You know what GDPR is...but don't forget PECR


In May, organisations across Europe and beyond were frantically trying to get their houses in order before the General Data Protection Regulation (GDPR) came into force. Whilst an important step-change for data protection, it overshadowed the long-standing Privacy and Electronic Communications Regulation (PECR).  


Also known as the e-Privacy directive, PECR must be considered alongside GDPR. Covering a broad range of electronic communications, it has a direct impact on marketers and how they communicate with their prospects and clients.  


The GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply but using the new GDPR standard of consent. This means that if you send electronic marketing or use cookies or similar technologies, you must comply with both PECR and the GDPR. 


How does this affect marketing? 

Implemented in 2003, PECR introduces specific privacy rights in relation to electronic and digital communications and has been updated to incorporate the requirements of GDPR. For marketers, PECR will affect: 

  • marketing communications including calls, texts, emails and faxes
  • use of cookies and other similar digital tracking technology 
  • the privacy of customers, such as location data and directory listings 

Marketing communications 

GDPR has brought the principle of lawful processing of data into the limelight; specifically obtaining consent. Under PECR, there are stricter rules around unsolicited marketing communications which will often require explicit consent.

Unsolicited communication includes anything that has not been specifically requested from you, which will cover the majority of marketing campaigns. Many organisations have already incorporated consent into the data capture processes, which will enable them to comply with both GDPR and PECR. 


Marketing lists 

If you use purchased marketing lists, you will need to screen call lists against the Telephone Preference Service (TPS) and ensure any bought-in data has full consent given.

For in-house generated lists, use opt-in boxes as much as possible. Consent must be given for each type of contact option and you will have to gain separate consent if you plan to pass the details on to a third party. You will also need to name the third party.

You should keep records showing consents as well as a list of data you are not permitted to contact.



If anyone has indicated that they do not want to receive live calls from you or has registered with the TPS or Corporate Telephone Preference Service, then you must not ring them. You must also display your telephone number when calling and provide an address or freephone number if requested.  

There are stricter rules when automated telemarketing calls are placed. The individual must have freely given consent specifically for automated calling; consent for live calls does not cover this. However, as with live calling, you must also display your telephone number or alternative contact number, an address and freephone number.


Electronic mail marketing 

The ICO define this as: “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. 

You are only permitted to send marketing e-mails and texts to individuals if you have specific consent, although you can consider you have a soft opt-in for previous customers. You must clearly show who you are in any communication and always feature an e-mail address for opt-outs.

The rules are different for using these forms of communications with companies. You can contact these freely but it’s advisable to compile a list of companies who get in touch asking you not to contact them again.



A cookie is a text file that is downloaded onto a phone or computer that allows a website to recognise and store information about the individual’s preferences and history with that site.  

If you’re using cookies, you have to tell people you’re doing so, let them know why and obtain the person’s consent before the cookie is downloaded. You only have to do this with the initial installation, not for each time the individual accesses your website. 



Although GDPR has taken the limelight in recent years, marketers who ignore PECR do so at their peril. Both regulations are designed to protect the integrity of the individual’s privacy and their data. They work together in unison to enable organisations to continue communicating with their prospects and clients without intrusion or becoming a nuisance.  By complying with both, your marketing communications strategy will become stronger, more relevant and more interesting.  


Get in touch to find out how Secret Source can help you identify the markets, the audience, and the messaging to help your business grow.  

Written by Nick Carlson