Big issues still to tackle in 2022: Keep your PECR up

In the final instalment of our series re-examining the industry’s “big issues to tackle in 2017” we look at the regulations governing email, phone and text marketing – one of the biggest areas of enforcement – to see what progress, if any, has been made.

Five years ago, the Privacy & Electronic Communications Regulations (PECR) had already been in force nearly 15 years and had been used mainly to clamp down on rogue telemarketing practices, including the blatant disregard for people registered on the Telephone Preference Service.

At that time the TPS itself was in disarray, sparking a Decision Marketing campaign which in no small part ultimately led to a major overhaul.

Fast forward to the present day and the long-awaited update to PECR, the EU’s ePrivacy Regulations, appears to have sunk without trace; post-Brexit it might not even matter.

As while the UK Information Commissioner’s Office has faced accusations of being too slow on GDPR enforcement, action against BA and Marriott notwithstanding, few would argue against the regulator’s record on PECR.

Of course, getting rogues to cough up fines has been an issue for years; many simply shut up shop and relaunched under a different name. A 2018 revamp to PECR tackled that in part, by making directors personally liable for fines of up to £500,000, yet there has not been a single case to date.

This has been backed by joint action with the Insolvency Service, which to date has seen over 20 company directors banned for a total of over 110 years.

A new clampdown is on the cards under the Government’s shake-up of data laws, currently under consultation, which proposes to bring PECR in line with UK GDPR – or whatever it will be called in the future – meaning potential fines could be increased from a maximum of £500,000 to up to £17.5m or 4% of annual global turnover.

While this may – just may – put off some of the rogues, it should also set off alarm bells for all legitimate companies too.

Back in March 2017, as companies started to prepare for GDPR, it emerged that many were contacting customers who had already opted out of marketing under the guise of service messages to get them to opt back in.

At the time, the ICO said it recognised that companies would be reviewing how they obtained customer consent for marketing to comply with GDPR but head of enforcement Steve Eckersley said: “Businesses must understand they can’t break one law to get ready for another.”

Honda and Flybe were the first brands to be fingered but since then they have been joined in the “Hall of PECR Shame” by Morrisons, BT, Royal Mail, Amex, We Buy Any Car, Sports Direct, Saga, The Conservative Party, and the Unite Union, which have all been caught with their trousers down – and whacked with fines – for contacting customers who were off limits, either by phone or email.

And, earlier this month, Virgin Media was found guilty of circumventing privacy regulations to send marketing emails to hundreds of thousands of customers who had already opted out in an effort to get them to change their minds.

Interestingly, while 451,217 received the email, only one person – who just so happened to be a Decision Marketing reader – complained to the ICO, triggering an investigation, enforcement action, a fine and ultimately reputational damage for Virgin Media.

Admittedly, the ICO has resisted headline grabbing monetary penalties for such breaches so far; under the UK’s new data protection regime – and a new Information Commissioner – there is no guarantee this leniency will continue.

The question is, can you afford not to ensure your PECR policies are in order?