April 10 , 2017

Privacy and Electronic Communication Regulation

Who, what, when?

Honda and Flybe are some of the most recent culprits to be hit with significant fines from the ICO for breach of the Privacy and Electronic Communication Regulation (“PECR”).

Honda, between May and August 2016, sent more than 280,000 emails to individuals, asking them to clarify their marketing preferences. The emails were titled “would you like to hear from Honda?”. These emails went to individuals who had neither opted in or out of marketing. In Honda’s case, the car manufacturer explained the emails were sent in error due to a design flaw in their software portal.

Steve Eckersley, ICO Head of Enforcement, said:

Both companies sent emails for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law”


The PECR gives people specific privacy rights in relation to electronic communications, including marketing calls, emails and texts. It sits alongside the Data Protection Act 1998 (DPA) which acts to protect individual’s personal data. Although most businesses are aware of the DPA (and so they should be), we find the PECR are often put to one side despite their healthy teeth with fines reaching up to £500,000 for breaches.

The rules on electronic mail marketing are contained in regulation 22 of PECR. In summary, you must not send electronic mail marketing to individuals, unless:

(i) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale of negotiations for the sale of a product of service to that recipient;

(ii) the direct marketing is in respect of that person’s similar products and services only; and

(iii) the recipient has been given a simple means of refusing (free of charge except for the costs of transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

How shall I obtain consent?

The crucial consideration is that the individual must fully understand: (a) they are consenting (b) what they are consenting to and (c) exactly what this means.

The ICO recommend that businesses use simple and clear methods of opting in and out of marketing, for example obligatory opt in and opt out boxes which pop up when visiting the business website or the recording of oral consent over the phone. When using opt-in boxes, organisations should remember that they should provide opt-in boxes to obtain specific consent for each type of electronic marketing, for example email, call and text.

Businesses must ensure that when obtaining consent, they must explain to the individual exactly what marketing they have consented to including the involvement of any third parties. How best to obtain consent will depend on how you communicate with your customers.

The Future

The highly anticipated General Data Protection Regulation (GDPR) is due to come into force immediately on 25 May 2018 replacing the Data Protection Act 1998. The GDPR further enhances the consent required for marketing by demanding that businesses secure positive opt-in’s rather than a negative opt in (i.e tick here if you do or wish to receive communications…), silence or pre-ticked boxes. It’s important businesses get this right sooner rather than later as the GDPR introduces fines of up to 4% of annual business turnover or 20 million pounds!

The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

To ensure consistency with the GDPR (including its fining powers), at the beginning of this year the European Commission published its proposals for the new ePrivacy Regulation. As with the GDPR, the Regulations will be directly enforceable and the UK government has confirmed it will be implemented in the UK before we leave the EU. It is hoped that the new regulations will come into force on the same day as the GDPR, however they are still draft form yet to be considered by the European Parliament and the European Council. Although we do not yet know what the final Regulations will look like, much like the GDPR, the draft proposals include tightening of the current rules. Much more to come…

Back to Insights