
PECR and ePrivacy
Telecoms privacy, direct marketing and cookie compliance under the Privacy and Electronic Communications Regulations
PECR: two distinct regimes in one instrument
The Privacy and Electronic Communications Regulations 2003 (PECR) sit alongside the UK GDPR and impose additional obligations on electronic communications providers and on any organisation using electronic marketing or cookies. Regulation 6 requires consent for the storage of, or access to, information on a user’s terminal equipment (cookies and similar technologies), subject to the strictly necessary exemption and, since the DUAA 2025, a set of further exemptions. Regulation 22 prohibits unsolicited direct marketing by electronic mail (including SMS) to individual subscribers without prior consent, with a limited soft opt-in exception for existing customers. PECR also regulates traffic data (regulations 7 and 8), location data (regulation 14), the security of public electronic communications services (regulation 5) and personal data breaches at those services (regulation 5A).
Telecoms privacy under PECR
The telecoms-specific provisions in PECR impose obligations on providers of public electronic communications networks and services that go well beyond the marketing and cookie rules. These are operational requirements that affect how communications providers handle the data generated by their networks on a continuous basis.
Traffic data (Regulations 7 and 8)
Traffic data is any data processed for the purpose of conveying a communication on an electronic communications network or for billing in respect of that communication. For telecoms providers, this includes call records, session logs, routing information, connection timestamps and IP address assignments. Regulation 7 requires that traffic data relating to a subscriber or user be erased or anonymised once it is no longer required for the purpose of conveying the communication. Retention beyond that point is permitted only for billing and interconnection payments (until the end of the period in which the bill may lawfully be challenged or payment pursued), for marketing or value-added services (with the prior consent of the subscriber or user, who must be able to withdraw it at any time), or where retention is required by other law, including the data retention regime under the Investigatory Powers Act 2016. Regulation 8 requires that, before consent for marketing or value-added services is sought, the subscriber or user is told which types of traffic data will be processed and for how long, and it limits that processing to what the relevant purpose actually requires.
Location data (Regulation 14)
Regulation 14 restricts the processing of location data, meaning data (other than traffic data) processed in an electronic communications network or by an electronic communications service that indicates the geographic position of a user’s terminal equipment. For a communications provider this is typically cell-site and other network-derived position estimates, but any positioning method the service processes, including GPS or Wi-Fi-based estimates, falls within scope. Location data relating to a user or subscriber may be processed only where that person cannot be identified from it, or where it is necessary to provide a value-added service and the user or subscriber has consented after being told the type of data processed, the purpose and duration of processing, and whether the data will be passed to a third party. Users must have a simple means, free of charge, to withdraw consent at any time and to temporarily refuse processing for an individual connection or transmission. For telecoms providers offering location-based services, fleet tracking or geofencing capabilities, Regulation 14 compliance requires careful design of consent and withdrawal mechanisms and of the data processing workflows behind them.
Calling line identification and itemised billing
Regulations 10 to 13 address calling line identification (CLI). Regulation 10 requires providers to give users a simple means to prevent the presentation of their calling line identity on a per-call basis, and to give subscribers the same on a per-line basis. Regulation 11 gives the called subscriber the mirror-image controls: a simple means to prevent presentation of incoming CLI, to reject incoming calls where CLI has been withheld, and to prevent presentation of their connected line identity to the caller. Regulation 12 requires providers to publish information about these facilities, and regulation 13 requires providers to co-operate with one another so that the controls work across networks. These provisions sit alongside Ofcom’s General Conditions of Entitlement, which impose separate requirements on CLI presentation and network interoperability. Regulation 9 addresses itemised billing: a subscriber who asks for it is entitled to a bill that is not itemised, protecting the privacy of call details. Regulation 18 requires that individual subscribers be informed, free of charge and before inclusion, of the purposes of any public directory, whether print or electronic, and be given the opportunity to decide whether their data appear in it; express consent is required before their entry can be used in a reverse-search function.
Breach notification for communications providers
Providers of public electronic communications services have a separate breach notification obligation under PECR Regulation 5A, in addition to their UK GDPR obligations. The Data (Use and Access) Act 2025 (DUAA) aligned the PECR breach notification deadline with the UK GDPR 72-hour standard, replacing the previous 24-hour deadline. Telecoms providers therefore now have a single 72-hour window for notifying the ICO under both regimes, but must still assess each breach against both sets of requirements: Regulation 5A also requires the provider to notify affected subscribers or users without undue delay where the breach is likely to adversely affect their personal data or privacy, and to keep an inventory of breaches that the ICO can inspect. Our data breach response page covers the practical management of breach incidents in detail.
