
Don’t Panic About PECR

25 Jul 2019
Victoria Wallace

Email and online marketing is a diverse and ever-changing animal. It’s obvious that the Internet has completely transformed the way that people shop, the relationships businesses have with their customers and the volume and complexity of data that those businesses hold on every one of us.

Whilst ecommerce and emarketing really first took off in retail, it’s very apparent that this is an unrelenting trend across sectors. Anyone in the transport industry will appreciate the need for a strong command of digital. A combination of necessity and innovation has seen car parking move online, airports develop digital strategy, and industries across Transport develop competitive advantage through the power of CRM.

However, with great power comes great responsibility (or the possibility of a hefty fine). Remember the preparations for the GDPR? When new data laws came into force in May 2018, they represented the biggest change for data use since the boom in ecommerce. They also framed an opportunity to reassess and reinvigorate emarketing strategies.

It may come as news, but the GDPR isn’t the only data law. Sitting alongside the Data Protection Act and the GDPR, there’s another very important piece of legislation called The Privacy and Electronic Communications Regulations (PECR). PECR gives people specific privacy rights in relation to electronic communications.

PECR also creates challenges for marketers. Where GDPR preparations focused on gaining explicit consent for the retention and processing of data, the latest version of PECR, which came into force in January 2019, covers:

  • Marketing calls, emails, texts and faxes
  • Cookies (and similar technologies)
  • Keeping communications services secure
  • Customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings

Why is this relevant?

While companies were keen to achieve GDPR compliance, the majority of infringements that have attracted fines from the ICO were actually for breaches of PECR. This is because the most common complaints to the ICO relate to nuisance emails and calls, and this is unlikely to change under the new regulation.

Flybe got caught out by PECR during its attempts to get ready for GDPR. The airline sent more than 3.3 million emails to people who had told them they didn’t want to receive marketing messages, asking customers to update their marketing preferences. The breach resulted in a fine of £70,000.

Another fine was levied on London Heathrow Airport (LHR), but in this case it was the result of a security breach. A member of the public found a memory stick that had been lost by LHR. Around 1% of files on the USB stick contained personal data, some of which was sensitive, but the USB was unencrypted. The Commissioner found that while the use of removable media was widespread within the airport organisation, little was being done to secure the data, either in case of loss of the removable media, or technically, in preventing its download onto other devices. LHR received a fine of £120,000.

Whilst physical data security is an important part of the regulations, PECR does have implications for marketing and sales teams. The latest draft offers clarification that both non-targeted adverts and targeted ads (such as website display adverts) that are not sent to identifiable or identified individuals, and don’t require contact details about the end user, do not fall under the regulations.

However, PECR is due to be replaced by the new ePrivacy regulation and this will have a big impact on B2B sales. Under PECR, B2B sales and marketing teams have enjoyed an exception and do not require consent when selling or marketing to corporate subscribers, but under the new ePR, this exception is missing and consent will be required.

The ePR is not due to be passed until later in 2019, but it’s not one to ignore on the off chance it might go away, especially as it’s already clear that European privacy laws will still apply in the UK after Brexit. It’s also important to understand that these laws aren’t just specific to marketing and sales teams. Every single person within a company must understand data privacy in order to avoid a breach.

Practicalities of the ePrivacy Regulation

  • The ePrivacy Regulation will encompass current modern communication services including Facebook Messenger, WhatsApp, Gmail and Internet of Things (IoT) devices
  • Like the GDPR and current PECR regulations, ePrivacy will apply to any business that serves EU-based end-users with an electronic communication service, conducts direct marketing online, or uses technology to track online activity
  • It ensures confidentiality by stipulating that organisations must not store, monitor, scan or otherwise intercept the electronic communications data of their users without their knowledge or consent. This gives data subjects more control over the way their behaviour and movements are tracked online. For example, organisations commonly rely on customer analytics to inform their direct marketing messaging, but under ePrivacy they will have to secure prior consent before tracking behaviour and launching these communications

How will this impact airports and car parking?

