PECR Compliance for UK Telecoms
Understanding the Privacy and Electronic Communications Regulations for telecom providers and resellers.
What You Learn
- ✓ PECR marketing rules
- ✓ Consent requirements
- ✓ Cookie compliance
- ✓ Enforcement penalties
Who It's For
- • Marketing teams
- • Data controllers
- • Business owners
- • Anyone sending electronic communications
PECR governs electronic marketing and communications privacy in the UK. Telecom providers must comply as service providers (cookies, CLI) and as marketers (consent, TPS). ICO can fine up to £500,000 for serious PECR violations.
What is PECR?
The Privacy and Electronic Communications Regulations 2003 (as amended) implement the EU ePrivacy Directive. PECR works alongside UK GDPR but has specific rules for electronic communications.
For telecom providers, PECR applies in two ways:
- As a service provider: Rules about traffic data, CLI, directories
- As a marketer: Rules about consent for marketing calls, emails, SMS
Marketing Rules
Telephone Marketing
| Recipient Type | Consent Required? | TPS Check Required? |
|---|---|---|
| Consumer (individual) | No (but recommended) | Yes - mandatory |
| Business (corporate) | No | CTPS check recommended |
| Sole trader | No (but recommended) | Yes - treated as individual |
TPS Checking
Before making marketing calls to individuals, you must screen against the Telephone Preference Service:
- Check numbers against TPS within 28 days of calling
- Maintain your own suppression list of opt-outs
- Keep records of TPS checks for at least 6 months
- Honour opt-out requests within 28 days
Email and SMS Marketing
Electronic mail (including SMS) requires prior consent unless the "soft opt-in" applies:
- Obtained contact details during a sale or negotiation
- Marketing relates to similar products/services
- Customer given opportunity to opt-out at collection
- Every message includes easy opt-out mechanism
CLI Requirements
Caller Line Identification (CLI) must be presented on outbound calls:
- Display a valid, dialable number on marketing calls
- The number must be contactable (no dead lines)
- CLI must identify the calling organisation
- Withheld CLI on marketing calls is prohibited
Reseller Liability: If your customers use CLI spoofing on your network, you may be held responsible. Implement CLI validation and acceptable use policies.
Data Retention Rules
PECR specifies retention limits for traffic and location data:
| Data Type | Retention Purpose | Maximum Period |
|---|---|---|
| Traffic data | Billing purposes | Until bill paid + disputes resolved |
| Traffic data | Marketing (with consent) | As needed + consent valid |
| Location data | Value-added services | Only while needed + consent |
| Communications data | Legal compliance | Per Data Retention Regulations |
Compliance Checklist
- Register for TPS/CTPS checking if making marketing calls
- Implement 28-day TPS screening cycle
- Maintain internal suppression list
- Ensure valid CLI on all outbound calls
- Document consent for SMS/email marketing
- Review traffic data retention policies
- Include easy opt-out in all marketing
- Train staff on PECR requirements