
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003)

The Privacy and Electronic Communications Regulations were originally introduced in 2003 to regulate direct marketing activities by electronic means (by telephone, fax, email or other electronic methods). They also regulate the security and confidentiality of such communications, with rules governing the use of cookies and 'spyware'. The Regulations complement Data Protection Legislation in the regulation of organisations' use of personal data and in ensuring appropriate safeguards for individuals' rights and privacy. The Regulations apply different rules to individual subscribers and corporate subscribers, although some rules apply to both. Where personal data is used, Data Protection legislation always applies, and the Regulations cannot be used to avoid the requirements of Data Protection.


The European Directive on which the Regulations are based was revised in 2011. As a result the existing Regulations in the UK were amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.


Many of the 2003 Regulations have stayed the same, but some important changes were made, which included:

  • rules for websites using cookies and similar technologies (see section 9 of the Code of Practice);
  • new powers for the UK Information Commissioner (ICO) to serve a monetary penalty on an organisation when very serious breaches of the Regulations occur; and
  • new powers for the ICO to investigate breaches of the Regulations by obtaining information from certain third party organisations.


Most of the rules on marketing by live phone call, automated phone call, fax, email and text message stayed the same.


'Direct marketing' means 'the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals' (s.122 of the DPA 2018). The ICO considers "'direct marketing' as covering a wide range of activities which will apply not just to the offer for sale of goods or services, but also to the promotion of an organisation's aims and ideals."


Where the University wishes to communicate via electronic means with individuals, such as prospective students (e.g. marketing the University) or alumni (e.g. fundraising), it must comply with the following rules in order to use these media for marketing communications to individual subscribers:

  • automated calling systems: the University must have prior consent. You must not make an automated marketing call – that is, a call made by an automated dialling system that plays a recorded message – unless the person has specifically consented to receive this type of call from you. General consent for marketing, or even consent for live calls, is not enough – it must specifically cover automated calls.
  • faxes: the University must have prior consent. You must not send marketing faxes to individuals or to any number listed on the Fax Preference Service (FPS), unless they have specifically consented to your faxes. You can send marketing faxes to companies that are not listed on the FPS.
  • live voice telephone calls: the University must honour individuals' "Do not Call" requests. You must not make unsolicited live calls to: anyone who has told you they don’t want your calls; or any number registered with the TPS or CTPS, unless the person has specifically consented to your call.
  • e-mail/SMS: You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’. You can send marketing emails or texts to companies. However, it is good practice to keep a ‘do not email or text’ list of any companies that object.
    The University must have the opt-in consent of subscribers OR meet the soft-opt-in test:
    • Contact details are obtained during negotiation or sale of goods or services to the recipient AND
    • marketing is conducted by the same entity as previous dealings with the individual AND
    • marketing relates to "similar products and services" AND
    • an opt-out mechanism is provided at the point of data collection and is provided with each new communication.


The ICO has published this updated ‘plain language’ guidance on PECRs.


Enforcement of PECRs

The Privacy and Electronic Communications Regulations are enforced by the ICO, who may impose a civil monetary penalty of up to a maximum of £500K if a business is found to have committed a very serious breach of the Regulations. In other cases an Information Notice requesting further information or an Enforcement Notice will be issued and a fine may be imposed for breach of an Enforcement Notice.