Privacy and Electronic Communications Act & Regulations (UK)
Answer ID 9778   |   Last Review Date 01/16/2019

Do you have any information to share regarding the Privacy and Electronic Communications Act & Regulations (UK)?

Environment:

Email Deliverability (EDG), Outbound Emails

Resolution:

This answer is part of the Email Deliverability Best Practices doc community. Each answer is intended to contribute to the betterment of the email community. These answers relate only to outbound messages and have no impact on improving inbound deliverability. For more information regarding deliverability's role at RightNow, please review the following answer page: Answer ID 2195: Email Deliverability Group (EDG) and Spam Considerations and Policy.

Furthermore, this is not intended as legal advice, and you should consult with your own legal counsel for questions regarding compliance. This answer provides a high-level summary but may not reflect the latest requirements. You should always discuss the details with your legal counsel to ensure you are in compliance.

Quick Look

»  The PECA is part of the UK implementation of the EU Directive on privacy and electronic communications.

»  It recognizes rights of individuals regarding data collected about them, and sets obligations for how businesses must collect, store, and dispose of personal information.

Companies operating within the UK must consult their legal counsel to determine their compliance obligations under PECA and its implementing regulations.

Overview

The United Kingdom passed the Privacy and Electronic Communications Regulations in December 2003. These regulations implement the standards defined by the EU in the Directive on privacy and electronic communications (Directive 2002/58/EC). Sections 22 and 23 relate to email.

Requirements for senders of email

General opt-in requirement

Marketers can only send direct marketing mail to consumers in the UK if the recipient has specifically opted to receive the mail. However, there is an exception for mail sent to recipients with whom the sender has had prior dealings (see below).

Opt-out requirement

Senders must provide a valid address to which the recipient of email may send an opt-out request.

Sender information requirement

The sender must not disguise or conceal the identity of the sender.

Exception to opt-in requirement: prior sale/negotiation

In complying with the EU standards, businesses are also allowed to send mail to consumers who have previously purchased products if the following rules are met:

»  the sender obtained the contact details of the recipient in the course of a sale or negotiations for the sale of a product or service to that recipient;

»  the direct marketing material you are sending relates to your similar products and services only; and

»  the recipient has been given a simple means of refusing (free of charge except for the cost of transmission) the use of their contact details for marketing purposes at the time those details were initially collected and, where they did not refuse the use of those details, at the time of each subsequent communication.

 

Enforcement
Private Suit

Section 30 allows a person who suffers damage because of a contravention of the regulation to bring proceedings for compensation.

Information Commissioner

Section 31 extends the enforcement provisions in the Data Protection Act to cover these regulations.

Data Protection Act

Mailers in the UK also need to comply with the UK Data Protection Act. This act regulates how personal information is used and requires organizations to comply with eight principles of information collection and handling. Data must be:

»  processed fairly and lawfully

»  processed for one or more specified and lawful purposes, and not further processed in any way that is incompatible with the original purpose

»  adequate, relevant and not excessive

»  accurate and, where necessary, kept up to date

»  kept for no longer than is necessary for the purpose for which it is being used

»  processed in line with the rights of individuals

»  kept secure with appropriate technical and organizational measures taken to protect the information

»  not transferred outside the European Economic Area (the European Union member states plus Norway, Iceland and Liechtenstein) unless there is adequate protection for the personal information being transferred.

Organizations, with a few exceptions, are also required to register with the Information Commissioner's Office if they are collecting personal information.

References

The Privacy and Electronic Communications (EC Directive) Regulations 2003

Data Protection Act
