In detail
- What is the relationship between PECR and the data protection regime?
- What do the data protection rules mean for electronic mail marketing?
- Are tracking pixels covered by the electronic mail marketing rules?
- What happens if we do not comply with PECR when sending marketing by electronic mail?
What is the relationship between PECR and the data protection regime?
PECR sits alongside the data protection regime, which is the UK GDPR and Data Protection Act 2018 (DPA 2018). Data protection and PECR aim to protect people’s privacy. Data protection complements PECR. You may find that complying with PECR helps you comply with data protection requirements, and vice versa.
PECR takes some of its definitions from data protection. For example, it takes the UK GDPR’s standard of consent and the DPA 2018 definition of direct marketing.
Data protection also applies if you are using personal data when sending electronic mail marketing (eg because you know the name of the person you are texting).
A person’s email address identifies a unique user and distinguishes them from other users, which means it is personal data. Likewise, someone’s business email address may identify them and therefore constitute personal data, eg [email protected].
If you are using personal data, you must make sure that you comply with the data protection rules as well as PECR.
Further reading
- See our separate guidance on: What is personal data?
What do the data protection rules mean for electronic mail marketing?
If the address you are sending electronic mail marketing to identifies a unique user, or if you know the person’s name, then you must comply with data protection law as well as PECR.
For example, this means you must make sure what you want to do is fair, lawful and transparent. You must also comply with people’s data protection rights (such as the right to object).
Fairness means not doing things with personal data that people would find unexpected, misleading or detrimental. Transparency means being clear, open and honest about what you want to do with their information. For example, you must make it clear to people when collecting their details that you want to send them electronic mail marketing. People have the “right to be informed” about what you intend to use their personal data for.
Lawfulness includes having a valid data protection reason (known as a “lawful basis”) when you use personal data in order to send electronic mail marketing. There are six of these to choose from in the UK GDPR. However, it’s likely that the most relevant ones in the context of electronic mail marketing are consent and legitimate interests. This depends on whether you are relying on consent or the soft opt-in under PECR.
If you are relying on consent to send electronic mail marketing then it’s likely your lawful basis is also consent. However, if you can meet all of the requirements of the soft opt-in, then it’s likely you can rely on legitimate interests as your lawful basis. See our separate guidance on legitimate interests for help on how to assess if it does apply to your particular circumstances.
People also have the absolute data protection right to object to you using their personal data for direct marketing purposes (including using their personal data to send marketing by electronic mail). If someone exercises this right you must stop using their personal data for direct marketing purposes. There are no grounds for you to refuse.
You should keep a ‘do not contact’ or suppression list to make sure that you don’t inadvertently send electronic mail marketing to someone who has exercised this right. Failing to opt-out of the PECR soft opt-in won’t override the fact that someone has used this right. You can only send electronic mail marketing to them if they subsequently decide to consent to such marketing from you.