
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003)

The Privacy and Electronic Communications Regulations were originally introduced in 2003 to regulate direct marketing activities by electronic means (by telephone, fax, email or other electronic methods). They also regulate the security and confidentiality of such communications, with rules governing the use of cookies and 'spyware'. The Regulations complement Data Protection Legislation in the regulation of organisations' use of personal data and in ensuring appropriate safeguards for individuals' rights and privacy. The Regulations apply different rules to individual subscribers and corporate subscribers, although some rules apply to both. Where personal data is used, Data Protection legislation always applies, and the Regulations cannot be used to avoid the requirements of Data Protection legislation.


The European Directive on which the Regulations are based was revised in 2011. As a result the existing Regulations in the UK were amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The most recent changes were made in January 2019.


Many of the 2003 Regulations have stayed the same, but some important changes were made, which included:

  • rules for websites using cookies and similar technologies (see section 9 of the Code of Practice);
  • new powers for the UK Information Commissioner (ICO) to serve a monetary penalty on an organisation when very serious breaches of the Regulations occur; and
  • new powers for the ICO to investigate breaches of the Regulations by obtaining information from certain third party organisations.


Most of the rules on marketing by live phone call, automated phone call, fax, email and text message stayed the same.


'Direct marketing' means 'the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals' (s.122 of the DPA 2018). The ICO considers "'direct marketing' as covering a wide range of activities which will apply not just to the offer for sale of goods or services, but also to the promotion of an organisation's aims and ideals." This covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations; for example, it covers a charity campaigning for support or funds. If your communication is designed to change behaviour then it is likely to be considered as marketing or promotional material.


Where the University wishes to communicate via electronic means with individuals, such as prospective students (e.g. marketing the University) or alumni (e.g. fundraising), it must comply with the following rules in order to use these media for marketing communications to individual subscribers:

  • live voice telephone calls: the University must honour individuals' "Do not Call" requests. You must not make unsolicited live calls to: anyone who has told you they don’t want your calls; or any number registered with the TPS or CTPS, unless the person has specifically consented to your call.
  • e-mail/SMS: You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’. You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.
    The University must have the opt-in consent of subscribers OR meet the soft-opt-in test:
    • Contact details are obtained during negotiation or sale of goods or services to the recipient AND
    • marketing is conducted by the same entity as previous dealings with the individual AND
    • marketing relates to "similar products and services" AND
    • an opt-out mechanism is provided at the point of data collection and is provided with each new communication.
  • automated calling systems: the University must have prior consent. You must not make an automated marketing call – that is, a call made by an automated dialling system that plays a recorded message – unless the person has specifically consented to receive this type of call from you. General consent for marketing, or even consent for live calls, is not enough – it must specifically cover automated calls.
  • faxes: the University must have prior consent. You must not send marketing faxes to individuals or to any number listed on the Fax Preference Service (FPS), unless they have specifically consented to your faxes. You can send marketing faxes to companies that are not listed on the FPS.


The ICO has published this updated ‘plain language’ guidance on PECRs and this updated guide to Electronic and Telephone Marketing.


Enforcement of PECRs

The Privacy and Electronic Communications Regulations are enforced by the ICO, who may impose a civil monetary penalty of up to a maximum of £500K if a business is found to have committed a very serious breach of the Regulations. In other cases an Information Notice requesting further information or an Enforcement Notice will be issued and a fine may be imposed for breach of an Enforcement Notice.


3.5 The Electronic Commerce (EC Directive) Regulations 2002

The e-Commerce Regulations 2002 include a requirement that the recipient of an e-Commerce service, including direct marketing, must be provided, in a form and manner that is easily, directly and permanently accessible, with certain information including:

  • The name of the service provider i.e. the University 

  • The geographic address at which the service provider is established

  • The details of the service provider, including staff email address, which make it possible to contact him rapidly and communicate with him in a direct and effective manner

The purpose of this requirement is to ensure that individuals are able to effectively utilise their consumer protection and other rights, including those granted under Data Protection Legislation and PECR 2003 as amended in 2011, by providing them with the necessary information about whom to enforce those rights against. The Regulations do not prescribe how the requirement to make information "easily, directly and permanently accessible" should be met.

It is important that colleagues sending communications covered by PECR retain a record of consent to receive communications and a record of requests to unsubscribe from the communications (to ensure individuals are not inadvertently sent communications after requesting that they stop).