Direct marketing (Regulations 21 to 24)
PECR’s direct marketing provisions are the most frequently enforced part of the regulations. Regulation 22 prohibits sending, or instigating the sending of, unsolicited direct marketing by electronic mail (which includes SMS and similar messages stored in the network or on the recipient’s device) to individual subscribers unless the recipient has previously notified the sender that they consent. The soft opt-in under Regulation 22(3) permits such marketing without prior consent only where all three conditions are met: the contact details were obtained in the course of a sale or negotiations for a sale, the marketing relates only to the sender’s own similar products or services, and the recipient was given a simple means of refusing at the time of collection and in every subsequent message. The DUAA 2025 extended the soft opt-in to registered charities for fundraising communications to people who have previously expressed interest in, or supported, the charity’s purposes.
Regulation 21 prohibits unsolicited direct marketing calls to a line whose subscriber has told the caller not to call it or is registered with the Telephone Preference Service (TPS), unless the subscriber has told the caller that they consent to such calls; since the 2016 amendments it has also required marketing callers to present a valid calling line identity. Regulation 23 prohibits electronic mail marketing where the sender’s identity is disguised or concealed, or where no valid address for opt-out requests is provided. Regulation 24 requires marketing calls (and automated calls and faxes) to carry the name of the organisation on whose behalf they are made and, for live calls on request, an address or freephone number at which it can be contacted. The ICO’s enforcement record on direct marketing is extensive: in January 2024, HelloFresh was fined for sending over 80 million unsolicited marketing messages in breach of Regulation 22, and in the same month Skean was fined for over 614,000 unsolicited calls to TPS-registered subscribers. In February 2026, TMAC Ltd received a 100,000 pound fine for breaches of Regulations 21 and 24.
Cookies and similar technologies (Regulation 6)
Regulation 6 requires prior informed consent before storing or accessing information on a user’s terminal equipment. This covers cookies, tracking pixels, device fingerprinting and local storage. The consent standard is aligned with the UK GDPR: freely given, specific, informed and unambiguous, demonstrated by a clear affirmative action.
The DUAA 2025 added new exemptions to the Regulation 6 consent requirement, effective from 5 February 2026, alongside the pre-existing exemption for storage or access that is strictly necessary to provide a service the user has requested. Under the new exemptions, consent is not required for cookies or similar technologies used solely for the security of the terminal equipment or service (including fraud and fault detection), for adapting the appearance or functionality of the service to the user’s preferences, for statistical measurement to improve the service, or for software updates, provided the conditions attached to each exemption are met; in particular, the statistical exemption requires that the user is given clear information and a simple means of objecting. Marketing cookies, advertising trackers and cross-site profiling technologies remain subject to prior consent, and an exempt technology that processes personal data must still satisfy the UK GDPR. In January 2025, the ICO’s review of the UK’s top 1,000 websites found that 134 of the top 200 sites failed cookie compliance, with 30% of the top 100 setting advertising cookies without consent. Cookie compliance remains an active enforcement area despite the DUAA reforms.
UK/EU ePrivacy divergence
The UK and EU are now on diverging paths on ePrivacy regulation. In the UK, the DUAA 2025 amended PECR directly, introducing the cookie exemptions and penalty alignment described above. The UK has no plans to replace PECR with a new instrument; instead, it is reforming the existing regulations incrementally through primary legislation.
The EU took a different approach. After years of stalled negotiations on the proposed ePrivacy Regulation (intended to replace the 2002 ePrivacy Directive), the European Commission published a revised proposal in January 2026 that would bring EU ePrivacy rules into closer alignment with the GDPR. The EU proposal would introduce a directly applicable regulation (replacing the directive, which required national implementation), extend the scope to cover over-the-top (OTT) communications services such as WhatsApp and Signal, introduce metadata protection provisions that go beyond the current directive, and impose GDPR-level penalties. The EU proposal remains subject to trilogue negotiation and is not expected to be finalised before 2027.
For businesses operating across both jurisdictions, the divergence creates practical compliance challenges. The UK’s DUAA cookie exemptions do not apply in EU Member States, where the stricter consent-based regime continues. Direct marketing rules differ in detail between UK PECR and national implementations of the ePrivacy Directive. Telecoms providers with operations in both the UK and EU must maintain dual compliance frameworks, tracking the evolving requirements in each jurisdiction. Bratby Law advises on the practical implications of UK/EU divergence for telecoms providers, technology companies and data-driven businesses, with a focus on identifying where a single compliance approach can serve both regimes and where separate treatment is required.
PECR penalties and enforcement
The DUAA 2025 raised the maximum penalty for PECR breaches from 500,000 pounds to 17.5 million pounds or 4% of global annual turnover, whichever is greater, bringing PECR enforcement into line with UK GDPR penalty levels. The ICO has enforcement powers including information notices, assessment notices, enforcement notices and monetary penalty notices. The ICO issued 4.63 million pounds in PECR fines during 2025. Direct marketing violations account for the majority of enforcement actions, with cookie compliance an increasing area of focus. The ICO’s enforcement page publishes all actions.
