In detail

What is the relationship between PECR and the data protection regime?

PECR sits alongside the data protection regime, which is the UK GDPR and Data Protection Act 2018 (DPA 2018). Data protection and PECR aim to protect people’s privacy. Data protection complements PECR. You may find that complying with PECR helps you comply with data protection requirements, and vice versa.

PECR takes some of its definitions from data protection. For example, it takes the UK GDPR’s standard of consent and the DPA 2018 definition of direct marketing.

Data protection also applies if you are using personal data when sending electronic mail marketing (eg because you know the name of the person you are texting).

A person’s email address identifies a unique user and distinguishes them from other users, which means it is personal data. Likewise, someone’s business email address may identify them and therefore constitute personal data, eg [email protected]

If you are using personal data, you must make sure that you comply with the data protection rules as well as PECR.

What do the data protection rules mean for electronic mail marketing?

If the address you are sending electronic mail marketing to identifies a unique user, or if you know the person’s name, then you must comply with data protection law as well as PECR.

For example, this means you must make sure what you want to do is fair, lawful and transparent. You must also comply with people’s data protection rights (such as the right to object).

Fairness means not doing things with personal data that people would find unexpected, misleading or detrimental. Transparency means being clear, open and honest about what you want to do with their information. For example, you must make it clear to people when collecting their details that you want to send them electronic mail marketing. People have the “right to be informed” about what you intend to use their personal data for.

Lawfulness includes having a valid data protection reason (known as a “lawful basis”) when you use personal data in order to send electronic mail marketing. There are six of these to choose from in the UK GDPR. However, it’s likely that the most relevant ones in the context of electronic mail marketing are consent and legitimate interests. This depends on whether you are relying on consent or the soft opt-in under PECR.

If you are relying on consent to send electronic mail marketing then it’s likely your lawful basis is also consent. However, if you can meet all of the requirements of the soft opt-in, then it’s likely you can rely on legitimate interests as your lawful basis. See our separate guidance on legitimate interests for help on how to assess if it does apply to your particular circumstances.

People also have the absolute data protection right to object to you using their personal data for direct marketing purposes (including using their personal data to send marketing by electronic mail). If someone exercises this right you must stop using their personal data for direct marketing purposes. There are no grounds for you to refuse.

You should keep a ‘do not contact’ or suppression list to make sure that you don’t inadvertently send electronic mail marketing to someone who has exercised this right. Failing to opt out of the PECR soft opt-in won’t override the fact that someone has used this right. You can only send electronic mail marketing to them if they subsequently decide to consent to such marketing from you.

Further reading

  • The ICO has produced lots of guidance on how to comply with data protection law. You can find it in the Guide to the UK GDPR, which includes topics such as fairness, transparency, lawfulness and rights.

Are tracking pixels covered by the electronic mail marketing rules?

Many marketing emails include tracking pixels. For example, some record information such as the time, location and operating system of the device used to read the email.

The electronic mail marketing rules in PECR only cover the email itself, not the tracking pixels. The use of such tracking pixels is instead covered by PECR’s separate rules on cookies and similar technologies.

This means that you must comply with the electronic mail rules when sending the marketing email itself. You must also comply with the rules on cookies if that email uses tracking pixels. See our separate guidance on cookies and similar technologies for more information.

What happens if we don’t comply with PECR when sending marketing by electronic mail?

The ICO’s aim is to help and empower you to comply with the law. In cases where you refuse or fail to comply voluntarily, we have a range of options available for taking formal action where necessary.

We take a risk-based, effective and proportionate approach to enforcement. Our aim is to create an environment which protects people, while supporting organisations to ensure they can operate and innovate efficiently in the digital age. We will be as robust as necessary in upholding the law, while ensuring that enterprise is not constrained by red tape, or by concern that we would use sanctions disproportionately.

We have several ways of taking action to change the behaviour of anyone who breaches PECR. This includes serving an enforcement notice that requires an organisation to stop sending direct marketing that is in breach of PECR. We can also serve a monetary penalty notice imposing a fine of up to £500,000 which we can issue against the organisation or its directors. These powers are not mutually exclusive. We can use them in combination, where justified by the circumstances.
