Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, marketing is often the lifeblood of growth. But the moment you start sending email campaigns, running SMS promotions, using cookies on your website, or making sales calls, you’re stepping into a regulated area of privacy law.
In the UK, the key rules here come from PECR (the Privacy and Electronic Communications Regulations).
PECR sits alongside UK GDPR and the Data Protection Act 2018. It sets specific rules for electronic marketing and certain types of online tracking. And while it can feel like “just another compliance thing”, getting it right early can save you real headaches later - including complaints, regulatory action, and having to rebuild marketing lists from scratch.
Below, we’ll break down what PECR in the UK means for your business in plain English, with practical steps you can take right away. This guide is general information only and isn’t legal advice.
What Is PECR UK (And When Does It Apply To Your Business)?
PECR (often referred to as “PECR UK”) is the legal framework that governs privacy rights in relation to:
- Direct marketing by electronic means (for example email, SMS, automated calls);
- Telephone marketing (including rules around consent and preference services);
- Cookies and similar tracking technologies (like pixels, advertising identifiers, and some analytics tools); and
- Security and confidentiality in relation to electronic communications services (more relevant to telecoms providers, but the cookie and marketing rules affect almost everyone online).
In practical terms, PECR UK matters if your business does things like:
- sends marketing emails or newsletters;
- runs abandoned basket emails or promotional SMS messages;
- uses website cookies for analytics, advertising, or personalisation;
- uses a CRM and builds marketing lists;
- does outbound sales calls; or
- runs lead generation campaigns online.
Even if you only have a small list or you’re “just testing marketing”, PECR can still apply - so it’s worth setting up your processes properly from day one.
PECR UK vs UK GDPR: What’s The Difference (And Why Do You Need Both)?
A common trap for small businesses is assuming that if you’re compliant with UK GDPR, you’re automatically compliant with PECR UK. They overlap, but they’re not the same.
Think of it like this:
- UK GDPR is the broader framework about how you collect, use, store and share personal data (like names, emails, phone numbers, IP addresses, customer profiles, etc.).
- PECR UK is more specific - it focuses on electronic communications, especially marketing and cookies/tracking.
For example:
- You might have a lawful basis under UK GDPR to process a customer’s email (such as performance of a contract), but PECR may still require consent before you send them marketing emails (unless an exception applies).
- You might have a UK GDPR lawful basis to process website analytics data, but PECR still requires clear cookie rules (including consent for many types of cookies).
That’s why many businesses need both:
- a clear Privacy Policy explaining how they use personal data; and
- a compliant Cookie Policy and consent setup for tracking technologies.
If you’re unsure where PECR ends and UK GDPR begins, you’re not alone. The good news is you can usually build one joined-up compliance approach - you just need to know the PECR “extras” that apply to marketing and cookies.
Direct Marketing Under PECR UK: Emails, SMS, Phone Calls And Consent
PECR UK is especially well-known for its rules about direct marketing.
“Direct marketing” is a broad concept. It’s not just “spam”. It includes most promotional messaging aimed at individuals - including offers, discounts, “new product” announcements, and sometimes even brand awareness campaigns.
Email And SMS Marketing: The Key Rule
For most small businesses, the big question is:
Do you need consent to send marketing emails/texts?
Often, yes - especially when you’re marketing to individuals (including sole traders and some partnerships).
However, there’s also a major exception that many ecommerce and service businesses rely on: the “soft opt-in”.
The “Soft Opt-In” Exception (A Practical Lifeline For SMEs)
You may be able to send marketing emails/SMS without express consent if all of the following apply:
- You got the person’s contact details during a sale or negotiations for a sale (for example, they bought from you, requested a quote, or started a checkout);
- You’re marketing your own similar products or services (not someone else’s, and not unrelated offers);
- You gave them a clear chance to opt out at the time you collected their details; and
- You give them an easy way to unsubscribe in every marketing message.
If you’re relying on soft opt-in, it’s worth documenting your logic and making sure your sign-up/checkout flows are designed properly.
Marketing To Companies (B2B): Is It Easier?
In many cases, the PECR rules on consent are less strict when you’re emailing a corporate subscriber (for example a limited company email address like info@ or sales@).
But don’t treat B2B as a free-for-all. You still need to:
- clearly identify your business in the message;
- provide a valid contact address; and
- include a simple opt-out/unsubscribe mechanism.
Also, be careful with named business email addresses (like firstname.lastname@company.com). While PECR’s “corporate subscriber” rules can still apply, UK GDPR may still be relevant depending on how you source, use and profile those contacts - and poorly targeted outreach can trigger complaints quickly.
Phone Marketing And Preference Services
If your business does phone-based sales, PECR UK interacts with rules around live marketing calls and automated marketing calls.
Practical steps that help reduce risk include:
- training staff on what counts as “marketing” vs “service calls”;
- keeping suppression lists (people who have opted out);
- screening outbound marketing lists against relevant preference services (for example TPS/CTPS) where required;
- avoiding calling people who have clearly objected; and
- making sure you provide your identity and contact details on calls and don’t conceal your calling line identity where rules require it to be presented.
If you use a third-party agency to generate leads or make calls on your behalf, be careful - you can still be exposed if the campaign is non-compliant. This is where having the right contracts in place (and clear allocation of responsibilities) matters, such as a properly drafted Lead Generation Agreement.
