Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, it’s hard to avoid electronic marketing. You might be sending newsletters, running social ads, using a cookie banner on your website, or picking up the phone to follow up leads.
That’s exactly where the PECR regulation comes in. PECR (the Privacy and Electronic Communications (EC Directive) Regulations 2003) sets the UK’s key rules around electronic marketing and certain online tracking technologies (like cookies).
The tricky part is that PECR isn’t “just a privacy law” and it’s not the same thing as UK GDPR. In practice, you often need to comply with both - and small businesses can get caught out because the rules change depending on who you’re contacting, what you’re sending, and how you got their details.
Below we break down the PECR regulation in plain English, with practical steps you can actually apply to your marketing, your website, and your day-to-day communications.
What Is The PECR Regulation (And Why Should Small Businesses Care)?
PECR is the UK law that sits alongside data protection law (like UK GDPR and the Data Protection Act 2018). It’s enforced by the ICO (Information Commissioner’s Office) and it focuses on:
- Electronic marketing (email, SMS, phone calls, some types of direct messaging, and automated calling systems)
- Website technologies like cookies and similar tracking tools
- Security and privacy in electronic communications services (more relevant for telecoms providers, but parts can still affect modern businesses using comms tools)
From a small business perspective, PECR usually becomes relevant in three situations:
- You’re building an email list and sending marketing emails
- You’re using cookies for analytics, advertising, or personalisation
- You’re making marketing calls (or outsourcing lead generation)
PECR breaches can lead to complaints, investigations, reputational damage and, in some cases, significant fines. The good news is that most compliance is about getting your processes and wording right early - so you’re protected from day one.
PECR Vs UK GDPR: How They Work Together
A common misunderstanding is thinking you only need to worry about GDPR. In reality, PECR is often the “front door” rule for marketing and cookies, while UK GDPR governs what you do with personal data more broadly.
Here’s a simple way to think about it:
- PECR tells you whether you can send certain marketing messages or use certain cookies (and what consent rules apply).
- UK GDPR tells you how to handle the personal data involved (lawful basis, transparency, security, retention, individuals’ rights, and so on).
So if you’re sending an email campaign, you may need:
- PECR-compliant consent (or a valid exception) to send the email, and
- a UK GDPR lawful basis to process and store the recipient’s personal data, plus clear privacy information.
This is why having a properly drafted Privacy Policy matters - it’s one of the core ways you tell customers what you’re doing with their data and why.
It’s also why cookie compliance is usually a “two-law problem”: PECR governs consent for cookies (unless strictly necessary), while UK GDPR shapes how you describe and manage personal data collected through those cookies.
When Does PECR Apply To Marketing? (Email, SMS, Phone And More)
PECR is best known for its direct marketing rules. “Direct marketing” is broad - it can include promoting products/services, fundraising, and even messaging that builds brand awareness (not just “buy now” emails).
Email And SMS Marketing Under PECR
For most small businesses, the big rule is:
You generally need consent to send marketing emails or marketing texts to individuals (including sole traders and some types of partnerships).
In practice, that means:
- Consent should be freely given, specific, informed and unambiguous.
- Pre-ticked boxes are risky (and often not valid).
- You should keep records of what someone consented to and when.
- Every marketing message should include a clear way to opt out (unsubscribe).
The “Soft Opt-In” Exception (A Big Deal For E‑Commerce)
PECR includes a well-known exception for email/SMS marketing called the soft opt-in.
This can apply where:
- You got the person’s contact details during a sale or negotiations for a sale (for example, they bought something or started checkout),
- You’re marketing your own similar products or services,
- The person was given a clear opportunity to opt out at the point you collected their details (and in every message).
For many small businesses, this is the difference between being able to run a sensible customer email program and having to get “newsletter consent” from scratch.
Tip: if you sell online, cookie and marketing compliance often sits alongside your customer-facing legal setup - including your Terms and Conditions and your privacy messaging - so everything aligns and you’re not contradicting yourself across documents.
What About B2B Marketing?
PECR treats “corporate subscribers” (like limited companies and LLPs) differently from individuals.
In general, you can send marketing emails to corporate addresses (like info@company.co.uk) without the same consent requirements that apply to individuals, but you still need to comply with:
- UK GDPR rules if personal data is involved (for example, firstname.lastname@company.co.uk)
- clear identification of your business in the message
- a simple opt-out/unsubscribe option
Also, don’t assume “B2B” means risk-free. If you’re emailing a sole trader (even if it feels like a business contact), PECR can treat them like an individual.
Marketing Calls Under PECR
If your business does outbound calling for marketing (or uses a third party to do it), PECR also matters.
Key compliance points include:
- Screen live marketing calls against the Telephone Preference Service (TPS) for individuals (and the CTPS for corporate numbers) unless the person has told you they don’t object to your calls.
- Display a valid caller line identification (CLI) number on every marketing call - withholding your number is not permitted, and people need to see who is calling so they can opt out.
- If someone tells you to stop calling, you should record that preference and respect it.
If your team makes calls from work devices, it’s also smart to set internal rules on tools, tracking and acceptable use so staff understand what’s allowed and what isn’t - an Acceptable Use Policy can be a helpful part of that wider compliance picture.
Cookies And Tracking: What The PECR Regulation Requires On Your Website
If your website uses cookies (or similar technologies like tracking pixels, SDKs, device fingerprinting, and some analytics tools), PECR is usually in play.
The main rule is:
You generally need consent to store or access information on a user’s device unless the cookie is strictly necessary for providing a service the user requested.
Strictly Necessary Cookies (Usually No Consent Needed)
“Strictly necessary” cookies are those essential for the site or service to function. Common examples include:
- shopping basket cookies
- login/session cookies
- security cookies (where genuinely needed)
- load balancing cookies
Even where consent isn’t required, you should still be transparent about them (so users aren’t left guessing what’s running on your site).
Analytics, Advertising And Personalisation Cookies (Consent Usually Needed)
Most cookies used for:
- analytics and performance measurement
- behavioural advertising / retargeting
- personalised content
- social media tracking
will usually require opt-in consent.
This is where cookie banners and preference centres matter. A “by using this site you agree…” banner is generally not enough for non-essential cookies if it doesn’t provide a real opt-in choice.
For many small businesses, the practical compliance stack looks like:
- A clear cookie banner that gives users a genuine choice, and (in most cases) prevents non-essential cookies being set until consent is given
- A preference centre (so users can say yes to analytics but no to marketing, for example)
- A properly drafted Cookie Policy explaining what cookies you use, why, and how to manage preferences
- Record-keeping of consents (particularly important if you’re ever challenged)
“Similar Technologies” Still Count
PECR isn’t limited to old-school browser cookies. If you’re using any tool that stores information on a device or accesses information from it, you should treat it as potentially within scope.
This is why it’s worth getting a proper cookie audit done (or at least regularly reviewing what your website tools are doing). It’s very easy for a site to accumulate plug-ins and tracking scripts over time, and your compliance needs to keep up with the reality of what’s running.
How To Comply With PECR In Practice (A Small Business Checklist)
PECR compliance sounds technical, but for most small businesses it comes down to a few repeatable processes.
1) Map Your Marketing Channels
Start by listing how you market electronically:
- Email newsletters
- Abandoned basket emails
- SMS promotions
- Automated messages
- Phone outreach
- Direct messaging (depending on platform and how you’re using it)
For each channel, ask:
- Who are we contacting (individuals vs corporate)?
- How did we get their details?
- Do we have consent, or can we rely on soft opt-in?
- Do we include a clear opt-out every time?
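The four questions above (and the suppression-list point later in the article) can be turned into a repeatable pre-send check. The following is an added example, not code from the original article or from Sprintlaw: it encodes the article’s own summary of the email/SMS rules and nothing beyond it (consent or soft opt-in for individuals, lighter requirements but still sender identification and an opt-out for corporate subscribers, suppression list always wins). The field names, the sample contacts, the suppression entries and the per-campaign flags are constructed for illustration.

```javascript
// Added example (not from the original article): a send-eligibility check for
// marketing email/SMS that follows the article's PECR summary, plus a suppression
// list. Field names, sample contacts and suppression entries are constructed.

// Limited companies and LLPs are "corporate subscribers"; sole traders and
// (some) partnerships are treated as individuals, as the article describes.
const CORPORATE_TYPES = new Set(["limited_company", "llp"]);

function isIndividualSubscriber(contact) {
  return !CORPORATE_TYPES.has(contact.entityType);
}

// Soft opt-in per the article: details obtained during a sale or negotiations
// for a sale, marketing your own similar products, and an opt-out offered at
// collection. `ownSimilarProducts` is an assumed per-campaign flag.
function softOptInApplies(contact, campaign) {
  return contact.source === "sale_or_negotiation"
    && campaign.ownSimilarProducts === true
    && contact.optOutOfferedAtCollection === true;
}

// Explicit consent only counts if a record exists: which channel, when, and what
// wording the person agreed to (the "keep records" point in the article).
function hasValidConsent(contact, channel) {
  const c = contact.consent;
  return !!c && c.channels.includes(channel)
    && typeof c.recordedAt === "string" && c.wording.length > 0;
}

// Decide whether one message may go to one contact: { allowed, basis, reasons }.
function marketingEligibility(contact, campaign, suppression) {
  // This check covers electronic mail only; calls follow the TPS/CTPS rules instead.
  if (!["email", "sms"].includes(campaign.channel)) {
    throw new Error("eligibility check covers email/SMS only");
  }
  const addr = contact.address.toLowerCase();
  // An opt-out always wins, whatever the basis.
  if (suppression.has(addr)) return { allowed: false, basis: null, reasons: ["on suppression list"] };

  const reasons = [];
  // Every marketing message must identify the sender and carry an opt-out.
  if (!campaign.identifiesSender) reasons.push("message does not identify the sender");
  if (!campaign.hasUnsubscribe) reasons.push("message has no opt-out");

  let basis = null;
  if (isIndividualSubscriber(contact)) {
    if (hasValidConsent(contact, campaign.channel)) basis = "consent";
    else if (softOptInApplies(contact, campaign)) basis = "soft-opt-in";
    else reasons.push("individual subscriber without consent or soft opt-in");
  } else {
    basis = "corporate-subscriber";
  }
  return { allowed: reasons.length === 0, basis, reasons };
}

// Run the decision across a list and split it into sendable and blocked contacts,
// keeping the basis/reasons so the decision can be shown if challenged.
function planCampaign(contacts, campaign, suppression) {
  const plan = { send: [], blocked: [] };
  for (const contact of contacts) {
    const d = marketingEligibility(contact, campaign, suppression);
    (d.allowed ? plan.send : plan.blocked).push({ address: contact.address, ...d });
  }
  return plan;
}

// Record an opt-out. The suppression list holds only the address needed to honour it.
function recordOptOut(suppression, address) {
  suppression.add(address.toLowerCase());
  return suppression;
}

// Constructed sample data (hypothetical addresses on the reserved .invalid TLD).
const SAMPLE_SUPPRESSION = new Set(["unsub@example.invalid"]);
const SAMPLE_CONTACTS = [
  { address: "buyer@example.invalid", entityType: "individual", source: "sale_or_negotiation",
    optOutOfferedAtCollection: true, consent: null },
  { address: "signup@example.invalid", entityType: "individual", source: "newsletter_form",
    optOutOfferedAtCollection: true,
    consent: { channels: ["email"], recordedAt: "2024-03-01T10:00:00Z", wording: "Send me product news by email" } },
  { address: "scraped@example.invalid", entityType: "sole_trader", source: "purchased_list",
    optOutOfferedAtCollection: false, consent: null },
  { address: "info@company.invalid", entityType: "limited_company", source: "website",
    optOutOfferedAtCollection: false, consent: null },
  { address: "unsub@example.invalid", entityType: "individual", source: "sale_or_negotiation",
    optOutOfferedAtCollection: true, consent: null },
];
const SAMPLE_CAMPAIGN = { channel: "email", ownSimilarProducts: true, identifiesSender: true, hasUnsubscribe: true };
```

Running `planCampaign(SAMPLE_CONTACTS, SAMPLE_CAMPAIGN, SAMPLE_SUPPRESSION)` sends to the customer (soft opt-in), the newsletter signup (recorded consent) and the corporate info@ address, and blocks the sole trader from a purchased list and the suppressed address. The `basis` and `reasons` fields are worth logging with each send: they are the record you would need if a complaint reached the ICO.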
2) Fix Your Sign-Up And Checkout Wording
A lot of PECR problems start at the point of data collection (for example, a newsletter sign-up box or checkout page).
Good practices include:
- Separate marketing consent from accepting terms of sale (don’t bundle consent)
- Clear language on what the person will receive
- Simple unsubscribe mechanism
- Documenting whether you’re relying on consent vs soft opt-in
If you’re also changing your customer-facing contract terms, make sure everything lines up across your Website Terms and Conditions, your checkout flow, and your privacy notices.
3) Put Cookie Controls In Place (And Keep Them Updated)
Cookie compliance isn’t a “set and forget” job.
As your site changes (new analytics tools, new ad platforms, new embedded content), your cookies can change too. Build a simple routine:
- Review cookies quarterly (or whenever you add a new marketing tool)
- Update your cookie list and descriptions
- Test that non-essential cookies and similar technologies aren’t deployed unless/until the user has given the required consent
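The “compliance stack” described earlier (banner, preference centre, consent records) and the test in the last bullet above both come down to one mechanism: nothing non-essential runs until a recorded choice says it may. The following is an added example, not code from the original article or from Sprintlaw. It assumes a hypothetical script registry, category names, storage key and policy version; the storage and script-loading hooks are injectable so the gating logic can be exercised outside a browser, and the DOM wiring at the end only runs when a `document` exists.

```javascript
// Added example (not from the original article): a consent gate for non-essential
// scripts/cookies with granular, versioned, timestamped records, plus a
// pre-consent audit check. Registry, categories, key and version are assumed.

const CONSENT_KEY = "cookie_consent_v1";   // assumed storage key
const POLICY_VERSION = "2024-01";           // assumed cookie policy version

// Tags the site wants to run, by category. "necessary" tags may run without
// consent; every other category waits for a recorded opt-in.
const SCRIPT_REGISTRY = [
  { id: "session",   category: "necessary", src: null },
  { id: "analytics", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ads",       category: "marketing", src: "https://example.invalid/ads.js" },
];

// Cookie names treated as strictly necessary (assumed list for this site).
const NECESSARY_COOKIES = new Set(["sessionid", "csrftoken", "cart"]);

// `storage` needs get/set/remove; `loadScript(src)` injects a tag; `now` is
// injectable so records can be checked deterministically.
function createConsentManager({ storage, loadScript, now = () => Date.now() } = {}) {
  const loaded = new Set();

  function read() {
    const raw = storage.get(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      // A record made under an older policy version is not valid for this one: ask again.
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;
    }
  }

  // Default position is "no" for every non-essential category.
  function state() {
    const rec = read();
    return { analytics: false, marketing: false, ...(rec ? rec.categories : {}) };
  }

  // Record an explicit per-category choice with the policy version and time.
  function record(categories) {
    const rec = {
      version: POLICY_VERSION,
      at: new Date(now()).toISOString(),
      categories: { analytics: !!categories.analytics, marketing: !!categories.marketing },
    };
    storage.set(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }

  // Withdrawal: remove the record; non-essential tags stay off from the next load.
  function withdraw() { storage.remove(CONSENT_KEY); }

  // Load only tags that are necessary or in a consented category. Returns the ids
  // loaded by this call (each tag loads at most once per page).
  function applyGate() {
    const s = state();
    const ids = [];
    for (const tag of SCRIPT_REGISTRY) {
      const allowed = tag.category === "necessary" || s[tag.category] === true;
      if (allowed && !loaded.has(tag.id)) {
        if (tag.src && loadScript) loadScript(tag.src);
        loaded.add(tag.id);
        ids.push(tag.id);
      }
    }
    return ids;
  }

  return { state, record, withdraw, applyGate, hasRecord: () => read() !== null };
}

// Audit check for the last bullet above: given the cookie names present before any
// choice was recorded, return those that are not strictly necessary.
function auditPreConsentCookies(cookieNames, necessary = NECESSARY_COOKIES) {
  return cookieNames.filter((name) => !necessary.has(name));
}

// Browser wiring; skipped when there is no DOM (e.g. under a test runner).
if (typeof document !== "undefined") {
  const manager = createConsentManager({
    storage: {
      get: (k) => localStorage.getItem(k),
      set: (k, v) => localStorage.setItem(k, v),
      remove: (k) => localStorage.removeItem(k),
    },
    loadScript: (src) => {
      const s = document.createElement("script");
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    },
  });
  manager.applyGate(); // necessary tags only until the user has chosen
  if (!manager.hasRecord()) {
    const names = document.cookie.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean);
    const leaks = auditPreConsentCookies(names);
    if (leaks.length) console.warn("Non-essential cookies set before consent:", leaks);
  }
}
```

Two design points worth keeping whatever tool you use: the stored record carries the policy version, so changing your cookie list invalidates old consents rather than silently reusing them, and the audit runs on the pre-consent state of the page, which is the state a complainant (or the ICO) would look at.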
4) Train Your Team (Especially Sales And Marketing)
If you have staff (or contractors) doing outreach, it’s worth making sure they understand:
- what counts as “marketing”
- when consent is needed
- how to record opt-outs
- how to respond if someone complains
If you use any AI tools for marketing or customer communications, you should also be thinking about privacy and confidentiality controls more generally - for some businesses, a structured approach (like a GDPR Package) can help pull the moving parts into one coherent compliance framework.
5) Be Careful With Third Parties And Lead Lists
Buying lists or using scraped data is a common way small businesses accidentally step into PECR and UK GDPR trouble.
If you’re working with a third party (like a marketing agency or lead generator), you’ll want to be clear on:
- where the personal data came from
- what the individuals were told at the time of collection
- whether valid consent exists (and what exactly it covered)
- who is responsible for complaints and compliance
In many cases, it’s safer (and better for your brand) to build your own list through opt-ins and clear customer journeys rather than relying on questionable sources.
Common PECR Pitfalls (And How To Avoid Them)
Most PECR breaches we see in small businesses aren’t malicious - they’re usually a result of fast growth, DIY marketing setups, or copying what “everyone else” seems to do.
Assuming “GDPR-Compliant” Means “PECR-Compliant”
You can have a great GDPR privacy notice and still be sending unlawful marketing emails under PECR if you don’t have consent/soft opt-in.
Relying On Pre-Ticked Boxes Or Vague Consent
If your sign-up forms are unclear, you may not have valid consent. Consent should be specific and easy to withdraw.
Not Offering A Real Cookie Choice
If your banner only offers “Accept” (and hides “Reject”), or if it deploys marketing cookies before the user chooses, that’s a red flag.
Forgetting To Keep Suppression Lists
If someone opts out, you need a way to ensure they’re not contacted again. That often means keeping a minimal record (a suppression list) to respect their preference.
Not Aligning Contracts, Policies And Real-World Practice
It’s not enough to have policies on your website if your tools and team behaviours don’t match. Consistency is what protects you when something gets scrutinised.
Key Takeaways
- The PECR regulation sets UK rules for electronic marketing (email, SMS, calls) and for cookies/tracking technologies.
- PECR often applies alongside UK GDPR - PECR typically governs marketing/cookie permissions, while GDPR governs broader data handling and transparency.
- For marketing emails/texts to individuals, you generally need consent unless the soft opt-in applies (existing customer relationship + similar products + clear opt-out).
- For cookies, you usually need opt-in consent for analytics/advertising/personalisation cookies; only strictly necessary cookies are typically exempt.
- Practical compliance comes down to getting your sign-up wording right, offering real opt-in/opt-out controls, keeping records, and training your team.
- Be especially cautious with third-party lead lists and marketing providers - you’ll want clarity on consent and responsibilities before you press send.
If you’d like help getting your marketing and cookie compliance right, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.