Privacy and Electronic Communications Regulations (PECR)

The General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR) are two sets of rules that govern data protection and electronic marketing communications in the UK.

PECR was introduced in 2003 and updated in 2011, while GDPR came into effect in 2018, replacing the Data Protection Act 1998.

Their full title of PECR is The Privacy and Electronic Communications (EC Directive) Regulations 2003 which is derived from European law. PECR implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.

The Information Commissioner’s Office (ICO) publish a Guide to Privacy and Electronic Communications Regulations.

Consent and opt-in

One of the key principles of both GDPR and PECR is that marketers must obtain the consent of individuals before processing their personal data or sending them electronic marketing messages. This means that individuals must actively opt-in to receive marketing messages and must be given the opportunity to easily opt-out of receiving future messages. Examples of electronic marketing messages include emails, text messages, and direct messages on social media platforms.

Cookies and online tracking

Both GDPR and PECR govern the use of cookies and other tracking technologies on websites. Websites must obtain consent from users before placing cookies on their devices, except in cases where the cookies are strictly necessary for the functioning of the website. The regulations also require website owners to provide clear and comprehensive information about the types of cookies used on their sites and their purposes.

There are two exemptions which apply where:

  • the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

Direct marketing

Direct marketing is a type of marketing that involves sending messages directly to individuals, such as through email or direct mail. GDPR and PECR require that individuals are given the opportunity to opt-out of receiving direct marketing messages, and that marketers must stop sending messages to individuals who have opted-out. The regulations also prohibit the use of pre-ticked boxes or other forms of consent that are automatically applied to individuals.


The concerns section of the ICO website contains more information on when and how individuals can report their concerns to the ICO.

If someone complains about your electronic marketing (eg spam calls or texts), cookies or other privacy issues regarding electronic communications, we will record and review their concerns, and we may investigate your compliance with PECR. If we decide it is likely you have failed to comply with PECR or other data protection legislation, we may ask you to take steps to remedy this and avoid similar complaints in future. If appropriate, we may decide to take enforcement action.

Guide to PECR ICO

Enforcement and penalties

Both GDPR and PECR are enforced in the UK by the Information Commissioner’s Office (ICO). The ICO has the power to investigate and take enforcement action against organisations that breach the regulations, including imposing fines and other penalties.

In 2021, the ICO fined British Airways and Marriott International for breaching GDPR, with fines of £20m and £18.4m respectively.


GDPR and PECR are important sets of regulations that govern data protection and electronic marketing communications in the UK.

Marketers must obtain the consent of individuals before processing their personal data or sending them marketing messages, provide clear and comprehensive information about the use of cookies on their websites, and give individuals the opportunity to opt-out of receiving direct marketing messages.

Failure to comply with GDPR and PECR can result in significant fines and other penalties, so it is essential for organizations to ensure they are following the regulations carefully.

We recommend you should always seek formal legal advice if required, from a qualified and reputable lawyer (solicitor or barrister).

We have a number of links to Free Legal Resources and Legal Organisations on our Free Legal Advice , Legal Aid and Pro Bono pages.

Read the reviews of Gavin Howe Barrister

“He is awful, underhanded and should not be practising law!”

Latest Articles

All articles can be found in our Sitemap

By Dom Watts

Dom Watts is the founder of the Ministry of Injustice. Dom works in IT and has no legal training and is not a lawyer. You can find Dom on X or Google.

In 2002 Dom Watts was an unlikely consumer champion. The dad of three from Croydon took on the power and might of Kodak – and won………

Dom on BBC Working Lunch

Dom Watts interviewed by Gerald Main BBC Radio Cambridgeshire

Dr Laurence Godfrey (Godfrey v Demon Internet Ltd [1999] EWHC QB 244) wrote: “I am very pleased to read that there appears to have been a remarkable U-turn."

Rule of Law - Open Justice - Policing By Consent

Access To Justice Is A Right Not A Privilege
Equal Justice Under Law