to 4% of annual revenue per violation or 20 million Euros. |
How do Businesses comply with PECR or the ePD?
Here are the many ways businesses can work toward compliance with PECR and ePD:
1. Taking inventory of the marketing data in the business process (store and collect);
2. Determining the source of the personal data (the UK or the EU);
3. Classify the personal data (B2B or B2C);
4. Update your privacy notices and marketing consent language per applicable law; apply location detection tracking to display and provide the proper marketing consent notices and
5. Maintain records of processing around obtaining and updating users' consent.
6. Maintain an incident management plan to effectively and timely respond to data breaches. ( see ICO will use discretion when enforcing the 24-hour notice period for data breaches so long as they receive notice within 72 hours.)
The EU has proposed an e-Privacy Regulation (ePR) to replace the e-Privacy Directive (ePD), which will become a part of GDPR. The UK is no longer part of the EU, so any updates to the ePR will not become part of the UK Data Protection Act. Presently, PECR guides businesses on how to comply with UK privacy law and will be updated accordingly.
Comments
Post a Comment
all comments to this blog are moderated