Cookies And Tracking Under PECR UK: The Rules For Websites, Analytics And Ads
If your business has a website (or app), PECR UK will likely affect you through the cookie rules.
In simple terms: you usually need consent to store or access information on a user’s device (like placing cookies), unless the cookie is strictly necessary for a service the user asked for.
What Counts As A Cookie (In Practice)?
It’s not just the traditional “cookie file”. PECR cookie rules generally cover similar technologies, including:
- tracking pixels;
- advertising identifiers;
- some SDKs within apps;
- local storage technologies; and
- device fingerprinting techniques.
That’s why cookie compliance isn’t just a “website footer link” problem - it can affect your marketing stack.
Strictly Necessary Cookies vs Optional Cookies
A practical way to think about it:
- Strictly necessary cookies are essential to provide a service the user actively wants (for example, shopping basket functionality, checkout security, user login sessions).
- Optional cookies are anything that isn’t essential - commonly analytics, advertising, and personalisation cookies.
For optional cookies, you typically need:
- clear information about what cookies do and why they’re used;
- a genuine choice (accept/reject); and
- consent before they’re set (not after).
This is also where your documentation matters. A tailored Cookie Policy (and a properly configured cookie banner/consent tool) is one of the most practical, visible compliance steps you can take.
Common Small Business Cookie Mistakes To Avoid
We regularly see small businesses fall into avoidable traps like:
- Pre-ticked boxes or “by continuing to use this site you agree” banners (usually not enough for consent);
- Bundling consent (for example, forcing users to accept marketing/ads cookies to access basic content, unless there’s a lawful model behind it);
- No real reject option (or hiding it behind multiple clicks);
- Not recording consent (you should be able to evidence it); and
- Forgetting third-party cookies (embedded videos, maps, ad networks, and social media plugins can all set cookies).
If your marketing relies heavily on tracking (for example retargeting or conversion measurement), it’s worth reviewing both PECR and UK GDPR together - because consent, transparency, and data processing roles all need to line up.
A Practical PECR UK Compliance Checklist For Small Businesses
PECR UK compliance is much easier when you treat it as a set of repeatable business systems - not a one-off legal task.
Here’s a practical checklist you can work through.
1) Map Your Marketing Channels
List out every channel you use (or plan to use):
- email marketing;
- SMS marketing;
- phone calls;
- website retargeting ads;
- analytics tools and pixels.
This helps you spot where PECR rules apply, and which teams or suppliers touch personal data.
2) Review How You Collect Contact Details
Look at every place you collect emails and numbers:
- checkout pages;
- lead magnets;
- quote request forms;
- account sign-up pages;
- event sign-ups;
- manual collection (in-store, on calls, at networking events).
Then ask:
- Are we relying on consent or soft opt-in?
- Is the wording clear and specific?
- Do we tell people how to opt out?
- Do our systems record when/how we got the details?
3) Build A Proper Unsubscribe And Suppression Process
This sounds simple, but it’s one of the biggest “real world” compliance issues.
Make sure:
- unsubscribe links work and are easy to use;
- opt-outs are actioned promptly across all platforms;
- you keep a suppression list (so you don’t re-add people later); and
- any staff who do outreach understand the process.
4) Get Your Website Cookie Consent And Documents In Order
On the website side, your action plan usually includes:
- auditing cookies and trackers currently in use;
- categorising them (strictly necessary vs optional);
- implementing a consent mechanism that blocks optional cookies until consent is given;
- keeping consent records; and
- publishing/updating your Cookie Policy and Privacy Policy.
If you use third-party vendors to process customer or website data (like CRMs, email platforms, analytics providers), it’s also smart to check the contract position - a well-scoped Data Processing Agreement can help clarify what the supplier does with the data and what security standards apply.
5) Align PECR With Your UK GDPR Compliance
PECR compliance works best when it’s aligned with the rest of your privacy obligations, including:
- lawful bases under UK GDPR (consent, legitimate interests, contract, etc.);
- privacy notices and transparency;
- data minimisation (only collecting what you actually need);
- data retention (not keeping old marketing lists forever); and
- handling opt-outs and objections properly.
If you’re building this out for the first time (or you’ve grown quickly and your processes haven’t kept up), a structured approach like a GDPR package can be a practical way to get your core documents and compliance foundations consistent.
Key Takeaways
- PECR UK applies to most small businesses that send electronic marketing (email/SMS), make marketing calls, or use cookies and tracking technologies.
- PECR and UK GDPR work together: UK GDPR governs personal data broadly, while PECR adds extra rules for electronic marketing and cookies.
- Email and SMS marketing often requires consent, but many businesses can rely on the soft opt-in if they meet the conditions and include clear opt-outs.
- Cookie compliance is a major PECR area: optional cookies (analytics/ads/personalisation) generally require consent before they are set.
- Practical systems matter: record how you collected contacts, maintain suppression lists, make opt-outs easy, and ensure your website’s cookie banner and policies reflect what you actually do.
- Get advice on the tricky parts: small wording differences and technical cookie setups can change your compliance position, so getting tailored advice can be worthwhile.
If you’d like help getting your PECR UK compliance sorted - including your Privacy Policy, Cookie Policy, and marketing consent processes - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


