An acronym that has resurfaced lately, typically when a data protection regulator mentions the General Data Protection Regulation, is PECR.
For media and marketing businesses that have had their heads buried in GDPR compliance (or the sand depending on their strategy) over the last year or so, the sudden re-emergence of references to PECR within GDPR compliance documents, is causing confusion.
Today — Jul. 3 — the U.K. data protection authority the ICO has released further guidance on the restrictions around cookie use under PECR. For any business that does email marketing, understanding PECR is a must, and given the regulators have begun to step up their policing of GDPR within the media and advertising markets, it’s worth being able to distinguish the two laws.
Here’s a primer.
What is PECR?
How does this sit with GDPR?
GDPR introduced new requirements around the need for businesses to obtain consumer consent in order to use their personal data for their own purposes, such as targeted advertising. In order to keep the separate laws from conflicting, PECR’s rules on consent also had to change to coincide with GDPR’s. In a nutshell, consent under PECR must now be opt-in rather than opt-out (the latter sometimes referred to as a “soft” opt-in). Direct marketers need to be able to show consent was knowingly and freely given.
Are fines for PECR as high as GDPR?
Nowhere near as high. PECR fines only go up to a maximum of £500,000 ($630,000) for breaches, similar to those that were used under the former Data Protection Act (GDPR’s predecessor). Under GDPR, the European Commission has given EU regulators the power to fine up to €20 million ($23 million) or 4% of global revenue, whichever is higher. That’s why GDPR has been a far more high-profile, and feared, law. A business running direct marketing can also use the legitimate interest clause, but under the GDPR’s definition.
Sounds like PECR enforcement is quite lax?
In a way, yes. Although, prior to GDPR’s enforcement, the ICO did fine two companies, albeit softly. Airline Flybe was fined £70,000 ($88,000) for sending more than 3.3 million emails to people who had already unsubscribed from its email marketing. Honda received no more than a £13,000 ($16,000) wrist slap for sending 289,790 emails to clarify certain customers’ choices for receiving marketing. While Honda believed it was ensuring its data protection compliance was watertight by rechecking details, which it classed as customer service — rather than marketing — emails, the ICO didn’t agree. Honda couldn’t provide evidence that the customers had ever given consent to receive that kind of email in the first place — a no-no under PECR.
Wait, didn’t hundreds of companies do just that ahead of GDPR enforcement?
Absolutely. Consumers were hit with an avalanche of emails ahead of GDPR’s enforcement in which they were asked to resubscribe. In doing so, businesses hoped to avoid any risk of a GDPR fine. In reality, that merely drew attention to the fact those companies may have been in breach of PECR for years. Most have likely escaped any kind of penalty because the ICO had its hands full with GDPR. Plus, there would have been a grace period allowed for companies attempting to do the right thing, and for the inevitable chaos stemming from an early misunderstanding of a new law.
Did they need to send those emails?
Probably not. But the fear of the more eye-watering GDPR fines would have been motivation to do so. That, plus a healthy dose of misunderstanding and the industry’s pretty broad interpretation of GDPR would have contributed to the panicked email stampede.