Last reviewed: 2026-05-04. Reviewer: M.K., CIPP/E.

PECR. Regulator: Information Commissioner's Office.

REGULATION · NATIONAL · IN FORCE SINCE 2003

Privacy and Electronic Communications (EC Directive) Regulations 2003

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.

Official text: EUR-Lex. Reviewed 2026-05-05. Free reference, sources cited.

Scope and territorial reach

Where it applies — 1 jurisdiction

Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Cookie consent (Reg 6)

     Inform users and obtain consent before storing or accessing information on their terminal equipment, except for strictly-necessary or transmission-facilitating cookies.

  2. Direct marketing, electronic (Reg 22)

     Unsolicited marketing by email/SMS to individuals requires prior opt-in consent, with a narrow soft opt-in carve-out for existing customers.

  3. Marketing calls (Reg 21 / 21A / 21B)

     Live marketing calls to TPS-registered numbers are prohibited; automated dialler calls require prior specific consent; claims-management and pensions calls have stricter regimes.

  4. Communications confidentiality (Reg 5)

     Public electronic communications networks and services must take appropriate technical and organisational measures to safeguard the security and confidentiality of communications.

  5. Traffic data (Reg 7)

     Traffic data must be erased or anonymised when no longer needed for transmission, unless retained for billing, value-added services with consent, or law-enforcement purposes.

  6. Location data (Reg 14)

     Location data other than traffic data may be processed only when anonymised or with the user's consent, for the duration necessary to provide the value-added service.

  7. Itemised billing & CLI (Reg 8–10)

     Subscribers have the right to non-itemised bills and to suppress calling-line and connected-line identification on a per-call or permanent basis.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

Strictly necessary (Reg 6(4)(b))

Cookie/storage is strictly necessary to deliver a service explicitly requested by the user (e.g. shopping-cart session, login, CSRF token).

Common for: session cookies, security tokens, load-balancer cookies

Communication facilitating (Reg 6(4)(a))

Sole purpose is to carry out the transmission of a communication over an electronic communications network.

Common for: network routing cookies, transport-layer state

Service explicitly requested by the user (Reg 6(4)(b))

User has actively requested a specific service (e.g. webmail, video player) and the storage is necessary to deliver it.

Common for: player preferences, language toggle on direct user action

Consent, PECR (Reg 6(1)–(3))

User gives GDPR-standard consent (freely given, specific, informed, unambiguous) before non-essential cookies are set or accessed.

Common for: analytics, advertising, social embeds, A/B testing, session replay

Soft opt-in, existing-customer marketing (Reg 22(3))

Email/SMS marketing of similar products to an existing customer whose details were obtained during a sale or sale negotiation, with a clear opt-out at collection and in every message.

Common for: post-purchase newsletters from a B2C store to its own customers

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

| Right | Article | Response | Scope |
| --- | --- | --- | --- |
| Right to refuse cookies | Reg 6 | | Refusal must be as easy as acceptance; refusal must not degrade access to the core service. |
| Right to opt out of direct marketing | Reg 22 / 23 | | Every electronic marketing message must offer a free, simple opt-out; opt-outs must be honoured promptly. |
| Right to withdraw consent | Reg 6 / 22 (read with UK GDPR Art 7(3)) | | Withdrawal must be as easy as giving consent; processing before withdrawal remains lawful. |
| Right to register with TPS/CTPS | Reg 26 (TPS) / Reg 25 (CTPS) | 28 days | Individuals/corporates can register their number; organisations must screen against TPS/CTPS within 28 days of registration. |
| Right to complain to the ICO | Reg 32 | | Any person may complain to the Commissioner about an alleged PECR breach. |

Fines & enforcement

Maximum administrative penalty: €20.0M or 4% of global annual turnover (Art 83(5)). Tiered structure: Art 83(4) = 2% / €10M for procedural failures.

  1. 2024-05 €575k
    DialaShop / Dial-a-Phone ICO · UK · Reg 21 / 21A

    Reported 500,000 GBP penalty for large-scale unsolicited live marketing calls to TPS-registered subscribers; case treated as repeat-offender pattern.

  2. 2024-09 €230k
    Outsource Strategies Ltd ICO · UK · Reg 21

    200,000 GBP penalty for ~1.2M unsolicited live marketing calls regarding pension reviews to TPS-registered subscribers.

  3. 2022-12 €175k
    Smart Sourcing UK Ltd ICO · UK · Reg 21

    150,000 GBP penalty for ~1.9M unsolicited live marketing calls about energy products to TPS-registered numbers.

  4. 2022-03 €175k
    Solarmovers Ltd ICO · UK · Reg 21

    150,000 GBP penalty for unsolicited live marketing calls about solar panels to TPS-registered numbers.

  5. 2023-10 €175k
    Boost Finance Ltd ICO · UK · Reg 22

    150,000 GBP penalty for ~6M unsolicited 'will-writing' marketing emails sent via affiliate networks without valid PECR consent.

  6. 2024-08 €165k
    HelloFresh ICO · UK · Reg 22

    140,000 GBP penalty for sending 79M unsolicited marketing emails and 1M texts in a 7-month period without valid PECR consent; opt-out wording inadequate and soft opt-in conditions not met.

  7. 2022-10 €155k
    Easylife Ltd ICO · UK · Reg 22 + UK GDPR Art 5/6

    130,000 GBP PECR penalty for unsolicited marketing calls plus a separate 1.35M GBP UK GDPR fine for profiling customer health from purchase data.

  8. 2024-03 €115k
    Outsource Strategies / pensions cluster ICO · UK · Reg 21B

    100,000 GBP penalty under the dedicated pensions-cold-calling regime introduced in 2019.

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National add-ons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

| Country | National act | Stricter than GDPR baseline? | Note |
| --- | --- | --- | --- |
| United Kingdom | UK PECR 2003 (SI 2003/2426) + UK GDPR + DPA 2018 | Stricter | Primary jurisdiction. PECR transposes the EU ePrivacy Directive (2002/58/EC) and was retained post-Brexit. Definition of 'consent' aligned with UK GDPR via 2019 amendments. |
| EU ePrivacy Directive (reference) | Directive 2002/58/EC (as amended by 2009/136/EC) | Aligned | PECR's parent instrument. UK retained PECR post-Brexit; EU member states implement ePrivacy via national law (e.g. Germany's TDDDG, France's LCEN/Code des postes). Proposed ePrivacy Regulation remains stalled at EU level (2017–). |
| Crown Dependencies (territorial reference) | Mirror laws (Jersey/Guernsey/IoM) | Aligned | PECR itself does not extend to the Crown Dependencies; each has its own ePrivacy-style regime aligned with the UK approach. |


Common questions

PECR vs UK GDPR — what's the difference?
UK GDPR governs processing of personal data. PECR governs specific electronic-communications activities — cookies, marketing emails/SMS, marketing calls, traffic and location data — and applies whether or not the data is personal. The same campaign can trigger both: PECR sets the 'do you need consent at all' question for cookies and marketing channels; UK GDPR then governs the underlying personal-data processing once a user is in scope.
Cookie consent under PECR — is there a 'strictly necessary' exception?
Yes — Reg 6(4) exempts cookies whose sole purpose is (a) carrying out the transmission of a communication or (b) being strictly necessary to provide a service explicitly requested by the user. Analytics, advertising, A/B-testing and personalisation cookies do not qualify. The ICO's May 2023 cookie guidance is explicit: analytics cookies require opt-in consent.
Soft opt-in for marketing — what qualifies?
Reg 22(3) permits email/SMS marketing of similar products/services to a person whose contact details were obtained in the course of a sale or sale negotiation, provided (i) a clear opt-out was offered at the time of collection, (ii) every subsequent message offers a free, simple opt-out, and (iii) the message promotes the same business's similar offering. Soft opt-in does not apply to B2B-to-individuals, charities seeking donations (until amended by DUA Act 2025), or third-party promotions.
Maximum PECR fine — what's the current cap?
Until 2018, PECR penalties were capped at 500,000 GBP under s.55A of the Data Protection Act 1998. The Data (Use and Access) Act 2025 ('DUA Act') received Royal Assent on 19 June 2025 and aligns PECR maximum penalties with the UK GDPR cap of the higher of 17.5M GBP or 4% of global annual turnover — bringing PECR enforcement teeth into line with UK GDPR. Verify commencement date of the specific PECR provisions before quoting; some DUA Act sections phase in via secondary legislation.
DUA Act 2025 changes to PECR — what changed?
Three headline changes: (1) penalty cap aligned with UK GDPR (see above); (2) a new low-risk-analytics exemption that allows certain first-party statistical-measurement cookies without consent, provided users are clearly informed and can object — narrower than the EU ePrivacy reform draft and limited to aggregated, non-targeting use; (3) charities can now use a soft-opt-in equivalent for fundraising communications to existing supporters. Verify the precise scope and commencement of the analytics carve-out via the ICO's updated PECR guidance — drafting tolerances and 'low-risk' criteria are tighter than commercial summaries suggest.
Marketing calls — what's actually allowed under PECR?
Live calls (a human agent) are permitted to numbers not registered with the Telephone Preference Service (TPS) — Reg 21 — provided the recipient has not previously objected. Calls to TPS-registered numbers are unlawful unless the subscriber has specifically notified the caller that they consent. Automated dialler calls (recorded message) require prior specific opt-in consent — Reg 19. Pensions cold-calling (Reg 21B, since 2019) and claims-management cold-calling (Reg 21A, since 2018) are outright banned without specific consent, regardless of TPS status.
SMS marketing — opt-in only?
Yes, by default. SMS to individual subscribers requires prior opt-in consent under Reg 22, with the soft opt-in carve-out in Reg 22(3) the only exception. Note that 'individual subscribers' under PECR includes sole traders and most non-incorporated partnerships in England/Wales — they are treated as consumers, not businesses, for marketing purposes.
B2B marketing under PECR — different rules?
Yes. Calls and emails/SMS to corporate subscribers (limited companies, LLPs, Scottish partnerships, public bodies) operate on a soft-opt-out model — you may contact them unless they have specifically asked you not to, and corporate numbers can be registered with the Corporate TPS (CTPS). However, the message itself must still identify the sender, give a valid opt-out, and respect any prior objection. Sending B2B to an individual employee's personal-style address (john.smith@…) treads into individual-subscriber territory if there is real doubt — ICO guidance recommends treating ambiguous addresses as individual.
Cookies vs first-party server-side tracking — is server-side outside PECR?
Reg 6 is triggered by 'storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user'. Pure server-side analytics that processes only HTTP request data without setting cookies, reading localStorage, or running fingerprinting scripts on the device falls outside Reg 6 — though UK GDPR still applies to the personal data processed. The moment the server-side pipeline writes a first-party cookie, drops a client-side ID, or uses a tag that fingerprints the browser, Reg 6 is back in scope.
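The Reg 6 boundary described in this answer and in the 'strictly necessary' answer above, expressed as a gate on outgoing Set-Cookie headers. This is an added example, not code from the page or the ICO; the cookie names, their declared purposes and the sample headers are constructed, and treating an undeclared cookie as non-essential is an assumption about how to handle unaudited cookies.

```python
# Added example, not code from the page or the ICO: a Reg 6 gate over outgoing
# Set-Cookie headers. Cookie names, purposes and header values are constructed.
from dataclasses import dataclass, field

# Reg 6(4)(a)/(b) exemptions as the page describes them; every other purpose
# (analytics, advertising, A/B testing, ...) needs prior opt-in consent.
EXEMPT_PURPOSES = {"transmission", "strictly_necessary"}

# Hypothetical cookie audit: cookie name -> declared purpose.
COOKIE_PURPOSES = {
    "sessionid": "strictly_necessary",  # login session
    "csrftoken": "strictly_necessary",  # CSRF token
    "lb_route": "transmission",         # load-balancer affinity
    "_ga": "analytics",
    "ad_id": "advertising",
}

@dataclass
class Consent:
    """Per-purpose record: a purpose missing from `granted` is a 'no'."""
    granted: set = field(default_factory=set)

    def grant(self, purpose):      # giving and withdrawing consent are
        self.granted.add(purpose)  # symmetric one-step operations

    def withdraw(self, purpose):
        self.granted.discard(purpose)

    def allows(self, purpose):
        return purpose in EXEMPT_PURPOSES or purpose in self.granted

def cookie_name(set_cookie_value):
    return set_cookie_value.split("=", 1)[0].strip()

def gate_set_cookie(headers, consent):
    """Split Set-Cookie values into (allowed, blocked). An undeclared name is
    blocked: an unaudited cookie is treated as non-essential, never exempt."""
    allowed, blocked = [], []
    for raw in headers:
        purpose = COOKIE_PURPOSES.get(cookie_name(raw), "undeclared")
        (allowed if consent.allows(purpose) else blocked).append(raw)
    return allowed, blocked

# Constructed response headers for a first visit, before the banner is answered.
FIRST_VISIT = [
    "sessionid=s1; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=t1; Path=/; Secure; SameSite=Strict",
    "lb_route=b2; Path=/; Secure",
    "_ga=GA1.2.1; Path=/; Max-Age=63072000",
    "ad_id=x9; Path=/; Max-Age=31536000",
]
```

With an empty Consent the session, CSRF and load-balancer cookies still go out and the analytics and advertising cookies are held back, which is the 'refusal must not degrade the core service' outcome; granting and later withdrawing 'analytics' returns the response to the refused state.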
ICO enforcement — PECR vs UK GDPR — which is more active?
Operationally, PECR. The ICO publishes 8–15 PECR monetary penalties a year, overwhelmingly for unsolicited marketing calls and emails — this is the regulator's most consistent enforcement stream. UK GDPR fines are larger but rarer and concentrated on big-tech and breach cases. Pre-DUA Act 2025, the 500k GBP PECR cap meant headline fines were modest; post-alignment with UK GDPR the cap is the same 17.5M GBP / 4% maximum, so expect the gap to close. For most SMEs, the realistic risk surface is a PECR investigation triggered by spam-marketing complaints, not a strategic UK GDPR audit.