PECR_Full

Created by

Patrick Forrest

Cards (231)

Privacy and Electronic Communications Regulations 
Regulations that provide rules about sending marketing and advertising by electronic means, such as by telephone, fax, email, text and picture or video message, or by using an automated calling system
Direct marketing 
The promotion of aims and ideals as well as the sale of products and services
Information Commissioner's Office (ICO) 
The regulator for the Data Protection Act and Privacy and Electronic Communications Regulations
Contents 
Introduction
Overview
Legal framework
Data Protection Act
Privacy and Electronic Communications Regulations
Other regulation
ICO enforcement
Direct marketing
The definition of direct marketing
Market research and 'sugging'
Charities, political parties and other not-for-profit organisations
Solicited and unsolicited marketing
Consent
The definition of consent
Implied consent
Methods of obtaining consent
Opt-in and opt-out boxes
Indirect (third party) consent
Time limits
Proof of consent
Marketing calls
Fairness
The right to opt out
Automated calls
Business-to-business calls
Marketing texts and emails
Existing customers: the 'soft opt-in'
The right to opt out
Business-to-business texts and emails
Other types of direct marketing
Marketing faxes
Marketing online
Marketing mail
Lead generation and marketing lists
Generating leads
Selling a marketing list
Buying a marketing list
In-house marketing lists
Suppression
Other considerations
More information
The Data Protection Act 1998 (the DPA) is based around eight principles of good information handling
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) 
Regulations that provide rules about sending marketing and advertising by electronic means, such as by telephone, fax, email, text and picture or video message, or by using an automated calling system
PECR also include other rules relating to cookies, telephone directories, traffic data, location data and security breaches
An overview of the main provisions of the DPA and PECR can be found in The Guide to Data Protection and The Guide to the Privacy and Electronic Communications Regulations
This guidance explains the DPA and PECR rules on direct marketing - with a focus on calls and texts to individuals - and how this affects lead generation and the use of marketing lists
The guidance starts with a broad overview of the law, then contains separate sections on what counts as direct marketing, what counts as consent, the specific rules on calls and texts, and the use of marketing lists
Direct marketing covers the promotion of aims and ideals as well as the sale of products and services
In many cases organisations will need consent to send people marketing, or to pass their details on
Organisations will need to be able to demonstrate that consent was knowingly and freely given, clear and specific, and should keep clear records of consent
The ICO recommends that opt-in boxes are used
The rules on calls, texts and emails are stricter than those on mail marketing, and consent must be more specific
Organisations should not take a one-size-fits-all approach
Organisations can make live marketing calls to numbers not registered with the TPS, if it is fair to do so
Organisations must not call any number on the TPS list without specific prior consent
Organisations must not make any automated pre-recorded marketing calls without specific prior consent
Organisations making marketing calls must allow their number (or an alternative contact number) to be displayed to the person receiving the call
Organisations must not send marketing texts or emails to individuals without their specific prior consent
There is a limited exception for previous customers, known as the soft opt-in
Organisations must stop sending marketing messages to any person who objects or opts out of receiving them
Organisations must carry out rigorous checks before relying on indirect consent (ie consent originally given to a third party)
Indirect consent is highly unlikely to be valid for calls, texts or emails
Neither the DPA nor PECR ban the use of marketing lists, but organisations must take steps to ensure a list was compiled fairly and accurately reflects peoples' wishes
Bought-in call lists should be screened against the TPS
It will be very difficult to use bought-in lists for text, email, or automated call campaigns as these require very specific consent (either where the specific organisation is named or it is within a precisely defined category of organisation)
The ICO will consider using its enforcement powers, including the power to issue a fine of up to £500,000, where an organisation persistently ignores individuals' objections to marketing or otherwise fails to comply with the law
Our direct marketing checklist can help organisations to comply
The DPA and PECR both restrict the way organisations can carry out unsolicited direct marketing (that is, direct marketing that has not specifically been asked for)
Direct marketing can engage a wide range of other regulatory and conduct issues
Organisations should ensure they are also familiar with other relevant laws and industry codes of practice
If direct marketing involves the processing of personal data (in simple terms, if the organisation knows the name of the person it is contacting), it must comply with the principles set out in the DPA
Section 11 of the DPA also gives individuals the right to prevent their personal data being processed for direct marketing
Organisations must stop marketing within a reasonable period
Organisations will not always need to process personal data to carry out a direct marketing exercise
PECR were designed to complement the DPA, and set out more detailed privacy rules in relation to the developing area of electronic communications
If an organisation is sending unsolicited direct marketing by electronic means, or employing someone else to do so on its behalf, it must comply with PECR
PECR are broader than the DPA in the sense that they apply even if the organisation is not processing any personal data