Technology & Digital Technology and digital platforms

Privacy and Electronic Communications Regulations

PECR sits alongside UK GDPR and gives specific privacy rights relating to electronic communications, including marketing calls, emails, texts, cookies, and traffic data.

UK-wide
Guide summary

Follow special rules for marketing calls, emails, texts, and website cookies. Get consent before sending marketing messages or using cookies. Check call lists against do-not-call registries every 28 days. Fines can reach £17.5 million.

  • Get consent before sending marketing emails or texts
  • Check call lists against TPS and CTPS every 28 days
  • Provide clear opt-out in every marketing message
  • Get consent before using non-essential cookies
  • Keep records of consent and opt-outs
  • Fines can be £17.5m or 4% of turnover
  • Screen pension and claims calls extra carefully
  • Treat sole traders like individuals not companies
  • Accept and reject cookie buttons must look equal
  • Block non-essential cookies until consent given
On this page
UK-wide

Related guides in Digital & Technology

Tech Sector Compliance Overview

Comprehensive guide to regulatory compliance for technology businesses - UK GDPR, data protection, online safety, cybersecurity, and sector-specific …

The Privacy and Electronic Communications Regulations 2003 (PECR) set specific rules for electronic marketing — including emails, texts, phone calls, and faxes — and for cookies on websites. PECR sits alongside the UK GDPR and provides channel-specific rules that take precedence over general data protection provisions for electronic communications.

PECR applies to all businesses that send marketing electronically or use cookies and tracking technologies on their websites, not just technology companies.

The Data (Use and Access) Act 2025 significantly increased PECR penalties from £500,000 to £17.5 million or 4% of annual worldwide turnover (whichever is higher), aligning them with UK GDPR levels.

Electronic mail marketing

'Electronic mail' under PECR includes emails, SMS text messages, picture messages, voicemail drops, in-app messages, and direct messages over social media — not just email.

Default rule: You need prior consent before sending marketing electronic mail to individual subscribers. Consent must be freely given, specific, informed, and unambiguous (the UK GDPR standard). Pre-ticked boxes are not valid consent.

The soft opt-in exception: You can send marketing without consent if all four conditions are met:

  1. Contact details were obtained during your sale or genuine negotiation for a sale
  2. Marketing is for your similar products or services only
  3. An opt-out opportunity was given when details were first collected
  4. A simple opt-out mechanism is included in every subsequent message

Soft opt-in does not apply to third-party marketing lists, contacts from competitions or free services, or automated calling systems.

Corporate vs individual subscribers

PECR consent requirements only apply to individual subscribers. Corporate subscribers have fewer protections.

Corporate subscribers (less restricted) include limited companies (Ltd), public limited companies (plc), LLPs, Scottish partnerships, and government bodies.

Individual subscribers (consent or soft opt-in required) include sole traders, ordinary partnerships (non-LLP), unincorporated associations, and named individuals at any type of organisation.

Practical test: An email to info@company.com at a limited company is a corporate subscriber. An email to jane.smith@company.com is an individual subscriber regardless of the company type. When in doubt, treat the recipient as an individual.

Even for corporate subscribers, you must identify yourself, provide a valid opt-out mechanism, and comply with UK GDPR if processing personal data.

Telephone marketing

Live marketing calls operate on an opt-out basis (unlike electronic mail which is opt-in). You can make live marketing calls without consent, but you must not call:

  • Numbers registered on the TPS (Telephone Preference Service) for 28 days or more — unless the subscriber has given specific consent to your calls
  • Numbers registered on the CTPS (Corporate Telephone Preference Service)
  • Anyone who has previously asked you not to call them

You must screen your call lists against TPS and CTPS registers at least every 28 days.

Automated calls (robocalls): Prior consent specifically for automated calls is always required. General marketing consent or consent for live calls is not sufficient. Soft opt-in does not apply.

Cold calling bans: Claims management services (since 2018) and pension calls (since 2019) require consent — TPS screening alone is not sufficient.

Cookies and tracking technologies

You need prior consent before setting non-essential cookies or using similar tracking technologies (web beacons, pixels, local storage, device fingerprinting) on user devices.

Strictly necessary cookies are exempt — these include shopping baskets, authentication sessions, security tokens (CSRF), and cookie consent preference cookies themselves.

DUAA 2025 new exemptions (phased from June 2025 to June 2026):

  • Statistical/analytics: Permitted without consent if you provide clear information and an easy opt-out
  • Functionality/appearance adaptation: Language preferences, dark mode — permitted with information and opt-out
  • Emergency assistance: Location identification for emergency services

Advertising, targeting, and cross-site tracking cookies always require consent. Accept and Reject buttons must be equally prominent — no dark patterns. Cookie consent must be obtained before non-essential cookies are set.

Maximum penalty (post-DUAA 2025)
£17.5 million or 4% of annual worldwide turnover, whichever is higher
Previous maximum penalty
£500,000 (a 35-fold increase)
ICO PECR fines (2019-Sep 2025)
119 monetary penalty notices totalling approximately £10.5 million
TPS screening frequency
At least every 28 days
Record retention for consent evidence
Keep for duration of the marketing relationship

ICO enforcement is active

The ICO regularly issues fines for PECR breaches. Recent examples include:

  • £250,000 — Green Spark Energy Ltd (September 2025) for 9.5 million automated marketing calls without consent
  • £90,000 — AFK Letters Co Ltd (April 2025) for 95,000+ calls to TPS-registered numbers
  • £50,000 — sole trader (May 2025) for 194,000+ unlawful marketing calls
  • £340,000 — two companies (April 2024) for aggressive unwanted marketing calls

With the new £17.5 million maximum, these fines could be significantly higher for future cases. Sole traders and directors face personal liability.

  1. 1

    Audit your marketing database

    Categorise every contact by legal basis — valid consent (with evidence), soft opt-in (all 4 conditions documented), or corporate subscriber. Remove contacts with no valid basis.

  2. 2

    Screen call lists against TPS and CTPS

    Subscribe to TPS (tpsonline.org.uk) and CTPS (ctps.org.uk). Screen all call lists at least every 28 days before making marketing calls.

  3. 3

    Implement compliant cookie consent

    Audit all cookies on your website. Block non-essential cookies until consent is given. Provide equally prominent Accept and Reject buttons with granular category choices.

  4. 4

    Include an unsubscribe mechanism in every message

    Every marketing email, SMS, or electronic message must include a simple, working opt-out mechanism and identify the sender. Process opt-outs promptly.

  5. 5

    Keep consent records

    Record who consented, when, what they were told, and how they consented. Maintain a suppression list of everyone who has opted out — never delete opt-out records.

PECR guidance and resources

ICO guidance on electronic marketing and cookie compliance.

ICO guidance on PECR (opens in a new tab)