Guide
Privacy and Electronic Communications Regulations
PECR sits alongside UK GDPR and gives specific privacy rights relating to electronic communications, including marketing calls, emails, texts, cookies, and traffic data.
The Privacy and Electronic Communications Regulations 2003 (PECR) set specific rules for electronic marketing — including emails, texts, phone calls, and faxes — and for cookies on websites. PECR sits alongside the UK GDPR and provides channel-specific rules that take precedence over general data protection provisions for electronic communications.
PECR applies to all businesses that send marketing electronically or use cookies and tracking technologies on their websites, not just technology companies.
The Data (Use and Access) Act 2025 significantly increased PECR penalties from £500,000 to £17.5 million or 4% of annual worldwide turnover (whichever is higher), aligning them with UK GDPR levels.
Electronic mail marketing
'Electronic mail' under PECR includes emails, SMS text messages, picture messages, voicemail drops, in-app messages, and direct messages over social media — not just email.
Default rule: You need prior consent before sending marketing electronic mail to individual subscribers. Consent must be freely given, specific, informed, and unambiguous (the UK GDPR standard). Pre-ticked boxes are not valid consent.
The soft opt-in exception: You can send marketing without consent if all four conditions are met:
- Contact details were obtained during your sale or genuine negotiation for a sale
- Marketing is for your similar products or services only
- An opt-out opportunity was given when details were first collected
- A simple opt-out mechanism is included in every subsequent message
Soft opt-in does not apply to third-party marketing lists, contacts from competitions or free services, or automated calling systems.
Corporate vs individual subscribers
PECR consent requirements only apply to individual subscribers. Corporate subscribers have fewer protections.
Corporate subscribers (less restricted) include limited companies (Ltd), public limited companies (plc), LLPs, Scottish partnerships, and government bodies.
Individual subscribers (consent or soft opt-in required) include sole traders, ordinary partnerships (non-LLP), unincorporated associations, and named individuals at any type of organisation.
Practical test: An email to info@company.com at a limited company is a corporate subscriber. An email to jane.smith@company.com is an individual subscriber regardless of the company type. When in doubt, treat the recipient as an individual.
Even for corporate subscribers, you must identify yourself, provide a valid opt-out mechanism, and comply with UK GDPR if processing personal data.
Telephone marketing
Live marketing calls operate on an opt-out basis (unlike electronic mail which is opt-in). You can make live marketing calls without consent, but you must not call:
- Numbers registered on the TPS (Telephone Preference Service) for 28 days or more — unless the subscriber has given specific consent to your calls
- Numbers registered on the CTPS (Corporate Telephone Preference Service)
- Anyone who has previously asked you not to call them
You must screen your call lists against TPS and CTPS registers at least every 28 days.
Automated calls (robocalls): Prior consent specifically for automated calls is always required. General marketing consent or consent for live calls is not sufficient. Soft opt-in does not apply.
Cold calling bans: Claims management services (since 2018) and pension calls (since 2019) require consent — TPS screening alone is not sufficient.
Cookies and tracking technologies
You need prior consent before setting non-essential cookies or using similar tracking technologies (web beacons, pixels, local storage, device fingerprinting) on user devices.
Strictly necessary cookies are exempt — these include shopping baskets, authentication sessions, security tokens (CSRF), and cookie consent preference cookies themselves.
DUAA 2025 new exemptions (phased from June 2025 to June 2026):
- Statistical/analytics: Permitted without consent if you provide clear information and an easy opt-out
- Functionality/appearance adaptation: Language preferences, dark mode — permitted with information and opt-out
- Emergency assistance: Location identification for emergency services
Advertising, targeting, and cross-site tracking cookies always require consent. Accept and Reject buttons must be equally prominent — no dark patterns. Cookie consent must be obtained before non-essential cookies are set.
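The gating rule above (strictly necessary cookies always allowed, DUAA-exempt analytics and functionality cookies on an information-plus-opt-out basis, advertising cookies only after unambiguous opt-in) as an added example that is not part of the original guide; the category names, the shape of the consent record and the sample cookies are constructed for this illustration.

```javascript
// Added example, not from the guide: decides which queued cookies may be set
// under the PECR/DUAA rules summarised above. Names and shapes are constructed.

const CATEGORY = {
  STRICTLY_NECESSARY: "strictly_necessary", // exempt: session, CSRF token, consent preference
  ANALYTICS: "analytics",                   // DUAA 2025 exemption: information + easy opt-out
  FUNCTIONAL: "functional",                 // DUAA 2025 exemption: information + easy opt-out
  ADVERTISING: "advertising",               // always needs prior, unambiguous consent
};

// Record kept in the (itself exempt) consent-preference cookie; null means the
// notice has not been shown yet: { informed, optOut: {analytics, functional}, optIn: {advertising} }
function mayStoreCookie(category, consent) {
  switch (category) {
    case CATEGORY.STRICTLY_NECESSARY:
      return true;
    case CATEGORY.ANALYTICS:
    case CATEGORY.FUNCTIONAL:
      // Opt-out basis, but only once the user has actually been given the information.
      if (!consent || consent.informed !== true) return false;
      return !(consent.optOut && consent.optOut[category] === true);
    case CATEGORY.ADVERTISING:
      // Opt-in basis: anything short of an explicit boolean true (pre-ticked box,
      // the string "true", a missing field) is not unambiguous consent.
      return Boolean(consent && consent.optIn && consent.optIn.advertising === true);
    default:
      // Unclassified cookies are treated as non-essential and held back.
      return false;
  }
}

// Returns only the cookies that may be set right now; the rest stay queued.
function filterCookieQueue(requests, consent) {
  return requests.filter((r) => mayStoreCookie(r.category, consent));
}

// Constructed sample data.
const REQUESTED = [
  { name: "sessionid", category: CATEGORY.STRICTLY_NECESSARY },
  { name: "csrftoken", category: CATEGORY.STRICTLY_NECESSARY },
  { name: "site_stats", category: CATEGORY.ANALYTICS },
  { name: "theme", category: CATEGORY.FUNCTIONAL },
  { name: "ad_profile", category: CATEGORY.ADVERTISING },
];
const ACCEPT_ALL = { informed: true, optOut: {}, optIn: { advertising: true } };
const REJECT_ALL = { informed: true, optOut: { analytics: true, functional: true }, optIn: { advertising: false } };

console.log(filterCookieQueue(REQUESTED, null).map((c) => c.name));       // before the notice
console.log(filterCookieQueue(REQUESTED, REJECT_ALL).map((c) => c.name)); // after Reject
console.log(filterCookieQueue(REQUESTED, ACCEPT_ALL).map((c) => c.name)); // after Accept
```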
- Maximum penalty (post-DUAA 2025): £17.5 million or 4% of annual worldwide turnover, whichever is higher
- Previous maximum penalty: £500,000 (a 35-fold increase)
- ICO PECR fines (2019 to Sep 2025): 119 monetary penalty notices totalling approximately £10.5 million
- TPS screening frequency: at least every 28 days
- Record retention for consent evidence: keep for the duration of the marketing relationship
ICO enforcement is active
- Audit your marketing database: categorise every contact by legal basis, that is valid consent (with evidence), soft opt-in (all four conditions documented), or corporate subscriber, and remove contacts with no valid basis.
- Screen call lists against TPS and CTPS: subscribe to TPS (tpsonline.org.uk) and CTPS (ctps.org.uk) and screen all call lists at least every 28 days before making marketing calls.
- Implement compliant cookie consent: audit all cookies on your website, block non-essential cookies until consent is given, and provide equally prominent Accept and Reject buttons with granular category choices.
- Include an unsubscribe mechanism in every message: every marketing email, SMS, or electronic message must include a simple, working opt-out mechanism and identify the sender. Process opt-outs promptly.
- Keep consent records: record who consented, when, what they were told, and how they consented. Maintain a suppression list of everyone who has opted out and never delete opt-out records.