Categories
Law

Privacy and Electronic Communications Regulations (PECR)

pecr cookies and privacy

The General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR) are two sets of rules that govern data protection and electronic marketing communications in the UK.

PECR was introduced in 2003 and updated in 2011, while GDPR came into effect in 2018, replacing the Data Protection Act 1998.

Their full title of PECR is The Privacy and Electronic Communications (EC Directive) Regulations 2003 which is derived from European law. PECR implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.

The Information Commissioner’s Office (ICO) publish a Guide to Privacy and Electronic Communications Regulations.

Consent and opt-in

One of the key principles of both GDPR and PECR is that marketers must obtain the consent of individuals before processing their personal data or sending them electronic marketing messages. This means that individuals must actively opt-in to receive marketing messages and must be given the opportunity to easily opt-out of receiving future messages. Examples of electronic marketing messages include emails, text messages, and direct messages on social media platforms.

Cookies and online tracking

Both GDPR and PECR govern the use of cookies and other tracking technologies on websites. Websites must obtain consent from users before placing cookies on their devices, except in cases where the cookies are strictly necessary for the functioning of the website. The regulations also require website owners to provide clear and comprehensive information about the types of cookies used on their sites and their purposes.

There are two exemptions which apply where:

  • the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

Direct marketing

Direct marketing is a type of marketing that involves sending messages directly to individuals, such as through email or direct mail. GDPR and PECR require that individuals are given the opportunity to opt-out of receiving direct marketing messages, and that marketers must stop sending messages to individuals who have opted-out. The regulations also prohibit the use of pre-ticked boxes or other forms of consent that are automatically applied to individuals.

Complaints

The concerns section of the ICO website contains more information on when and how individuals can report their concerns to the ICO.

If someone complains about your electronic marketing (eg spam calls or texts), cookies or other privacy issues regarding electronic communications, we will record and review their concerns, and we may investigate your compliance with PECR. If we decide it is likely you have failed to comply with PECR or other data protection legislation, we may ask you to take steps to remedy this and avoid similar complaints in future. If appropriate, we may decide to take enforcement action.

Guide to PECR ICO

Enforcement and penalties

Both GDPR and PECR are enforced in the UK by the Information Commissioner’s Office (ICO). The ICO has the power to investigate and take enforcement action against organisations that breach the regulations, including imposing fines and other penalties.

In 2021, the ICO fined British Airways and Marriott International for breaching GDPR, with fines of £20m and £18.4m respectively.

GDPR and PECR are important sets of regulations that govern data protection and electronic marketing communications in the UK.

Marketers must obtain the consent of individuals before processing their personal data or sending them marketing messages, provide clear and comprehensive information about the use of cookies on their websites, and give individuals the opportunity to opt-out of receiving direct marketing messages.

Failure to comply with GDPR and PECR can result in significant fines and other penalties, so it is essential for organizations to ensure they are following the regulations carefully.

The Ministry of Injustice is not the Ministry of Justice nor is it affiliated in any way with the justice system, legal profession, police or any other law enforcement agencies.

Latest Articles

Most Popular

You should always seek formal legal advice from a qualified and reputable lawyer (solicitor or barrister).

There are a number of links to Free and Paid For Legal Resources and Legal Organisations on the Free Legal Advice , Legal Aid and Pro Bono pages.

[post_title] was last updated on the 2nd June 2026

By Dom Watts

Dom Watts founded the Ministry of Injustice in July 2021. Dom is an IT Professional with 30+ years experience in Tier 1 Banking, Government, Defence, Healthcare and Global Blue Chips. Dom has no legal training and is not a lawyer but has previously consulted for a Magic Circle Law Firm. You can find Dom on X or Google.

Dom Watts publishes the Ministry of Injustice as a citizen journalist. The journalism exemption is detailed in the Data protection and journalism code of practice published by the ICO and Section 124 of the Data Protection Act 2018.

Section 2 of the Defamation Act 2013 sets out the defence of truth. Section 3 of the Defamation Act 2013 sets out the defence of honest opinion. Section 4 of the Defamation Act 2013 sets out the defence of public interest. Section 8 of the Defamation Act 2013 sets out the single publication rule.

Section 4a of The Limitation Act 1980 defines the time limit for actions for defamation or malicious falsehood as one year from the date on which the cause of action accrued.

Article 10 of the Human Rights Act 1998 gives the right to freedom of expression. "This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers."

"Free speech encompasses the right to offend, and indeed to abuse another." - Para 43 Scottow v CPS [2020] EWHC 3421 (Admin)

"Free speech is a fundamental common law right" - Para 21 R v Shayler [2002] UKHL 11 [2003] 1 AC 247 per Lord Bingham and Para 42 Phillips -v- Secretary of State for Foreign, Commonwealth and Development Affairs [2024] EWHC 32 (Admin)

Dom is a member of The Free Speech Union

“A key issue here is the need to distinguish between conduct which, however objectionable, does not justify invoking the criminal law and conduct which crosses the line and results in criminal liability" - Para 31 R v O’Neill [2016] EWCA Crim 92 [2016]

“Harassment is generally understood to involve improper oppressive and unreasonable conduct that is targeted at an individual and calculated to produce alarm and distress” - Para 38 R v O’Neill [2016] EWCA Crim 92 [2016]

"The behaviour said to amount to harassment must reach a level of seriousness passing beyond irritations, annoyances....The gravity of the misconduct must be of an order which would sustain criminal liability" - Paras [40-44] Hayden v Dickenson [2020] EWHC 3291 (QB)

"If you tell the truth, you don't have to remember anything"

In 2002 Dom Watts was an unlikely consumer champion. The dad of three from Croydon took on the power and might of Kodak – and won...Dom on BBC Working Lunch

Rule of Law - Open Justice - Policing By Consent