What are the Privacy and Electronic Communications Regulations?

The Privacy and Electronic Communications (EC Directive) Regulations 2003, known as PECR, exist in addition to - but do not override - the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).

These laws protect individuals’ privacy, and set out rules for organisations to follow when handling personal data. UEA staff must still follow the GDPR/DPA 2018 whenever handling any personal data at work, but the Regulations give people additional privacy rights with specific regard to electronic communications. 

For further advice please contact dataprotection@uea.ac.uk.

Further information: A link to the full text of PECR, which derive from EU law, is on the Information Commissioner’s Office (ICO) website, together with a comprehensive guide to the Regulations. The ICO is the body that oversees compliance with PECR in the UK.  

N.B. As at May 2018, the EU is in the process of drafting a new ePrivacy Regulation; however, the PECR rules will continue to apply until that Regulation comes into effect. In the meantime, we must ensure that any consent obtained for processing of personal data for marketing purposes meets the standards of the new General Data Protection Regulation (GDPR).

How do the Regulations affect UEA?

Marketing and PECR

What do we mean by ‘marketing’?

Direct marketing is defined in the DPA as ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’. The UK Information Commissioner has confirmed this includes ‘all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations’. From this we can assume that some University communications will be direct marketing. For example, telephone requests for donations and emails or texts about UEA events can all be direct marketing.

When do we need to take PECR (and DPA) into account?

Anyone undertaking unsolicited (i.e. not specifically requested) promotional activities, directed at individuals, with the intention of getting them to do/buy/attend or otherwise engage with a UEA product or service, should consider their obligations under the DPA. If the unsolicited marketing is to be done by electronic means then PECR must also be followed. If you pay someone else to undertake your marketing activities, you are both responsible for complying with PECR. 

What is not included?

As these rules only apply to marketing directed at individuals, other activities, such as online advertising, are not covered by PECR or DPA. Also note that routine communications with existing students and staff are unlikely to count as direct marketing.

Types of electronic communication 

Under PECR there are different rules for different types of electronic communication. The Information Commissioner’s Office has produced helpful guidance on telephone marketing, fax marketing, and email marketing (which includes SMS and direct messaging via social media). If you or your department are considering these kinds of marketing activities, read these first.


Gaining the consent of the person or people you want to contact is key to PECR compliance. Consent must be knowingly and freely given, relevant to the target audience and relate to the type of marketing activity you wish to undertake. The giving of consent should involve a positive action – i.e. a requirement to ‘opt in’ to receiving marketing communications. Avoid ‘opt out’ messages, especially those that are confusingly worded, e.g. ‘untick this box if you agree to not giving consent…’. This is bad practice and does not equate to giving active consent.

Consent is required in almost all cases; however, if you are doing email marketing for commercial purposes you may be able to rely on what is known as a ‘soft opt in’ when contacting existing customers. See the Information Commissioner’s guidance on when the soft opt in can be used.

Remember, even once you get consent for marketing, people are entitled to withdraw it at any time. You should therefore make it straightforward for them to do so, e.g. an ‘unsubscribe’ option in all email communications. Keep records of who has, and who hasn’t, given consent, and make sure you screen your communications against your opt-out list. Be aware of the Telephone Preference Service and Fax Preference Service and screen your calls/faxes accordingly.

Further information: See the ICO guide on Direct Marketing

PECR, cookies and other tracking software

What are cookies?

Cookies are small text files that are stored on your computer’s hard drive. If you enable cookies to be stored on your computer, websites you visit will be able to identify your device on each subsequent visit to that site, or to other sites that recognise that cookie. 

Cookies can therefore store some information about your preferences (e.g. storing your name to enable quick login) or past actions (e.g. how long you spend on a site, which pages you visit). For the purposes of PECR compliance, this information may be personal data or not; the Regulations apply even when the cookie collects only anonymous data. The Regulations also apply to similar technologies, for example apps which set tracking elements on your device.

Complying with PECR

The first time someone visits a site, they should be:

  • Told that cookies are being used
  • Given a clear explanation of why the site is using the cookies and what they do
  • Given the option to not accept the cookies – i.e. the site must get the user’s consent to install cookies on their device

There are some exceptions to these requirements. See ICO guidance on PECR for further details.
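As an added illustration of the three points above, here is a small consent gate that only sets non-essential cookies after the visitor has actively opted in, removes them again on withdrawal, and lets a ‘strictly necessary’ category through without consent (standing in for the exceptions the ICO describes). This is example code, not code from the UEA website or the ICO; the category names, the `jar` interface and the in-memory jar are assumptions made for the demonstration.

```javascript
// Added example (not UEA's or the ICO's code): a consent gate that only sets
// non-essential cookies after an explicit opt-in. The cookie jar is injected so
// the logic runs outside a browser; in a page you would pass an object whose
// set/remove read and write document.cookie.

// Assumed categories. "necessary" stands in for the strictly-necessary
// exemption; every other category needs the visitor's consent first.
const CATEGORIES = ['necessary', 'preferences', 'analytics', 'marketing'];

function createConsentGate(jar) {
  // Default state: nothing is consented to. There is no "opt out" default.
  const consent = { preferences: false, analytics: false, marketing: false };
  const setByCategory = new Map(); // category -> Set of cookie names we set

  function allowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    return category === 'necessary' || consent[category] === true;
  }

  // Record an explicit opt-in for one category (a positive action by the visitor).
  function grant(category) {
    if (category === 'necessary' || !(category in consent)) return false;
    consent[category] = true;
    return true;
  }

  // Withdrawal: revoke consent and delete every cookie previously set under it.
  function withdraw(category) {
    if (!(category in consent)) return false;
    consent[category] = false;
    for (const name of setByCategory.get(category) || []) jar.remove(name);
    setByCategory.set(category, new Set());
    return true;
  }

  // Returns true if the cookie was set, false if it was blocked for lack of consent.
  function setCookie(name, value, category) {
    if (!allowed(category)) return false;
    jar.set(name, value);
    if (category !== 'necessary') {
      if (!setByCategory.has(category)) setByCategory.set(category, new Set());
      setByCategory.get(category).add(name);
    }
    return true;
  }

  return { allowed, grant, withdraw, setCookie, snapshot: () => ({ ...consent }) };
}

// In-memory jar used for the demonstration (constructed, not real browser state).
function memoryJar() {
  const store = new Map();
  return {
    set: (k, v) => store.set(k, v),
    remove: (k) => store.delete(k),
    has: (k) => store.has(k),
    names: () => [...store.keys()],
  };
}

// Walk through one visit: banner shown, nothing consented, an opt-in, then a withdrawal.
function demo() {
  const jar = memoryJar();
  const gate = createConsentGate(jar);
  const steps = [];
  steps.push(gate.setCookie('session', 'abc123', 'necessary'));       // true: exempt
  steps.push(gate.setCookie('analytics_id', 'x1', 'analytics'));      // false: no opt-in yet
  gate.grant('analytics');                                             // visitor ticks "analytics"
  steps.push(gate.setCookie('analytics_id', 'x1', 'analytics'));      // true
  gate.withdraw('analytics');                                          // visitor changes their mind
  steps.push(jar.has('analytics_id'));                                 // false: removed
  steps.push(jar.has('session'));                                      // true: still there
  return steps;
}
```

The important design choice is the default: the consent object starts with every non-essential category at `false`, so a visitor who ignores the banner gets only the exempt cookies, which is the ‘opt in’ behaviour the page asks for rather than a pre-ticked ‘opt out’.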

Getting consent

Obtaining consent of the website user is key to PECR compliance. Consent must be knowingly and freely given. The website user should give a clear indication they understand their actions will result in cookies being installed. While website owners are not required to obtain explicit (i.e. ‘opt in’) consent in all cases, we recommend you do so if your site is collecting personal or sensitive data. 

Remember, if your site is collecting personal data (via cookies or otherwise) you also need to take into account your obligations under the Data Protection Act, as well as PECR.

How does the UEA website use cookies? 

See our website privacy notice for details on how the UEA website uses cookies.

Further information: see the ICO guidance on the rules on use of cookies and similar technologies and their guidance on Privacy in mobile apps.

Use of contact lists (directories)

Directories of contact details are also covered by PECR. The Information Commissioner’s definition is ‘…any directory or service whose main function is to allow someone with a minimum amount of information (such as name and approximate address) to look up phone, fax or email contact details (including mobile phone numbers).’
If you need to compile a directory of contact details for staff, students, alumni or other parties, you should:

  • Tell the individuals about the directory – what its purpose is and what data you want to include
  • Give them the chance to choose whether to be included
  • Get their specific consent if the directory will facilitate ‘reverse searches’ (e.g. using a phone number to look up a name)
  • Correct or withdraw entries on request
  • Not charge for opt-outs or corrections

Further information: see the ICO guidance on Directories and PECR