PECR covers numerous areas of data, particularly data that can be useful for marketing analytics. There is information about all of these aspects on the ICO website. But, let’s look a bit more closely at some of the things that directly affect operations for airports and car parking…

Email marketing

Email is a significant marketing tool for airports and parking companies. In fact, 81% of SMBs use email as their primary customer acquisition channel. The ICO defines the rules regarding emails thus:

“You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’. You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.”

Similar restrictions are in place for other forms of direct marketing such as telephone and fax. It’s a good idea to familiarise yourself with the information on the ICO website so you have a confident knowledge of what constitutes consent.

On the plus side, this is a great opportunity to develop your inbound lead generation, creating great content and generating leads from that content by promoting it alongside appropriate offers.

Location data

Location data, according to the ICO, constitutes information collected by a network or service about where the user’s phone or other device is or was located. Location is obviously a huge part of both smart parking and air travel, so the word “Location” in the sidebar of the PECR guidelines is enough to bring the reader out in a cold sweat.

However, there’s good news here, as the ICO says:

“In our view, this does not generally include GPS-based location information from smartphones, tablets, sat-navs or other devices, as this data is created and collected independently of the network or service provider. Neither does it include location information collected at a purely local level (eg by wi-fi equipment installed by businesses offering wi-fi on their premises). However, organisations using such data still need to comply with the Data Protection Act.”

CRM Systems

The data held in CRM systems like Rezcomm is securely encrypted in line with GDPR. The relevance to PECR comes with the emarketing capabilities and analytics intrinsic in this software, but working with industry experts like Rezcomm is a stress-free way to ensure compliance.

Your consent information needs to be stored in an auditable way. Consent must be recorded in a way that establishes who has given consent, who has not, who has yet to be prompted for consent, and who has refused consent. This is more sophisticated than a simple ‘opt-out’ checkbox and may require a drop down menu.

Sometimes you might want to have customers automatically opted in to some lists for a limited time after a sale. But remember, if you have given them a previous chance to opt-in and they have not responded positively, it would be incorrect to do this.

The main aim with both GDPR and PECR compliance is to honour consent once it is given or declined.


Under the new ePR, a large number of B2B sales and marketing processes will now require explicit consent. The standard for ‘consent’ is set by the GDPR, and this level applies for ePR and PECR. There will be some work to get things in order for B2B clients, but this is a good opportunity to begin working through your existing lists, phoning old contacts and building new ‘clean’ data.

Obtaining consent doesn’t have to be a huge challenge. As Oliver Jobson says in his blog, simple, practical steps such as asking a contact, “Is it ok if I send you the occasional news update?” Or, “Could I send you a message or email about this?” could get your contact opted in to one-to-one sales emails and your newsletter.

Getting it straight

PECR exists alongside, not instead of GDPR, and ePrivacy will do the same. The two regulations are designed to complement each other, meaning that privacy rules are not about to dramatically change, and companies don’t have to start all over again in 2019.

The main difference between the two laws is that while ePR (or PECR) covers consent for the sending of electronic communications, GDPR ensures a legal basis for retaining and processing personal data. To comply with both regulations, your business needs to establish consent for both. If the work you did in the lead up to GDPR was solid, and you already have a GDPR-compliant method of obtaining consent, you should be off to a good start with ePrivacy.

DPAS Chief Data Protection Officer Nigel Gooding expands:

An example is the AdTech industry. The UK regulator the ICO has already started to investigate areas such as the AdTech industry and the compliance to GDPR and PECR. AdTech is a key plank in travel industry e-commerce activities and it is a vital tool for marketing. My advice is before embarking on any e-marketing campaign or mass electronic emailing, always seek advice, as the law may require a data protection impact assessment and clear documentation of users’ consents. We can support the development of new products safely in the knowledge that we have developed products that meet not only PECR but GDPR compliance.

If you have any further questions regarding data protection and the impact of PECR, the team at Data Privacy Advisory Service will be happy to help.

The Rezcomm team brings a wealth of experience and skill to our work with airport and car parking clients. If you would like to find out more about how Rezcomm’s ecommerce, CRM and emarketing software can help your business, or for advice about data law compliance, contact the team today.