Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you send marketing emails, run online ads, use analytics cookies, or pick up the phone to call prospects, the UK’s Privacy and Electronic Communications Regulations (PECR) apply to you.
PECR sits alongside UK GDPR and the Data Protection Act 2018. It adds extra, specific rules for electronic marketing and cookies. In practice, that means the way you collect consent, design your cookie banner, or run a sales campaign can make the difference between compliant activity and a regulatory headache.
In this guide, we’ll break down what PECR covers, when it applies, and the practical steps you can take to stay compliant without derailing your marketing goals.
What Is PECR In The UK?
PECR is short for the Privacy and Electronic Communications (EC Directive) Regulations 2003. In simple terms, PECR controls two big areas that most small businesses touch every day:
- Direct marketing by electronic means - email, SMS, instant messaging, live and automated calls, and fax.
- Cookies and similar technologies - anything that stores or accesses information on a user’s device (e.g. cookies, SDKs, pixels, local storage).
PECR is enforced by the Information Commissioner’s Office (ICO). The ICO can investigate complaints, require changes, and issue fines. While headlines usually involve big brands, small businesses are regularly on the receiving end when basic rules are ignored.
Importantly, PECR applies regardless of whether personal data is involved. For example, dropping an analytics cookie is regulated even if you never see a user’s name. When personal data is involved, PECR and UK GDPR both apply and you must meet the requirements of each.
When Does PECR Apply To Small Businesses?
PECR kicks in across a range of everyday activities. You’ll need to follow the rules if you:
- Send promotional emails or SMS to individuals (including sole traders and some partnerships).
- Call people with sales messages, or use recorded/automated calls.
- Place cookies, pixels or SDKs on your website or app (including for analytics, advertising, or A/B testing).
- Use remarketing or retargeting tools that rely on device identifiers or cookies.
There are nuances. For instance, some marketing to corporate subscribers (like many limited company work emails) is treated differently from marketing to individual subscribers (like personal Gmail addresses or sole traders). You still need to comply with PECR and UK GDPR, but consent requirements and opt-out mechanisms can vary by audience and channel.
If you’re unsure which rules apply to your list, segment it. Separating individuals from corporates, and separating acquisition emails from emails to existing customers, will help you apply the right approach and evidence your compliance.
Direct Marketing Rules Under PECR (Email, SMS, Calls)
PECR sets out clear rules for electronic marketing. Here’s how the main channels work in practice for UK small businesses.
Email And SMS Marketing
For individual subscribers, you generally need prior consent to send marketing emails or texts - unless the “soft opt-in” applies. For corporate subscribers, you can usually send marketing without prior consent, but you must still offer a simple opt-out in every message and respect data protection principles.
The soft opt-in allows you to market similar products/services to existing customers without fresh consent if:
- You obtained their contact details during a sale (or sale negotiations) of a product or service; and
- You’re marketing your own similar products or services; and
- You gave a clear chance to opt out at collection; and
- You include an easy opt-out in every message.
This is a narrow exemption - it doesn’t apply to brand-new prospects or third-party promotions. If you’re building a list from scratch, consent remains the safest route. Make it freely given, specific, informed, and signalled by a clear, affirmative action (no pre-ticked boxes).
For a deeper dive on these rules, it helps to review the basics of email marketing laws and when the soft opt-in actually applies to your campaigns.
Live Sales Calls
Live (person-to-person) calls for direct marketing are allowed unless the number is registered on the Telephone Preference Service (TPS) or the Corporate TPS (CTPS), or the person/company has told you not to call. You must display your number, say who you are, and provide a contact address or freephone number on request. Keep suppression lists and honour opt-outs quickly.
Automated (Recorded) Calls
Automated calls require the subscriber’s prior consent, regardless of whether they are an individual or a corporate subscriber. Recorded message campaigns without consent are usually a fast track to complaints and enforcement.
WhatsApp, In-App And Instant Messaging
Messages sent over apps are generally treated like email/SMS under PECR. If you’re sending promotional messages to individual subscribers, you’ll need consent or a valid soft opt-in scenario. Make sure your opt-outs work through the same channel where possible.
What Must Every Marketing Message Include?
Every message should clearly identify your business, include a valid contact address, and provide a simple, obvious way to opt out (unsubscribe). Don’t hide the unsubscribe link or require a login to make it work. Keep evidence of how and when you obtained consent (or why the soft opt-in applies) so you can demonstrate compliance if challenged.
Cookies, Analytics And PECR (Including Cookie Banners)
PECR requires you to obtain consent for storing or accessing information on a user’s device unless the cookie is “strictly necessary” to provide the service the user asked for (for example, a cookie that keeps items in a shopping cart).
In practice, most analytics, advertising, social media, and personalisation cookies are not strictly necessary - so you should not set them until the user has made a genuine choice to accept them.
What Does A Compliant Cookie Banner Look Like?
ICO guidance expects consent to be equally easy to refuse and accept. That typically means:
- No tracking cookies fire before the user accepts.
- Prominent “Accept” and “Reject” options presented at the same time, with equal prominence.
- Granular controls (e.g., toggles for analytics, ads) and a link to your Cookie Policy.
- Avoiding “nudging” designs that steer users unfairly.
If you’re reviewing your approach, it’s worth sanity-checking your cookie banners and whether you offer clear Reject All Cookies buttons for non-essential cookies.
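As an added example (not part of the article or any vendor's banner code), here is the gating and audit behaviour those banner rules describe, in plain JavaScript: non-essential loaders are held until a choice is recorded, Accept and Reject share one code path, and an audit flags any cookie present without consent. The cookie names, category names and the strictly-necessary list are assumptions chosen for illustration.

```javascript
// Added example, not from the article: consent gate for non-essential scripts
// plus an audit of the cookie header. All cookie and category names are assumed.
const STRICTLY_NECESSARY = new Set(["session_id", "cart", "csrf_token", "consent_prefs"]);
// Hypothetical mapping of non-essential cookie names to consent categories.
const NON_ESSENTIAL = { _ga: "analytics", _gid: "analytics", _fbp: "advertising", ab_variant: "analytics" };
const CATEGORIES = ["analytics", "advertising"];

function createConsentGate(now = () => new Date().toISOString()) {
  let record = null;                       // evidence: timestamp, source, choices
  const pending = Object.fromEntries(CATEGORIES.map(c => [c, []]));
  const accepted = c => record !== null && record.choices[c] === true;

  // Register a loader (e.g. an analytics tag). It never runs before a choice,
  // runs immediately if its category is already accepted, and is dropped if rejected.
  function gate(category, loader) {
    if (accepted(category)) loader();
    else if (record === null) pending[category].push(loader);
  }
  // Accept-all, reject-all and granular choices are all the same call,
  // so no path is longer than another. Returns the record to keep as evidence.
  function decide(choices, source) {
    record = { timestamp: now(), source, choices: { ...choices } };
    for (const c of CATEGORIES) {
      if (choices[c]) pending[c].forEach(fn => fn());
      pending[c] = [];
    }
    return record;
  }
  // Withdrawal is recorded like any other choice; nothing further will load.
  const withdraw = source => decide(Object.fromEntries(CATEGORIES.map(c => [c, false])), source);
  return { gate, decide, withdraw, getRecord: () => record };
}

// Audit the text of document.cookie against the consent record. Flags non-essential
// cookies set without consent, and any cookie on neither list, which is how pixels
// added by plugins or third parties show up. record === null means "no choice yet".
function auditCookies(cookieHeader, record) {
  const names = cookieHeader.split(";").map(s => s.trim()).filter(Boolean).map(s => s.split("=")[0]);
  const findings = [];
  for (const name of names) {
    if (STRICTLY_NECESSARY.has(name)) continue;
    const category = NON_ESSENTIAL[name];
    if (!category) findings.push({ name, category: "unknown" });
    else if (!(record && record.choices[category])) findings.push({ name, category });
  }
  return findings;
}
```

Running auditCookies on a fresh page load, before any banner interaction, is the quickest way to catch the "consent first, track later" problem on your own site.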
Analytics Cookies
Even first-party analytics cookies usually need consent. Some vendors provide “privacy-friendly” modes, but if the technology still stores or accesses info on a device for analytics that aren’t strictly necessary, consent is expected. If you rely on analytics, plan for a drop in data when users say no - that’s a compliance cost many UK sites now accept.
Cookie Policy And Transparency
Alongside your banner, publish a clear Cookie Policy describing what cookies you use, what they do, and how users can change their preferences. Keep it consistent with your broader Privacy Policy, and ensure both are easy to find from every page. If you don’t have one, consider a dedicated Cookie Policy page linked directly from your banner.
PECR Vs UK GDPR: How Do They Fit Together?
Think of PECR as the “channel-specific” rulebook, and UK GDPR as the overarching data protection framework. You must comply with both when you’re dealing with personal data in electronic communications.
- PECR decides whether you can send a marketing message or set a cookie (e.g., do you need consent?).
- UK GDPR governs what you then do with any personal data (e.g., your lawful basis, transparency, security, retention, and individuals’ rights).
For example, if you rely on soft opt-in under PECR to email existing customers, you still need a lawful basis under UK GDPR (often “legitimate interests”), and you must meet GDPR obligations (like providing privacy information and allowing unsubscribes and objections).
Similarly, if you obtain consent for advertising cookies under PECR, make sure that consent also meets UK GDPR standards (freely given, specific, informed and unambiguous). Keep records of consent and provide an easy way for users to withdraw it later.
Practical Compliance Checklist For Small Businesses
If you want a clear starting point to bring your marketing and websites into line with PECR, work through this practical checklist.
1) Map Your Marketing Channels And Audiences
- List every channel you use: email, SMS, WhatsApp, live and automated calls, in-app messages.
- Segment your audiences: individual subscribers (consumers, sole traders) vs corporate subscribers (limited companies, LLPs).
- Identify whether the soft opt-in may apply to any of your existing customer lists.
2) Review Consent And Opt-Out Mechanisms
- Use unticked checkboxes and clear language when collecting consent.
- Include a working unsubscribe link in every email or SMS; process opt-outs promptly.
- Keep records: timestamp, source, and content of the consent statement or the conditions for soft opt-in.
3) Fix Your Cookies And Banner
- Classify cookies: strictly necessary vs non-essential (analytics, ads, social).
- Block non-essential cookies until consent; offer both “Accept” and “Reject” with equal prominence.
- Provide granular choices and link to your Cookie Policy.
4) Update Your Policies And Notices
- Make sure your Privacy Policy covers your marketing activities and explains users’ rights.
- Publish a clear, up-to-date Cookie Policy with a cookie table and easy preference controls.
- Ensure marketing sign-up forms and checkout screens include concise privacy information and opt-out wording.
5) Put The Right Contracts In Place With Vendors
- If a supplier processes personal data for you (e.g., your email service provider, CRM, or analytics platform), you’ll likely need a Data Processing Agreement.
- Where you exchange marketing data with another controller, consider whether a Data Sharing Agreement or other arrangement is needed.
- Check your adtech and analytics vendors’ settings for UK compliance (e.g., consent mode, IP masking, data retention).
6) Train Your Team And Document Your Approach
- Train staff on PECR basics: consent vs soft opt-in, TPS screening, and handling opt-outs.
- Keep a marketing compliance playbook covering sign-up flows, message templates, suppression lists, and cookie configurations.
- Run periodic audits to catch “consent creep” (e.g., old forms, copied templates, or new pixels added by third parties).
7) Don’t Forget Phones And Prospecting
- Screen outbound call lists against TPS and CTPS; keep evidence of screening.
- Display your number; train callers to identify the organisation and provide a contact address or freephone on request.
- Automated calls require consent - treat them like email/SMS to individual subscribers.
Common PECR Pitfalls (And How To Avoid Them)
Most enforcement pain for small businesses comes from avoidable mistakes. Watch out for these:
- Pre-ticked boxes or bundled consent - these aren’t valid consent and can’t justify emails or non-essential cookies.
- “Consent first, track later” claims where your site actually drops cookies before the user chooses.
- Hiding the unsubscribe link or making opt-out difficult (e.g., requiring login to unsubscribe).
- Relying on soft opt-in for cold prospects or for products that aren’t “similar” to the original purchase.
- Skipping TPS checks before sales calls, or ignoring individual opt-outs (“do not call” requests).
- Using analytics or ad pixels inserted by plugins or third parties without updating your banner and Cookie Policy.
A quick internal audit every quarter - and whenever you add a new tool - will help you catch these issues early.
How PECR Is Enforced (And Why It Matters)
The ICO can investigate, issue enforcement notices, and impose monetary penalties. Aside from fines, non-compliance risks include reputational harm, email deliverability problems (due to spam complaints), and wasted ad spend if your tracking is switched off after complaints.
On the flip side, getting PECR right increases trust with customers and often improves the quality of your marketing lists. People who genuinely opt in typically engage more, convert better, and churn less - a win for both compliance and growth.
FAQs: Quick Answers To Common PECR Questions
Do I Need Consent To Email A Limited Company Work Address?
PECR allows marketing to corporate subscribers without prior consent, but you must include an opt-out in every message and meet UK GDPR duties (lawful basis, transparency, security). If in doubt about the type of subscriber, treat it conservatively and capture consent.
Can I Use Purchased Marketing Lists?
It’s risky. You need confidence that the list was collected lawfully, for your specific purposes, with valid consent where required. In many cases, purchased lists lead to high complaint rates and poor deliverability. Building your own consent-based list is safer and more effective long term.
Do I Need Consent For Google Analytics?
Generally, yes - analytics cookies are not strictly necessary, so you should obtain consent before setting them. Configure your banner to block analytics until the user accepts, and let users change their choice later.
Does PECR Apply To B2B Cold Calls?
Yes, PECR applies to live sales calls. You must screen numbers against TPS/CTPS, display your caller ID, and respect opt-outs. Automated calls still require consent. If calls are part of your strategy, also consider your broader obligations under UK GDPR when making business calls (lawful basis, privacy information, and keeping suppression lists).
Do We Need To Pay The ICO Fee?
Most UK businesses that process personal data must pay an annual data protection fee to the ICO, though some exemptions exist. It’s worth checking if your business qualifies for any ICO fee exemptions.
Key Takeaways
- PECR adds specific, channel-based rules for electronic marketing and cookies on top of UK GDPR - you must comply with both frameworks.
- Email/SMS to individual subscribers generally require consent unless the narrow soft opt-in applies; corporate subscribers still need a clear opt-out in every message.
- Most analytics and advertising cookies are not strictly necessary, so don’t set them until the user accepts via a compliant banner with equal “Accept” and “Reject” options.
- Keep robust records of consent, screen phone lists against TPS/CTPS, and honour opt-outs promptly across all channels.
- Publish clear, accessible policies: a Privacy Policy and a standalone Cookie Policy, and make sure your banner links to them.
- Put proper contracts in place with martech vendors, such as a Data Processing Agreement, and document your marketing compliance playbook.
- Regular audits will catch common pitfalls early, protect your brand, and improve the quality and performance of your marketing.
If you’d like help implementing PECR compliance - from drafting a Privacy Policy and Cookie Policy to reviewing your email flows, cookie banner and marketing contracts - our team’s here to help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.