Email is PECR not GDPR!

Learn how email marketing rules are PECR, not GDPR

Many get the Privacy rules on email marketing wrong.  For a start, they’re not in GDPR as commonly thought: they were set out in the EU e-Privacy Directive, which means in the UK they’re in what we call PECR.

Stick around and we’ll break down this aspect of this vastly misunderstood and highly emotional area.

This is the first in our series on e-Privacy.  You can watch this blog’s accompanying video: Email Marketing Rules are in PECR not GDPR in Privacy Kitchen – FREE video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out and click subscribe and notify to hear about awesome Privacy Kitchen videos.

So, is that right? e-Privacy rules are not in GDPR?  Yes, yes, it is, and we’ll show you right now.

Email is PECR not GDPR

Those rules on email marketing, including whether you need consent or not, are in the EU e-Privacy Directive, a law that effectively takes priority over GDPR when it applies.  As a Directive, it’s been implemented differently in every Member State.

That’s why they brought in GDPR – to replace the Data Protection Directive.  There’s also a lot of negotiation going on to replace this e-Privacy Directive with a Regulation, but that’s been bogged down for years now in the final stages, with lots of lobbying – it’s so contentious, and it’s so broad.

So we’re still dealing with the 2002 EU e-Privacy Directive, as amended in 2009. That’s been implemented in the UK by the Privacy and Electronic Communications Regulations, which is why everyone calls it PECR for short.


By the way, if you’re thinking Brexit will save you here, PECR is a UK law not an EU law so PECR’s not going to be affected by Brexit. And if you’re in an EEA Member State, the rules will be in your national law implementing that e-Privacy Directive.

Not just email

Now, importantly, email, for these purposes, isn’t just email – it’s also WhatsApp, Facebook, LinkedIn messages…  There are separate rules on phone calls and separate rules on faxes – if you still have one.  PECR also includes all the cookie rules, which is why it’s sometimes called the Cookie Law, although it’s not just cookies.  But all of that’s for a different video.

Right now we’re talking about email marketing rules.


Now, for sure, GDPR applies whenever you process personal data – you need to comply with the seven principles, you need to have one of the six legal bases of processing, such as consent or necessary for legitimate interest, which are the two that are most relevant on email.

But the rules on email (whether you need consent, etcetera) are all in the e-Privacy Directive.

Still don’t believe it?   Okay, here’s Article 13 of the e-Privacy Directive.

EU e-Privacy Directive

Now, you can see that the use of electronic mail for direct marketing is allowed only in respect of subscribers or users who have given their prior consent.

That ‘or users’ was added by the 2009 Directive and we’ll come back to the impact of this later.

So what about PECR that implements this?


Here’s Regulation 22 of UK’s PECR, implementing that Article, and it covers using electronic mail for direct marketing purposes, specifically sending unsolicited communications by means of electronic mail to individual subscribers.

Note again the word there: ‘individual’.  The big difference in e-Privacy rules throughout Europe comes from those words ‘subscriber’, ‘user’ and ‘individual’, and essentially means Europe’s split in how it treats B2B email marketing, where you’re emailing a legal entity, and B2C email marketing, where it’s a consumer, sole trader or unincorporated partnership.

Now we’ll look at the rules themselves in another video.  But there you have it – proof that the rules on email marketing are in the EU e-Privacy Directive, implemented by the UK’s PECR.  They’re not in GDPR.

Yes, if you need consent, you go to GDPR to look at it.  And yes, GDPR always applies in terms of security, processors, etcetera.  But the rules are in the e-Privacy Directive and, if you’re in the UK, that’s PECR.

Isn’t that simple?

So why all the confusion about email marketing and GDPR? Here are three quick reasons.

  • First, it’s hard to remember pre-GDPR now, but few enough people knew about the 1998 Data Protection Act let alone a specific law like PECR.  And then when GDPR came out with loads of fanfare, including big changes to consent, they just assumed everything was in GDPR – and no judgement, there were very few Privacy experts around before GDPR came in, there just wasn’t the demand.
  • Second, as we’ve mentioned, GDPR does still apply to all processing of personal data and for example, defines consent if PECR says you need it. So it’s really PECR then GDPR.
  • And third, because the EU e-Privacy law is a Directive at the moment, it had to be implemented by Member States separately.  This predictably meant a significant difference in how they did it, from the UK style to the German style, which is a lot stricter on B2B – and it is mostly around B2B – but there’s also a lot of difference in cookies still.  Again, that’s for another video.  But people do try to interpret EU laws by looking at the practice in different EU Member States and guidance from those Member States, which means there is that confusion in implementation here.

And as we say, don’t hold your breath on that European Regulation on e-Privacy, which is a real shame because we could do with that harmonisation on all of these rules.


So there you go: email marketing rules (in the UK) are in PECR.  If you’re in an EEA Member State, look to the national law implementing the e-Privacy Directive(s) in your Member State.

Nice and quick!

Do get involved – use #privacykitchen to tell us the questions and topics you want covered.

Stay well in the meantime, and see you soon in Privacy Kitchen!



The UK ICO’s Guide to PECR

The 2002 EU e-Privacy Directive (2002/58)

The 2009 EU Directive amending the e-Privacy Directive (2009/136)
