
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003)

The Privacy and Electronic Communications Regulations were originally introduced in 2003 to regulate direct marketing activities by electronic means (by telephone, fax, email or other electronic methods). They also regulate the security and confidentiality of such communications, with rules governing the use of cookies and 'spyware'. The Regulations complement the DPA 1998 in the regulation of organisations' use of personal data and in ensuring appropriate safeguards for individuals' rights and privacy. The Regulations apply different rules to individual subscribers and corporate subscribers, although some rules apply to both. Where personal data is used the DPA 1998 always applies and the Regulations cannot be used to avoid the requirements of the DPA 1998.


The European Directive on which the Regulations are based was revised in 2011. As a result the existing Regulations in the UK were amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.


Many of the 2003 Regulations have stayed the same, but some important changes were made, which included:

  • rules for websites using cookies and similar technologies (see section 9 of the Code of Practice);
  • new powers for the UK Information Commissioner (ICO) to serve a monetary penalty on an organisation when very serious breaches of the Regulations occur; and
  • new powers for the ICO to investigate breaches of the Regulations by obtaining information from certain third party organisations.


Most of the rules on marketing by live phone call, automated phone call, fax, email and text message stayed the same.


'Direct marketing' means 'the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals' (s.11 DPA 1998). The ICO considers "'direct marketing' as covering a wide range of activities which will apply not just to the offer for sale of goods or services, but also to the promotion of an organisation's aims and ideals."


Where the University wishes to communicate via electronic means with individuals, such as prospective students (e.g. marketing the University) or alumni (e.g. fundraising), it must comply with the following rules in order to use these media for marketing communications to individual subscribers:

  • automated calling systems: the University must have prior consent. Prior consent means that the individual has given some positive indication of intention. This does not necessarily require a tick-box "opt-in", e.g. where the individual has clearly indicated their consent to the purposes and to the receipt of marketing communications in some other fashion, e.g. by clicking on an "Accept" button at the end of a marketing notice
  • faxes: the University must have prior consent, and check with the Fax Preference Service on a regular basis, unless the individual has notified the University that such communications can be sent "for the time being"
  • live voice telephone calls: the University must honour individuals' "Do not Call" requests, and check with the Telephone Preference Service on a regular basis, unless the individual has notified the University that such communications can be sent 'for the time being'
  • e-mail/SMS: the University must have the opt-in consent of subscribers. Soft opt-in or opt-out is no longer allowed. It must be as easy for individuals to unsubscribe or withdraw consent as it is for them to give consent, e.g. unsubscribe links/options MUST be provided in every subsequent communication. All communications must contain a link to the Privacy Policy dealing with the processing of personal data for the purposes of the communications.

The ICO has published this updated ‘plain language’ guidance on PECRs.


Enforcement of PECRs

The Privacy and Electronic Communications Regulations are enforced by the ICO, who may impose a civil monetary penalty of up to a maximum of £500K if a business is found to have committed a very serious breach of the Regulations. In other cases an Information Notice requesting further information or an Enforcement Notice will be issued and a fine may be imposed for breach of an Enforcement Notice.