Fathom Analytics

PECR Compliance

Disclaimer: The information below is not legal advice, and we don’t accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding PECR compliance, please forward this page to your legal team.

PECR, the Privacy and Electronic Communications Regulations, is derived from European law and is how the UK implemented the ePrivacy Directive* (ePD) in their national law. Now that the UK has broken away from the EU (Brexit), if the EU brings in the anticipated ePrivacy Regulation, the UK won’t be required to abide by it as law immediately. However, this could change, as the UK may sign an agreement with the EU that says otherwise. But for now, we treat the PECR separately from the ePrivacy Directive (and future ePrivacy Regulation).

* A directive from the EU is a legal act that stipulates goals the member states must achieve. How they achieve it, i.e. implement the directive in their national laws, is up to the member state. In contrast, a regulation (like the GDPR) from the EU is a legal act that must be adopted in its entirety. Read more here.

What is PECR?

As mentioned above, PECR comes from the ePrivacy Directive. It regulates electronic communications like marketing calls, SMS, emails, and if you’re living in 1980, faxes. It’s also known, alongside ePrivacy, as the “cookie law”, because it regulates cookies and similar technologies within the UK. It also covers the security of public electronic communications services, and privacy of customers using communications networks, and more. But we’re interested in how it regulates website analytics.

Does PECR apply to you?

We aren’t going to take an opinion on whether PECR applies to you but, if you’re processing any data on UK residents, it’s safe to assume that it does. For Fathom, we will always consider PECR as we build our software.

Is Fathom PECR compliant?

We have a good number of customers in the UK, and we take PECR very seriously. Because of this, we’ve consulted with lawyers, spoken with various experts and reviewed the legal instrument ourselves. The legal justification we rely on is similar to the one we rely on with the ePrivacy Directive. As always, we’re not lawyers, so we can’t give you legal advice, but here’s our stance:

Article 6(1) and 6(2) of The Privacy and Electronic Communications (EC Directive) Regulations 2003 state the following:

6.—(1) Subject to paragraph (4), a person shall not use an electronic communications network to store information or to gain access to information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment—

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is allowed to refuse the storage of or access to that information.

So the summary, in the context of website analytics, is that if you’re going to store information, or gain access to information stored, in the terminal equipment (their device: watch, laptop, TV, etc.), then you must gain consent.

As with the ePrivacy Directive, we do not gain access to (or store) anything on your website visitors’ devices. We rely on IP Address and User-Agent (temporarily) for our analytics. The IP Address is sent and assigned by the ISP, not the Terminal Equipment, and the browser sends the User-Agent by default. In the future, we expect browsers to change and stop sending the User-Agent, but we want to be clear that we never access Terminal Equipment for that User-Agent string; we only process it temporarily if it’s sent to us. You can read more about the specifics of all of this on the ePrivacy page, as we’re very transparent about our reasoning.

Are Google Analytics cookies exempt from PECR?

If you use Google Analytics and do not obtain consent, you may not be compliant with PECR. At the time of writing, and as the ICO states, analytics cookies are not exempt. Google Analytics deploys through the use of cookies. If you’re in the UK, you’re required to obtain consent for using Google Analytics on your website, meaning consent that’s actively given (it’s not enough to rely on consent through browser settings, as in some other countries).

The future

We don’t know what to expect with PECR in the future. Will the UK follow suit with the ePrivacy Regulation (when it comes into play), or will they stick with what they’ve got? We’re not sure. But we’ll be keeping our finger on the pulse and adapting as required. Fathom Analytics will always do our best to comply with laws that protect your digital privacy.