How Bratby Law helps with PECR compliance
We advise on both the telecoms privacy and consumer privacy dimensions of PECR:
- Telecoms privacy compliance: advising communications providers on traffic data retention, location data processing, CLI obligations, subscriber directory requirements and breach notification under the telecoms-specific PECR provisions
- Cookie and tracking compliance: auditing cookie implementations and consent management platforms against Regulation 6, including the new DUAA 2025 exemptions
- Direct marketing compliance: advising on consent requirements, soft opt-in conditions, TPS obligations and electronic marketing campaign compliance under Regulations 21 to 24
- PECR and UK GDPR interaction: advising on where PECR takes precedence as lex specialis, ensuring compliance programmes address both regimes
- UK/EU dual compliance: advising businesses operating in both jurisdictions on the practical implications of diverging ePrivacy rules, identifying where separate compliance approaches are required
- ICO enforcement response: representing organisations in ICO investigations, responding to information notices and assessment notices, advising on penalty mitigation
- DUAA 2025 implementation: advising on the practical impact of the DUAA amendments, including cookie exemptions, raised penalty thresholds and aligned breach notification
Frequently asked questions about PECR
What is the difference between PECR and the UK GDPR?
The UK GDPR is the general data protection framework governing all processing of personal data. PECR is a separate instrument that applies specifically to electronic communications: direct marketing, cookies, traffic data and location data. Where PECR applies, it takes precedence as lex specialis. Both must be complied with simultaneously. Meeting UK GDPR requirements does not automatically satisfy PECR, and vice versa.
How does PECR affect telecoms providers specifically?
Telecoms providers face PECR obligations that go beyond the marketing and cookie rules. They must comply with restrictions on processing traffic data and location data, offer CLI controls to subscribers, provide non-itemised billing on request, give subscribers the opportunity to opt out of directories before inclusion, and notify the ICO of personal data breaches within 72 hours (and affected subscribers or users without undue delay where the breach is likely to adversely affect them). These are continuous operational requirements, not one-off compliance exercises.
Do I still need cookie consent after the DUAA 2025 reforms?
Yes, for marketing and advertising cookies. Strictly necessary cookies were already exempt before the reforms; the DUAA 2025 added exemptions for security, functionality and interface tailoring, analytics and software updates, each subject to its own conditions. Advertising trackers, cross-site profiling and marketing cookies still require prior informed consent, so most commercial websites will still need a consent mechanism for at least some of their cookies.
Are UK and EU ePrivacy rules now different?
Yes, and the gap is widening. The UK amended PECR through the DUAA 2025, introducing cookie exemptions and raising penalties. The EU is working on a new ePrivacy Regulation to replace the 2002 Directive, with broader scope covering OTT services and new metadata protections. Businesses operating in both jurisdictions need to track both sets of requirements and cannot assume that UK compliance satisfies EU obligations, or vice versa.
What are the penalties for PECR breaches?
Since 5 February 2026, the maximum penalty is 17.5 million pounds or 4% of global annual turnover, whichever is greater. This is aligned with UK GDPR levels and is a significant increase from the previous 500,000 pound maximum. The ICO determines the penalty based on the nature and seriousness of the breach, the number of people affected, cooperation and previous enforcement history.
Representative experience
Recent and representative matters include:
- Advised a telecoms operator on PECR compliance for the processing of traffic data and location data, including the conditions under regulations 7 and 14 for value-added services and emergency caller location.
- Reviewed cookie consent mechanisms for a media company, assessing compliance with regulation 6 and the ICO’s guidance on analytics cookies, advertising technologies and consent management platforms.
- Advised an e-commerce business on the PECR direct marketing rules, including the regulation 22 consent requirement, the soft opt-in exception, and the interaction with UK GDPR lawful basis requirements.
- Prepared a PECR compliance assessment for a telecoms provider’s subscriber directory services, addressing regulations 18 and 19 on directory listings and caller line identification.
- Advised on the ePrivacy implications of a proposed UK ePrivacy regulation following Brexit, assessing the divergence from the EU’s proposed ePrivacy Regulation and the impact on cross-border marketing campaigns.
Related pages
See also our related practice area pages:
- Telecoms Regulation (PECR imposes telecoms-specific obligations on traffic data, location data, CLI and breach notification)
- Data Protection
- UK GDPR and Regulatory Compliance
- AI and Automated Decision-Making
- Sector-Specific Data Protection
- Data Governance, Transfers and Accountability
- Data Breach Response and ICO Notification
- Data Protection Impact Assessments
- UK/EU Data Protection Divergence
