Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business sends marketing emails, runs online ads, uses cookies, or picks up the phone to generate leads, PECR is something you can’t afford to ignore.
The Privacy and Electronic Communications Regulations (usually shortened to PECR) sit alongside the UK GDPR and the Data Protection Act 2018. In plain terms, PECR is the set of UK rules that controls electronic marketing and privacy in electronic communications.
The tricky part? Many small businesses assume PECR only applies to “big tech” or huge marketing teams. But PECR can apply to a one-person service business, an ecommerce brand, a local gym, a clinic, or any company running digital marketing campaigns.
Below, we’ll walk you through what PECR covers, when you need consent, what “soft opt-in” means, how cookies fit into all of this, and the practical steps you can take to protect your business from day one.
What Are The Privacy And Electronic Communications Regulations (PECR)?
The Privacy and Electronic Communications Regulations (PECR) are UK rules designed to protect people’s privacy in relation to:
- Electronic marketing (email, SMS/text, automated calls, phone marketing, and some online messaging)
- Cookies and similar technologies used on websites and apps
- Security and confidentiality in electronic communications services (more relevant to telecoms providers, but still important context)
PECR is not the same thing as the UK GDPR, but they’re closely linked.
A helpful way to think about it is:
- UK GDPR = the broader rules for handling personal data lawfully (how you collect it, use it, store it, share it, retain it, etc.)
- PECR = the specific extra rules about how you market electronically and how you use cookies/similar tech
So even if you’re taking UK GDPR seriously, you can still fall foul of PECR if (for example) you send marketing emails without the right consent, or your cookie banner isn’t set up correctly.
What Counts As “Electronic Marketing” Under PECR?
PECR can apply to marketing sent by:
- SMS/text messages
- phone calls (live calls and automated recorded messages)
- fax (rare, but still in the rules)
- some messaging channels, depending on how you’re using them (for example, direct marketing messages)
And “marketing” isn’t just “buy now” messages. It can include messages that promote your brand, services, events, offers, or even messages that encourage engagement which ultimately drives sales.
Does PECR Apply To Your Small Business?
In most cases, yes - if you do any of the following:
- send newsletters or promotional emails
- run SMS campaigns
- use telephone sales or lead generation
- use cookies for analytics, personalisation, or advertising
- use online tracking tools (often treated as “similar technologies” to cookies)
PECR doesn’t only apply to businesses targeting consumers. It can apply to B2B marketing too, but the rules vary depending on the channel and who you’re contacting (for example, companies vs individuals).
PECR And UK GDPR: Why You Usually Need Both
PECR often tells you whether you can send the message (eg consent required), while UK GDPR tells you how you must handle the data (eg transparency, lawful basis, retention, security, data subject rights).
For example:
- If you email a marketing list, PECR may require consent (or soft opt-in).
- UK GDPR still requires you to process personal data fairly, tell people what you’re doing in your privacy information, and keep data secure.
This is why your customer-facing documentation needs to be consistent. A properly drafted Privacy Policy is often a core part of aligning your PECR and UK GDPR position, especially if you’re collecting leads online.
Marketing Rules Under PECR: Email, SMS, Calls, And More
The biggest PECR risk for many small businesses is marketing. It’s also where misunderstandings happen most often - especially around what counts as “consent” and when you can rely on “soft opt-in”.
Email And SMS Marketing: When Do You Need Consent?
As a general rule, you need prior consent to send marketing by email or SMS to individual subscribers (including many sole traders and partnerships, because their work contact details may identify them personally).
Consent under these rules should be:
- freely given (no pressure or hidden conditions)
- specific and informed (people understand what they’re signing up for)
- clear (eg an unticked opt-in box, not pre-ticked)
- easy to withdraw (simple unsubscribe options)
If you’re emailing a business address (such as a company email), the consent rules can differ compared to individuals - but you’ll still need to comply with PECR’s requirements (including identification and opt-out), and make sure your approach is consistent with UK GDPR where personal data is involved.
