
PECR and ePrivacy
Cookies, direct marketing and electronic communications privacy
Telecoms privacy, direct marketing and cookie compliance under the Privacy and Electronic Communications Regulations
PECR governs privacy rights in relation to electronic communications, from cookies and tracking technologies to direct marketing by email, SMS and telephone. It sits alongside UK GDPR as a separate legal regime with its own penalties, consent requirements and enforcement mechanisms. The Privacy and Electronic Communications Regulations 2003 set out specific rules for anyone collecting electronic contact details, deploying cookies on websites, sending marketing communications, or handling traffic and location data on communications networks. Non-compliance carries substantial penalties: as of the Data Use and Access Act 2025, the maximum fine for PECR breaches is £17.5 million or 4% of global annual turnover, whichever is greater.
When PECR compliance becomes urgent
You need specialist PECR advice immediately if you are launching direct marketing campaigns by email, SMS or telephone, deploying cookies or similar tracking technologies on your website, operating an electronic communications service or network, handling traffic data or location data from telecommunications subscribers, or planning a strategy to monetise data derived from electronic communications. PECR compliance deadlines move quickly: cookie consent mechanisms must be in place before you deploy any tracking technology; marketing consent must be documented before you send the first campaign; telecommunications services must implement traffic data retention policies before handling subscriber data. By the time ICO enforcement action begins, it is usually too late to implement compliance retroactively.
Why PECR compliance matters now
PECR enforcement has intensified sharply. Under the Data Use and Access Act 2025, the maximum penalty for PECR breaches increased from £500,000 to £17.5 million or 4% of global annual turnover, bringing PECR penalties into line with UK GDPR enforcement. The ICO issued £4.63 million in PECR fines during 2025 alone. In November 2023, the ICO wrote to 53 of the UK’s top 100 websites warning of cookie compliance failures. That campaign expanded to the top 1,000 websites by 2025, with findings that 30% of the top 100 sites were setting advertising cookies without valid consent and 60% of cookie complaints in 2024 involved users being denied the option to reject non-essential tracking. Cookie consent is a live compliance priority for the ICO.
The regulatory position is also diverging internationally. The EU’s proposed ePrivacy Regulation, which would have replaced the ePrivacy Directive 2002/58/EC with a modern instrument, was withdrawn in February 2025. The UK, meanwhile, has reformed PECR through the Data Use and Access Act 2025, introducing cookie exemptions and penalty alignment but retaining the core structure of PECR. This means UK organisations can no longer assume their PECR compliance approach will work across EU operations: UK rules and EU rules on cookies and direct marketing are now moving in separate directions.
PECR marketing consent under regulation 22 is entirely separate from UK GDPR consent under Article 6. An organisation may have valid UK GDPR consent to use an email address for a particular purpose, but lack the separate PECR consent required to send marketing to it. Conversely, the soft opt-in under PECR regulation 22(3) permits marketing without prior consent in narrower circumstances than UK GDPR allows. ICO enforcement is increasingly focused on nuisance calls and unsolicited texts to subscribers, often investigating both PECR violations under regulations 21 and 22 and Telephone Preference Service compliance simultaneously.
Where PECR compliance goes wrong
The most common PECR failure is assuming that a cookie banner satisfies compliance. A compliant cookie banner must meet regulation 6, which requires prior informed consent before storing or accessing information on a user’s device. Many organisations treat their cookie banner as a box-ticking exercise: they provide a reject button, assume consent has been obtained, and move on. In reality, regulation 6 requires that consent is freely given, specific, informed and unambiguous. A cookie banner that makes rejection difficult, defaults non-essential cookies to accept, or mixes essential and non-essential cookies into a single consent choice will fail this test. The ICO has repeatedly warned that cookie consent must be genuinely informed.
A second major failure is conflating PECR marketing consent with UK GDPR consent. An organisation may lawfully send a marketing email under UK GDPR because the recipient is an existing customer and marketing falls within the organisation’s legitimate interest. That same email will breach PECR regulation 22 if the recipient has not given separate PECR consent to marketing by electronic mail. The two consent regimes operate independently. Marketing emails to individuals (not corporate subscribers) require opt-in consent under PECR; UK GDPR may permit a different basis such as legitimate interest. This is a frequent source of enforcement action.
The soft opt-in under PECR regulation 22(3) is frequently misapplied. Soft opt-in permits marketing without prior consent if the organisation obtained the contact details from the recipient during a previous transaction, the marketing is for similar products or services, and the recipient was clearly given an opportunity to opt out at the point of data collection and in every subsequent message. Many organisations claim soft opt-in without meeting all three conditions. Failing to document that opt-out was offered at the right times is a common breach. The soft opt-in does not apply to marketing by telephone or SMS to numbers registered with the Telephone Preference Service; those communications always require prior consent.
PECR applies more broadly to B2B marketing than many organisations assume. The corporate subscriber exemption under regulation 21(2)(a) creates a narrower scope: corporate subscribers (companies, government bodies, partnerships with separate legal status) may receive marketing emails without prior consent. However, this exemption does not apply to SMS, telephone calls, or fax marketing to corporate subscribers. It also does not apply to marketing calls to numbers registered with the Telephone Preference Service, whether the subscriber is a company or individual. Organisations routinely breach PECR by sending SMS or making calls to corporate numbers without consent, mistakenly believing the corporate exemption applies more widely than it does.
Another recurring error is failing to distinguish between subscriber and user consent. A subscriber is the party with a contract with the electronic communications provider. A user is anyone using the service (for example, an employee using a company phone line). PECR regulation 6 (on cookies) requires the consent of the user, not necessarily the subscriber. If your website is accessed by employees on corporate networks, you cannot rely on the company’s consent to set cookies on those employees’ browsers. This distinction is especially important for B2B platforms and services used in workplace environments.
Traffic and location data processing without a clear retention policy is a chronic problem in telecommunications services. Regulation 7 requires that traffic data be erased or anonymised as soon as it is no longer required for the communication or billing purposes. Retention beyond that point is permitted only for billing (until disputes are resolved), marketing or value-added services (with subscriber consent), or where law requires it. Many providers retain traffic and location data far longer than necessary without documenting a lawful basis. Even where consent has been obtained, the retention period must be justified and enforced in practice.
Lastly, organisations sometimes treat legitimate interest as a lawful basis for electronic marketing under PECR. It is not. PECR regulation 22 requires opt-in consent for marketing to individuals by electronic mail, or offers the narrow soft opt-in exception. There is no PECR equivalent to the UK GDPR’s legitimate interest basis. If you cannot satisfy regulation 22, you cannot send the marketing. The fact that your organisation has a legitimate interest in marketing to the recipient is irrelevant.
What good PECR compliance looks like
Bratby Law’s approach to PECR compliance starts with a cookie audit methodology. We map every cookie, pixel, tag and similar technology deployed on your website, classify them by purpose (essential, analytics, marketing, functional), identify their legal basis under PECR and UK GDPR, and design a consent architecture that genuinely meets regulation 6 requirements. This means implementing tiered consent flows where essential cookies load without consent, non-essential cookies are withheld until consent is given, and the user can access meaningful content and functionality without accepting all cookies. The ICO expects websites to make non-essential cookies genuinely optional. We document the consent mechanism, the consent record, and any subsequent refreshes or updates to ensure the organisation can demonstrate compliance to regulators.
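The tiered flow described above (essential cookies load unconditionally, non-essential cookies are withheld until a recorded decision exists, reject is as easy as accept, and the decision is exportable as a consent record) can be expressed as a small policy object that is testable without a browser. The block below is an added illustration, not Bratby Law's code or any consent platform's API; the cookie names, their purpose categories and the `Set-Cookie` attributes are constructed assumptions standing in for the output of a real cookie audit.

```javascript
// Added example (not Bratby Law's code): a consent gate modelling the tiered
// flow in the text. It is framework-agnostic and runs without a browser so the
// policy can be unit-tested; a real site would wire it to its cookie setter.

// Cookie inventory: constructed sample names and purposes, using the categories
// the text names (essential, analytics, marketing, functional). This is the
// output of the audit step; anything not listed is treated as unknown.
const COOKIE_INVENTORY = {
  session_id: { purpose: "essential", setBy: "first-party" },
  csrf_token: { purpose: "essential", setBy: "first-party" },
  theme_pref: { purpose: "functional", setBy: "first-party" },
  _analytics: { purpose: "analytics", setBy: "third-party" },
  ad_segment: { purpose: "marketing", setBy: "third-party" },
};

const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// Initial state: no decision recorded and every non-essential category off.
// Nothing is pre-ticked, and nothing non-essential may load until decidedAt is set.
function createConsentState() {
  const choices = {};
  for (const c of NON_ESSENTIAL) choices[c] = false;
  return { version: 1, decidedAt: null, choices };
}

// Record an explicit decision. Only known categories with boolean values are
// accepted, so a banner bug (or a stray "true" string) cannot grant consent.
// Returns a new state; the previous one is left untouched.
function recordDecision(state, partialChoices, now = Date.now()) {
  const choices = { ...state.choices };
  for (const c of NON_ESSENTIAL) {
    if (typeof partialChoices[c] === "boolean") choices[c] = partialChoices[c];
  }
  return { ...state, decidedAt: now, choices };
}

// Reject-all and accept-all are symmetric one-step actions, so a banner can
// offer equally prominent buttons for each.
function rejectAll(state, now = Date.now()) {
  return recordDecision(state, Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])), now);
}
function acceptAll(state, now = Date.now()) {
  return recordDecision(state, Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), now);
}

// The gate: may this cookie be stored on the device under the current state?
// Essential cookies always pass; non-essential ones need a recorded, positive
// decision for their category; unknown cookies fail closed.
function mayStore(state, cookieName) {
  const entry = COOKIE_INVENTORY[cookieName];
  if (!entry) return false;
  if (entry.purpose === "essential") return true;
  return state.decidedAt !== null && state.choices[entry.purpose] === true;
}

// Build a Set-Cookie header value only when the gate allows it; otherwise
// return null so the caller can log the attempt instead of silently setting it.
function gatedSetCookie(state, name, value, maxAgeSeconds = 3600) {
  if (!mayStore(state, name)) return null;
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Audit helper: given cookie names observed on a page (for example from a crawl
// made before any banner interaction), list those that should not have been set.
function auditObservedCookies(state, observedNames) {
  return observedNames.filter((n) => !mayStore(state, n));
}

// Consent record for demonstrating compliance: what was chosen, when, and which
// inventory version the choice was made against.
function exportConsentRecord(state) {
  return JSON.stringify({
    inventoryVersion: state.version,
    decidedAt: state.decidedAt === null ? null : new Date(state.decidedAt).toISOString(),
    choices: state.choices,
  });
}

// Usage: a pre-decision crawl that sees an analytics and an advertising cookie
// alongside the session cookie reports the two non-essential ones as violations.
const fresh = createConsentState();
console.log(auditObservedCookies(fresh, ["session_id", "_analytics", "ad_segment"]));
console.log(exportConsentRecord(rejectAll(fresh, Date.UTC(2025, 0, 1))));
```

The two properties worth carrying into a production implementation are that the gate fails closed for any cookie missing from the inventory (so a newly added tag cannot load by accident) and that consent is granted only by an explicit boolean, so a misconfigured banner cannot turn a category on.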
For direct marketing compliance, we design consent architectures that satisfy both PECR and UK GDPR requirements in parallel. This typically involves separate consent requests (or a single request clearly segmented) for marketing by different channels (email, SMS, telephone), different purposes (product updates versus discounts versus research), and different entities (your organisation versus third-party partners). We maintain records that distinguish between PECR soft opt-in consent, PECR prior consent, and UK GDPR lawful basis. We build opt-out mechanisms that respond immediately and that do not require the user to navigate multiple systems or confirm their request multiple times. For organisations using the soft opt-in, we document the transaction, the data collection point, the opt-out opportunity, and the relationship between the product or service being marketed and the previous transaction.
For telecommunications providers and electronic communications services, PECR compliance requires a more technical approach. We advise on traffic and location data retention policies that balance operational necessity (billing, dispute resolution, network management) against PECR’s requirement that data be erased or anonymised as soon as no longer needed. We document the lawful basis for any retention beyond the immediate period. We implement subscriber consent mechanisms for value-added services that use traffic or location data, and we ensure that subscriber directories and itemised billing comply with regulations 8 and 9. PECR compliance for telecoms differs materially from B2C websites because the data flows are more complex and the regulatory requirements are more prescriptive. Bratby Law’s telecoms regulation practice provides specialist insight into PECR compliance for communications providers that generalist data protection advisors often lack.
When to instruct specialist PECR counsel
Instruct PECR specialist counsel immediately if the ICO has initiated an investigation or enforcement action. PECR investigations move quickly and often result in substantial fines. Early intervention can lead to negotiated compliance undertakings that avoid formal enforcement. Do not wait to be contacted by the ICO; if you have reason to believe you may be non-compliant, seek advice proactively.
Design cookie consent mechanisms only with specialist PECR counsel involved. Cookie compliance is technically complex, legally uncertain in places, and subject to active ICO enforcement. A poorly designed banner can expose you to investigation and fines, and retrofitting a new consent system after deployment is costly and disruptive.
Commission a marketing compliance audit if you run email, SMS or telephone marketing campaigns at scale. Many organisations discover during an audit that they lack proper consent records, have not applied soft opt-in correctly, have accidentally captured consent for the wrong purpose, or have failed to implement opt-out correctly. Fixing these issues before the ICO becomes involved is far cheaper than responding to enforcement action.
If you operate a telecommunications service or electronic communications network, engage PECR counsel to advise on traffic and location data handling, subscriber directories, and itemised billing. These areas are highly specialised and require technical understanding of network architecture alongside regulatory knowledge.
If you process traffic or location data in any context, obtain specialist advice on your retention policy and lawful basis. This applies to internet service providers, VPN services, mobile applications that collect location data, and any business that processes telecommunications metadata.
Frequently asked questions about PECR and ePrivacy
Does PECR apply to my website if I only collect analytics data?
PECR regulation 6 applies to any storage of information on a user’s device, including analytics cookies that do not identify the user. If you place an analytics cookie on a visitor’s browser without consent, you breach PECR, regardless of whether the cookie is anonymous or pseudonymous. The ICO’s position is that regulation 6 consent is required before the cookie is first placed. Some cookies (security, session management) may be considered exempt as strictly necessary, but the burden of proving this falls on you. Obtain specialist advice on which cookies genuinely qualify as exempt.
Can I rely on a third party’s cookie consent platform to manage PECR compliance for my website?
A third-party consent platform (such as OneTrust or Cookiebot) can help automate consent management, but it does not transfer your PECR liability to the vendor. You remain liable for breaches. If the platform fails to obtain valid consent, or allows non-essential cookies to load without consent, the breach is yours. Audit your consent platform regularly, understand how it classifies cookies, and ensure it implements your consent decisions accurately. Some platforms default to weak consent flows; do not assume the default is compliant.
Does PECR require consent to add an existing customer to my marketing list?
It depends on the channel and whether you can apply the soft opt-in. For marketing by email to an individual, PECR requires opt-in consent unless the soft opt-in applies. The soft opt-in permits email marketing without prior consent if you obtained the email from a previous transaction, the marketing relates to similar products or services, and the recipient was clearly offered the chance to opt out at the point of data collection and in every subsequent email. Even if soft opt-in applies, the first marketing email must include an easy opt-out mechanism. For SMS or telephone marketing to an individual, you always need prior consent, regardless of whether they are a customer. For email to a corporate subscriber, prior consent is not required under PECR regulation 21(2)(a), but the recipient must still be able to opt out easily and you must respect opt-out requests immediately.
What is the difference between PECR consent and UK GDPR consent for marketing?
PECR consent under regulation 22 and UK GDPR consent under Article 6 are separate legal requirements. You may have a valid UK GDPR lawful basis (such as legitimate interest or performance of contract) to use an email address for business purposes, but still lack PECR consent to send marketing. Conversely, if you have obtained valid PECR consent, you still need a separate UK GDPR lawful basis for processing that individual’s personal data for marketing purposes. In practice, most organisations use consent as the lawful basis for both PECR and UK GDPR for marketing. If your marketing is not one-off but ongoing, structure your consent request to satisfy both regimes clearly.
What is the ICO’s current position on cookie compliance?
The ICO expects prior informed consent under PECR regulation 6 before non-essential cookies are placed. Cookie consent must be freely given (no dark patterns or pre-ticked boxes), specific (separate consents for different purposes or categories of cookies), informed (the user understands what data will be collected and how), and unambiguous (clearly affirmative action is required). Reject and accept buttons must be equally prominent. The ICO has flagged that a large number of websites continue to fail these standards. In 2025 the ICO expanded its cookie compliance review from the top 100 to the top 1,000 most visited UK websites. If your website handles substantial traffic, assume you may receive an ICO notice requesting evidence of compliance.
Can I use legitimate interest as the lawful basis for PECR marketing?
No. PECR regulation 22 permits marketing without prior consent only in narrow circumstances: if the recipient is a corporate subscriber and the marketing is by email (regulation 21(2)(a)), or if the soft opt-in conditions are satisfied (regulation 22(3)). If neither applies, you must have prior opt-in consent. Legitimate interest is a lawful basis available under UK GDPR for some types of processing, but it is not a basis for electronic marketing under PECR. If you cannot satisfy regulation 22, you cannot send the marketing, no matter how strong your legitimate interest.
Representative experience
Recent and representative matters include:
- Advised a telecoms operator on PECR compliance for the processing of traffic data and location data, including the conditions under regulations 7 and 14 for value-added services and emergency caller location.
- Reviewed cookie consent mechanisms for a media company, assessing compliance with regulation 6 and the ICO’s guidance on analytics cookies, advertising technologies and consent management platforms.
- Advised an e-commerce business on the PECR direct marketing rules, including the regulation 22 consent requirement, the soft opt-in exception, and the interaction with UK GDPR lawful basis requirements.
- Prepared a PECR compliance assessment for a telecoms provider’s subscriber directory services, addressing regulations 18 and 19 on directory listings and caller line identification.
- Advised on the ePrivacy implications of a proposed UK ePrivacy regulation following Brexit, assessing the divergence from the EU’s proposed ePrivacy Regulation and the impact on cross-border marketing campaigns.
Rob Bratby advises on PECR compliance and ePrivacy issues, drawing on his telecoms regulatory background at Oftel and Ofcom. Bratby Law is ranked in Chambers UK (Band 2) for telecoms and recognised by Lexology as a Global Elite Thought Leader for data protection.
Related data protection pages
See also our related practice area pages:
- Data Protection Impact Assessments
- UK/EU Data Protection Divergence
- Data Breach Response and ICO Notification
- Data Governance, Transfers and Accountability
- UK GDPR Compliance
- AI and Automated Decision-Making
- Sector-Specific Data Protection
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a Band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms)
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data
See our Core Communication case study for an example of how we advise on consumer-facing privacy notices.
Primary sources
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
- Data (Use and Access) Act 2025, Schedule 13 — New PECR enforcement schedule (£17.5 million / 4% of global annual turnover cap)
- ICO — Direct marketing guidance
- ICO — Guidance on the use of storage and access technologies (cookies and similar)
