GDPR, PECR and Marketing

GDPR is not aiming to stop businesses from marketing to individuals. This would be damaging to business, and many individuals want to hear about your products and business news. GDPR will hit hardest those that were not following good practice.
GDPR strengthens the rights of the individual to control the use of their data and provides for greater penalties for those that abuse consumer trust. You will need to check and modify the way you market to individuals, how you gain consent and hold evidence of compliance. The Privacy and Electronic Communications Regulations 2003 provide a guide to marketing by electronic communication and provide a greater context in which to work out how you will move forward in your marketing campaigns.

We have set out the view of the Information Commissioner’s Office (ICO) here and provided some useful documents, which can also be found on the ICO website.

Recital 47 of the GDPR says direct marketing is a legitimate use of personal information, which is true. It is important to remember, however, that other rules also apply, for example the Privacy and Electronic Communications Regulations 2003 (PECR). PECR restricts the circumstances in which you can market to people and other organisations by phone, text, email or other electronic means. So when sending electronic marketing messages, you have to comply with both data protection law and PECR.

Does PECR apply to me?

Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website; or
  • compile a telephone directory (or a similar public directory).

Marketing campaigns

If you’re planning a marketing campaign, you’ll have to comply with a number of regulations. Some of these apply to unsolicited electronic messages sent by telephone, fax, email or text, while others apply to marketing material sent by post.

Electronic mail marketing

The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their permission.

However, there is an exception to this rule. Known as the ‘soft opt-in’, it applies if the following conditions are met:

  • where you’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
  • where the messages are only marketing similar products or services; and
  • where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address.

The rules on emails don’t apply to emails sent to organisations, though you must still identify yourself and provide an address.

The Telephone Preference Service (TPS) and Fax Preference Service (FPS) are operated by the Direct Marketing Association, and allow people to register their numbers to opt out of receiving unsolicited calls or faxes. You must not market to individuals or organisations who have registered their numbers with the TPS or FPS.


It is recommended that your marketing campaigns are always permission-based and you explain clearly what a person’s details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.

The documents below help to outline the basics.

The first document, from the Information Commissioner, is a check sheet for smaller businesses. The second is a more comprehensive guide to the Privacy and Electronic Communications Regulations (PECR), which has been updated for GDPR to help you manage your approach.

PECR and GDPR go hand in hand in constructing a fair and lawful approach to marketing campaigns.