What Is “Soft Opt-In” And When Can You Use It?
“Soft opt-in” is one of the most useful (and misunderstood) PECR concepts for small businesses.
In simple terms, soft opt-in can let you send marketing emails/SMS without explicit consent if you meet strict conditions. Commonly, it’s used for existing customers.
Typically, soft opt-in may apply where:
- you obtained the person’s contact details during a sale (or negotiations for a sale) of a product/service, and
- you are marketing your own similar products/services, and
- you gave a clear opportunity to opt out at the time you collected the details, and
- you include an easy opt-out in every message
If you’re building an email strategy and want to rely on soft opt-in, it’s worth getting the details right upfront. A lot of the compliance work is in your signup wording, checkout flows, and unsubscribe processes. For many businesses, this is where a clear marketing compliance plan (and the right wording) can save a lot of headaches later.
If email marketing is a big part of your growth plans, the rules around the soft opt-in are worth understanding properly so you don’t accidentally cross the line.
Phone Marketing: Live Calls Vs Automated Calls
PECR treats phone marketing differently depending on whether the call is:
- a live marketing call (a real person calling), or
- an automated call (a recorded message played automatically)
Automated marketing calls are generally much stricter and usually require prior consent.
For live marketing calls, you still need to respect people’s preferences, including where they’ve opted out or registered with suppression services (such as the TPS/CTPS). You also need to be mindful of privacy expectations, transparency, and how you sourced the number in the first place.
For many small businesses, the practical takeaway is: if you’re doing phone outreach, make sure you have a documented process for (1) where leads come from, (2) what you say about privacy, and (3) how you record and honour opt-outs.
If your marketing includes call tracking, recorded calls, or storing call notes, you’ll also need to think about the wider data compliance position, not just PECR. For example, handling business calls and personal data can raise GDPR issues, as discussed in GDPR and business calls.
Practical Marketing Compliance Tips (That Don’t Kill Your Sales)
PECR compliance doesn’t have to mean boring marketing. It usually means being clearer and more intentional. For example:
- Use separate opt-in boxes for different channels (email vs SMS), so consent is specific.
- Keep a simple record of how and when each contact opted in (or why you believe soft opt-in applies).
- Make unsubscribe links obvious and instant - don’t hide them.
- Check your lead sources. If you buy lists, the risk usually goes up significantly.
- Train staff or contractors who send campaigns, so the rules are applied consistently.
If your team uses company devices and systems to run marketing campaigns, it’s also a good idea to set expectations in writing through an Acceptable Use Policy (for example, who can export mailing lists, where those lists can be stored, and what tools can be used).
Cookies And Similar Technologies: What PECR Means For Your Website
If your business has a website (even a simple one), you’ll almost certainly use some form of cookies or similar technology.
PECR’s cookie rules are a major focus for regulators because cookies can be used to:
- track users across websites
- profile behaviour for targeted advertising
- measure conversions and marketing performance
- personalise content
When Do You Need Cookie Consent?
Broadly, PECR requires you to:
- provide clear and comprehensive information about cookies, and
- get consent for cookies, unless they are strictly necessary for providing the service the user requested
“Strictly necessary” cookies are typically things like:
- shopping basket functionality
- security cookies
- load balancing cookies
- cookies needed to complete a payment or login session
Analytics and advertising cookies are generally not strictly necessary, which means you often need consent before placing them.
What A Cookie Banner Should Do (In Practice)
For many small businesses, cookie compliance becomes real when they install a banner and assume the job’s done. But PECR is about outcomes: transparency and real choice.
In practical terms, this usually means:
- Users should be able to accept and reject non-essential cookies easily.
- Non-essential cookies shouldn’t be set until consent is given.
- Your cookie information should be easy to find and written in plain English.
- Consent choices should be respected for a reasonable period, and users should be able to change their mind.
