Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is PECR And How It Fits With UK GDPR
- When Does PECR Apply To Your Business?
- Compliance Steps, Documents And Ongoing Governance
- 1) Map Your Channels And Technologies
- 2) Choose The Right Legal Basis And Path
- 3) Update Your Notices And Records
- 4) Sort Your Vendor Contracts And Data Flows
- 5) Implement Robust Opt‑Out And Suppression Processes
- 6) Review Your Design And Copy
- 7) Keep It Under Review
- Key Documents And Policies
- Training And Accountability
- Common PECR Pitfalls To Avoid
- Useful Extras
- Key Takeaways
If your business sends marketing emails, runs SMS campaigns, makes sales calls, or uses cookies on your website, the Privacy and Electronic Communications Regulations (PECR) apply to you.
PECR sits alongside UK GDPR and sets specific rules for electronic marketing and tracking technologies. In practice, most compliance headaches (and fines) in this area come down to PECR basics: consent where required, clear opt-outs, and not dropping non‑essential cookies before you have permission.
In this guide, we’ll break down what PECR is, when it applies, and what small businesses need to do to stay compliant from day one.
What Is PECR And How It Fits With UK GDPR
PECR is the UK’s Privacy and Electronic Communications Regulations 2003 (as amended). It works alongside the Data Protection Act 2018 and UK GDPR to protect people’s privacy in the digital space.
Here’s how they fit together in plain English:
- UK GDPR covers how you collect, use and protect personal data generally (lawful bases, transparency, security, subject rights, etc.).
- PECR adds extra, specific rules for electronic marketing and tracking – think marketing emails and texts, live and automated calls, and cookies/other trackers on websites and apps.
- When both apply, you must comply with both. For example, if you send a promotional email, PECR dictates whether you need consent first, while UK GDPR governs how you store evidence of that consent and respect unsubscribe requests.
The Information Commissioner’s Office (ICO) enforces both regimes. While fines are a last resort, the ICO expects businesses to get the basics right – and that starts with understanding when PECR is triggered.
When Does PECR Apply To Your Business?
PECR applies whenever you engage in “electronic communications” for marketing or use tracking technologies. Common scenarios for SMEs include:
- Sending promotional emails or SMS messages to consumers or sole traders/partnerships.
- Making live marketing calls, using auto‑diallers or leaving automated voice messages.
- Running a newsletter that includes offers or upsells.
- Using cookies, pixels, SDKs or similar tech for analytics, personalisation, or advertising on your website or app.
It also applies to business‑to‑business (B2B) marketing – but the rules differ depending on whether you market to “corporate subscribers” (e.g. limited companies and LLPs) or to individuals/sole traders/partnerships. The consent bar is generally higher for individual recipients than for corporate recipients.
A helpful way to think about it:
- If you’re tracking users or dropping non‑essential cookies, you’ll usually need consent before doing so.
- If you’re sending electronic marketing, the default is consent unless you fall within a narrow exception (like the “soft opt‑in” for your own similar products).
Email And SMS Marketing: PECR Rules You Must Follow
Email and SMS are subject to strict PECR rules. If you market to individual recipients (including sole traders and some partnerships), you usually need their prior consent. For corporate recipients (e.g. info@company.com), the rules are more flexible, but you still need to provide an opt‑out and comply with UK GDPR.
Consent Vs Soft Opt‑In
Under PECR, consent must be freely given, specific, informed and unambiguous. Pre‑ticked boxes aren’t valid. If you rely on consent, keep clear records of when, how and what the person consented to.
There is a limited exception called the “soft opt‑in” for email and SMS marketing. You can market your own similar products or services to existing customers if all of the following apply:
- You obtained their contact details during a sale or negotiations for a sale.
- You’re marketing your own similar products/services (not a third party’s).
- You gave them a clear chance to opt out at collection and in every message.
Keep in mind, “similar” is interpreted narrowly and won’t cover unrelated offerings. If you’re unsure, it’s safer to obtain consent or adjust the campaign.
If you’re designing a strategy around this, it’s worth reviewing your approach to soft opt‑in and wider email marketing laws so your list building and templates support compliance.
What Must Every Message Include?
Every marketing email or text should:
- Clearly identify your business as the sender.
- Include a simple, no‑cost (or basic rate) way to opt out (unsubscribe) from future messages.
- Honour opt‑out requests promptly and maintain a suppression list.
Buying third‑party lists is high risk. You must be confident the contacts gave valid consent for your specific marketing, which is difficult to verify and prove to the ICO. In most cases, build your own list properly.
What About B2B Emails?
Marketing to “corporate subscribers” is allowed without prior consent if your content is relevant to their role and you include an opt‑out in every message. However, if you’re emailing a sole trader or a general partnership, treat them as individuals and follow the stricter rules.
Don’t Forget UK GDPR
Beyond PECR, make sure the data you hold is handled lawfully under UK GDPR. That means having the right transparency notices and retention practices in place. Most businesses will need a clear, tailored Privacy Policy that explains your marketing activity and people’s rights.
Cookies, Analytics And Other Tracking Technologies
PECR requires consent before you set any non‑essential cookies or similar technologies. “Strictly necessary” cookies (e.g. those needed to make a basket or login work) don’t need consent, but analytics, personalisation and advertising cookies usually do.
Practical Rules For Cookie Compliance
- Don’t set non‑essential cookies until the user has given clear, affirmative consent.
- Offer real choice – the option to reject should be as easy as accept.
- Use plain language to explain what each category does.
- Let users change their preferences and withdraw consent easily.
- Keep records of consent signals and respect them across your site.
Getting your banner right matters. Many businesses need to revisit their design to ensure consent happens before cookies fire and that users can say “no” as easily as “yes”. If you’re reviewing your UX, look at practical steps for cookie banners and why providing clear Reject All Cookies buttons is now essential.
Cookie Policies And Website Notices
Transparency is a GDPR requirement – users should know what you’re doing and why. A well‑drafted Cookie Policy explains the categories you use, purposes, retention and providers, and links to your consent tools. It should sit alongside your Privacy Policy for a complete picture.
What About “Legitimate Interests” For Cookies?
For non‑essential cookies and similar technologies, PECR generally requires consent regardless of your UK GDPR lawful basis. In other words, legitimate interests won’t fix a lack of consent for analytics or advertising cookies under PECR.
Phone Marketing, Live Calls And Automated Messages
PECR also governs marketing calls (including recorded messages and auto‑diallers). Here’s what SMEs should know:
Live Sales Calls
- You must not call anyone who has told you they don’t want your calls (keep internal “do not call” lists).
- Before calling, screen numbers against the Telephone Preference Service (TPS) and Corporate TPS (CTPS). Don’t call registered numbers for marketing purposes unless they’ve consented.
- Display your number (CLI) and identify who’s calling at the start of the call.
Automated Calling Systems And Voicemails
Pre‑recorded marketing messages and auto‑diallers require prior consent. Without it, they are prohibited. This is an area where complaints quickly lead to enforcement, so if you use automation, ensure your consent language is crystal clear and properly captured.
Customer Service Vs Marketing
Non‑marketing service messages (e.g. delivery updates, appointment reminders) are not “marketing” under PECR. However, the line is thin – if your message includes promotional content (discounts, upsells), it becomes marketing and triggers the rules. Keep transactional messaging clean if you want to rely on the non‑marketing route.
Compliance Steps, Documents And Ongoing Governance
PECR compliance isn’t complicated when you break it down into practical steps. Use the checklist below to get your legal foundations in place and reduce risk as you grow.
1) Map Your Channels And Technologies
- List all your marketing channels: email, SMS, live calls, automated voice, in‑app messaging.
- List your tracking tech: cookies, pixels (e.g., Meta/LinkedIn), analytics (Google Analytics), heatmaps, chat widgets, A/B testing tools, SDKs in mobile apps.
- For each, mark whether it’s marketing (PECR marketing rules) or tracking (PECR cookies rules) – or both.
2) Choose The Right Legal Basis And Path
- For email/SMS: decide between consent or soft opt‑in and align your signup flows and message templates accordingly.
- For cookies: implement a consent management platform (CMP) that holds back non‑essential scripts until consent is given.
- For calls: implement TPS/CTPS screening and internal “do not call” processes.
3) Update Your Notices And Records
- Publish a clear Privacy Policy and Cookie Policy that match what you actually do.
- Add compliant consent language at collection points (forms, checkouts, lead magnets).
- Set up consent and unsubscribe logs. You need to be able to show the ICO when and how consent was captured and that opt‑outs are honoured.
4) Sort Your Vendor Contracts And Data Flows
- Put a Data Processing Agreement in place with email platforms, CRM systems, analytics providers and other processors that handle your data.
- Check where data is stored or accessed (UK/EU/overseas) and put appropriate safeguards in place.
- Review what your tags and third‑party plugins actually collect and send – turn off any unnecessary data collection.
5) Implement Robust Opt‑Out And Suppression Processes
- Make unsubscribe links obvious and one‑click where possible.
- Sync suppression lists across tools (ESP, CRM, SMS, dialler) so opt‑outs are respected everywhere.
- Train your team to process manual opt‑outs quickly and politely.
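The consent-or-soft-opt-in decision in the email/SMS section and the shared suppression list in step 5 can be expressed as a pre-send check. The following is an added example, not Sprintlaw's code or any platform's API: it merges opt-outs exported from several tools into one normalised set, then applies the two lawful routes the guide describes (a recorded consent for this channel, or the soft opt-in where every condition holds) to each contact. The record shapes, field names and sample contacts are constructed for illustration.

```javascript
// Added example (not Sprintlaw's code). Record shapes and sample data are constructed.

// Opt-outs arrive from several platforms (ESP, CRM, SMS gateway, dialler) in
// varying case and spacing; normalise before merging so one suppression set
// applies everywhere.
function normaliseEmail(addr) {
  return String(addr).trim().toLowerCase();
}

function buildSuppressionSet(sources) {
  const set = new Set();
  for (const source of sources) {
    for (const addr of source.optOuts) set.add(normaliseEmail(addr));
  }
  return set;
}

// Decide whether one contact may receive one campaign. Suppression is checked
// first so an opt-out overrides any earlier consent. A send is allowed on a
// recorded consent for this channel, or under the soft opt-in when all of its
// conditions are met: details obtained during a sale, own (not third-party)
// product that is on the contact's "similar products" list, opt-out offered at
// collection, and an unsubscribe in the message itself.
function eligibility(contact, campaign, suppressed) {
  const email = normaliseEmail(contact.email);
  if (suppressed.has(email)) return { email, send: false, reason: 'suppressed' };

  const consent = contact.consent;
  if (consent && consent.recordedAt && consent.marketingTypes.includes(campaign.channel)) {
    return { email, send: true, reason: 'consent', evidence: consent.recordedAt };
  }

  const s = contact.softOptIn;
  const softOk =
    !!s &&
    s.obtainedDuringSale === true &&
    campaign.isThirdParty === false &&
    s.similarProducts.includes(campaign.product) &&
    s.optOutOfferedAtCollection === true &&
    campaign.includesUnsubscribe === true;
  if (softOk) return { email, send: true, reason: 'soft_opt_in', evidence: s.saleRef };

  return { email, send: false, reason: 'no_lawful_route' };
}

// Produce a per-contact plan with the reason recorded, so the decision can be
// evidenced later.
function planSend(contacts, campaign, sources) {
  const suppressed = buildSuppressionSet(sources);
  return contacts.map(c => eligibility(c, campaign, suppressed));
}

// Constructed sample data.
const SAMPLE_SOURCES = [
  { tool: 'esp', optOuts: ['Dana@Example.test '] },
  { tool: 'crm', optOuts: [] },
];
const SAMPLE_CONTACTS = [
  { email: 'amy@example.test',
    consent: { marketingTypes: ['email'], recordedAt: '2024-03-01T10:00:00Z' } },
  { email: 'ben@example.test',
    softOptIn: { obtainedDuringSale: true, similarProducts: ['widget-pro'],
                 optOutOfferedAtCollection: true, saleRef: 'INV-1001' } },
  { email: 'cal@example.test',
    softOptIn: { obtainedDuringSale: true, similarProducts: ['gizmo'],
                 optOutOfferedAtCollection: true, saleRef: 'INV-1002' } },
  { email: 'dana@example.test',
    consent: { marketingTypes: ['email'], recordedAt: '2024-01-15T09:00:00Z' } },
];
const SAMPLE_CAMPAIGN = {
  channel: 'email', product: 'widget-pro', isThirdParty: false, includesUnsubscribe: true,
};

console.log(JSON.stringify(planSend(SAMPLE_CONTACTS, SAMPLE_CAMPAIGN, SAMPLE_SOURCES), null, 2));
```

In the sample run, Amy is sent on consent, Ben under the soft opt-in, Cal is refused because the promoted product is not on the "similar" list, and Dana is refused because one platform holds her opt-out even though a consent record exists elsewhere.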
6) Review Your Design And Copy
- Ensure cookie banners don’t nudge or mislead users, and that you offer a genuine “reject” option on the first layer.
- Remove pre‑ticked boxes for marketing consent and avoid bundling consent with terms or other permissions.
- Make your marketing identity clear – no spoofing, no ambiguous sender names, and no misleading subject lines.
7) Keep It Under Review
- Run quarterly spot‑checks: do any cookies fire before consent? Do all templates include an unsubscribe? Are new tools covered in your notices?
- Have a process for handling complaints and ICO contacts.
- Document decisions – “why we rely on soft opt‑in for X list” – so you can evidence your reasoning.
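The cookie rules earlier in the guide and steps 2 and 7 above come down to two mechanics: a gate that keeps non-essential tags from running until the banner records a choice (with reject as easy as accept), and a spot-check that lists any cookie present without consent for its category. The following is an added example, not Sprintlaw's code or any consent management platform's API; the category names, tag ids, script URLs and cookie names are constructed, and the browser injection is only used when a `document` exists.

```javascript
// Added example (not Sprintlaw's code). Tags, URLs and cookie names are constructed.

const CATEGORIES = ['necessary', 'analytics', 'advertising'];

// Until the user acts, only strictly necessary tags are permitted.
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false, decided: false };
}

// Apply a banner choice. 'reject_all' is one action, exactly like 'accept_all';
// an object lets the user pick categories. 'necessary' can never be switched off.
function applyChoice(state, choice) {
  const next = { ...state, decided: true };
  if (choice === 'accept_all') {
    for (const c of CATEGORIES) next[c] = true;
  } else if (choice === 'reject_all') {
    for (const c of CATEGORIES) next[c] = c === 'necessary';
  } else if (choice && typeof choice === 'object') {
    for (const c of CATEGORIES) {
      if (c !== 'necessary' && c in choice) next[c] = Boolean(choice[c]);
    }
  } else {
    throw new Error('unknown consent choice');
  }
  return next;
}

// Tag registry (constructed). Every tag declares the category it belongs to,
// which is what step 1 ("map your technologies") produces.
const TAGS = [
  { id: 'cart-session', category: 'necessary', src: '/js/cart.js' },
  { id: 'site-analytics', category: 'analytics', src: 'https://tags.example.test/analytics.js' },
  { id: 'ad-pixel', category: 'advertising', src: 'https://tags.example.test/pixel.js' },
];

// Ids of the tags allowed to run under a consent state.
function permittedTags(state, tags = TAGS) {
  return tags.filter(t => state[t.category] === true).map(t => t.id);
}

// Load each permitted tag once. `inject` appends a <script> element in a
// browser; outside a browser it is a no-op, so the function can be exercised
// in tests by passing a recording callback instead.
function activateTags(state, loaded = new Set(), inject = defaultInject, tags = TAGS) {
  for (const tag of tags) {
    if (loaded.has(tag.id) || state[tag.category] !== true) continue;
    inject(tag);
    loaded.add(tag.id);
  }
  return loaded;
}

function defaultInject(tag) {
  if (typeof document === 'undefined') return; // not running in a browser
  const el = document.createElement('script');
  el.src = tag.src;
  el.async = true;
  document.head.appendChild(el);
}

// Spot-check for step 7: given the cookies observed (the document.cookie
// string) and the cookie-to-category map from your Cookie Policy, report any
// cookie set without consent for its category. Undeclared cookies are reported
// too, because a cookie missing from the policy is itself a transparency gap.
const COOKIE_CATEGORIES = { sid: 'necessary', an_id: 'analytics', ad_id: 'advertising' };

function auditCookies(cookieHeader, state, map = COOKIE_CATEGORIES) {
  const findings = [];
  for (const part of cookieHeader.split(';')) {
    const name = part.split('=')[0].trim();
    if (!name) continue;
    const category = map[name] || 'undeclared';
    if (category === 'undeclared' || state[category] !== true) findings.push({ name, category });
  }
  return findings;
}

// Stand-alone demonstration with a constructed cookie string.
const beforeChoice = defaultConsent();
console.log('permitted before any choice:', permittedTags(beforeChoice));
console.log('findings before any choice:', auditCookies('sid=abc; an_id=123; ad_id=9', beforeChoice));
console.log('permitted after reject all:', permittedTags(applyChoice(beforeChoice, 'reject_all')));
```

Run in a browser, `auditCookies(document.cookie, state)` on a fresh session before the banner is answered is the quarterly check in code form: any finding means a tag is firing ahead of consent or is missing from the Cookie Policy's registry.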
Key Documents And Policies
- Privacy Policy – tells people what you collect, why and their rights.
- Cookie Policy – lists the cookies/trackers you use and how to control them.
- Data Processing Agreement – sets out processor obligations for your vendors.
- Marketing consent wording – short, clear statements for sign‑up forms and checkouts.
- Suppression and retention procedures – how you handle opt‑outs and how long you keep data.
Training And Accountability
PECR breaches often come from small process gaps – a new landing page missing an unsubscribe link, a cookie script added without being routed through the CMP, or a hastily uploaded list from a tradeshow. Assign ownership for marketing compliance and run quick refresher sessions for your team so everyone knows the guardrails.
Common PECR Pitfalls To Avoid
- Dropping analytics cookies before consent or burying the reject option behind multiple clicks.
- Using pre‑ticked consent boxes or bundling consent into terms and conditions.
- Relying on “soft opt‑in” for a list that isn’t strictly your customers, or where the product isn’t “similar”.
- Buying third‑party lists without proof of valid, specific consent for your marketing.
- Failing to screen numbers against TPS/CTPS before calling.
- Not updating suppression lists across all platforms (email, SMS, dialler, CRM).
Useful Extras
If you’re refreshing your stack, it’s smart to align your UX with PECR from the start. Review your cookie banners, include clear Reject All Cookies buttons, make sure your Cookie Policy and Privacy Policy match the tech on your site, and build processes that respect the email marketing laws and the limited scope of the soft opt‑in. Where you rely on vendors, lock in a solid Data Processing Agreement so responsibilities are clear.
Key Takeaways
- PECR sets the UK’s specific rules for electronic marketing and tracking and applies alongside UK GDPR – you need to comply with both.
- For email/SMS marketing to individuals, consent is the default. The soft opt‑in is narrow and only for your own similar products to existing customers, with an easy opt‑out.
- Don’t set non‑essential cookies (including analytics and ads) until you have valid consent. Offer a balanced banner with an equally prominent reject option.
- For calls, screen against TPS/CTPS, honour opt‑outs and only use automated calling with prior consent.
- Publish accurate, up‑to‑date transparency notices (Privacy Policy and Cookie Policy), maintain consent and suppression logs, and put the right contracts in place with vendors.
- Train your team, test your tech regularly, and document decisions so you can evidence compliance if the ICO asks.
If you’d like help aligning your marketing and website with PECR and UK GDPR – from consent wording and cookie UX through to policies and vendor contracts – you can reach us for a free, no‑obligations chat on 08081347754 or team@sprintlaw.co.uk.