It’s been almost two months since May 25th – and we’ll go ahead and name those four letters that have been haunting marketers around the world for quite some time.

The GDPR, better known as the European Union’s General Data Protection Regulation is now in full swing.

Some companies were prepared for the May deadline, some are still preparing, and as inboxes continue to flood with GDPR-related emails, users are trying not to go completely insane.

But let’s forget about GDPR for now… kind of.

Let’s talk about PECR, the seemingly lesser-known sister regulations of GDPR, also known as the EU’s Privacy and Electronic Communications Regulations.

What are PECR?

PECR are existing e-Privacy regulations derived from European law, originally put in place in 2003. These laws have to do with data protection and currently sit alongside the GDPR.

PECR have been amended four times in their lifetime, with the latest amend being in 2017. Due to GDPR coming into the picture, the EU is in the process of making changes to PECR that have not yet been agreed upon.

These changes are set to be decided in late 2018 or early 2019, and as PECR already does, affect online advertising, media and digital services.

In the interim, the existing PECR rules are to be followed alongside GDPR, as of May 25th.

PECR and GDPR are not One in the Same

Unfortunately, these are two separate sets of rules and it is important for marketers to comply with both GDPR and PECR when marketing to citizens of the EU, as one does not replace the other (although the rules may overlap at some point, as the main concern of both is privacy).

Unlike GDPR, which dictates how personal data should be handled in general, PECR strictly focusses on consent for data gathered through electronic communications such as email, social media, phone call, text message, cookies and other related technologies (with a few exemptions).

Each type of electronic communication has its own rules for contacting users and subscribers, that marketers must adhere to under PECR – and marketing to businesses as opposed to individuals has a more lenient set of guidelines to follow.

What Marketers Should Know

If you’re a marketer that is electronically interacting with your clients and prospects (you probably are) – it should be no surprise that PECR will affect the way you handle your efforts – and if you don’t comply, you may face hefty fines, similar to those of GDPR.

Here is what you should know:

Under PECR, subscribers and users must give consent or in other words, opt-in to receive any sort of contact from you, where applicable. It is also important to note here that the subscriber and user may not be the same person.

  • The Subscriber: a subscriber is a customer that has a contract with the person or business providing a service
  • The User: a user is the direct person who is using the service (this can differ from the subscriber if the subscriber is a person representing a company)

As Marketers, when moving forward with electronic communications, you must never conceal who you are. This means making your phone number and address readily available and providing clear options to opt-out of your communications, whether via phone call (automated and/or live), email, text message or other electronic way of marketing your business.

Email and Text Message Marketing

The Cant’s

Marketers must not send email communications or text messages to any individual unless they:

  • Have consented to emails and/or texts from you
  • Are an existing customer who bought or almost bought a similar product or service from you in the past (and they’ve previously been given an option to opt-out of communications from you) – this is known as a soft opt-in

The Cans

There are some exceptions with emails belonging to corporations, unless they object, you can email or text them.

Tip: Keep a ‘do-not-email’ or text list.

Note: These rules also apply to direct messages via social media, and/or any similar message that is stored electronically.

Website Monitoring Technology:

The Cant’s

Marketers can’t have a website running with cookies unless they:

  • Mention cookies are being used on the website
  • Explain what cookies are, and gain the consent of the individual to store a cookie on their device

Note: These rules don’t just apply to cookies, but to any technology that gains access to a user’s information.

The Cans

Marketers can use cookies and other related technologies as long as (common theme) they gain consent. Consent from either the subscriber or the user (or both if the same person) is valid. If there is a conflict with consent (for example: subscriber and user do not agree), the most recent update will be acknowledged.


The Cant’s  

Live Phone Calls: Marketers must not make unsolicited calls to any individual who:

  • Has in some way stated they do not want them
  • Has a phone number registered with the Telephone Preference Service (TPS) or it’s counterpart for corporations (CTPS) – which basically means they’ve been placed on a ‘do-not-call’ list.

Automated phone calls: When organizing automated phone calls, marketers must not make automated calls that:

  • Play back a recorded message, unless the person has specifically consented to receiving these types of automated calls (different from consenting to receive live calls).

The Cans

While there are strict rules that apply, you can:

  • Make automated or live calls to anyone who has consented
  • Make live calls to those who have not consented (if they haven’t objected to these calls in the past), as long as they aren’t registered on the TPS or CTPS.

Tip: Make sure you have a ‘do-not-call’ list and that you’re continuously keeping it up to date.


The Cant’s

Marketers can’t sell their marketing lists, unless:

  • They have consent from all the users on the list
  • The users have opted in to be contacted through a certain means by the company which the list is being sold to

The Cans

  • Marketers can use contact lists which they’ve purchased, however the same rules apply for them.
  • If you’ve purchased a list, it is essential to screen the contacts against ‘do-not-call’ lists and the TPS and CTPS, and confirm their opt-ins or opt-outs to cover your bases of consent – although, as previously mentioned lists should not be sold unless all contacts on the lists have agreed to it.


As marketers, especially within the financial services industry, it’s important to keep up with ever-changing regulations and guidelines and we’ll be keeping an eye out for any PECR updates that will be coming in the future. If you would like to learn more about PECR, you can read an in-depth report on the Commissioner’s Office website.

If you’d like to learn how StoneShot can assist you with your compliant digital marketing efforts, we’d love to chat.