Putting the right Cookie Policy in place is often part of getting this right, because it ties together what cookies you use, why you use them, and how users can control them.
Don’t Forget: Cookies Often Involve Personal Data
Even though PECR is often described as the UK’s “cookie rules”, cookies can also involve personal data (or data that becomes personal when combined with other information). That’s where UK GDPR comes in.
So you typically need to make sure:
- your cookie choices and privacy disclosures align (no contradictions)
- your lawful bases under UK GDPR are thought through (especially if you’re doing analytics or targeted advertising)
- your suppliers (like analytics providers) are properly assessed and contracted where appropriate
Many small businesses choose to tackle this together as part of a broader privacy compliance setup, such as a GDPR Package, so marketing, cookies, and privacy disclosures actually match how the business operates day-to-day.
A Practical PECR Compliance Checklist For Small Businesses
PECR can feel technical, but for most small businesses, compliance comes down to good systems and clear customer journeys.
Here’s a practical checklist you can start using straight away.
1) Map Your Marketing Channels
List where you market and what data you use, for example:
- email newsletters
- SMS campaigns
- phone lead generation
- retargeting ads
- website contact forms
This matters because different channels can have different PECR rules.
2) Review How You Collect Consent (Or Soft Opt-In)
Look at:
- your website forms
- checkout pages
- lead magnets and downloadable content signups
- in-person signups (eg in-store or at events)
Then ask: are you relying on explicit opt-in consent, or soft opt-in? And can you prove it?
3) Make Opt-Out Easy (And Actually Honour It)
Every marketing email should include a working unsubscribe link, and SMS marketing should include a clear way to stop messages.
Behind the scenes, make sure you:
- update suppression lists quickly
- don’t re-upload unsubscribed contacts later
- train staff not to “work around” opt-outs
4) Fix Your Cookie Setup
Cookie compliance often requires both legal and technical action. You’ll usually need to:
- identify what cookies and trackers are on your site
- categorise them (necessary vs analytics vs advertising, etc.)
- set your banner to block non-essential cookies until consent
- keep your cookie information up-to-date as tools change
5) Align Your Documents With How You Operate
Most PECR problems happen when a business grows quickly and marketing tools change faster than documentation. Your legal foundations should keep up.
For many small businesses, that means ensuring you have:
- a Privacy Policy that accurately describes your marketing and data handling
- a Cookie Policy that matches what’s actually running on the website
- internal policies that control how staff use customer data for marketing
- supplier terms and privacy provisions where needed
Also, if you use subscription-style marketing or sign customers up to ongoing services, you’ll want to make sure your customer terms and cancellation flows are clear as part of building trust and reducing complaints. (This isn’t PECR itself, but it’s often part of the same “compliance and brand reputation” picture.)
6) Keep Evidence
If you ever need to respond to a complaint, it helps to have basic records such as:
- timestamped opt-in logs
- copies of the signup wording used at the time
- campaign lists and suppression lists
- cookie consent logs (where your platform provides them)
You don’t need to overcomplicate it - but you do need a system.
Key Takeaways
- The Privacy and Electronic Communications Regulations (PECR) regulate how your business uses electronic marketing and cookies, and they apply to many small businesses.
- PECR often works alongside UK GDPR and the Data Protection Act 2018, so you usually need to think about both when building compliant marketing systems.
- Marketing by email and SMS commonly requires prior consent, unless you can properly rely on the soft opt-in rules for existing customers.
- Phone marketing has its own rules, and automated marketing calls are usually more restricted than live calls.
- Cookies and similar technologies generally require transparency and consent for non-essential cookies (like analytics and advertising), and your cookie banner needs to offer real choice.
- Getting compliant is mostly about good systems: clear consent wording, easy opt-outs, accurate policies, and basic evidence of what you’re doing.
If you’d like help getting your marketing, cookies, and privacy compliance set up properly, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


