Here is what you need to know about email marketing rules or other electronic messages sent for direct marketing purposes. If a message is sent via an intermediary (a platform or hosting service, bulk sending provider etc), the sender is responsible for complying with PECR unless it can show that an exemption applies. The Information Commissioner’s Office has powers to issue enforcement notices and other penalties to enforce PECR.
The PECR are the UK’s equivalent of the EU’s GDPR and ePrivacy directive
The Privacy and Electronic Communications Regulations (PECR) are the UK’s equivalent of the EU’s ePrivacy directive. PECR sets out obligations for messages sent for the purposes of direct marketing, including permission to send messages, opt-out mechanisms, methods of obtaining consent, information about how to unsubscribe from receiving them and data retention. It is enforced by the Information Commissioner’s Office (ICO).
PECR sets out obligations for messages sent for the purposes of direct marketing
PECR sets out obligations for messages sent for the purposes of direct marketing. Direct marketing is defined by PECR as:
- Messages that are sent to you by an organisation and that relate to its products or services, including invitations to take part in surveys, competitions, prize draws and other promotions
- Messages which are sent because you have consented to being contacted by an organisation selling similar products or services
- Messages from organisations with which you have a business relationship (like your insurance provider) if they relate to either the provision of their service or something else that’s part of that relationship.
Not all emails have to comply with all the rules in PECR
PECR sets out the rules for direct marketing messages, so any message sent for the purposes of direct marketing must comply with PECR.
However, you don’t need to comply with all of the rules in PECR if:
- Your message is not a direct marketing communication (for example, it’s an email providing contact details for a customer relations representative). In this case, you can send whatever you like as long as it complies with other applicable laws and regulations (such as GDPR).
Intermediaries and Bulk Messages
You may have heard the term ‘bulk messaging’ before. This is when someone sends out a large number of electronic messages at once. It’s usually done using automated systems and software like mass mailing lists and auto-responders. For example, retailers often send out coupons for their products in bulk via email marketing campaigns because they know people will respond by purchasing some of their products through these coupons.
The sender is responsible for complying with PECR through intermediary’s
If you are acting as an agent for someone else and sending on their behalf then that person will also be responsible for ensuring they comply with PECR.
The Information Commissioner’s Office has powers to enforce PECR
While the ICO cannot directly impose fines or other penalties, it can issue enforcement notices and other penalties to enforce PECR. If a company breaches the law, the ICO will usually give them a chance to put things right. The first step is usually an “Information Notice”, which is used when there is a suspected breach of personal data processing rules that doesn’t require urgent attention.
If you don’t comply with an Information Notice, the ICO can escalate their response by issuing an Enforcement Notice requiring you to change your practices. If you fail again after receiving an Enforcement Notice then there are further options available including formal warnings, monetary penalties and even prosecution by criminal courts if appropriate.
In addition to enforcement notices, civil monetary penalties (CMPs) can be issued where there has been persistent contravention or serious breaches of PECR leading up to its investigation or prosecution (the CMP must relate to these particular breaches). Criminal sanctions are also available for those who knowingly break PECR; however, this would normally only apply if someone deliberately flouted the law with malicious intent such as committing fraud or identity theft against their victims’ data security interests (see Data Protection Act 2018 section 141).
The ICO publishes notices of all their intended prosecutions here: https://ico.org.uk/action-weve-taken/
You need to know about privacy law if you send messages for direct marketing purposes
You need to know about privacy law if you send messages for direct marketing purposes.
You must have consent from the person who receives your message before you can send them any marketing material. The only way to get this consent is by asking them directly (and in writing) if they want to receive this information and how often.
It’s also important that you make sure you keep track of all the people who opt out of receiving your messages, as this will help prevent any unwanted issues further down the line.
This article has been a whistle-stop tour of privacy law and the rules that apply to direct marketing. We’ve covered a lot in this article, but it’s essential to understand your legal obligations when you’re sending email messages for marketing purposes, even if you will be using an intermediary (such as an email service provider) to send the messages on your behalf. If you want further advice and guidance on this topic, please get in touch with us about our Marketing Compliance service.